From 3431ce14ed53574f7cef199e51b5741ca9a485c2 Mon Sep 17 00:00:00 2001 
From: sathyaseelan Date: Fri, 23 Jun 2023 21:54:39 +0530 Subject: [PATCH] Added kuttl tests and cli tests for kyverno 1.10 (#80) * Added kuttl tests for kyverno 1.10 * updated e2e workflow yaml Updated the license key in the helm command Added Kuttl e2e tests for best practices policy Updated the kuttl test yaml files Updated the resource yaml Kyverno 1.10 policy updates (#79) * Update policies to use Kyverno 1.10 * Update Kyverno version annotation * Update Kyverno annotation and e2e tests --- .github/workflows/cli.yaml | 6 +- .github/workflows/e2e.yaml | 4 +- Makefile | 15 +- .../disallow_empty_ingress_host.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../disallow_cri_sock_mount.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../disallow_default_namespace.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../disallow_latest_tag.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../require_drop_all/e2e/policy-assert.yaml | 2 +- .../require_drop_all/require_drop_all.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../require_drop_cap_net_raw.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../require_labels/e2e/policy-assert.yaml | 2 +- .../require_labels/require_labels.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../require_pod_requests_limits.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../require_probes/e2e/policy-assert.yaml | 2 +- .../require_probes/require_probes.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../require_ro_rootfs/e2e/policy-assert.yaml | 2 +- .../require_ro_rootfs/require_ro_rootfs.yaml | 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../e2e/policy-assert.yaml | 2 +- .../restrict-service-external-ips.yaml 
| 3 +- .../e2e/03-enforce-policy-assert.yaml | 2 +- .../restrict_node_port/e2e/policy-assert.yaml | 2 +- .../restrict_node_port.yaml | 3 +- .../Chart.yaml | 2 +- .../templates/disallow_cri_sock_mount.yaml | 3 +- .../templates/disallow_default_namespace.yaml | 3 +- .../disallow_empty_ingress_host.yaml | 2 +- .../templates/disallow_latest_tag.yaml | 3 +- .../templates/e2e/01-policy.yaml | 6 + .../templates/e2e/02-enforce.yaml | 5 + .../e2e/03-enforce-policy-assert.yaml | 11 ++ .../templates/e2e/04-manifests.yaml | 15 ++ .../templates/e2e/05-ephemeral.yaml | 4 + .../templates/e2e/98-delete.yaml | 6 + .../templates/e2e/99-delete.yaml | 6 + .../templates/e2e/bad-pod-false.yaml | 8 + .../templates/e2e/bad-pod-noregistry.yaml | 8 + .../templates/e2e/bad-pod-notall.yaml | 21 +++ .../templates/e2e/bad-podcontrollers.yaml | 140 ++++++++++++++++++ .../templates/e2e/good-podcontrollers.yaml | 48 ++++++ .../templates/e2e/good-pods.yaml | 34 +++++ .../templates/e2e/policy-assert.yaml | 11 ++ .../templates/require_drop_all.yaml | 2 +- .../templates/require_drop_cap_net_raw.yaml | 3 +- .../templates/require_labels.yaml | 3 +- .../require_pod_requests_limits.yaml | 3 +- .../templates/require_probes.yaml | 2 +- .../templates/require_ro_rootfs.yaml | 3 +- .../restrict-service-external-ips.yaml | 3 +- .../templates/restrict_image_registries.yaml | 5 + .../templates/restrict_node_port.yaml | 3 +- charts/multitenancy/Chart.yaml | 2 +- .../templates/add-network-policy.yaml | 1 + .../templates/allowed-podpriorities.yaml | 2 +- charts/pod-security-baseline/Chart.yaml | 2 +- charts/pod-security-restricted/Chart.yaml | 2 +- charts/rbac-best-practices/Chart.yaml | 2 +- .../templates/disable-automount-sa-token.yaml | 1 - .../disallow-service-type-loadbalancer | 2 +- cost-management/namespace-inventory-check | 2 +- cost-management/require-requests-and-limits | 2 +- eks-best-practices/allowed-base-images.yaml | 3 +- eks-best-practices/allowed-podpriorities.yaml | 2 +- 
.../check-amazon-inspector.yaml | 2 +- .../check-ami-deprecation-time.yaml | 2 +- .../check-cluster-endpoint.yaml | 2 +- eks-best-practices/check-cluster-logging.yaml | 2 +- .../check-cluster-remote-access.yaml | 2 +- eks-best-practices/check-cluster-rolearn.yaml | 2 +- .../check-cluster-secrets-encryption.yaml | 2 +- eks-best-practices/check-cluster-tags.yaml | 2 +- .../check-immutable-tags-ecr.yaml | 2 +- .../check-instance-profile-access.yaml | 2 +- eks-best-practices/check-public-dns.yaml | 2 +- eks-best-practices/check-vpc-flow-logs.yaml | 2 +- eks-best-practices/disallow-all-secrets.yaml | 3 +- .../disallow-secrets-from-env-vars.yaml | 3 +- .../ensure-readonly-hostpath.yaml | 3 +- eks-best-practices/require-aws-node-irsa.yaml | 3 +- eks-best-practices/require-base-image.yaml | 3 +- .../restrict-adding-capabilities.yaml | 3 +- .../restrict-wildcard-verbs.yaml | 3 +- finops/Require limits_and_requests.yaml | 2 +- .../disallow_service_type_loadBalancer.yaml | 2 +- finops/namespace_inventory_check.yaml | 2 +- finops/prevent_orphan_pods.yaml | 4 +- finops/restrict_scale.yaml | 4 +- finops/scale_deployment_to_zero.yaml | 2 +- multitenancy/add-network-policy.yaml | 1 + multitenancy/add-roles.yaml | 5 +- pci-dss/require-network-policy.yaml | 4 +- pci-dss/restrict-basic-auth-secret.yaml | 2 +- permit-dns/permit-dns.yaml | 3 +- .../disallow-capabilities.yaml | 3 +- .../disallow-host-namespaces.yaml | 3 +- .../disallow-host-path.yaml | 3 +- .../disallow-host-ports.yaml | 3 +- .../disallow-host-process.yaml | 3 +- .../disallow-privileged-containers.yaml | 3 +- .../disallow-proc-mount.yaml | 3 +- .../disallow-selinux/disallow-selinux.yaml | 3 +- .../restrict-apparmor-profiles.yaml | 3 +- .../restrict-seccomp/restrict-seccomp.yaml | 3 +- .../restrict-sysctls/restrict-sysctls.yaml | 3 +- .../disallow-capabilities-strict.yaml | 3 +- .../disallow-privilege-escalation.yaml | 3 +- .../require-run-as-non-root-user.yaml | 3 +- .../require-run-as-nonroot.yaml | 3 +- 
.../restrict-seccomp-strict.yaml | 3 +- .../restrict-volume-types.yaml | 3 +- .../disable-automount-sa-token.yaml | 1 - .../restrict-automount-sa-token.yaml | 2 +- .../restrict-binding-system-groups.yaml | 3 +- .../restrict-clusterrole-nodesproxy.yaml | 3 +- .../restrict-escalation-verbs-roles.yaml | 3 +- .../restrict-wildcard-resources.yaml | 3 +- .../disallow-custom-snippets.yaml | 4 +- ...ow-security-context-constraint-anyuid.yaml | 4 +- workload-security/restrict-annotations.yaml | 4 +- .../restrict-binding-clusteradmin.yaml | 4 +- .../restrict-binding-system-groups.yaml | 4 +- .../restrict-edit-for-endpoints.yaml | 4 +- .../restrict-escalation-verbs-roles.yaml | 4 +- workload-security/restrict-path.yaml | 4 +- .../restrict-secret-role-verbs.yaml | 4 +- .../restrict-wildcard-resources.yaml | 4 +- .../restrict-wildcard-verbs.yaml | 4 +- 143 files changed, 506 insertions(+), 175 deletions(-) create mode 100644 charts/best-practices-workload-security/templates/e2e/01-policy.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/02-enforce.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/04-manifests.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/98-delete.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/99-delete.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml create mode 100644 
charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/good-pods.yaml create mode 100644 charts/best-practices-workload-security/templates/e2e/policy-assert.yaml diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml index c1c60839..de336905 100644 --- a/.github/workflows/cli.yaml +++ b/.github/workflows/cli.yaml @@ -2,10 +2,10 @@ name: Kyverno CLI Test on: push: branches: - - main + - kyverno-1.10 pull_request: branches: - - main + - kyverno-1.10 concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -16,7 +16,7 @@ jobs: strategy: fail-fast: false matrix: - n4k-version: [v1.9.0-n4kbuild.3] + n4k-version: [v1.10.0-n4k.nirmata.1] runs-on: ubuntu-latest steps: - name: Checkout diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 15ff7d86..12d442ee 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -3,13 +3,13 @@ name: Kuttl Test on: push: branches: - - 'main' + - 'kyverno-1.10' # this action needs to read GH secret # hence prevents executing on PRs from forks # disabling running on PRs until we find a workaround for this pull_request: branches: - - 'main' + - 'kyverno-1.10' concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/Makefile b/Makefile index 68c25634..32458068 100644 --- a/Makefile +++ b/Makefile @@ -1,13 +1,13 @@ .DEFAULT_GOAL: build-all K8S_VERSION ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-) -KIND_IMAGE ?= kindest/node:v1.25.2 +KIND_IMAGE ?= kindest/node:v1.27.1 KIND_NAME ?= kind USE_CONFIG ?= standard TOOLS_DIR := $(PWD)/.tools KIND := $(TOOLS_DIR)/kind -KIND_VERSION := v0.17.0 +KIND_VERSION := v0.19.0 HELM := $(TOOLS_DIR)/helm HELM_VERSION := v3.10.1 KUTTL := $(TOOLS_DIR)/kubectl-kuttl 
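Review bot: In the e2e.yaml hunk the comment kept above `pull_request:` says PR runs are disabled because the job has to read a GitHub secret, yet the `pull_request` trigger is still present and this change only swaps its branch filter from `'main'` to `'kyverno-1.10'`, so the comment and the trigger now disagree. Either drop the `pull_request:` block, or reword the comment to what actually happens, e.g. `# pull_request runs from forks receive no secrets, so the install step fails there; same-repo PRs run normally`. If fork PRs are expected, the secret-dependent step should be skipped explicitly (the `jobs:` section is outside this hunk, so the condition cannot be proposed here) rather than left to error.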
@@ -60,9 +60,16 @@ kind-delete-cluster: $(KIND) kind-deploy-kyverno: $(HELM) @echo Install kyverno chart... >&2 @echo $(N4K_LICENSE_KEY) >&2 - @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts - @$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj + +## @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts +## @$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set image.tag=v1.10.0-n4k.nirmata.1 --set initImage.tag=v1.10.0-n4k.nirmata.1 --set cleanupController.image.tag=v1.10.0-n4k.nirmata.1 + ### Adding temporary installation command for the kyverno n4k 1.10 + git clone -b kyverno-1.10-beta1 https://github.com/nirmata/kyverno-charts.git + @$(HELM) install kyverno ./kyverno-charts/charts/nirmata -n kyverno --create-namespace --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj + +## @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts +## @$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set 
licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj --set image.tag=v1.10.0-n4k.nirmata.1 --set initImage.tag=v1.10.0-n4k.nirmata.1 --set cleanupController.image.tag=v1.10.0-n4k.nirmata.1 ## Check Kyverno status .PHONY: wait-for-kyverno wait-for-kyverno: diff --git a/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml b/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml index 7fb3671b..06b25027 100644 --- a/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml +++ b/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml @@ -6,13 +6,14 @@ metadata: policies.kyverno.io/title: Disallow empty Ingress host policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Ingress policies.kyverno.io/description: >- An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: disallow-empty-ingress-host diff --git a/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml b/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml index bd068f5d..5fdc0d37 100644 --- a/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml 
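Review bot: The new `@$(HELM) install kyverno ./kyverno-charts/charts/nirmata …` line still carries the license key as a literal in the Makefile, and the two commented-out `##` lines added below it repeat the same literal, even though the recipe already has `$(N4K_LICENSE_KEY)` in scope and prints it with `@echo $(N4K_LICENSE_KEY) >&2`, which writes the secret into CI logs. Use the variable and drop the echo: `--set licenseManager.licenseKey=$(N4K_LICENSE_KEY)`; the literal committed here (and in the pre-existing removed line) should be treated as exposed. The added `git clone -b kyverno-1.10-beta1 https://github.com/nirmata/kyverno-charts.git` installs whatever that branch points at on the day the test runs, with no commit pin or chart checksum, so e2e results are not reproducible and the install path is a supply-chain exposure; clone and then check out a specific commit, or switch back to a published chart version as the commented-out lines suggest. Note too that `git clone` refuses a non-empty existing directory, so a repeat `make kind-deploy-kyverno` in the same workspace will presumably fail unless `kyverno-charts` is removed first.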
@@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-empty-ingress-host spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml b/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml index b0371309..e1157eca 100644 --- a/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml +++ b/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-empty-ingress-host spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml b/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml index 5717ae4e..84f5f199 100644 --- a/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml +++ b/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Best Practices, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/description: >- Container daemon socket bind mounts allows access to the container engine on the @@ -14,7 +15,7 @@ metadata: outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-docker-sock-mount diff --git a/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml b/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml index c0c45ac9..5554e871 100644 --- a/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml 
+++ b/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-container-sock-mounts spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml b/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml index 47f5ae8b..63edae2c 100644 --- a/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml +++ b/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-container-sock-mounts spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/disallow_default_namespace/disallow_default_namespace.yaml b/best-practices/disallow_default_namespace/disallow_default_namespace.yaml index 8abb57f8..f4caa57d 100644 --- a/best-practices/disallow_default_namespace/disallow_default_namespace.yaml +++ b/best-practices/disallow_default_namespace/disallow_default_namespace.yaml @@ -5,6 +5,7 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/title: Disallow Default Namespace + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/category: Multi-Tenancy policies.kyverno.io/severity: medium @@ -18,7 +19,7 @@ metadata: due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-namespace diff --git a/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml b/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml index 510b01df..ee710e5e 100644 --- a/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml 
+++ b/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-default-namespace spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/disallow_default_namespace/e2e/policy-assert.yaml b/best-practices/disallow_default_namespace/e2e/policy-assert.yaml index 7243ffc6..14e8bb4b 100644 --- a/best-practices/disallow_default_namespace/e2e/policy-assert.yaml +++ b/best-practices/disallow_default_namespace/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-default-namespace spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/disallow_latest_tag/disallow_latest_tag.yaml b/best-practices/disallow_latest_tag/disallow_latest_tag.yaml index da3607ca..48542e5d 100644 --- a/best-practices/disallow_latest_tag/disallow_latest_tag.yaml +++ b/best-practices/disallow_latest_tag/disallow_latest_tag.yaml @@ -7,13 +7,14 @@ metadata: policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-image-tag diff --git a/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml b/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml index a990970e..263110a4 100644 --- a/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml 
+++ b/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/disallow_latest_tag/e2e/policy-assert.yaml b/best-practices/disallow_latest_tag/e2e/policy-assert.yaml index c9b16eb2..056d482f 100644 --- a/best-practices/disallow_latest_tag/e2e/policy-assert.yaml +++ b/best-practices/disallow_latest_tag/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml b/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml index 3b6cdb07..7ce4d08e 100644 --- a/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: drop-all-capabilities spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/require_drop_all/e2e/policy-assert.yaml b/best-practices/require_drop_all/e2e/policy-assert.yaml index 383fdf6f..3372893f 100644 --- a/best-practices/require_drop_all/e2e/policy-assert.yaml +++ b/best-practices/require_drop_all/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: drop-all-capabilities spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_drop_all/require_drop_all.yaml b/best-practices/require_drop_all/require_drop_all.yaml index 84cb8ad7..4010bad0 100644 --- a/best-practices/require_drop_all/require_drop_all.yaml +++ b/best-practices/require_drop_all/require_drop_all.yaml 
@@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Capabilities permit privileged actions without giving full root access. All @@ -15,7 +16,7 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-drop-all diff --git a/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml b/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml index f349eb79..b2704d10 100644 --- a/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: drop-cap-net-raw spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml b/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml index 5eec2729..69052c9e 100644 --- a/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml +++ b/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: drop-cap-net-raw spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml b/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml index 8ba82e0c..13cb5355 100644 --- a/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml 
+++ b/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Best Practices policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Capabilities permit privileged actions without giving full root access. The @@ -16,7 +17,7 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-drop-cap-net-raw diff --git a/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml b/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml index 24ea8c63..de756e51 100644 --- a/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/require_labels/e2e/policy-assert.yaml b/best-practices/require_labels/e2e/policy-assert.yaml index fe39bbfa..9c48b242 100644 --- a/best-practices/require_labels/e2e/policy-assert.yaml +++ b/best-practices/require_labels/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_labels/require_labels.yaml b/best-practices/require_labels/require_labels.yaml index 33a4213a..3c89ad9b 100644 --- a/best-practices/require_labels/require_labels.yaml +++ b/best-practices/require_labels/require_labels.yaml 
@@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Require Labels policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Pod, Label policies.kyverno.io/description: >- Define and use labels that identify semantic attributes of your application or Deployment. @@ -13,7 +14,7 @@ metadata: all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-for-labels diff --git a/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml b/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml index b548f413..95d59fe5 100644 --- a/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-requests-limits spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml b/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml index 1da12606..eb7dd5f1 100644 --- a/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml +++ b/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-requests-limits spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml b/best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml index d75e8c0d..a0551719 100644 
--- a/best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml +++ b/best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml @@ -8,6 +8,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and @@ -16,7 +17,7 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-resources diff --git a/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml b/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml index 1651a7fe..2e473537 100644 --- a/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-pod-probes spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/require_probes/e2e/policy-assert.yaml b/best-practices/require_probes/e2e/policy-assert.yaml index 2658fe0c..6f2f2e50 100644 --- a/best-practices/require_probes/e2e/policy-assert.yaml +++ b/best-practices/require_probes/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-pod-probes spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_probes/require_probes.yaml b/best-practices/require_probes/require_probes.yaml index 00304549..1d67338d 100644 --- a/best-practices/require_probes/require_probes.yaml 
+++ b/best-practices/require_probes/require_probes.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/title: Require Pod Probes policies.kyverno.io/category: Best Practices, EKS Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Liveness and readiness probes need to be configured to correctly manage a Pod's @@ -17,7 +18,7 @@ metadata: This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-probes diff --git a/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml b/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml index eae542af..76939a3d 100644 --- a/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-ro-rootfs spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/require_ro_rootfs/e2e/policy-assert.yaml b/best-practices/require_ro_rootfs/e2e/policy-assert.yaml index 5420c89e..cc9de696 100644 --- a/best-practices/require_ro_rootfs/e2e/policy-assert.yaml +++ b/best-practices/require_ro_rootfs/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: require-ro-rootfs spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/require_ro_rootfs/require_ro_rootfs.yaml b/best-practices/require_ro_rootfs/require_ro_rootfs.yaml index 4d469d2a..ba0cc9b7 100644 --- a/best-practices/require_ro_rootfs/require_ro_rootfs.yaml +++ b/best-practices/require_ro_rootfs/require_ro_rootfs.yaml 
@@ -8,6 +8,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. @@ -15,7 +16,7 @@ metadata: host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-readOnlyRootFilesystem diff --git a/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml b/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml index eee63ac5..d05abe21 100644 --- a/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-external-ips spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml b/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml index 28aadd5c..64c32cc0 100644 --- a/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml +++ b/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-external-ips spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml index 08964030..0f71b568 100644 
--- a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml +++ b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml @@ -7,13 +7,14 @@ metadata: policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Service + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- Service externalIPs can be used for a MITM attack (CVE-2020-8554). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-ips diff --git a/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml b/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml index 9625271e..260bf2c8 100644 --- a/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml +++ b/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-nodeport spec: - validationFailureAction: enforce + validationFailureAction: Enforce status: conditions: - reason: Succeeded diff --git a/best-practices/restrict_node_port/e2e/policy-assert.yaml b/best-practices/restrict_node_port/e2e/policy-assert.yaml index e743d0ab..7ae2a8a0 100644 --- a/best-practices/restrict_node_port/e2e/policy-assert.yaml +++ b/best-practices/restrict_node_port/e2e/policy-assert.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: restrict-nodeport spec: - validationFailureAction: audit + validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/best-practices/restrict_node_port/restrict_node_port.yaml b/best-practices/restrict_node_port/restrict_node_port.yaml index 9965fdec..40360587 100644 --- a/best-practices/restrict_node_port/restrict_node_port.yaml 
+++ b/best-practices/restrict_node_port/restrict_node_port.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Disallow NodePort policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Service policies.kyverno.io/description: >- A Kubernetes Service of type NodePort uses a host port to receive traffic from @@ -14,7 +15,7 @@ metadata: with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-nodeport diff --git a/charts/best-practices-workload-security/Chart.yaml b/charts/best-practices-workload-security/Chart.yaml index 55c42e2a..1360ec73 100644 --- a/charts/best-practices-workload-security/Chart.yaml +++ b/charts/best-practices-workload-security/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: workload-security-best-practice-policies description: Workload Security Best Practice policy set type: application -version: 0.1.3 +version: 0.2.0 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/best-practices-workload-security/templates/disallow_cri_sock_mount.yaml b/charts/best-practices-workload-security/templates/disallow_cri_sock_mount.yaml index 5717ae4e..6940b7d0 100644 --- a/charts/best-practices-workload-security/templates/disallow_cri_sock_mount.yaml +++ b/charts/best-practices-workload-security/templates/disallow_cri_sock_mount.yaml 
@@ -8,13 +8,14 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-docker-sock-mount diff --git a/charts/best-practices-workload-security/templates/disallow_default_namespace.yaml b/charts/best-practices-workload-security/templates/disallow_default_namespace.yaml index 8abb57f8..923554d5 100644 --- a/charts/best-practices-workload-security/templates/disallow_default_namespace.yaml +++ b/charts/best-practices-workload-security/templates/disallow_default_namespace.yaml @@ -6,6 +6,7 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/title: Disallow Default Namespace policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/category: Multi-Tenancy policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod @@ -18,7 +19,7 @@ metadata: due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-namespace diff --git a/charts/best-practices-workload-security/templates/disallow_empty_ingress_host.yaml b/charts/best-practices-workload-security/templates/disallow_empty_ingress_host.yaml index 861c93e2..b3342b25 100644 --- a/charts/best-practices-workload-security/templates/disallow_empty_ingress_host.yaml 
+++ b/charts/best-practices-workload-security/templates/disallow_empty_ingress_host.yaml @@ -12,7 +12,7 @@ metadata: in order to be valid. This policy ensures that there is a hostname for each rule defined. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: disallow-empty-ingress-host diff --git a/charts/best-practices-workload-security/templates/disallow_latest_tag.yaml b/charts/best-practices-workload-security/templates/disallow_latest_tag.yaml index da3607ca..4f66a741 100644 --- a/charts/best-practices-workload-security/templates/disallow_latest_tag.yaml +++ b/charts/best-practices-workload-security/templates/disallow_latest_tag.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Disallow Latest Tag policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- The ':latest' tag is mutable and can lead to unexpected errors if the @@ -13,7 +14,7 @@ metadata: a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-image-tag diff --git a/charts/best-practices-workload-security/templates/e2e/01-policy.yaml b/charts/best-practices-workload-security/templates/e2e/01-policy.yaml new file mode 100644 index 00000000..1c19d47e --- /dev/null +++ b/charts/best-practices-workload-security/templates/e2e/01-policy.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- ../restrict_image_registries.yaml +assert: +- policy-assert.yaml diff --git a/charts/best-practices-workload-security/templates/e2e/02-enforce.yaml b/charts/best-practices-workload-security/templates/e2e/02-enforce.yaml new file mode 100644 index 00000000..e7ca7dfd --- /dev/null 
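Review bot: The new kuttl steps and Pod fixtures are placed under `charts/best-practices-workload-security/templates/e2e/`, and Helm renders every file below `templates/` as part of the release, so a `helm install` of this chart would presumably try to create `kuttl.dev/v1beta1` TestStep objects and the bad-pod fixtures as well (unless a `.helmignore` entry excludes them, which this diff does not show). Move the directory out of `templates/` (e.g. `charts/best-practices-workload-security/e2e/`, adjusting `apply: - ../restrict_image_registries.yaml` to the new relative path) or add `templates/e2e/` to `.helmignore`. Note also that applying a raw chart template with kubectl only works while that file carries no Go-template directives; a comment in 01-policy.yaml such as `# applies the chart template directly; it must stay free of {{ }} templating` would make that constraint explicit.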
+++ b/charts/best-practices-workload-security/templates/e2e/02-enforce.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict_image_registries.yaml | kubectl apply -f -
diff --git a/charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml b/charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml
new file mode 100644
index 00000000..4862bac1
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-image-registries
+spec:
+ validationFailureAction: enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/charts/best-practices-workload-security/templates/e2e/04-manifests.yaml b/charts/best-practices-workload-security/templates/e2e/04-manifests.yaml
new file mode 100644
index 00000000..322c6bf1
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/04-manifests.yaml
@@ -0,0 +1,15 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: good-pods.yaml
+ shouldFail: false
+- file: good-podcontrollers.yaml
+ shouldFail: false
+- file: bad-pod-noregistry.yaml
+ shouldFail: true
+- file: bad-pod-notall.yaml
+ shouldFail: true
+- file: bad-pod-false.yaml
+ shouldFail: true
+- file: bad-podcontrollers.yaml
+ shouldFail: true
diff --git a/charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml b/charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml
new file mode 100644
index 00000000..f579a0b0
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml
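Review bot: The sed in 02-enforce.yaml rewrites the policy to `validationFailureAction: Enforce`, while 03-enforce-policy-assert.yaml asserts `validationFailureAction: enforce`; kuttl compares field values literally, so step 03 cannot match unless Kyverno normalises the case, which I would not rely on. The rest of this commit moves every policy and every sibling e2e assert to `Audit`/`Enforce`, so if the chart's `restrict_image_registries.yaml` already reads `Audit` the pattern `audit` never matches either, the policy stays in audit mode and the `shouldFail: true` entries in 04-manifests.yaml are admitted instead of rejected. Use `sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/'` in step 02 and `validationFailureAction: Enforce` in the step-03 assert, matching the `require_probes` and `require_ro_rootfs` asserts updated here.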
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: if kubectl debug -it goodpod02-registry --image=busybox:1.35 --target=k8s-nginx -n ir-pods-namespace; then exit 1; else exit 0; fi;
diff --git a/charts/best-practices-workload-security/templates/e2e/98-delete.yaml b/charts/best-practices-workload-security/templates/e2e/98-delete.yaml
new file mode 100644
index 00000000..b51fdf15
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/98-delete.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete deployments --all --force --grace-period=0 -n ir-pods-namespace
+ - command: kubectl delete pods --all --force --grace-period=0 -n ir-pods-namespace
+ - command: kubectl delete cronjobs --all --force --grace-period=0 -n ir-pods-namespace
diff --git a/charts/best-practices-workload-security/templates/e2e/99-delete.yaml b/charts/best-practices-workload-security/templates/e2e/99-delete.yaml
new file mode 100644
index 00000000..08ea2eb2
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/99-delete.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-image-registries
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml b/charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml
new file mode 100644
index 00000000..1c367f2f
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01-registry
+spec:
+ containers:
+ - name: k8s-nginx
+ image: registry.k8s.io/nginx:1.7.9
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml b/charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml
new file mode 100644
index 00000000..208049a2
--- /dev/null
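Review bot: The script in 05-ephemeral.yaml treats any non-zero exit from `kubectl debug -it` as proof that the policy blocked the ephemeral container, but `kubectl debug -it` also fails when it cannot attach, and `goodpod02-registry` pulls from the placeholder registries `bar.io`/`eu.foo.io`, so that pod is presumably never Running. As written the step passes even if the new `=(ephemeralContainers)` rule is not enforced at all. Check the rejection reason instead and drop `-it`, which has no TTY in a kuttl step: `out=$(kubectl debug goodpod02-registry --image=busybox:1.35 --target=k8s-nginx -n ir-pods-namespace 2>&1) && exit 1; echo "$out" | grep -q restrict-image-registries`.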
+++ b/charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod04-registry
+spec:
+ containers:
+ - name: k8s-nginx
+ image: nginx
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml b/charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml
new file mode 100644
index 00000000..62f9130f
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02-registry
+spec:
+ containers:
+ - name: k8s-nginx
+ image: registry.k8s.io/nginx:1.7.9
+ - name: busybox
+ image: bar.io/busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03-registry
+spec:
+ containers:
+ - name: busybox
+ image: eu.foo.io/busybox
+ - name: k8s-nginx
+ image: registry.k8s.io/nginx:1.7.9
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml b/charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml
new file mode 100644
index 00000000..4f903f66
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml
@@ -0,0 +1,140 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reqro-baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ foo: bar
+ spec:
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: busybox
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ - name: k8s-nginx
+ image: bar.io/nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reqro-baddeployment02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ foo: bar
+ spec:
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: nginx-init
+ image: eu.foo.io/nginx
+ containers:
+ - name: k8s-nginx
+ image: bar.io/nginx
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reqro-baddeployment03
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ foo: bar
+ spec:
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: busybox:1.35
+ containers:
+ - name: k8s-nginx
+ image: bar.io/nginx
+ - name: nginx
+ image: eu.foo.io/nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: reqro-badcronjob01
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: busybox
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ - name: k8s-nginx
+ image: bar.io/nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: reqro-badcronjob02
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: nginx-init
+ image: eu.foo.io/nginx
+ containers:
+ - name: k8s-nginx
+ image: bar.io/nginx
+ - name: busybox
+ image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: reqro-badcronjob03
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: busybox:1.35
+ containers:
+ - name: k8s-nginx
+ image: bar.io/nginx
+ - name: nginx
+ image: eu.foo.io/nginx
diff --git a/charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml b/charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml
new file mode 100644
index 00000000..87dc9dcc
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reqro-gooddeployment01
+ namespace: ir-pods-namespace
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ foo: bar
+ template:
+ metadata:
+ labels:
+ foo: bar
+ spec:
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: eu.foo.io/busybox
+ containers:
+ - name: busybox
+ image: eu.foo.io/nginx
+ - name: k8s-nginx
+ image: bar.io/nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: reqprobes-goodcronjob01
+ namespace: ir-pods-namespace
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: eu.foo.io/busybox
+ containers:
+ - name: busybox
+ image: eu.foo.io/nginx
+ - name: k8s-nginx
+ image: bar.io/nginx
diff --git a/charts/best-practices-workload-security/templates/e2e/good-pods.yaml b/charts/best-practices-workload-security/templates/e2e/good-pods.yaml
new file mode 100644
index 00000000..ecca6ff7
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/good-pods.yaml
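Review bot: Every Deployment in bad-podcontrollers.yaml declares `selector.matchLabels: {app: app}` while its pod template only carries `foo: bar`; the API server rejects a Deployment whose selector does not match its template labels, so the `shouldFail: true` expectation in 04-manifests.yaml is satisfied before Kyverno evaluates a single image. Align the selector with the template, `matchLabels: foo: bar`, as `reqro-gooddeployment01` in good-podcontrollers.yaml already does, so that a rejection is attributable to the registry policy. The three CronJobs carry no selector and are unaffected, and the `reqro-`/`reqprobes-` name prefixes look copied from other test suites; an `ir-` prefix would match the namespace naming used here.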
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ir-pods-namespace +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01-registry + namespace: ir-pods-namespace +spec: + initContainers: + - name: k8s-nginx-init + image: bar.io/nginx + containers: + - name: k8s-nginx + image: eu.foo.io/nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02-registry + namespace: ir-pods-namespace +spec: + initContainers: + - name: nginx-init + image: bar.io/nginx + - name: busybox-init + image: eu.foo.io/busybox + containers: + - name: k8s-nginx + image: bar.io/nginx + - name: busybox + image: eu.foo.io/busybox diff --git a/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml b/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml new file mode 100644 index 00000000..ee109212 --- /dev/null +++ b/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + validationFailureAction: audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/charts/best-practices-workload-security/templates/require_drop_all.yaml b/charts/best-practices-workload-security/templates/require_drop_all.yaml index 29d6101e..3f2625c0 100644 --- a/charts/best-practices-workload-security/templates/require_drop_all.yaml +++ b/charts/best-practices-workload-security/templates/require_drop_all.yaml @@ -15,7 +15,7 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-drop-all 
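Review bot: policy-assert.yaml asserts `validationFailureAction: audit`, whereas the sibling assert files touched in this same commit (e.g. `best-practices/require_probes/e2e/policy-assert.yaml`) now expect `Audit`; the hunks for `restrict_image_registries.yaml` do not show its `validationFailureAction` line, but if it was updated to `Audit` like the other chart templates this literal kuttl assertion never matches and step 01 times out. Use `validationFailureAction: Audit` here, and keep the `type: Ready` condition check, which is the useful part of the assert.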
diff --git a/charts/best-practices-workload-security/templates/require_drop_cap_net_raw.yaml b/charts/best-practices-workload-security/templates/require_drop_cap_net_raw.yaml index 9f2af8b5..40fb707e 100644 --- a/charts/best-practices-workload-security/templates/require_drop_cap_net_raw.yaml +++ b/charts/best-practices-workload-security/templates/require_drop_cap_net_raw.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Drop CAP_NET_RAW policies.kyverno.io/category: Best Practices policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- @@ -16,7 +17,7 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: require-drop-cap-net-raw diff --git a/charts/best-practices-workload-security/templates/require_labels.yaml b/charts/best-practices-workload-security/templates/require_labels.yaml index 33a4213a..3c89ad9b 100644 --- a/charts/best-practices-workload-security/templates/require_labels.yaml +++ b/charts/best-practices-workload-security/templates/require_labels.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Require Labels policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Pod, Label policies.kyverno.io/description: >- Define and use labels that identify semantic attributes of your application or Deployment. 
@@ -13,7 +14,7 @@ metadata: all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-for-labels diff --git a/charts/best-practices-workload-security/templates/require_pod_requests_limits.yaml b/charts/best-practices-workload-security/templates/require_pod_requests_limits.yaml index d75e8c0d..a0551719 100644 --- a/charts/best-practices-workload-security/templates/require_pod_requests_limits.yaml +++ b/charts/best-practices-workload-security/templates/require_pod_requests_limits.yaml @@ -8,6 +8,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and @@ -16,7 +17,7 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-resources diff --git a/charts/best-practices-workload-security/templates/require_probes.yaml b/charts/best-practices-workload-security/templates/require_probes.yaml index cbd7fb46..15a03f58 100644 --- a/charts/best-practices-workload-security/templates/require_probes.yaml +++ b/charts/best-practices-workload-security/templates/require_probes.yaml @@ -17,7 +17,7 @@ metadata: This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-probes 
diff --git a/charts/best-practices-workload-security/templates/require_ro_rootfs.yaml b/charts/best-practices-workload-security/templates/require_ro_rootfs.yaml index 4d469d2a..ba0cc9b7 100644 --- a/charts/best-practices-workload-security/templates/require_ro_rootfs.yaml +++ b/charts/best-practices-workload-security/templates/require_ro_rootfs.yaml @@ -8,6 +8,7 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/description: >- A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. @@ -15,7 +16,7 @@ metadata: host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-readOnlyRootFilesystem diff --git a/charts/best-practices-workload-security/templates/restrict-service-external-ips.yaml b/charts/best-practices-workload-security/templates/restrict-service-external-ips.yaml index 08964030..4f8177ed 100644 --- a/charts/best-practices-workload-security/templates/restrict-service-external-ips.yaml +++ b/charts/best-practices-workload-security/templates/restrict-service-external-ips.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Restrict External IPs policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Service policies.kyverno.io/description: >- Service externalIPs can be used for a MITM attack (CVE-2020-8554). 
@@ -13,7 +14,7 @@ metadata: See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-ips diff --git a/charts/best-practices-workload-security/templates/restrict_image_registries.yaml b/charts/best-practices-workload-security/templates/restrict_image_registries.yaml index 2e93f9c0..aaf44281 100644 --- a/charts/best-practices-workload-security/templates/restrict_image_registries.yaml +++ b/charts/best-practices-workload-security/templates/restrict_image_registries.yaml @@ -7,6 +7,7 @@ metadata: policies.kyverno.io/category: Best Practices, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.26" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Images from unknown, public registries can be of dubious quality and may not be @@ -28,5 +29,9 @@ spec: message: "Unknown image registry." pattern: spec: + =(ephemeralContainers): + - image: "eu.foo.io/* | bar.io/*" + =(initContainers): + - image: "eu.foo.io/* | bar.io/*" containers: - image: "eu.foo.io/* | bar.io/*" diff --git a/charts/best-practices-workload-security/templates/restrict_node_port.yaml b/charts/best-practices-workload-security/templates/restrict_node_port.yaml index 9965fdec..40360587 100644 --- a/charts/best-practices-workload-security/templates/restrict_node_port.yaml +++ b/charts/best-practices-workload-security/templates/restrict_node_port.yaml @@ -6,6 +6,7 @@ metadata: policies.kyverno.io/title: Disallow NodePort policies.kyverno.io/category: Best Practices policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/subject: Service policies.kyverno.io/description: >- A Kubernetes Service of type NodePort uses a host port to receive traffic from 
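Review bot: The added `=(ephemeralContainers)` and `=(initContainers)` anchors in `restrict_image_registries.yaml` are the right completion of the rule, but they copy the placeholder allow-list `"eu.foo.io/* | bar.io/*"` into three places of a Helm chart template, so anyone installing the chart gets a policy that reports every real image until they edit the template by hand. Consider sourcing the list from values, e.g. `- image: {{ .Values.allowedRegistries | quote }}` for all three entries, and document in a comment above `pattern:` that the three entries must stay identical; the kuttl step that applies this file directly with kubectl would then need a `helm template` render first. The `kyverno.io/kubernetes-version: "1.26"` annotation is correctly quoted, unlike the unquoted `1.6.0`/`1.10.0` values, which are safe only because two dots keep them strings.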
@@ -14,7 +15,7 @@ metadata: with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-nodeport diff --git a/charts/multitenancy/Chart.yaml b/charts/multitenancy/Chart.yaml index ba4151b5..896b4a1e 100644 --- a/charts/multitenancy/Chart.yaml +++ b/charts/multitenancy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: multitenancy-best-practice-policies description: Multitenancy Best Practices policy set type: application -version: 0.1.2 +version: 0.2.0 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/multitenancy/templates/add-network-policy.yaml b/charts/multitenancy/templates/add-network-policy.yaml index bc40d7d1..631e9129 100644 --- a/charts/multitenancy/templates/add-network-policy.yaml +++ b/charts/multitenancy/templates/add-network-policy.yaml @@ -21,6 +21,7 @@ spec: - "Namespace" name: "*" generate: + apiVersion: networking.k8s.io/v1 kind: "NetworkPolicy" name: "default-deny" namespace: "{{`{{`}}request.object.metadata.name{{`}}`}}" diff --git a/charts/multitenancy/templates/allowed-podpriorities.yaml b/charts/multitenancy/templates/allowed-podpriorities.yaml index 33476f44..b76741c8 100644 --- a/charts/multitenancy/templates/allowed-podpriorities.yaml +++ b/charts/multitenancy/templates/allowed-podpriorities.yaml @@ -15,7 +15,7 @@ metadata: PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-pod-priority diff --git a/charts/pod-security-baseline/Chart.yaml b/charts/pod-security-baseline/Chart.yaml index dce061cf..f376c3f4 100644 --- a/charts/pod-security-baseline/Chart.yaml +++ b/charts/pod-security-baseline/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 name: pss-baseline-policies description: Pod Security Standards (baseline) policy set type: application -version: 0.2.4 +version: 0.3.0 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/pod-security-restricted/Chart.yaml b/charts/pod-security-restricted/Chart.yaml index a28c39e6..7c92395f 100644 --- a/charts/pod-security-restricted/Chart.yaml +++ b/charts/pod-security-restricted/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: pss-restricted-policies description: Pod Security Standards (restricted) policy set type: application -version: 0.2.4 +version: 0.3.0 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/rbac-best-practices/Chart.yaml b/charts/rbac-best-practices/Chart.yaml index 33ab1852..ed4c8274 100644 --- a/charts/rbac-best-practices/Chart.yaml +++ b/charts/rbac-best-practices/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: rbac-best-practice-policies description: Rbac Best Practice policy set type: application -version: 0.1.2 +version: 0.2.0 appVersion: 0.1.0 keywords: - kubernetes diff --git a/charts/rbac-best-practices/templates/disable-automount-sa-token.yaml b/charts/rbac-best-practices/templates/disable-automount-sa-token.yaml index ee3ae7c3..1a70db7f 100644 --- a/charts/rbac-best-practices/templates/disable-automount-sa-token.yaml +++ b/charts/rbac-best-practices/templates/disable-automount-sa-token.yaml @@ -8,7 +8,6 @@ metadata: policies.kyverno.io/category: RBAC Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: ServiceAccount - kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- diff --git a/cost-management/disallow-service-type-loadbalancer b/cost-management/disallow-service-type-loadbalancer index 08eca6a9..18b2ebc0 100644 --- a/cost-management/disallow-service-type-loadbalancer +++ b/cost-management/disallow-service-type-loadbalancer 
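Review bot: This hunk deletes `kyverno.io/kyverno-version: 1.6.0` from `disable-automount-sa-token.yaml` outright, whereas the rest of the commit (e.g. `restrict_node_port.yaml`, `cost-management/*`) sets `kyverno.io/kyverno-version: 1.10.0`; the `policies.kyverno.io/minversion: 1.6.0` line that remains states the minimum supported version, not the version the policy was tested against. If the annotation records the tested version, replace rather than remove it: `kyverno.io/kyverno-version: 1.10.0`. The same deletion appears in `eks-best-practices/allowed-base-images.yaml` further down.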
@@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: "Cost Management" policies.kyverno.io/severity: medium policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.9.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.9.0 kyverno.io/kubernetes-version: "1.24" policies.kyverno.io/description: >- diff --git a/cost-management/namespace-inventory-check b/cost-management/namespace-inventory-check index 08eca6a9..18b2ebc0 100644 --- a/cost-management/namespace-inventory-check +++ b/cost-management/namespace-inventory-check @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: "Cost Management" policies.kyverno.io/severity: medium policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.9.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.9.0 kyverno.io/kubernetes-version: "1.24" policies.kyverno.io/description: >- diff --git a/cost-management/require-requests-and-limits b/cost-management/require-requests-and-limits index b329d59b..4465f000 100644 --- a/cost-management/require-requests-and-limits +++ b/cost-management/require-requests-and-limits @@ -16,7 +16,7 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-resources diff --git a/eks-best-practices/allowed-base-images.yaml b/eks-best-practices/allowed-base-images.yaml index be42eaf7..b395dc4e 100644 --- a/eks-best-practices/allowed-base-images.yaml +++ b/eks-best-practices/allowed-base-images.yaml @@ -6,7 +6,6 @@ metadata: policies.kyverno.io/title: Allowed Base Images policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.7.0 policies.kyverno.io/minversion: 1.7.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod 
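Review bot: `cost-management/disallow-service-type-loadbalancer` and `cost-management/namespace-inventory-check` show identical blob ids (`index 08eca6a9..18b2ebc0`) and the same `subject: Namespace` / `category: "Cost Management"` header, i.e. the two files are byte-for-byte identical before and after this change, which suggests the LoadBalancer policy is a stale copy of the namespace inventory check rather than a rule on `spec.type: LoadBalancer`. Bumping `kyverno.io/kyverno-version` to `1.10.0` here advertises it as tested on 1.10, so please confirm the file's rules and, if it is a copy, replace it with a real Service check (`policies.kyverno.io/subject: Service` and a validate rule denying `type: LoadBalancer`). Both files also lack a `.yaml` extension, which the CLI and kuttl test discovery may skip.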
@@ -18,7 +17,7 @@ metadata: that a container's base, found in an OCI annotation, is in a cluster-wide allow list. spec: - validationFailureAction: audit + validationFailureAction: Audit rules: - name: allowed-base-images match: diff --git a/eks-best-practices/allowed-podpriorities.yaml b/eks-best-practices/allowed-podpriorities.yaml index 8714a938..2ed509fb 100644 --- a/eks-best-practices/allowed-podpriorities.yaml +++ b/eks-best-practices/allowed-podpriorities.yaml @@ -16,7 +16,7 @@ metadata: PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-pod-priority diff --git a/eks-best-practices/check-amazon-inspector.yaml b/eks-best-practices/check-amazon-inspector.yaml index 1663eb58..50f06ffb 100644 --- a/eks-best-practices/check-amazon-inspector.yaml +++ b/eks-best-practices/check-amazon-inspector.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Amazon Inspector is not enabled on both EC2 and ECR spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-amazon-inspector diff --git a/eks-best-practices/check-ami-deprecation-time.yaml b/eks-best-practices/check-ami-deprecation-time.yaml index 82d9cc90..dd75d908 100644 --- a/eks-best-practices/check-ami-deprecation-time.yaml +++ b/eks-best-practices/check-ami-deprecation-time.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- AMIs past their deprecation time spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-ami-deprecation-time diff --git a/eks-best-practices/check-cluster-endpoint.yaml b/eks-best-practices/check-cluster-endpoint.yaml index 502c022d..995ca65f 100644 --- a/eks-best-practices/check-cluster-endpoint.yaml +++ b/eks-best-practices/check-cluster-endpoint.yaml 
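Review bot: Every `validationFailureAction: audit` → `Audit` hunk in this patch (first here in allowed-base-images.yaml, then in each later policy file) leaves the `policies.kyverno.io/minversion` annotation untouched, `1.7.0` for this file and `1.6.0` for most of the others. The capitalised enum form is the newer spelling, so the annotation now advertises a compatibility floor that may not parse the value it sits next to; on a release that does not recognise `Audit` the policy would presumably fall back to non-enforcing behaviour silently, and the e2e step that switches the policy to `Enforce` would not exercise that path. Either confirm the oldest advertised release accepts the capitalised values, or raise the floor in the same commit with `policies.kyverno.io/minversion: <verified-floor>` per file.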
@@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Cluster endpoint should not be public. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-cluster-endpoint diff --git a/eks-best-practices/check-cluster-logging.yaml b/eks-best-practices/check-cluster-logging.yaml index 02f1447f..eb65fd22 100644 --- a/eks-best-practices/check-cluster-logging.yaml +++ b/eks-best-practices/check-cluster-logging.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Cluster logging should be enabled. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-cluster-audit-logging diff --git a/eks-best-practices/check-cluster-remote-access.yaml b/eks-best-practices/check-cluster-remote-access.yaml index cab74aaa..d1e5f3e2 100644 --- a/eks-best-practices/check-cluster-remote-access.yaml +++ b/eks-best-practices/check-cluster-remote-access.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Cluster remote access should be disabled. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-cluster-remote-access diff --git a/eks-best-practices/check-cluster-rolearn.yaml b/eks-best-practices/check-cluster-rolearn.yaml index a7e2c1b3..2e4fb0b3 100644 --- a/eks-best-practices/check-cluster-rolearn.yaml +++ b/eks-best-practices/check-cluster-rolearn.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Incorrect cluster role ARN is used. Requires customization with your role ARN. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-cluster-role-arn diff --git a/eks-best-practices/check-cluster-secrets-encryption.yaml b/eks-best-practices/check-cluster-secrets-encryption.yaml index a2ec7c57..c1098453 100644 --- a/eks-best-practices/check-cluster-secrets-encryption.yaml 
+++ b/eks-best-practices/check-cluster-secrets-encryption.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Cluster secrets encryption should be enabled. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-cluster-secrets-encryption diff --git a/eks-best-practices/check-cluster-tags.yaml b/eks-best-practices/check-cluster-tags.yaml index 0a621bd1..c36f794e 100644 --- a/eks-best-practices/check-cluster-tags.yaml +++ b/eks-best-practices/check-cluster-tags.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Required tags are missing on the cluster. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-department-tag diff --git a/eks-best-practices/check-immutable-tags-ecr.yaml b/eks-best-practices/check-immutable-tags-ecr.yaml index 72e9a55e..4f838631 100644 --- a/eks-best-practices/check-immutable-tags-ecr.yaml +++ b/eks-best-practices/check-immutable-tags-ecr.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Immutable tags are not enabled on all ECR repositories. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-immutable-tag diff --git a/eks-best-practices/check-instance-profile-access.yaml b/eks-best-practices/check-instance-profile-access.yaml index 88c6f31b..3746d047 100644 --- a/eks-best-practices/check-instance-profile-access.yaml +++ b/eks-best-practices/check-instance-profile-access.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Restrict access to the instance profile assigned to nodes spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-instance-profile-access diff --git a/eks-best-practices/check-public-dns.yaml b/eks-best-practices/check-public-dns.yaml index 38bd2c97..3a5c36da 100644 --- a/eks-best-practices/check-public-dns.yaml 
+++ b/eks-best-practices/check-public-dns.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- Deploy workers onto private subnets. If a public DNSName exists, then it means the worker is deployed on a public subnet spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-public-dns diff --git a/eks-best-practices/check-vpc-flow-logs.yaml b/eks-best-practices/check-vpc-flow-logs.yaml index 4ed2da32..e7d2c8f5 100644 --- a/eks-best-practices/check-vpc-flow-logs.yaml +++ b/eks-best-practices/check-vpc-flow-logs.yaml @@ -10,7 +10,7 @@ metadata: policies.kyverno.io/description: >- VPC Flow logs are not enabled. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-vpc-flow-logs diff --git a/eks-best-practices/disallow-all-secrets.yaml b/eks-best-practices/disallow-all-secrets.yaml index 2412a1e5..e2a00483 100644 --- a/eks-best-practices/disallow-all-secrets.yaml +++ b/eks-best-practices/disallow-all-secrets.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.21" policies.kyverno.io/description: >- @@ -16,7 +15,7 @@ metadata: this Policy needs a separate Policy or rule to require `automountServiceAccountToken=false` at the Pod level or ServiceAccount level since this would otherwise result in a Secret being mounted. spec: - validationFailureAction: audit + validationFailureAction: Audit rules: - name: secrets-not-from-env match: diff --git a/eks-best-practices/disallow-secrets-from-env-vars.yaml b/eks-best-practices/disallow-secrets-from-env-vars.yaml index bc904dc4..eac67b4d 100644 --- a/eks-best-practices/disallow-secrets-from-env-vars.yaml +++ b/eks-best-practices/disallow-secrets-from-env-vars.yaml 
@@ -7,13 +7,12 @@ metadata: policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Secret - kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/description: >- Secrets used as environment variables containing sensitive information may, if not carefully controlled, be printed in log output which could be visible to unauthorized people and captured in forwarding applications. This policy disallows using Secrets as environment variables. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: secrets-not-from-env-vars diff --git a/eks-best-practices/ensure-readonly-hostpath.yaml b/eks-best-practices/ensure-readonly-hostpath.yaml index fcefec9b..50586bbd 100644 --- a/eks-best-practices/ensure-readonly-hostpath.yaml +++ b/eks-best-practices/ensure-readonly-hostpath.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kyverno-version: 1.6.2 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- @@ -19,7 +18,7 @@ metadata: explicitly mounted in readOnly mode. spec: background: false - validationFailureAction: audit + validationFailureAction: Audit rules: - name: ensure-hostpaths-readonly match: diff --git a/eks-best-practices/require-aws-node-irsa.yaml b/eks-best-practices/require-aws-node-irsa.yaml index 093a6a3c..b336dfbc 100644 --- a/eks-best-practices/require-aws-node-irsa.yaml +++ b/eks-best-practices/require-aws-node-irsa.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: DaemonSet - kyverno.io/kyverno-version: 1.8.2 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.24" policies.kyverno.io/description: >- 
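Review bot: After this hunk disallow-secrets-from-env-vars.yaml carries no Kyverno version information at all: the `kyverno.io/kyverno-version` line is removed and, unlike the neighbouring disallow-all-secrets.yaml and ensure-readonly-hostpath.yaml hunks, there is no `policies.kyverno.io/minversion` line in the visible annotations (subject is followed directly by description). Add `policies.kyverno.io/minversion: <verified-floor>` next to the subject line, using the same floor the sibling EKS policies declare, so that this policy's compatibility stays documented in the same place as the rest of the set.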
@@ -19,7 +18,7 @@ metadata: the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-node-daemonset-irsa diff --git a/eks-best-practices/require-base-image.yaml b/eks-best-practices/require-base-image.yaml index 8c3e9ca9..b32421b2 100644 --- a/eks-best-practices/require-base-image.yaml +++ b/eks-best-practices/require-base-image.yaml @@ -6,7 +6,6 @@ metadata: policies.kyverno.io/title: Check Image Base policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.7.0 policies.kyverno.io/minversion: 1.7.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod @@ -21,7 +20,7 @@ metadata: to specify it using metadata or build directives of some sort (ex., Dockerfile FROM statements do not automatically expose this information). spec: - validationFailureAction: audit + validationFailureAction: Audit rules: - name: require-base-image match: diff --git a/eks-best-practices/restrict-adding-capabilities.yaml b/eks-best-practices/restrict-adding-capabilities.yaml index 985d8af2..b7216626 100644 --- a/eks-best-practices/restrict-adding-capabilities.yaml +++ b/eks-best-practices/restrict-adding-capabilities.yaml @@ -6,7 +6,6 @@ metadata: policies.kyverno.io/title: Restrict Adding Capabilities policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod 
@@ -18,7 +17,7 @@ metadata: ephemeralContainers, initContainers, and containers to ensure the only capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: allowed-capabilities diff --git a/eks-best-practices/restrict-wildcard-verbs.yaml b/eks-best-practices/restrict-wildcard-verbs.yaml index 94146f5b..d2f191e8 100644 --- a/eks-best-practices/restrict-wildcard-verbs.yaml +++ b/eks-best-practices/restrict-wildcard-verbs.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Role, ClusterRole, RBAC - kyverno.io/kyverno-version: 1.6.2 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/description: >- @@ -17,7 +16,7 @@ metadata: This policy blocks any Role or ClusterRole that contains a wildcard entry in the verbs list found in any rule. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: wildcard-verbs diff --git a/finops/Require limits_and_requests.yaml b/finops/Require limits_and_requests.yaml index a0a7305f..d5a4b192 100644 --- a/finops/Require limits_and_requests.yaml +++ b/finops/Require limits_and_requests.yaml @@ -16,7 +16,7 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: validate-resources diff --git a/finops/disallow_service_type_loadBalancer.yaml b/finops/disallow_service_type_loadBalancer.yaml index d8709974..4eef2c02 100644 --- a/finops/disallow_service_type_loadBalancer.yaml +++ b/finops/disallow_service_type_loadBalancer.yaml 
@@ -15,7 +15,7 @@ metadata: overrun established budgets and security practices set by the organization. This policy restricts use of the Service type LoadBalancer. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: no-LoadBalancer diff --git a/finops/namespace_inventory_check.yaml b/finops/namespace_inventory_check.yaml index 1bfe54c0..760441f7 100644 --- a/finops/namespace_inventory_check.yaml +++ b/finops/namespace_inventory_check.yaml @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: FinOps policies.kyverno.io/severity: medium policies.kyverno.io/subject: Namespace - kyverno.io/kyverno-version: 1.9.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.9.0 kyverno.io/kubernetes-version: "1.24" policies.kyverno.io/description: >- diff --git a/finops/prevent_orphan_pods.yaml b/finops/prevent_orphan_pods.yaml index 83e171a9..f289152b 100644 --- a/finops/prevent_orphan_pods.yaml +++ b/finops/prevent_orphan_pods.yaml @@ -7,7 +7,7 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: FinOps policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.7.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Pod @@ -17,7 +17,7 @@ metadata: This policy prevents such "naked" Pods from being created unless they originate from a higher-level workload controller of some sort. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: naked-pods diff --git a/finops/restrict_scale.yaml b/finops/restrict_scale.yaml index c8d38b45..f4daf332 100644 --- a/finops/restrict_scale.yaml +++ b/finops/restrict_scale.yaml 
@@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Restrict Scale policies.kyverno.io/category: FinOps policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.9.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.9.0 kyverno.io/kubernetes-version: "1.24" policies.kyverno.io/subject: Deployment @@ -18,7 +18,7 @@ metadata: of rules which can be used to limit the replica count both upon creation of a Deployment and when a scale operation is performed. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: # This rule can be used to limit scale operations based upon Deployment labels assuming the given label diff --git a/finops/scale_deployment_to_zero.yaml b/finops/scale_deployment_to_zero.yaml index 7c28100a..c63f0366 100644 --- a/finops/scale_deployment_to_zero.yaml +++ b/finops/scale_deployment_to_zero.yaml @@ -7,7 +7,7 @@ metadata: policies.kyverno.io/category: FinOps policies.kyverno.io/severity: medium policies.kyverno.io/subject: Deployment - kyverno.io/kyverno-version: 1.7.0 + kyverno.io/kyverno-version: 1.10.0 policies.kyverno.io/minversion: 1.7.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/description: >- diff --git a/multitenancy/add-network-policy.yaml b/multitenancy/add-network-policy.yaml index e48f82b2..2f5bf855 100644 --- a/multitenancy/add-network-policy.yaml +++ b/multitenancy/add-network-policy.yaml @@ -21,6 +21,7 @@ spec: - "Namespace" name: "*" generate: + apiVersion: networking.k8s.io/v1 kind: "NetworkPolicy" name: "default-deny" namespace: "{{request.object.metadata.name}}" diff --git a/multitenancy/add-roles.yaml b/multitenancy/add-roles.yaml index 18d495d1..67957043 100644 --- a/multitenancy/add-roles.yaml +++ b/multitenancy/add-roles.yaml @@ -36,6 +36,7 @@ spec: operator: NotEquals value: "" generate: + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}" data: 
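Review bot: The ClusterRole generated in the add-roles.yaml hunk is named `"ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}"`, interpolating the requesting username verbatim, and the ClusterRoleBinding and RoleBinding hunks that follow do the same; the new `apiVersion` line makes the generate request well-formed but does not address this. Usernames from external identity providers commonly contain `@`, `:` or upper-case characters that are not valid in a Kubernetes object name, so for such a requester the generate call is presumably rejected by the API server and the namespace owner silently ends up with no role, since a generate rule gives the requester no admission feedback. Consider normalising the value with Kyverno's string filters (lower-casing and replacing disallowed characters, and bounding the length) before it enters the name, and adding a kuttl case whose requester username carries such a character so the failure mode is covered by the new e2e tests. The enclosing rule and the policy's preconditions start outside the hunk.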
@@ -64,6 +65,7 @@ spec: operator: NotEquals value: "" generate: + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding" data: @@ -94,6 +96,7 @@ spec: operator: NotEquals value: "" generate: + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding name: "ns-admin-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding" namespace: "{{request.object.metadata.name}}" @@ -108,4 +111,4 @@ spec: subjects: - kind: ServiceAccount name: "{{serviceAccountName}}" - namespace: "{{serviceAccountNamespace}}" \ No newline at end of file + namespace: "{{serviceAccountNamespace}}" diff --git a/pci-dss/require-network-policy.yaml b/pci-dss/require-network-policy.yaml index c97fd67d..a96e2d24 100644 --- a/pci-dss/require-network-policy.yaml +++ b/pci-dss/require-network-policy.yaml @@ -6,7 +6,7 @@ metadata: policies.kyverno.io/title: Require NetworkPolicy policies.kyverno.io/category: PCI DSS Compliance policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kyverno-version: 1.6.2 + kyverno.io/kyverno-version: 1.10.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/subject: Deployment, NetworkPolicy policies.kyverno.io/description: >- @@ -15,7 +15,7 @@ metadata: traffic. This policy checks incoming Deployments to ensure they have a matching, preexisting NetworkPolicy. spec: - validationFailureAction: audit + validationFailureAction: Audit background: false rules: - name: require-network-policy diff --git a/pci-dss/restrict-basic-auth-secret.yaml b/pci-dss/restrict-basic-auth-secret.yaml index 519a7204..ad27f12b 100644 --- a/pci-dss/restrict-basic-auth-secret.yaml +++ b/pci-dss/restrict-basic-auth-secret.yaml @@ -13,7 +13,7 @@ metadata: Namespaces so Pods there have access. This policy will check for the username and password present in a secret. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-secrets 
diff --git a/permit-dns/permit-dns.yaml b/permit-dns/permit-dns.yaml
index aea1fdfb..9be2d3b1 100644
--- a/permit-dns/permit-dns.yaml
+++ b/permit-dns/permit-dns.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: add-allow-dns-access
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 rules:
 - name: default-allow-dns-access
 match:
@@ -11,6 +11,7 @@ spec:
 kinds:
 - Namespace
 generate:
+ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 name: allow-dns-access
 namespace: "{{request.object.metadata.name}}"
diff --git a/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml b/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
index 533adebe..2bcbda72 100644
--- a/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
+++ b/pod-security/baseline/disallow-capabilities/disallow-capabilities.yaml
@@ -6,7 +6,6 @@ metadata:
 policies.kyverno.io/title: Disallow Capabilities
 policies.kyverno.io/category: Pod Security Standards (Baseline)
 policies.kyverno.io/severity: medium
- kyverno.io/kyverno-version: 1.6.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.kyverno.io/subject: Pod
@@ -14,7 +13,7 @@ metadata:
 policies.kyverno.io/description: >-
 Any additional capabilities not mentioned in the allowed list, which includes AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT, are prohibited and not permitted.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: adding-capabilities
diff --git a/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml b/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
index 1cdb576c..049ff583 100644
--- a/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
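Review bot: `validationFailureAction: Audit` in the permit-dns.yaml hunk governs validate rules only, and the sole rule visible in this policy (`default-allow-dns-access`) is a `generate` rule, so the field is inert; re-casing it keeps it inert rather than making it meaningful. Either drop the line or annotate it with `# no validate rules in this policy; kept only for schema consistency` so a reader does not assume the policy audits anything. The first hunk also shows that `metadata` holds only `name`: this policy carries none of the `policies.kyverno.io/title`, `category`, `severity` or `minversion` annotations that every other policy in the patch declares, which leaves it out of any annotation-driven catalogue or version check and is worth adding in the same pass.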
@@ -6,7 +6,6 @@ metadata: policies.kyverno.io/title: Disallow Host Namespaces policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.kyverno.io/subject: Pod policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/" @@ -16,7 +15,7 @@ metadata: privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: host-namespaces diff --git a/pod-security/baseline/disallow-host-path/disallow-host-path.yaml b/pod-security/baseline/disallow-host-path/disallow-host-path.yaml index d0f11bc3..46e4b736 100644 --- a/pod-security/baseline/disallow-host-path/disallow-host-path.yaml +++ b/pod-security/baseline/disallow-host-path/disallow-host-path.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod,Volume - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-path/" policies.kyverno.io/description: >- @@ -15,7 +14,7 @@ metadata: Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: host-path diff --git a/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml index d3a4a518..f326d7db 100644 --- a/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml 
+++ b/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-ports/" policies.kyverno.io/description: >- @@ -16,7 +15,7 @@ metadata: , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort field is unset or set to `0`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: host-ports-none diff --git a/pod-security/baseline/disallow-host-process/disallow-host-process.yaml b/pod-security/baseline/disallow-host-process/disallow-host-process.yaml index 6054a8d4..82c4479b 100644 --- a/pod-security/baseline/disallow-host-process/disallow-host-process.yaml +++ b/pod-security/baseline/disallow-host-process/disallow-host-process.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-process/" policies.kyverno.io/description: >- 
@@ -16,7 +15,7 @@ metadata: policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures fields spec.securityContext.windowsOptions.hostProcess, spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to `false`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: host-process-containers diff --git a/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml b/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml index 842d7a9d..59554d05 100644 --- a/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml +++ b/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml @@ -7,14 +7,13 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-privileged-containers/" policies.kyverno.io/description: >- Privileged mode disables most security mechanisms and must not be allowed. This policy ensures the fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: privileged-containers diff --git a/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml b/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml index d693da53..b77d6fdf 100644 --- a/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml 
+++ b/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-proc-mount/" policies.kyverno.io/description: >- @@ -18,7 +17,7 @@ metadata: to deviate from the `Default` procMount requires setting a feature gate at the API server. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-proc-mount diff --git a/pod-security/baseline/disallow-selinux/disallow-selinux.yaml b/pod-security/baseline/disallow-selinux/disallow-selinux.yaml index 7a6a7f00..97cee2a8 100644 --- a/pod-security/baseline/disallow-selinux/disallow-selinux.yaml +++ b/pod-security/baseline/disallow-selinux/disallow-selinux.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-selinux/" policies.kyverno.io/description: >- @@ -15,7 +14,7 @@ metadata: spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type, spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t). spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: selinux-type 
diff --git a/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml b/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml index ea27affe..39ba7b87 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/restrict-apparmor-profiles.yaml @@ -8,7 +8,6 @@ metadata: policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod, Annotation policies.kyverno.io/minversion: 1.3.0 - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-apparmor-profiles/" policies.kyverno.io/description: >- @@ -17,7 +16,7 @@ metadata: overrides to an allowed set of profiles. This policy ensures Pods do not specify any other AppArmor profiles than `runtime/default` or `localhost/*`. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: app-armor diff --git a/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml b/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml index b14664db..da9d8719 100644 --- a/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml +++ b/pod-security/baseline/restrict-seccomp/restrict-seccomp.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-seccomp/" policies.kyverno.io/description: >- @@ -20,7 +19,7 @@ metadata: must be unset or set to `RuntimeDefault` or `Localhost`. spec: background: true - validationFailureAction: audit + validationFailureAction: Audit rules: - name: check-seccomp match: 
diff --git a/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml b/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml index 8d8762b9..012546ab 100644 --- a/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml +++ b/pod-security/baseline/restrict-sysctls/restrict-sysctls.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Baseline) policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/baseline/restrict-sysctls/" policies.kyverno.io/description: >- @@ -21,7 +20,7 @@ metadata: net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and net.ipv4.ping_group_range. spec: - validationFailureAction: audit + validationFailureAction: Audit background: true rules: - name: check-sysctls diff --git a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml index e73743be..07962530 100644 --- a/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/disallow-capabilities-strict.yaml @@ -7,7 +7,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Restricted) policies.kyverno.io/severity: medium policies.kyverno.io/minversion: 1.6.0 - kyverno.io/kyverno-version: 1.6.0 kyverno.io/kubernetes-version: "1.22-1.23" policies.kyverno.io/subject: Pod policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/restricted/disallow-capabilities-strict/" 
@@ -15,7 +14,7 @@ metadata:
 Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: require-drop-all
diff --git a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
index 36b66d1c..572e9a02 100644
--- a/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/restricted/disallow-privilege-escalation/"
 policies.kyverno.io/description: >-
@@ -18,7 +17,7 @@ metadata:
 and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation is set to `false`.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: privilege-escalation
diff --git a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
index b4cf0e4d..64164a73 100644
--- a/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root-user/"
 policies.kyverno.io/description: >-
@@ -17,7 +16,7 @@ metadata:
 and spec.ephemeralContainers[*].securityContext.runAsUser is either unset or set to a number greater than zero.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: run-as-non-root-user
diff --git a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
index 4c155cba..ec351780 100644
--- a/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
+++ b/pod-security/restricted/require-run-as-nonroot/require-run-as-nonroot.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/restricted/require-run-as-non-root/"
 policies.kyverno.io/description: >-
@@ -18,7 +17,7 @@ metadata:
 is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: run-as-non-root
diff --git a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
index 826a0b07..a0ef9cf3 100644
--- a/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
+++ b/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: Pod Security Standards (Restricted)
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
- kyverno.io/kyverno-version: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-seccomp-strict/"
 policies.kyverno.io/description: >-
@@ -22,7 +21,7 @@ metadata:
 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
 background: true
- validationFailureAction: audit
+ validationFailureAction: Audit
 rules:
 - name: check-seccomp-strict
 match:
diff --git a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
index 60cdd94c..79cdf1cd 100644
--- a/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
+++ b/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
@@ -9,7 +9,6 @@ metadata:
 policies.kyverno.io/subject: Pod,Volume
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
- kyverno.io/kyverno-version: 1.6.0
 policies.nirmata.io/remediation: "https://docs.nirmata.io/policysets/podsecurity/restricted/restrict-volume-types/"
 policies.kyverno.io/description: >-
 In addition to restricting HostPath volumes, the restricted pod security profile
@@ -17,7 +16,7 @@ metadata:
 This policy blocks any other type of volume other than those in the allow list (configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret).
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: restricted-volumes
diff --git a/rbac-best-practices/disable-automount-sa-token/disable-automount-sa-token.yaml b/rbac-best-practices/disable-automount-sa-token/disable-automount-sa-token.yaml
index e8519034..e5e96313 100644
--- a/rbac-best-practices/disable-automount-sa-token/disable-automount-sa-token.yaml
+++ b/rbac-best-practices/disable-automount-sa-token/disable-automount-sa-token.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: RBAC Best Practices
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: ServiceAccount
- kyverno.io/kyverno-version: 1.6.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.21"
 policies.kyverno.io/description: >-
diff --git a/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml b/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
index 757bb9a1..0c8bd6fa 100644
--- a/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
+++ b/rbac-best-practices/restrict-automount-sa-token/restrict-automount-sa-token.yaml
@@ -15,7 +15,7 @@ metadata:
 be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: validate-automountServiceAccountToken
diff --git a/rbac-best-practices/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/rbac-best-practices/restrict-binding-system-groups/restrict-binding-system-groups.yaml
index 8d4a9c97..e68b1977 100644
--- a/rbac-best-practices/restrict-binding-system-groups/restrict-binding-system-groups.yaml
+++ b/rbac-best-practices/restrict-binding-system-groups/restrict-binding-system-groups.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: RBAC Best Practices
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
- kyverno.io/kyverno-version: 1.8.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -15,7 +14,7 @@ metadata:
 are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings for system:masters group.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: restrict-masters
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
index 78f14983..019302c4 100644
--- a/rbac-best-practices/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: RBAC Best Practices
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.7.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -18,7 +17,7 @@ metadata:
 for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: clusterrole-nodesproxy
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
index 6baa1da7..99314f7c 100644
--- a/rbac-best-practices/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
+++ b/rbac-best-practices/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: RBAC Best Practices
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.6.2
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -15,7 +14,7 @@ metadata:
 privilege escalation and should be tightly controlled. This policy prevents use of these verbs in Role or ClusterRole resources.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: escalate
diff --git a/rbac-best-practices/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/rbac-best-practices/restrict-wildcard-resources/restrict-wildcard-resources.yaml
index fc4d00d1..5b3b88f8 100644
--- a/rbac-best-practices/restrict-wildcard-resources/restrict-wildcard-resources.yaml
+++ b/rbac-best-practices/restrict-wildcard-resources/restrict-wildcard-resources.yaml
@@ -7,7 +7,6 @@ metadata:
 policies.kyverno.io/category: RBAC Best Practices
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: ClusterRole, Role, RBAC
- kyverno.io/kyverno-version: 1.7.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -17,7 +16,7 @@ metadata:
 This policy blocks any Role or ClusterRole that contains a wildcard entry in the resources list found in any rule.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: wildcard-resources
diff --git a/workload-security/disallow-custom-snippets.yaml b/workload-security/disallow-custom-snippets.yaml
index b2181cd9..5ddf0c2c 100644
--- a/workload-security/disallow-custom-snippets.yaml
+++ b/workload-security/disallow-custom-snippets.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/subject: ConfigMap, Ingress
 policies.kyverno.io/minversion: "1.6.0"
- kyverno.io/kyverno-version: "1.6.0"
+ kyverno.io/kyverno-version: 1.10.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
 Users that can create or update ingress objects can use the custom snippets
@@ -16,7 +16,7 @@ metadata:
 blocks *-snippet annotations on an Ingress. See: https://github.com/kubernetes/ingress-nginx/issues/7837
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 rules:
 - name: check-config-map
 match:
diff --git a/workload-security/disallow-security-context-constraint-anyuid.yaml b/workload-security/disallow-security-context-constraint-anyuid.yaml
index ef86e40f..073cde3c 100644
--- a/workload-security/disallow-security-context-constraint-anyuid.yaml
+++ b/workload-security/disallow-security-context-constraint-anyuid.yaml
@@ -6,14 +6,14 @@ metadata:
 policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: high
- kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.20"
 policies.kyverno.io/subject: Role,ClusterRole,RBAC
 policies.kyverno.io/description: >-
 Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: check-security-context-constraint
diff --git a/workload-security/restrict-annotations.yaml b/workload-security/restrict-annotations.yaml
index 3a0e55ed..8152d07f 100644
--- a/workload-security/restrict-annotations.yaml
+++ b/workload-security/restrict-annotations.yaml
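Review bot: The replacement line in disallow-custom-snippets drops the quotes the removed line had, leaving `kyverno.io/kyverno-version: 1.10.0` unquoted next to `policies.kyverno.io/minversion: "1.6.0"` in the same annotation block; restrict-annotations and restrict-path on the following lines make the same swap. `1.10.0` still reads as a string in the YAML parsers Kubernetes and Kyverno use, but a two-component edit such as `1.10` would be taken as the float `1.1` by a YAML 1.1 parser, which is not a valid annotation value, so the version-string convention these files already follow is worth keeping: `kyverno.io/kyverno-version: "1.10.0"`. The remaining workload-security hunks (restrict-binding-clusteradmin onward) also leave the new value unquoted, though there the old value was unquoted as well.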
@@ -8,7 +8,7 @@ metadata:
 policies.kyverno.io/severity: high
 policies.kyverno.io/subject: Ingress
 policies.kyverno.io/minversion: "1.6.0"
- kyverno.io/kyverno-version: "1.6.0"
+ kyverno.io/kyverno-version: 1.10.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
 This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
@@ -17,7 +17,7 @@ metadata:
 "annotation-value-word-blocklist" configuration setting is also recommended. Please refer to the CVE for details.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 rules:
 - name: check-ingress
 match:
diff --git a/workload-security/restrict-binding-clusteradmin.yaml b/workload-security/restrict-binding-clusteradmin.yaml
index 14bd3c7a..0a6d9145 100644
--- a/workload-security/restrict-binding-clusteradmin.yaml
+++ b/workload-security/restrict-binding-clusteradmin.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
- kyverno.io/kyverno-version: 1.6.2
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -16,7 +16,7 @@ metadata:
 policy prevents binding to the cluster-admin ClusterRole in RoleBinding or ClusterRoleBinding resources.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: clusteradmin-bindings
diff --git a/workload-security/restrict-binding-system-groups.yaml b/workload-security/restrict-binding-system-groups.yaml
index 13ba96b3..2fdd197e 100644
--- a/workload-security/restrict-binding-system-groups.yaml
+++ b/workload-security/restrict-binding-system-groups.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
- kyverno.io/kyverno-version: 1.8.0
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -16,7 +16,7 @@ metadata:
 for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: restrict-anonymous
diff --git a/workload-security/restrict-edit-for-endpoints.yaml b/workload-security/restrict-edit-for-endpoints.yaml
index 0a005b6d..39710734 100644
--- a/workload-security/restrict-edit-for-endpoints.yaml
+++ b/workload-security/restrict-edit-for-endpoints.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: low
 policies.kyverno.io/subject: ClusterRole
- kyverno.io/kyverno-version: 1.9.0
+ kyverno.io/kyverno-version: 1.10.0
 kyverno.io/kubernetes-version: "1.24"
 policies.kyverno.io/description: >-
 Clusters not initially installed with Kubernetes 1.22 may be vulnerable to an issue
@@ -18,7 +18,7 @@ metadata:
 to CVE-2021-25740 by ensuring the system:aggregate-to-edit ClusterRole does not have the edit permission of Endpoints.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: system-aggregate-to-edit-check
diff --git a/workload-security/restrict-escalation-verbs-roles.yaml b/workload-security/restrict-escalation-verbs-roles.yaml
index e44022f4..618ea53f 100644
--- a/workload-security/restrict-escalation-verbs-roles.yaml
+++ b/workload-security/restrict-escalation-verbs-roles.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.6.2
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -15,7 +15,7 @@ metadata:
 privilege escalation and should be tightly controlled. This policy prevents use of these verbs in Role or ClusterRole resources.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: escalate
diff --git a/workload-security/restrict-path.yaml b/workload-security/restrict-path.yaml
index e38a2ea7..a776a91f 100644
--- a/workload-security/restrict-path.yaml
+++ b/workload-security/restrict-path.yaml
@@ -8,14 +8,14 @@ metadata:
 policies.kyverno.io/severity: high
 policies.kyverno.io/subject: Ingress
 policies.kyverno.io/minversion: "1.6.0"
- kyverno.io/kyverno-version: "1.6.0"
+ kyverno.io/kyverno-version: 1.10.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
 This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values. Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. Please refer to the CVE for details.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 rules:
 - name: check-paths
 match:
diff --git a/workload-security/restrict-secret-role-verbs.yaml b/workload-security/restrict-secret-role-verbs.yaml
index 3ec3b39f..e11acf57 100644
--- a/workload-security/restrict-secret-role-verbs.yaml
+++ b/workload-security/restrict-secret-role-verbs.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.6.2
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -18,7 +18,7 @@ metadata:
 also prevents use of the wildcard ('*') in the verbs list either when explicitly naming Secrets or when also using a wildcard in the base API group.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: secret-verbs
diff --git a/workload-security/restrict-wildcard-resources.yaml b/workload-security/restrict-wildcard-resources.yaml
index 26169fe4..f622b0f8 100644
--- a/workload-security/restrict-wildcard-resources.yaml
+++ b/workload-security/restrict-wildcard-resources.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: ClusterRole, Role, RBAC
- kyverno.io/kyverno-version: 1.7.0
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -17,7 +17,7 @@ metadata:
 This policy blocks any Role or ClusterRole that contains a wildcard entry in the resources list found in any rule.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: wildcard-resources
diff --git a/workload-security/restrict-wildcard-verbs.yaml b/workload-security/restrict-wildcard-verbs.yaml
index b57f702a..ce46af91 100644
--- a/workload-security/restrict-wildcard-verbs.yaml
+++ b/workload-security/restrict-wildcard-verbs.yaml
@@ -7,7 +7,7 @@ metadata:
 policies.kyverno.io/category: Workload Security
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Role, ClusterRole, RBAC
- kyverno.io/kyverno-version: 1.6.2
+ kyverno.io/kyverno-version: 1.10.0
 policies.kyverno.io/minversion: 1.6.0
 kyverno.io/kubernetes-version: "1.23"
 policies.kyverno.io/description: >-
@@ -17,7 +17,7 @@ metadata:
 This policy blocks any Role or ClusterRole that contains a wildcard entry in the verbs list found in any rule.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: wildcard-verbs