Merge pull request #1247 from chipzoller/main

Create sample policies for labels

samples/AddDefaultNetworkPolicy.md

@@ -22,11 +22,12 @@ spec:
         - Namespace
         name: "*"
     exclude:
-      namespaces:
-        - "kube-system"
-        - "default"
-        - "kube-public"
-        - "kyverno"
+      resources:
+        namespaces:
+          - "kube-system"
+          - "default"
+          - "kube-public"
+          - "kyverno"
     generate:
       kind: NetworkPolicy
       name: default-deny-ingress

samples/README.md

@@ -1,6 +1,6 @@
 # Sample Policies
 
-Sample policies are designed to be applied to your Kubernetes clusters with minimal changes. 
+Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.
 
 The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy complaince.
 
@@ -9,45 +9,49 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work
 These policies are highly recommended.
 
 1. [Disallow root user](DisallowRootUser.md)
-2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
-3. [Disallow new capabilities](DisallowNewCapabilities.md)
-4. [Disallow kernel parameter changes](DisallowSysctls.md)
-5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md)
-6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
-7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
-8. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
-9. [Disallow use of default namespace](DisallowDefaultNamespace.md)
-10. [Disallow latest image tag](DisallowLatestTag.md)
-11. [Disallow Helm Tiller](DisallowHelmTiller.md)
-12. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
-13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-15. [Add default network policy](AddDefaultNetworkPolicy.md)
-16. [Add namespace quotas](AddNamespaceQuotas.md)
-17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
+1. [Disallow privileged containers](DisallowPrivilegedContainers.md)
+1. [Disallow new capabilities](DisallowNewCapabilities.md)
+1. [Disallow kernel parameter changes](DisallowSysctls.md)
+1. [Disallow use of bind mounts (`hostPath` volumes)](DisallowBindMounts.md)
+1. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
+1. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)
+1. [Disallow `hostPID` and `hostIPC`](DisallowHostPIDIPC.md)
+1. [Disallow use of default namespace](DisallowDefaultNamespace.md)
+1. [Disallow latest image tag](DisallowLatestTag.md)
+1. [Disallow Helm Tiller](DisallowHelmTiller.md)
+1. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
+1. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+1. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+1. [Add default network policy](AddDefaultNetworkPolicy.md)
+1. [Add namespace quotas](AddNamespaceQuotas.md)
+1. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
 
 ## Additional Policies
 
-These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments. 
+These policies provide additional best practices and are worthy of close consideration. These policies may require specific changes for your workloads and environments.
 
-17. [Restrict image registries](RestrictImageRegistries.md)
-18. [Restrict `NodePort` services](RestrictNodePort.md)
-19. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
-20. [Restrict ingress classes](RestrictIngressClasses.md)
-21. [Restrict User Group](CheckUserGroup.md)
+1. [Restrict image registries](RestrictImageRegistries.md)
+1. [Restrict `NodePort` services](RestrictNodePort.md)
+1. [Restrict auto-mount of service account credentials](RestrictAutomountSAToken.md)
+1. [Restrict ingress classes](RestrictIngressClasses.md)
+1. [Restrict User Group](CheckUserGroup.md)
+1. [Require pods are labeled](RequireLabels.md)
+1. [Require pods have certain labels](RequireCertainLabels.md)
+1. [Require Deployments have multiple replicas](RequireDeploymentsHaveReplicas.md)
 
 ## Applying the sample policies
 
 To apply these policies to your cluster, install Kyverno and import the policies as follows:
 
-**Install Kyverno**
+### Install Kyverno**
 
 ````sh
-kubectl create -f https://github.com/kyverno/kyverno/raw/master/definitions/install.yaml
+kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
 ````
+
 <small>[(installation docs)](../documentation/installation.md)</small>
 
-**Apply Kyverno Policies**
+### Apply Kyverno Policies**
 
 To start applying policies to your cluster, first clone the repo:
 
@@ -56,15 +60,14 @@ git clone https://github.com/kyverno/kyverno.git
 cd kyverno
 ````
 
-Import best_practices from [here](best_pratices):
+Import best practices from [here](best_pratices):
 
 ````bash
 kubectl create -f samples/best_practices
 ````
 
-Import addition policies from [here](more):
+Import additional policies from [here](more):
 
 ````bash
 kubectl create -f samples/more/
 ````
-

samples/RequireCertainLabels.md

@@ -0,0 +1,31 @@
+# Require certain labels
+
+In many cases, you may require that at least a certain number of labels are assigned to each Pod from a select list of approved labels. This sample policy demonstrates the [`anyPattern`](https://kyverno.io/docs/writing-policies/validate/#anypattern---logical-or-across-multiple-validation-patterns) option in a policy by requiring any of the two possible labels defined within. A pod must either have the label `app.kubernetes.io/name` or `app.kubernetes.io/component` defined.
+
+## Policy YAML
+
+[require_certain_labels.yaml](best_practices/require_certain_labels.yaml)
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-certain-labels
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: validate-certain-labels
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required."
+      anyPattern:
+      - metadata:
+          labels:
+            app.kubernetes.io/name: "?*"
+      - metadata:
+          labels:
+            app.kubernetes.io/component: "?*"
+```

samples/RequireDeploymentsHaveReplicas.md

@@ -0,0 +1,40 @@
+# Require deployments have multiple replicas
+
+Deployments with only a single replica produce availability concerns should that single replica fail. In most cases, you would want Deployment objects to have more than one replica to ensure continued availability if not scale.
+
+This sample policy requires that Deployments have more than one replica excluding a list of system namespaces.
+
+## More Information
+
+* [Kubernetes Deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/)
+
+## Policy YAML
+
+[require_deployments_have_multiple_replicas.yaml](more/require_deployments_have_multiple_replicas.yaml)
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deployment-has-multiple-replicas
+spec:
+  validationFailureAction: audit
+  rules:
+    - name: deployment-has-multiple-replicas
+      match:
+        resources:
+          kinds:
+            - Deployment
+      exclude:
+        resources:
+          namespaces:
+          - kyverno
+          - kube-system
+          - kube-node-lease
+          - kube-public
+      validate:
+        message: "Deployments must have more than one replica to ensure availability."
+        pattern:
+          spec:
+            replicas: ">1"
+```

samples/RequireLabels.md

@@ -0,0 +1,34 @@
+# Require labels
+
+Labels are a fundamental and important way to assign descriptive metadata to Kubernetes resources, especially Pods. Labels are especially important as the number of applications grow and are composed in different ways.
+
+This sample policy requires that the label `app.kubernetes.io/name` be defined on all Pods. If you wish to require that all Pods have multiple labels defined (as opposed to [any labels from an approved list](RequireCertainLabels.md)), this policy can be altered by adding an additional rule block which checks for a second (or third, etc.) label name.
+
+## More Information
+
+* [Common labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/)
+
+## Policy YAML
+
+[require_labels.yaml](best_practices/require_labels.yaml)
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: check-for-labels
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The label `app.kubernetes.io/name` is required."
+      pattern:
+        metadata:
+          labels:
+            app.kubernetes.io/name: "?*"
+```

samples/best_practices/require_certain_labels.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-certain-labels
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: validate-certain-labels
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The label `app.kubernetes.io/name` or `app.kubernetes.io/component` is required."
+      anyPattern:
+      - metadata:
+          labels:
+            app.kubernetes.io/name: "?*"
+      - metadata:
+          labels:
+            app.kubernetes.io/component: "?*"

samples/best_practices/require_labels.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: check-for-labels
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The label `app.kubernetes.io/name` is required."
+      pattern:
+        metadata:
+          labels:
+            app.kubernetes.io/name: "?*"

samples/more/require_deployments_have_multiple_replicas.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deployment-has-multiple-replicas
+spec:
+  validationFailureAction: audit
+  rules:
+    - name: deployment-has-multiple-replicas
+      match:
+        resources:
+          kinds:
+            - Deployment
+      exclude:
+        resources:
+          namespaces:
+          - kyverno
+          - kube-system
+          - kube-node-lease
+          - kube-public
+      validate:
+        message: "Deployments must have more than one replica to ensure availability."
+        pattern:
+          spec:
+            replicas: ">1"