add policies

content/en/policies/best-practices/disallow_cri_sock_mount.md

@@ -0,0 +1,64 @@
+---
+type: "docs"
+title: Disallow CRI socket mounts
+linkTitle: Disallow CRI socket mounts
+weight: 4
+description: >
+    Container daemon socket bind mounts allows access to the container engine on the  node. This access can be used for privilege escalation and to manage containers  outside of Kubernetes, and hence should not be allowed.  
+---
+
+## Policy Definition
+<a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow_cri_sock_mount.yaml" target="-blank">/best-practices/disallow_cri_sock_mount.yaml</a>
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-container-sock-mounts
+  annotations:
+    policies.kyverno.io/title: Disallow CRI socket mounts
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/description: >-
+      Container daemon socket bind mounts allows access to the container engine on the 
+      node. This access can be used for privilege escalation and to manage containers 
+      outside of Kubernetes, and hence should not be allowed.  
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: validate-docker-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the Docker Unix socket is not allowed."
+      pattern:
+        spec:
+          =(volumes):
+            - =(hostPath):
+                path: "!/var/run/docker.sock"
+  - name: validate-containerd-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the Containerd Unix socket is not allowed."
+      pattern:
+        spec:
+          =(volumes):
+            - =(hostPath):
+                path: "!/var/run/containerd.sock"
+  - name: validate-crio-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the CRI-O Unix socket is not allowed."
+      pattern:
+        spec:
+          =(volumes):
+            - =(hostPath):
+                path: "!/var/run/crio.sock"                
+```

content/en/policies/best-practices/require_drop_all.md

@@ -0,0 +1,52 @@
+---
+type: "docs"
+title: Drop-All-Capabilities
+linkTitle: Drop-All-Capabilities
+weight: 8
+description: >
+    Capabilities permit privileged actions without giving full root access. All  capabilities should be dropped from a pod, with only those required added back.
+---
+
+## Policy Definition
+<a href="https://github.com/kyverno/policies/raw/main//best-practices/require_drop_all.yaml" target="-blank">/best-practices/require_drop_all.yaml</a>
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: drop-all-capabilities
+  annotations:
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/description: >-
+      Capabilities permit privileged actions without giving full root access. All 
+      capabilities should be dropped from a pod, with only those required added back.
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: check-containers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "All capabilities should be dropped with only those required added back."
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              capabilities:
+                drop: ["ALL"]
+  - name: check-init-containers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "All capabilities should be dropped with only those required added back."
+      pattern:
+        spec:
+          initContainers:
+          - securityContext:
+              capabilities:
+                drop: ["ALL"]
+```

content/en/policies/best-practices/restrict-service-external-ips.md

@@ -0,0 +1,41 @@
+---
+type: "docs"
+title: Restrict External IPs
+linkTitle: Restrict External IPs
+weight: 13
+description: >
+    Service externalIPs can be used for a MITM attack (CVE-2020-8554). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367.
+---
+
+## Policy Definition
+<a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict-service-external-ips.yaml" target="-blank">/best-practices/restrict-service-external-ips.yaml</a>
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-external-ips
+  annotations:
+    policies.kyverno.io/title: Restrict External IPs
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/description: >-
+      Service externalIPs can be used for a MITM attack (CVE-2020-8554).
+      Restrict externalIPs or limit to a known set of addresses.
+      See: https://github.com/kyverno/kyverno/issues/1367.
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: check-ips
+    match:
+      resources:
+        kinds:
+        - Service
+    validate:
+      message: "externalIPs are not allowed."
+      pattern:
+        spec:
+          # restrict external IP addresses
+          # you can alternatively restrict to a known set of addresses using:
+          #     =(externalIPs): ["37.10.11.53", "153.10.20.1"]
+          X(externalIPs): nil
+```

content/en/policies/best-practices/restrict_image_registries.md

@@ -0,0 +1,37 @@
+---
+type: "docs"
+title: Restrict-Image-Registries
+linkTitle: Restrict-Image-Registries
+weight: 14
+description: >
+    Images from unknown registries may not be scanned and secured.  Requiring use of known registries helps reduce threat exposure.
+---
+
+## Policy Definition
+<a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict_image_registries.yaml" target="-blank">/best-practices/restrict_image_registries.yaml</a>
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-image-registries
+  annotations:
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/description: >-
+      Images from unknown registries may not be scanned and secured. 
+      Requiring use of known registries helps reduce threat exposure.
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: validate-registries
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Unknown image registry."
+      pattern:
+        spec:
+          containers:
+          - image: "k8s.gcr.io/* | gcr.io/*"
+```

content/en/policies/best-practices/restrict_node_port.md

@@ -0,0 +1,38 @@
+---
+type: "docs"
+title: Disallow Node Ports
+linkTitle: Disallow Node Ports
+weight: 15
+description: >
+    A Kubernetes service of type NodePort uses a host port to receive traffic from  any source. A 'NetworkPolicy' resource cannot be used to control traffic to host ports.  Although 'NodePort' services can be useful, their use must be limited to services  with additional upstream security checks.
+---
+
+## Policy Definition
+<a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict_node_port.yaml" target="-blank">/best-practices/restrict_node_port.yaml</a>
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-nodeport
+  annotations:
+    policies.kyverno.io/title: Disallow Node Ports
+    policies.kyverno.io/category: Best Practice
+    policies.kyverno.io/description: >-
+      A Kubernetes service of type NodePort uses a host port to receive traffic from 
+      any source. A 'NetworkPolicy' resource cannot be used to control traffic to host ports. 
+      Although 'NodePort' services can be useful, their use must be limited to services 
+      with additional upstream security checks.
+spec:
+  rules:
+  - name: validate-nodeport
+    match:
+      resources:
+        kinds:
+        - Service
+    validate:
+      message: "Services of type NodePort are not allowed."
+      pattern: 
+        spec:
+          type: "!NodePort"
+```