Commit ea1a485 (parent fa7e171)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 5 changed files with 232 additions and 0 deletions.
content/en/policies/best-practices/disallow_cri_sock_mount.md (64 additions & 0 deletions)
@@ -0,0 +1,64 @@ | ||
--- | ||
type: "docs" | ||
title: Disallow CRI socket mounts | ||
linkTitle: Disallow CRI socket mounts | ||
weight: 4 | ||
description: > | ||
Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. | ||
--- | ||
|
||
## Policy Definition | ||
<a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow_cri_sock_mount.yaml" target="-blank">/best-practices/disallow_cri_sock_mount.yaml</a> | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: disallow-container-sock-mounts | ||
annotations: | ||
policies.kyverno.io/title: Disallow CRI socket mounts | ||
policies.kyverno.io/category: Best Practices | ||
policies.kyverno.io/description: >- | ||
Container daemon socket bind mounts allows access to the container engine on the | ||
node. This access can be used for privilege escalation and to manage containers | ||
outside of Kubernetes, and hence should not be allowed. | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: validate-docker-sock-mount | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "Use of the Docker Unix socket is not allowed." | ||
pattern: | ||
spec: | ||
=(volumes): | ||
- =(hostPath): | ||
path: "!/var/run/docker.sock" | ||
- name: validate-containerd-sock-mount | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "Use of the Containerd Unix socket is not allowed." | ||
pattern: | ||
spec: | ||
=(volumes): | ||
- =(hostPath): | ||
path: "!/var/run/containerd.sock" | ||
- name: validate-crio-sock-mount | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "Use of the CRI-O Unix socket is not allowed." | ||
pattern: | ||
spec: | ||
=(volumes): | ||
- =(hostPath): | ||
path: "!/var/run/crio.sock" | ||
``` |
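Review bot: the three rules match only the exact literal paths `/var/run/docker.sock`, `/var/run/containerd.sock` and `/var/run/crio.sock`, so a `hostPath` that points at the enclosing directory (`/var/run` or `/run`) or at containerd's default socket location `/run/containerd/containerd.sock` is not flagged; either extend the patterns to those paths or state on the page that only the three literal paths are covered. `validationFailureAction: audit` also means a violating Pod is still admitted and only reported, which is at odds with the description's "should not be allowed"; switch to `enforce` or say in the page text that audit is the deliberate default for the best-practices set. Minor: `target="-blank"` in the `<a>` tag should be `target="_blank"`, and the raw URL has a doubled slash (`main//best-practices`).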
@@ -0,0 +1,52 @@ | ||
--- | ||
type: "docs" | ||
title: Drop-All-Capabilities | ||
linkTitle: Drop-All-Capabilities | ||
weight: 8 | ||
description: > | ||
Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a pod, with only those required added back. | ||
--- | ||
|
||
## Policy Definition | ||
<a href="https://github.com/kyverno/policies/raw/main//best-practices/require_drop_all.yaml" target="-blank">/best-practices/require_drop_all.yaml</a> | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: drop-all-capabilities | ||
annotations: | ||
policies.kyverno.io/category: Best Practices | ||
policies.kyverno.io/description: >- | ||
Capabilities permit privileged actions without giving full root access. All | ||
capabilities should be dropped from a pod, with only those required added back. | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: check-containers | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "All capabilities should be dropped with only those required added back." | ||
pattern: | ||
spec: | ||
containers: | ||
- securityContext: | ||
capabilities: | ||
drop: ["ALL"] | ||
- name: check-init-containers | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "All capabilities should be dropped with only those required added back." | ||
pattern: | ||
spec: | ||
initContainers: | ||
- securityContext: | ||
capabilities: | ||
drop: ["ALL"] | ||
``` |
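Review bot: the `policies.kyverno.io/title` annotation is missing here, while `disallow_cri_sock_mount.md` in this same commit sets it; add it so the generated page and the policy report carry the same title. The two rules cover `containers` and `initContainers` but not `ephemeralContainers`, which also run inside the Pod; a third rule with the same `drop: ["ALL"]` pattern would close that gap. Style: the title `Drop-All-Capabilities` is hyphenated unlike the other titles in this commit (`Disallow CRI socket mounts`, `Restrict External IPs`), and this file's header (path and line count) did not survive extraction, so the page does not say which `.md` this hunk belongs to.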
content/en/policies/best-practices/restrict-service-external-ips.md (41 additions & 0 deletions)
@@ -0,0 +1,41 @@ | ||
--- | ||
type: "docs" | ||
title: Restrict External IPs | ||
linkTitle: Restrict External IPs | ||
weight: 13 | ||
description: > | ||
Service externalIPs can be used for a MITM attack (CVE-2020-8554). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367. | ||
--- | ||
|
||
## Policy Definition | ||
<a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict-service-external-ips.yaml" target="-blank">/best-practices/restrict-service-external-ips.yaml</a> | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-external-ips | ||
annotations: | ||
policies.kyverno.io/title: Restrict External IPs | ||
policies.kyverno.io/category: Best Practices | ||
policies.kyverno.io/description: >- | ||
Service externalIPs can be used for a MITM attack (CVE-2020-8554). | ||
Restrict externalIPs or limit to a known set of addresses. | ||
See: https://github.com/kyverno/kyverno/issues/1367. | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: check-ips | ||
match: | ||
resources: | ||
kinds: | ||
- Service | ||
validate: | ||
message: "externalIPs are not allowed." | ||
pattern: | ||
spec: | ||
# restrict external IP addresses | ||
# you can alternatively restrict to a known set of addresses using: | ||
# =(externalIPs): ["37.10.11.53", "153.10.20.1"] | ||
X(externalIPs): nil | ||
``` |
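Review bot: the commented example `=(externalIPs): ["37.10.11.53", "153.10.20.1"]` uses what look like routable public addresses; documentation examples should use the RFC 5737 ranges (for example `192.0.2.0/24`) so that nobody copies real addresses into an allow-list. Because the description cites CVE-2020-8554, `validationFailureAction: audit` deserves an explicit remark on the page: in audit mode a Service carrying `externalIPs` is still created and only reported. The `# restrict external IP addresses` comment block sits inside `pattern:` and will be published verbatim in the YAML; the "known set of addresses" guidance reads better as page prose above the code block. Minor: `target="-blank"` should be `target="_blank"`.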
content/en/policies/best-practices/restrict_image_registries.md (37 additions & 0 deletions)
@@ -0,0 +1,37 @@ | ||
--- | ||
type: "docs" | ||
title: Restrict-Image-Registries | ||
linkTitle: Restrict-Image-Registries | ||
weight: 14 | ||
description: > | ||
Images from unknown registries may not be scanned and secured. Requiring use of known registries helps reduce threat exposure. | ||
--- | ||
|
||
## Policy Definition | ||
<a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict_image_registries.yaml" target="-blank">/best-practices/restrict_image_registries.yaml</a> | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-image-registries | ||
annotations: | ||
policies.kyverno.io/category: Best Practices | ||
policies.kyverno.io/description: >- | ||
Images from unknown registries may not be scanned and secured. | ||
Requiring use of known registries helps reduce threat exposure. | ||
spec: | ||
validationFailureAction: audit | ||
rules: | ||
- name: validate-registries | ||
match: | ||
resources: | ||
kinds: | ||
- Pod | ||
validate: | ||
message: "Unknown image registry." | ||
pattern: | ||
spec: | ||
containers: | ||
- image: "k8s.gcr.io/* | gcr.io/*" | ||
``` |
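Review bot: the pattern validates `spec.containers[].image` only, so `initContainers` are not checked against the registry allow-list, whereas `require_drop_all.md` in this commit carries a separate rule for them; add a matching `initContainers` rule here. The allowed registries `k8s.gcr.io/* | gcr.io/*` are hard-coded, so the page text should tell readers to replace them with their own trusted registries before applying the policy. The `policies.kyverno.io/title` annotation that the other policy pages set is also missing, and `target="-blank"` should be `target="_blank"`.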
@@ -0,0 +1,38 @@ | ||
--- | ||
type: "docs" | ||
title: Disallow Node Ports | ||
linkTitle: Disallow Node Ports | ||
weight: 15 | ||
description: > | ||
A Kubernetes service of type NodePort uses a host port to receive traffic from any source. A 'NetworkPolicy' resource cannot be used to control traffic to host ports. Although 'NodePort' services can be useful, their use must be limited to services with additional upstream security checks. | ||
--- | ||
|
||
## Policy Definition | ||
<a href="https://github.com/kyverno/policies/raw/main//best-practices/restrict_node_port.yaml" target="-blank">/best-practices/restrict_node_port.yaml</a> | ||
|
||
```yaml | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: restrict-nodeport | ||
annotations: | ||
policies.kyverno.io/title: Disallow Node Ports | ||
policies.kyverno.io/category: Best Practice | ||
policies.kyverno.io/description: >- | ||
A Kubernetes service of type NodePort uses a host port to receive traffic from | ||
any source. A 'NetworkPolicy' resource cannot be used to control traffic to host ports. | ||
Although 'NodePort' services can be useful, their use must be limited to services | ||
with additional upstream security checks. | ||
spec: | ||
rules: | ||
- name: validate-nodeport | ||
match: | ||
resources: | ||
kinds: | ||
- Service | ||
validate: | ||
message: "Services of type NodePort are not allowed." | ||
pattern: | ||
spec: | ||
type: "!NodePort" | ||
``` |
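Review bot: `spec:` has no `validationFailureAction`, whereas the other four policies in this commit set it explicitly to `audit`; set it here as well so the enforcement behaviour is visible to readers rather than relying on Kyverno's default. `policies.kyverno.io/category: Best Practice` is singular while the other files use `Best Practices`, which will split the policy listing into two categories. Naming: the page title `Disallow Node Ports`, the policy name `restrict-nodeport` and the file `restrict_node_port.yaml` disagree on disallow versus restrict; pick one. As in the other files, the `.md` header for this hunk was lost in extraction and `target="-blank"` should be `target="_blank"`.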