-
Notifications
You must be signed in to change notification settings - Fork 6
/
registries.yml
237 lines (212 loc) · 9.02 KB
/
registries.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
- path: https://github.com/open-policy-agent/contrib/api_authz/docker/policy
description: |
"HTTP API Authorization with OPA
This directory helps provide fine-grained, policy-based control over who can run which RESTful APIs."
maintainers:
- https://github.com/tsandall
version: master
homepage: http://www.openpolicyagent.org/docs/http-api-authorization
name: contrib.api_authz
labels:
- api
- authz
- path: https://github.com/open-policy-agent/contrib/cloud-foundry/policies
description: |
"This directory provides configuration policies and validators for you Cloud Foundry Deployments.
With the use of OPA, bundles of policies to be used with conftest for fitness function testing your platform.
OPA provides the policy rules as well as policy language rego. Conftest provides developers with local tooling to do static analysis of configuration files so that engineers can shift left on testing infrastructure as code.
Why you should care? Being able to test baseline values before attempting to deploy allows operators to fail fast. These policies along with these tools are used to help bridge that gap."
maintainers:
- https://github.com/tsandall
version: master
homepage: https://github.com/open-policy-agent/contrib
name: contrib.cloud-foundry
labels:
- cloud-foundry
- path: https://github.com/open-policy-agent/contrib/dart_authz/policies
description: |
"This repository shows how to integrate a service written in Dart with OPA to perform API authorization. It is a direct port of the OPA-Python example, with a few enhancements."
maintainers:
- https://github.com/tsandall
version: master
homepage: https://github.com/open-policy-agent/contrib
name: contrib.dart_authz
labels:
- dart
- authz
- path: https://github.com/open-policy-agent/contrib/image_enforcer/policies
description: |
"This directory shows how you can use OPA to enforce admission policies on container images in Kubernetes.
You can use this project to enforce simple admission policies on images such as:
Naming conventions
Version pinning (e.g., no latest)
Registry usage (e.g., production must use internal registry)
Using the openpolicyagent/clair-layer-sync image, you can also enforce more sophisticated policies based on image vulnerability scanning.
This directory contains the following:
Kubernetes manifests for deploying the image enforcer.
Steps to use the image enforcer.
Source for the openpolicyagent/clair-layer-sync Docker image.
"
maintainers:
- https://github.com/tsandall
version: master
homepage: https://github.com/open-policy-agent/contrib
name: contrib.image_enforcer
labels:
- image
- path: https://github.com/open-policy-agent/contrib/k8s_node_selector
description: |
"Cloud providers support the concept of agentpools or nodepools in a Kubernetes (Azure AKS, GCP and AWS). Each pool is a group of VMs with a specific spec/type. This allows a cluster to support, for example, both high memory VMs and GPU VMs. Workloads can then be scheduled onto these different VM types using nodeSelectors.
A nodeSelector provides controls around which nodes each pod gets scheduled on. Typically developers don't include nodeSelectors which means that an admin needs to write a mutating admission controller to tell k8s to automatically add them and assign the workload to the correct type of machine in the cluster.
In this example, we show how to use an OPA Policy to assign nodeSelectors to ensure that pods from different k8s namespaces run on different agentpools.
The policy looks at the namespace in which the pod is to be scheduled and checks for an agentpool label. If the namespace has a label set then a nodeselector is set to assign the pod to the agentpool."
maintainers:
- https://github.com/tsandall
version: master
homepage: https://github.com/open-policy-agent/contrib
name: contrib.k8s_node_selector
labels:
- kubernetes
- k8s
- node_selector
- path: https://github.com/open-policy-agent/contrib/puppet_example
description: |
"Puppet Authorization Example
This example shows how OPA can authorize changes to Puppet manifests.
"
maintainers:
- https://github.com/tsandall
version: master
homepage: https://github.com/open-policy-agent/contrib
name: contrib.puppet_example
labels:
- puppet
- path: https://github.com/crdant/cf-manifest-policy/policy
description: |
"A set of OPA policies to validate Cloud Foundry or Tanzu Application Service deployment manifests using Conftest.
Policies help you avoid obvious errors, e.g. no applications defined, and enforce best practices like running more than one instance. They can be used to validate your manifests during development or as part of your CI/CD pipeline."
maintainers:
- https://github.com/crdant
version: v0.0.4
homepage: https://github.com/crdant/cf-manifest-policy
name: cf-manifest-policy
labels:
- cloud-foundry
- tanzu
- TAS
- path: https://github.com/plexsystems/konstraint/examples
description: |
"a Rego library to assist with writing policies for Kubernetes resources.
sample policies and libraries helpful for use with gatekeeper
any-warn-deprecated-api-versions
container-deny-added-caps
container-deny-escalation
container-deny-latest-tag
container-deny-privileged
container-deny-without-resource-constraints
container-warn-no-ro-fs
lib
pod-deny-host-alias
pod-deny-host-ipc
pod-deny-host-network
pod-deny-host-pid
pod-deny-without-runasnonroot
psp-deny-added-caps
psp-deny-escalation
psp-deny-host-alias
psp-deny-host-ipc
psp-deny-host-network
psp-deny-host-pid
psp-deny-privileged
psp-warn-no-ro-fs
role-deny-use-privileged-psp
test-data
"
maintainers:
- https://github.com/garethahealy
version: v0.8.0
homepage: https://github.com/plexsystems/konstraint
name: konstraint
labels:
- k8s
- kubernetes
- gatekeeper
- path: https://github.com/redhat-cop/rego-policies/policy
description: |
"Rego policies collection.
Violations
Namespace has a NetworkPolicy
Namespace has a ResourceQuota
Common k8s labels are set
Container env has CONTAINER_MAX_MEMORY set
Container image is not set as latest
Container image is not from a known registry
Container does not set Java Xmx option
Label key is consistent
Container liveness and readiness probes are equal
Container liveness prob is not set
Container readiness prob is not set
Container resource limits CPU not set
Container resource limits memory not greater than
Container resource limits memory not set
Container resources limit memory has incorrect unit
Container resources requests cpu has incorrect unit
Container resource requests memory not greater than
Container secret not mounted as envs
Container volume mount path is consistent
Container volume mount not set
DeploymentConfig triggers not set
Pod hostnetwork not set
Pod replica below 1
Pod replica is not odd
RoleBinding has apiGroup set
RoleBinding has kind set
Route has TLS Termination Defined
BuildConfig no longer served by v1
DeploymentConfig no longer served by v1
ImageStream no longer served by v1
ProjectRequest no longer served by v1
RoleBinding no longer served by v1
Route no longer served by v1
SecurityContextConstraints no longer served by v1
Template no longer served by v1
BuildConfig exposeDockerSocket deprecated
authorization openshift io is deprecated
automationbroker io v1alpha1 is deprecated
operators coreos com v1 CatalogSourceConfigs is deprecated
operators coreos com v2 CatalogSourceConfigs is deprecated
operators coreos com v1 OperatorSource is deprecated
osb openshift io v1 is deprecated
servicecatalog k8s io v1beta1 is deprecated
BuildConfig jenkinsPipelineStrategy is deprecated
Deployment has a matching PodDisruptionBudget
Deployment has matching PersistentVolumeClaim
Deployment has a matching Service
Deployment has matching ServiceAccount
Service has matching ServiceMonitor
Image contains expected SHA in history.
Image size is not greater than an expected value
"
maintainers:
- https://github.com/garethahealy
version: v1.2.0
homepage: https://github.com/redhat-cop/rego-policies
name: redhat-cop.rego-policies
labels:
- k8s
- kubernetes
- gatekeeper
- path: https://github.com/swade1987/deprek8ion/policies
description: |
"Deprek8ion
A set of rego policies to monitor Kubernetes APIs deprecations.
The Kubernetes API deprecations can be found using https://relnotes.k8s.io/?markdown=deprecated."
maintainers:
- https://github.com/swade1987
version: master
homepage: https://github.com/swade1987/deprek8ion
name: deprek8ion
labels:
- k8s
- kubernetes
- gatekeeper