Merge commit 'fe564d72279f4ab061b961dd528623f0ed272667' as 'cluster-config'
This commit is contained in:
@@ -0,0 +1,64 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: annotate-argo-cd-external-link
|
||||
annotations:
|
||||
policies.kyverno.io/title: Annotate Route with Argo CD External Link
|
||||
policies.kyverno.io/category: Argo
|
||||
policies.kyverno.io/minversion: 1.0.0
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Route
|
||||
policies.kyverno.io/description: >-
|
||||
This policy adds an annotation to a route that will cause the Argo CD UI
|
||||
to display an icon representing a clickable link for the route.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
rules:
|
||||
- name: add-annotations-for-https
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- route.openshift.io/v1/Route
|
||||
operations:
|
||||
- UPDATE
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.object.spec.host || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.metadata.annotations.\"argocd.argoproj.io/tracking-id\" || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.spec.tls.termination || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(link.argocd.argoproj.io/external-link): https://{{ request.object.spec.host }}/{{ request.object.spec.path || '' }}
|
||||
- name: add-annotations-for-http
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- route.openshift.io/v1/Route
|
||||
operations:
|
||||
- UPDATE
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.object.spec.host || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.metadata.annotations.\"argocd.argoproj.io/tracking-id\" || '' }}"
|
||||
operator: NotEquals
|
||||
value: ""
|
||||
- key: "{{ request.object.spec.tls.termination || '' }}"
|
||||
operator: Equals
|
||||
value: ""
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(link.argocd.argoproj.io/external-link): http://{{ request.object.spec.host }}/{{ request.object.spec.path || '' }}
|
||||
@@ -0,0 +1,57 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: application-field-validation
|
||||
annotations:
|
||||
policies.kyverno.io/title: Application Field Validation
|
||||
policies.kyverno.io/category: Argo
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Application
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
This policy performs some best practices validation on Application fields.
|
||||
Path or chart must be specified but never both. And destination.name or
|
||||
destination.server must be specified but never both.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: source-path-chart
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Application
|
||||
validate:
|
||||
message: >-
|
||||
`spec.source.path` OR `spec.source.chart` should be specified but never both.
|
||||
anyPattern:
|
||||
- spec:
|
||||
source:
|
||||
path: '?*'
|
||||
X(chart):
|
||||
- spec:
|
||||
source:
|
||||
X(path):
|
||||
chart: '?*'
|
||||
- name: destination-server-name
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Application
|
||||
validate:
|
||||
message: >-
|
||||
`spec.destination.server` OR `spec.destination.name` should be specified but never both.
|
||||
anyPattern:
|
||||
- spec:
|
||||
destination:
|
||||
server: '?*'
|
||||
X(name):
|
||||
- spec:
|
||||
destination:
|
||||
X(server):
|
||||
name: '?*'
|
||||
@@ -0,0 +1,35 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: application-prevent-default-project
|
||||
annotations:
|
||||
policies.kyverno.io/title: Prevent Use of Default Project
|
||||
policies.kyverno.io/category: Argo
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.2
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/subject: Application
|
||||
policies.kyverno.io/description: >-
|
||||
This policy prevents the use of the default project in an Application.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: default-project
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Application
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validate:
|
||||
message: "The default project may not be used in an Application."
|
||||
pattern:
|
||||
spec:
|
||||
project: "!default"
|
||||
@@ -0,0 +1,119 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-deprecated-apis
|
||||
annotations:
|
||||
policies.kyverno.io/title: Check deprecated APIs
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/subject: Kubernetes APIs
|
||||
kyverno.io/kyverno-version: 1.7.4
|
||||
policies.kyverno.io/minversion: 1.7.4
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Kubernetes APIs are sometimes deprecated and removed after a few releases.
|
||||
As a best practice, older API versions should be replaced with newer versions.
|
||||
This policy validates for APIs that are deprecated or scheduled for removal.
|
||||
Note that checking for some of these resources may require modifying the Kyverno
|
||||
ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
|
||||
has been commented out due to a check for this kind having a performance penalty
|
||||
on Kubernetes clusters with many leases. Its enabling should be attended carefully
|
||||
and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
|
||||
so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
|
||||
This policy requires Kyverno v1.7.4+ to function properly.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
background: true
|
||||
rules:
|
||||
- name: validate-v1-25-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
# NOTE: PodSecurityPolicy is completely removed in 1.25.
|
||||
kinds:
|
||||
- batch/*/CronJob
|
||||
- discovery.k8s.io/*/EndpointSlice
|
||||
- events.k8s.io/*/Event
|
||||
- policy/*/PodDisruptionBudget
|
||||
- node.k8s.io/*/RuntimeClass
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- batch/v1beta1
|
||||
- discovery.k8s.io/v1beta1
|
||||
- events.k8s.io/v1beta1
|
||||
- policy/v1beta1
|
||||
- node.k8s.io/v1beta1
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
- name: validate-v1-26-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- flowcontrol.apiserver.k8s.io/*/FlowSchema
|
||||
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
|
||||
- autoscaling/*/HorizontalPodAutoscaler
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- flowcontrol.apiserver.k8s.io/v1beta1
|
||||
- autoscaling/v2beta2
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
- name: validate-v1-27-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- storage.k8s.io/*/CSIStorageCapacity
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- storage.k8s.io/v1beta1
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
- name: validate-v1-29-removals
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- flowcontrol.apiserver.k8s.io/*/FlowSchema
|
||||
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation || 'BACKGROUND' }}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
- key: "{{request.object.apiVersion}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- flowcontrol.apiserver.k8s.io/v1beta2
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
|
||||
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
|
||||
deny: {}
|
||||
@@ -0,0 +1,36 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-openshift-deprecated-apis
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow deprecated APIs
|
||||
policies.kyverno.io/category: OpenShift
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC
|
||||
policies.kyverno.io/description: >-
|
||||
OpenShift APIs are sometimes deprecated and removed after a few releases.
|
||||
As a best practice, older API versions should be replaced with newer versions.
|
||||
This policy validates for APIs that are deprecated or scheduled for removal.
|
||||
Note that checking for some of these resources may require modifying the Kyverno
|
||||
ConfigMap to remove filters.
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: check-deprecated-apis
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- authorization.openshift.io/v1/ClusterRole
|
||||
- authorization.openshift.io/v1/ClusterRoleBinding
|
||||
- authorization.openshift.io/v1/Role
|
||||
- authorization.openshift.io/v1/RoleBinding
|
||||
validate:
|
||||
message: >-
|
||||
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated.
|
||||
deny: {}
|
||||
@@ -0,0 +1,56 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-security-context-constraint-anyuid
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid
|
||||
policies.kyverno.io/category: Security
|
||||
policies.kyverno.io/severity: high
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: Role,ClusterRole
|
||||
policies.kyverno.io/description: >-
|
||||
Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: check-security-context-constraint
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ClusterRole
|
||||
- Role
|
||||
validate:
|
||||
message: >-
|
||||
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
|
||||
foreach:
|
||||
- list: request.object.rules[]
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: anyuid
|
||||
operator: AnyIn
|
||||
value: "{{element.resourceNames[]}}"
|
||||
- key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
- name: check-security-context-roleref
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ClusterRoleBinding
|
||||
- RoleBinding
|
||||
validate:
|
||||
message: >-
|
||||
Use of the SecurityContextConstraint (SCC) anyuid is not allowed
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: system:openshift:scc:anyuid
|
||||
operator: Equals
|
||||
value: "{{request.object.roleRef.name}}"
|
||||
@@ -0,0 +1,34 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-jenkins-pipeline-strategy
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow OpenShift Jenkins Pipeline Build Strategy
|
||||
policies.kyverno.io/category: OpenShift
|
||||
policies.kyverno.io/severity: medium
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: BuildConfig
|
||||
policies.kyverno.io/description: >-
|
||||
The Jenkins Pipeline Build Strategy has been deprecated. This policy prevents its use. Use OpenShift Pipelines instead.
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: check-build-strategy
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- build.openshift.io/v1/BuildConfig
|
||||
validate:
|
||||
message: >-
|
||||
Jenkins Pipeline Build Strategy has been deprecated and is not allowed
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: "{{ keys(request.object.spec.strategy) | contains(@, 'jenkinsPipelineStrategy') }}"
|
||||
operator: Equals
|
||||
value: true
|
||||
@@ -0,0 +1,41 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: disallow-latest-tag
|
||||
annotations:
|
||||
policies.kyverno.io/title: Disallow Latest Tag
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
The ':latest' tag is mutable and can lead to unexpected errors if the
|
||||
image changes. A best practice is to use an immutable tag that maps to
|
||||
a specific version of an application Pod. This policy validates that the image
|
||||
specifies a tag and that it is not called `latest`.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: require-image-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "An image tag is required."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "*:*"
|
||||
- name: validate-image-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Using a mutable image tag e.g. 'latest' is not allowed."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "!*:latest"
|
||||
@@ -0,0 +1,19 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/compare-options: IgnoreExtraneous
|
||||
|
||||
resources:
|
||||
- ../../base
|
||||
- validate-probes-policy.yaml
|
||||
- require-requests-limits-policy.yaml
|
||||
- disallow-anyuid-scc-policy.yaml
|
||||
- require-tls-routes.yaml
|
||||
- check-deprecated-apis.yaml
|
||||
- check-openshift-deprecated-apis.yaml
|
||||
- disallow-latest-tag.yaml
|
||||
- disallow-jenkins-pipeline-strategy.yaml
|
||||
- application-prevent-default-project.yaml
|
||||
- application-field-validation.yaml
|
||||
# - annotate-route-argo-external-link.yaml
|
||||
@@ -0,0 +1,37 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-requests-limits
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require Limits and Requests
|
||||
policies.kyverno.io/category: Multi-Tenancy
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
As application workloads share cluster resources, it is important to limit resources
|
||||
requested and consumed by each Pod. It is recommended to require resource requests and
|
||||
limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
|
||||
defaults will automatically be applied to each Pod based on the LimitRange configuration.
|
||||
This policy validates that all containers have something specified for memory and CPU
|
||||
requests and memory limits.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: validate-resources
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "CPU and memory resource requests and limits are required."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- resources:
|
||||
requests:
|
||||
memory: "?*"
|
||||
cpu: "?*"
|
||||
limits:
|
||||
memory: "?*"
|
||||
@@ -0,0 +1,39 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-routes
|
||||
annotations:
|
||||
policies.kyverno.io/title: Require TLS routes in OpenShift
|
||||
policies.kyverno.io/category: OpenShift
|
||||
policies.kyverno.io/severity: high
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.20"
|
||||
policies.kyverno.io/subject: Route
|
||||
policies.kyverno.io/description: |-
|
||||
HTTP traffic is not encrypted and hence insecure. This policy prevents configuration of OpenShift HTTP routes.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: require-tls-routes
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- route.openshift.io/v1/Route
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: NotEquals
|
||||
value: ["DELETE"]
|
||||
validate:
|
||||
message: >-
|
||||
HTTP routes are not allowed. Configure TLS for secure routes.
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: "{{ keys(request.object.spec) | contains(@, 'tls') }}"
|
||||
operator: Equals
|
||||
value: false
|
||||
@@ -0,0 +1,37 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-pod-probes
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
|
||||
policies.kyverno.io/title: Require Pod Probes
|
||||
policies.kyverno.io/category: Best Practices
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Liveness and readiness probes need to be configured to correctly manage a Pod's
|
||||
lifecycle during deployments, restarts, and upgrades. For each Pod, a periodic
|
||||
`livenessProbe` is performed by the kubelet to determine if the Pod's containers
|
||||
are running or need to be restarted. A `readinessProbe` is used by Services
|
||||
and Deployments to determine if the Pod is ready to receive network traffic.
|
||||
This policy validates that all containers have liveness and readiness probes by
|
||||
ensuring the `periodSeconds` field is greater than zero.
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
rules:
|
||||
- name: validate-livenessProbe-readinessProbe
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "Liveness and readiness probes are required."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- livenessProbe:
|
||||
periodSeconds: ">0"
|
||||
readinessProbe:
|
||||
periodSeconds: ">0"
|
||||
@@ -0,0 +1,43 @@
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: verify-signed-image
|
||||
annotations:
|
||||
policies.kyverno.io/title: Verify Signed Images
|
||||
policies.kyverno.io/category: Security
|
||||
policies.kyverno.io/severity: high
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Validates signed images against specified certificates
|
||||
spec:
|
||||
validationFailureAction: audit
|
||||
failurePolicy: Ignore
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
rules:
|
||||
- name: verify-image-quay-io-gnunn-client
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- image: "quay.io/gnunn/client:*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM
|
||||
gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ==
|
||||
-----END PUBLIC KEY-----
|
||||
- name: verify-image-quay-io-gnunn-server
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- image: "quay.io/gnunn/server:*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWno6IupPFSRi9btNhFtMeS1iQbM
|
||||
gN6OWsfUdhfT5TCf23ESE3vfuMWtX9syvjmemuGpZ+/fRDOyqAbVnAGNpQ==
|
||||
-----END PUBLIC KEY-----
|
||||
Reference in New Issue
Block a user