diff --git a/.github/workflows/helm-lint-test.yaml b/.github/workflows/helm-lint-test.yaml index 5032350..624d8bd 100644 --- a/.github/workflows/helm-lint-test.yaml +++ b/.github/workflows/helm-lint-test.yaml @@ -40,6 +40,13 @@ jobs: if: steps.list-changed.outputs.changed == 'true' uses: helm/kind-action@v1.5.0 + - name: Install Kyverno + id: install-kyverno + if: steps.list-changed.outputs.changed == 'true' + run: | + helm repo add kyverno https://kyverno.github.io/kyverno/ + helm install kyverno kyverno/kyverno --namespace kyverno --create-namespace --version 2.7.2 + - name: Run chart-testing (install) if: steps.list-changed.outputs.changed == 'true' run: ct install --target-branch ${{ github.event.repository.default_branch }} @@ -55,4 +62,3 @@ jobs: - name: Run ah lint working-directory: ./charts/ run: ah lint - diff --git a/charts/test-chart/Chart.yaml b/charts/test-chart/Chart.yaml index 75080a8..6251ab6 100644 --- a/charts/test-chart/Chart.yaml +++ b/charts/test-chart/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/test-chart/README.md b/charts/test-chart/README.md index 18d8c41..f88c6b5 100644 --- a/charts/test-chart/README.md +++ b/charts/test-chart/README.md @@ -1,6 +1,6 @@ # test-chart -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square) A Helm chart for Kubernetes @@ -14,36 +14,48 @@ A Helm chart for Kubernetes | Key | Type | Default | Description | |-----|------|---------|-------------| -| affinity | object | `{}` | | -| autoscaling.enabled | bool | `false` | | -| autoscaling.maxReplicas | int | `100` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| background | bool | `true` | | +| enableAll | bool | `false` | | +| extraManifests | list | `[]` | | +| failurePolicy | string | `"Fail"` | | | fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"nginx"` | | -| image.tag | string | `""` | | -| imagePullSecrets | list | `[]` | | -| ingress.annotations | object | `{}` | | -| ingress.className | string | `""` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | -| ingress.tls | list | `[]` | | | nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| service.port | int | `80` | | -| service.type | string | `"ClusterIP"` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | -| tolerations | list | `[]` | | +| policies.blockStaleImages.enabled | bool | `false` | | +| policies.checkServiceAccount.enabled | bool | `false` | | +| policies.disableAutomountServiceAccountToken.enabled | bool | `false` | | +| policies.disablePodAutomountServiceAccountToken.enabled | bool | `false` | | +| policies.disableServiceDiscovery.enabled | bool | `false` | | +| policies.disallowAllSecrets.enabled | bool | `false` | | +| policies.disallowCapabilitiesStrict.enabled | bool | `false` | | +| policies.disallowDefaultNamespace.enabled | bool | `false` | | +| policies.disallowEmptyIngressHost.enabled | bool | `false` | | +| policies.disallowHostNamespaces.enabled | bool | `false` | | +| policies.disallowHostPath.enabled | bool | `false` | | +| policies.disallowHostPorts.enabled | bool | `false` | | +| policies.disallowPrivilegeEscalation.enabled | bool | `false` | | +| policies.disallowPrivilegedContainers.enabled | bool | `false` | | +| policies.disallowProcMount.enabled | bool | `false` | | +| policies.disallowSELinux.enabled | bool | `false` | | +| policies.preventNakedPods.enabled | bool | `false` | | +| policies.protectNodeTaints.enabled | bool | `false` | | +| policies.requireEncryptionAwsLoadBalancers.enabled | bool | `false` | | +| policies.requireLabels.enabled | bool | `false` | | +| policies.requireRoRootFs.enabled | bool | `false` | | +| policies.requireRunAsNonRoot.enabled | bool | `false` | | +| policies.requireRunAsNonRootUser.enabled | bool | `false` | | +| policies.restrictAppArmor.enabled | bool | `false` | | +| policies.restrictImageRegistries.enabled | bool | `false` | | +| policies.restrictIngressWildcard.enabled | bool | `false` | | +| policies.restrictNodePort.enabled | bool | `false` | | +| policies.restrictSeccompStrict.enabled | bool | `false` | | +| policies.restrictServiceExternalIps.enabled | bool | `false` | | +| policies.restrictSysctls.enabled | bool | `false` | | +| policies.restrictVolumeTypes.enabled | bool | `false` | | +| policyCategories.other.enabled | bool | `false` | | +| policyCategories.podSecurityBaseline.enabled | bool | `false` | | +| policyCategories.podSecurityRestricted.enabled | bool | `false` | | +| validationFailureAction | string | `"Audit"` | | +| validationFailureActionOverrides | list | `[]` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/test-chart/ci/test-values.yaml b/charts/test-chart/ci/test-values.yaml new file mode 100644 index 0000000..8d8ee09 --- /dev/null +++ b/charts/test-chart/ci/test-values.yaml @@ -0,0 +1,3 @@ +policies: + disallowHostNamespaces: + enabled: true diff --git a/charts/test-chart/templates/NOTES.txt b/charts/test-chart/templates/NOTES.txt deleted file mode 100644 index 8e5bcb8..0000000 --- a/charts/test-chart/templates/NOTES.txt +++ /dev/null @@ -1,22 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "test-chart.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "test-chart.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "test-chart.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "test-chart.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT -{{- end }} diff --git a/charts/test-chart/templates/_helpers.tpl b/charts/test-chart/templates/_helpers.tpl index 7b311a7..032e22e 100644 --- a/charts/test-chart/templates/_helpers.tpl +++ b/charts/test-chart/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "test-chart.name" -}} +{{- define "kyverno-policies.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "test-chart.fullname" -}} +{{- define "kyverno-policies.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,37 +26,19 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "test-chart.chart" -}} +{{- define "kyverno-policies.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* -Common labels +Renders a value that contains template. Based on https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_tplvalues.tpl +Usage: +{{ include "kyverno-policies.extraManifests" ( dict "value" .Values.path.to.the.Value "context" $) }} */}} -{{- define "test-chart.labels" -}} -helm.sh/chart: {{ include "test-chart.chart" . }} -{{ include "test-chart.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "test-chart.selectorLabels" -}} -app.kubernetes.io/name: {{ include "test-chart.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "test-chart.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "test-chart.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} +{{- define "kyverno-policies.extraManifests" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/test-chart/templates/deployment.yaml b/charts/test-chart/templates/deployment.yaml deleted file mode 100644 index f010543..0000000 --- a/charts/test-chart/templates/deployment.yaml +++ /dev/null @@ -1,61 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "test-chart.fullname" . }} - labels: - {{- include "test-chart.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "test-chart.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "test-chart.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "test-chart.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 80 - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/test-chart/templates/extraManifests.yaml b/charts/test-chart/templates/extraManifests.yaml new file mode 100644 index 0000000..dbbbbb0 --- /dev/null +++ b/charts/test-chart/templates/extraManifests.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraManifests }} +--- +{{ include "kyverno-policies.extraManifests" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/test-chart/templates/hpa.yaml b/charts/test-chart/templates/hpa.yaml deleted file mode 100644 index cb4594c..0000000 --- a/charts/test-chart/templates/hpa.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "test-chart.fullname" . }} - labels: - {{- include "test-chart.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "test-chart.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/charts/test-chart/templates/ingress.yaml b/charts/test-chart/templates/ingress.yaml deleted file mode 100644 index 6cf62ce..0000000 --- a/charts/test-chart/templates/ingress.yaml +++ /dev/null @@ -1,61 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "test-chart.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "test-chart.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/test-chart/templates/podSecurityBaseline/disallowHostNamespaces.yaml b/charts/test-chart/templates/podSecurityBaseline/disallowHostNamespaces.yaml new file mode 100644 index 0000000..3c027b3 --- /dev/null +++ b/charts/test-chart/templates/podSecurityBaseline/disallowHostNamespaces.yaml @@ -0,0 +1,60 @@ +{{- $name := "disallowHostNamespaces" }} +{{- $category := "podSecurityBaseline" }} +{{- $policyValues := get .Values.policies $name }} +{{- $categoryValues := get .Values.policyCategories $category }} + +{{- if and (or $policyValues.enabled $categoryValues.enabled .Values.enableAll) (not (or $policyValues.disabled $categoryValues.disabled)) }} +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: {{ kebabcase $name }} + annotations: +{{- with $policyValues.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} +{{- end }} + policies.kyverno.io/title: Disallow Host Namespaces + policies.kyverno.io/category: {{ $category }} + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.6.0 + kyverno.io/kubernetes-version: "1.22-1.23" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Host namespaces (Process ID namespace, Inter-Process Communication namespace, and + network namespace) allow access to shared information and can be used to elevate + privileges. Pods should not be allowed access to host namespaces. This policy ensures + fields which make use of these host namespaces are unset or set to `false`. +spec: + validationFailureAction: {{ coalesce $policyValues.validationFailureAction $categoryValues.validationFailureAction .Values.validationFailureAction }} + validationFailureActionOverrides: {{ toYaml (coalesce $policyValues.validationFailureActionOverrides $categoryValues.validationFailureActionOverrides .Values.validationFailureActionOverrides) | nindent 4 }} +{{- if hasKey $policyValues "background" }} + background: {{ $policyValues.background }} +{{- else if hasKey $categoryValues "background" }} + background: {{ $categoryValues.background }} +{{- else }} + background: {{ .Values.background }} +{{- end }} + failurePolicy: {{ coalesce $policyValues.failurePolicy $categoryValues.failurePolicy .Values.failurePolicy }} + rules: +{{- if $policyValues.rulesOverride }} +{{ toYaml $policyValues.rulesOverride | indent 4 }} +{{- else }} + - name: host-namespaces + match: + any: + - resources: + kinds: + - Pod +{{- if $policyValues.exclude }} + exclude: {{ toYaml $policyValues.exclude | nindent 8 }} +{{- end }} + validate: + message: >- + Sharing the host namespaces is disallowed. The fields spec.hostNetwork, + spec.hostIPC, and spec.hostPID must be unset or set to `false`. + pattern: + spec: + =(hostPID): "false" + =(hostIPC): "false" + =(hostNetwork): "false" +{{- end }} +{{- end }} diff --git a/charts/test-chart/templates/service.yaml b/charts/test-chart/templates/service.yaml deleted file mode 100644 index b8d5d51..0000000 --- a/charts/test-chart/templates/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "test-chart.fullname" . }} - labels: - {{- include "test-chart.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "test-chart.selectorLabels" . | nindent 4 }} diff --git a/charts/test-chart/templates/serviceAccount.yaml b/charts/test-chart/templates/serviceAccount.yaml deleted file mode 100644 index 85ea1e1..0000000 --- a/charts/test-chart/templates/serviceAccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "test-chart.serviceAccountName" . }} - labels: - {{- include "test-chart.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/test-chart/values.yaml b/charts/test-chart/values.yaml index 96abad0..8cde8bf 100644 --- a/charts/test-chart/values.yaml +++ b/charts/test-chart/values.yaml @@ -1,82 +1,112 @@ -# Default values for test-chart. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" - -imagePullSecrets: [] +# Default values for kyverno-policies. nameOverride: "" fullnameOverride: "" -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 80 - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi +# Used to enable all policies. Categories or policies with value .disabled will be excluded. +enableAll: false -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 +# Default policy settings according to https://kyverno.io/docs/writing-policies/policy-settings/ +background: true +failurePolicy: Fail +validationFailureAction: Audit +validationFailureActionOverrides: [] -nodeSelector: {} +# Used to enable policies in bulk per category. +# May override policy attributes for the entire category. +policyCategories: +# exampleCategory: +# enabled: false # Set true to enable category. +# disabled: false # Set true to disable all policies in category. Has precedence over .enabled. +# validationFailureAction: Audit # Set validationFailureAction per category. +# failurePolicy: Fail # Set failurePolicy per category. +# background: true # Set background per category. + podSecurityBaseline: + enabled: false + podSecurityRestricted: + enabled: false + other: + enabled: false -tolerations: [] +# Used to enable and override individual policies. +# Policy override takes precedence over category override. +# Policy name matches its filename. +policies: +# examplePolicy: +# enabled: false # Set true to enable policy. Policy will be deployed if .Values.enableAll or .Values.. +# disabled: false # Set true to disable policy. Has precedence over .enabled. +# validationFailureAction: Audit # Set validationFailureAction per policy. +# failurePolicy: Fail # Set failurePolicy per policy. +# background: true # Set background per policy. +# someOtherAttribute: "foobar" # Set any other attribute. +# rulesOverride: [] # Override all rules within a policy. +# exclude: {} # Set exclude block for every rule within a policy. + blockStaleImages: + enabled: false +# imageAge: "4380h" # Images older than imageAge are non-compliant + checkServiceAccount: + enabled: false + disableAutomountServiceAccountToken: + enabled: false + disablePodAutomountServiceAccountToken: + enabled: false + disableServiceDiscovery: + enabled: false + disallowAllSecrets: + enabled: false + disallowCapabilitiesStrict: + enabled: false + disallowDefaultNamespace: + enabled: false + disallowEmptyIngressHost: + enabled: false + disallowHostNamespaces: + enabled: false + disallowHostPath: + enabled: false + disallowHostPorts: + enabled: false + disallowProcMount: + enabled: false + disallowPrivilegedContainers: + enabled: false + disallowPrivilegeEscalation: + enabled: false + disallowSELinux: + enabled: false + preventNakedPods: + enabled: false + protectNodeTaints: + enabled: false + requireEncryptionAwsLoadBalancers: + enabled: false + requireLabels: + enabled: false +# requiredLabels: # Key-value pairs of required labels and their values +# label1: "?*" + requireRoRootFs: + enabled: false + requireRunAsNonRoot: + enabled: false + requireRunAsNonRootUser: + enabled: false + restrictAppArmor: + enabled: false + restrictIngressWildcard: + enabled: false + restrictImageRegistries: + enabled: false +# allowedRegistries: "eu.foo.io/* | bar.io/*" # Pipe separated list of allowed registries + restrictNodePort: + enabled: false + restrictSeccompStrict: + enabled: false + restrictServiceExternalIps: + enabled: false + restrictSysctls: + enabled: false + restrictVolumeTypes: + enabled: false -affinity: {} +# List of extra manifests to deploy. +# Can be used to deploy your custom policies. +extraManifests: []