Merge pull request #6453 from wallrj/read-only-root-filesystem
Enable readOnlyRootFilesystem by default
dd3fe1fe02
@ -181,7 +181,7 @@ containerSecurityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
|
||||
@ -345,7 +345,7 @@ webhook:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
# Optional additional annotations to add to the webhook Deployment
|
||||
@ -548,7 +548,7 @@ cainjector:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
|
||||
@ -658,7 +658,7 @@ startupapicheck:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
# readOnlyRootFilesystem: true
|
||||
readOnlyRootFilesystem: true
|
||||
# runAsNonRoot: true
|
||||
|
||||
# Timeout for 'kubectl check api' command
|
||||
|
||||
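Review bot: Each of the four containerSecurityContext blocks still leaves `# runAsNonRoot: true` commented out on the line directly after the newly enabled `readOnlyRootFilesystem: true`, so the root filesystem is now immutable while the container may still run as uid 0 unless a pod-level securityContext that is not visible in this hunk sets it; enabling both together is the usual restricted baseline. A read-only root also does not make mounted volumes read-only, and any component that writes to its own filesystem will now fail at runtime rather than at install time — for the startupapicheck Job in particular, verify that the `check api` CLI does not try to write a discovery cache under $HOME, and mount an emptyDir there if it does. Because this flips a default for every installation, it deserves a values comment and a release note; I would add above each new line: `# Enabled by default. A container that needs a writable path should mount an emptyDir there rather than setting this to false.`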
@ -5,9 +5,10 @@
|
||||
#
|
||||
# Use as follows:
|
||||
# kustomize build . > policy.yaml
|
||||
bases:
|
||||
resources:
|
||||
- https://github.com/kyverno/policies/pod-security/enforce
|
||||
- https://raw.githubusercontent.com/kyverno/policies/main/other/restrict_automount_sa_token/restrict_automount_sa_token.yaml
|
||||
- https://raw.githubusercontent.com/kyverno/policies/main/other/res/restrict-automount-sa-token/restrict-automount-sa-token.yaml
|
||||
- https://github.com/kyverno/policies/raw/main//best-practices/require-ro-rootfs/require-ro-rootfs.yaml
|
||||
patches:
|
||||
- patch: |-
|
||||
- op: replace
|
||||
@ -18,6 +19,6 @@ patches:
|
||||
value: cert-manager
|
||||
- op: replace
|
||||
path: /spec/validationFailureAction
|
||||
value: enforce
|
||||
value: Enforce
|
||||
target:
|
||||
kind: ClusterPolicy
|
||||
|
||||
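Review bot: The `require-ro-rootfs` policy pulled in by the new resource only patterns `spec.containers[]` (its rendered form in the generated policy.yaml below has a single rule with `containers:` only), so an init container or ephemeral container with a writable root filesystem passes validation, whereas the sibling policies in that file explicitly cover `[ephemeralContainers, initContainers, containers]`; since policy.yaml is produced by `kustomize build . > policy.yaml` per the comment at the top of this file, the fix belongs here as an additional patch on that resource, sketched below (the rule index 0 assumes the upstream policy keeps its single rule). Separately, the two raw URLs added here track the upstream `main` branch and the pod-security base carries no ref at all, so the set of enforced policies can change with no change to this repository; pinning each to a commit SHA (`?ref=<sha>` on the kustomize base, `/<sha>/` in place of `/main/` in the raw URLs) makes the build reproducible and reviewable. The doubled slash in `raw/main//best-practices` also looks accidental.
```yaml
patches:
  # … unchanged: existing namespace / kind / validationFailureAction patch …
  - patch: |-
      - op: add
        path: /spec/rules/0/validate/pattern/spec/=(initContainers)
        value:
          - securityContext:
              readOnlyRootFilesystem: true
      - op: add
        path: /spec/rules/0/validate/pattern/spec/=(ephemeralContainers)
        value:
          - securityContext:
              readOnlyRootFilesystem: true
    target:
      name: require-ro-rootfs
```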
@ -22,6 +22,11 @@ spec:
|
||||
kinds:
|
||||
- Pod
|
||||
name: adding-capabilities
|
||||
preconditions:
|
||||
all:
|
||||
- key: '{{ request.operation || ''BACKGROUND'' }}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validate:
|
||||
deny:
|
||||
conditions:
|
||||
@ -46,7 +51,7 @@ spec:
|
||||
message: Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN,
|
||||
DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID,
|
||||
SETPCAP, SETUID, SYS_CHROOT) are disallowed.
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -110,7 +115,7 @@ spec:
|
||||
- ""
|
||||
list: request.object.spec.[ephemeralContainers, initContainers, containers][]
|
||||
message: Any capabilities added other than NET_BIND_SERVICE are disallowed.
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -146,7 +151,7 @@ spec:
|
||||
=(hostIPC): "false"
|
||||
=(hostNetwork): "false"
|
||||
=(hostPID): "false"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -180,7 +185,7 @@ spec:
|
||||
spec:
|
||||
=(volumes):
|
||||
- X(hostPath): "null"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -221,7 +226,7 @@ spec:
|
||||
containers:
|
||||
- =(ports):
|
||||
- =(hostPort): 0
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -268,7 +273,7 @@ spec:
|
||||
- =(securityContext):
|
||||
=(windowsOptions):
|
||||
=(hostProcess): "false"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -309,7 +314,7 @@ spec:
|
||||
containers:
|
||||
- securityContext:
|
||||
allowPrivilegeEscalation: "false"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -350,7 +355,7 @@ spec:
|
||||
containers:
|
||||
- =(securityContext):
|
||||
=(privileged): "false"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -393,7 +398,7 @@ spec:
|
||||
containers:
|
||||
- =(securityContext):
|
||||
=(procMount): Default
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -476,7 +481,41 @@ spec:
|
||||
=(seLinuxOptions):
|
||||
X(role): "null"
|
||||
X(user): "null"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
annotations:
|
||||
policies.kyverno.io/category: Best Practices, EKS Best Practices, PSP Migration
|
||||
policies.kyverno.io/description: 'A read-only root file system helps to enforce
|
||||
an immutable infrastructure strategy; the container only needs to write on the
|
||||
mounted volume that persists the state. An immutable root filesystem can also
|
||||
prevent malicious binaries from writing to the host system. This policy validates
|
||||
that containers define a securityContext with `readOnlyRootFilesystem: true`.'
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/title: Require Read-Only Root Filesystem
|
||||
name: require-ro-rootfs
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
background: true
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: validate-readOnlyRootFilesystem
|
||||
validate:
|
||||
message: Root filesystem must be read-only.
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -520,7 +559,7 @@ spec:
|
||||
containers:
|
||||
- =(securityContext):
|
||||
=(runAsUser): '>0'
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -575,7 +614,7 @@ spec:
|
||||
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
|
||||
spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
|
||||
must be set to `true`.
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -612,7 +651,7 @@ spec:
|
||||
=(annotations):
|
||||
=(container.apparmor.security.beta.kubernetes.io/*): runtime/default |
|
||||
localhost/*
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -651,7 +690,7 @@ spec:
|
||||
pattern:
|
||||
spec:
|
||||
automountServiceAccountToken: "false"
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -699,7 +738,7 @@ spec:
|
||||
- =(securityContext):
|
||||
=(seccompProfile):
|
||||
=(type): RuntimeDefault | Localhost
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -763,7 +802,7 @@ spec:
|
||||
spec.containers[*].securityContext.seccompProfile.type, spec.initContainers[*].securityContext.seccompProfile.type,
|
||||
and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be
|
||||
set to `RuntimeDefault` or `Localhost`.
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -802,7 +841,7 @@ spec:
|
||||
=(sysctls):
|
||||
- =(name): kernel.shm_rmid_forced | net.ipv4.ip_local_port_range | net.ipv4.ip_unprivileged_port_start
|
||||
| net.ipv4.tcp_syncookies | net.ipv4.ping_group_range
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
@ -830,6 +869,11 @@ spec:
|
||||
kinds:
|
||||
- Pod
|
||||
name: restricted-volumes
|
||||
preconditions:
|
||||
all:
|
||||
- key: '{{ request.operation || ''BACKGROUND'' }}'
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
validate:
|
||||
deny:
|
||||
conditions:
|
||||
@ -849,4 +893,4 @@ spec:
|
||||
- ""
|
||||
message: 'Only the following types of volumes may be used: configMap, csi, downwardAPI,
|
||||
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.'
|
||||
validationFailureAction: enforce
|
||||
validationFailureAction: Enforce
|
||||
|
||||