best-practices+karpenter+other: Enhance policies by iterating over all container types #1054

Open. Wants to merge 5 commits into base: main.
2 changes: 1 addition & 1 deletion best-practices/require-probes/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ readme: |
annotations:
kyverno/category: "Best Practices, EKS Best Practices"
kyverno/subject: "Pod"
digest: 8160370e07d5daa9a9ff342cc1c923015cadd3101e837f47af6fe2361e69993a
digest: 69812a72c0862c71b4d384a2bf048ebda4b46a72fece31ac90bc62605d7c91ab
2 changes: 1 addition & 1 deletion best-practices/require-probes/require-probes.yaml
Expand Up @@ -36,7 +36,7 @@ spec:
validate:
message: "Liveness, readiness, or startup probes are required for all containers."
foreach:
- list: request.object.spec.containers[]
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
deny:
conditions:
all:
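Review bot: widening this list to initContainers and ephemeralContainers will reject pods that are valid today. The Pod API does not allow livenessProbe, readinessProbe or startupProbe on ephemeral containers or on ordinary (non-sidecar) init containers, so with the deny conditions that follow checking for missing probes, every pod with an init container and every kubectl debug session would be denied. Keep this rule on `request.object.spec.containers[]`, or scope it to containers plus sidecar init containers (`restartPolicy: Always`, which do support probes) via a precondition, and keep the message consistent with that scope.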
2 changes: 1 addition & 1 deletion karpenter/set-karpenter-non-cpu-limits/artifacthub-pkg.yml
Expand Up @@ -24,4 +24,4 @@ annotations:
kyverno/category: "Karpenter, EKS Best Practices"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Pod"
digest: 93d84f8ba71d2bf87cb84d4174962cc50ecd0b0f9bb29f6fccb8a8a41d11b500
digest: f1e76f16a57f31b55584f2dbd59caa7030d986efb80790147c9810e657840ea4
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ spec:
- Pod
mutate:
foreach:
- list: request.object.spec.containers
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
patchStrategicMerge:
spec:
containers:
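Review bot: the foreach now yields elements from ephemeralContainers and initContainers, but the patchStrategicMerge still targets `spec: containers:`. Strategic merge keys containers by name, so an element taken from initContainers is not found under containers and is appended there as a new container entry instead of being patched in place. Either keep the list as `request.object.spec.containers` or split the rule into one foreach per list with a matching patch target. Ephemeral containers also cannot carry `resources` at all and are immutable once present, so a limits mutation can never apply to them.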
Expand All @@ -43,7 +43,7 @@ spec:
- Pod
mutate:
foreach:
- list: request.object.spec.containers
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
patchStrategicMerge:
spec:
containers:
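Review bot: same target mismatch as in the first hunk of this file: the list is flattened across all three container types while the patch still writes to `spec: containers:`. Whatever fix is chosen above should be mirrored here.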
2 changes: 1 addition & 1 deletion other/add-certificates-volume/add-certificates-volume.yaml
Expand Up @@ -36,7 +36,7 @@ spec:
- UPDATE
mutate:
foreach:
- list: "request.object.spec.containers"
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
patchStrategicMerge:
spec:
containers:
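Review bot: the patch target no longer matches the list being iterated: elements taken from initContainers and ephemeralContainers are merged under `spec: containers:`, so a certificate volumeMount for an init container would create a new entry in containers rather than mounting into the init container. Use one foreach per list, each with its own patch target (`initContainers:` / `ephemeralContainers:`), or leave this rule on containers only.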
2 changes: 1 addition & 1 deletion other/add-certificates-volume/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Pod,Volume"
digest: d0bece92401b5c2c3fe482333fed5c09379d383934cd5bc860e416875a6d6267
digest: f3ceb66ca299c702a2fbc2d709ff7f82c5a3dd82310b856eb0c3b1d5dab57e5d
2 changes: 1 addition & 1 deletion other/add-image-as-env-var/add-image-as-env-var.yaml
Expand Up @@ -26,7 +26,7 @@ spec:
- Pod
mutate:
foreach:
- list: request.object.spec.containers[]
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
patchesJson6902: |-
- op: add
path: /spec/containers/{{elementIndex}}/env/-
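Review bot: `/spec/containers/{{elementIndex}}/env/-` breaks with the flattened list. elementIndex now counts across ephemeralContainers, initContainers and containers in that order, so for a pod with one init container the first regular container gets index 1 and the env var lands on the wrong container, or the JSON patch fails outright when the index exceeds the length of containers. Either iterate each list separately with its own path, or revert the list to `request.object.spec.containers[]`.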
2 changes: 1 addition & 1 deletion other/add-image-as-env-var/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Pod"
digest: a2c5e16677bc0ff1b228b69256ed3cd374df954122cb3c1ef351d36931972136
digest: 6ed53fcc80991a1d34382e66fe91a5fa5464673b64c4d4c88ce82fdbd010d61d
2 changes: 1 addition & 1 deletion other/annotate-base-images/annotate-base-images.yaml
Expand Up @@ -33,7 +33,7 @@ spec:
value: DELETE
mutate:
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry:
2 changes: 1 addition & 1 deletion other/annotate-base-images/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 1aa592a7d3d49643b835c56d97220b9a8728ac3e2160d4be83fbe590db252e9a
digest: e9660e4bc65e802d8b5be8c4705a9376cdf5686b699c79e363f9e1ec902d0441
2 changes: 1 addition & 1 deletion other/block-images-with-volumes/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 84345ccd7ae57215dd11b5248f811119d38dcb4648c749146c887ec6c7389940
digest: b22bdab9f37335fe5f010a4ae44252a77aa4b2f72bb7b39a1b48f103e9a85c54
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ spec:
validate:
message: "Images containing built-in volumes are prohibited."
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry:
2 changes: 1 addition & 1 deletion other/block-large-images/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 3137003b33b29c736e18da96eba3c14b707a825053684304fe8a1f68c3fb7b03
digest: 9b2d29ef8ea57f0da1c868da87866af0d91cbcc5416447e99b0dd581aa580d1c
2 changes: 1 addition & 1 deletion other/block-large-images/block-large-images.yaml
Expand Up @@ -32,7 +32,7 @@ spec:
validate:
message: "images with size greater than 2Gi not allowed"
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageSize
imageRegistry:
2 changes: 1 addition & 1 deletion other/block-stale-images/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 8e0fab0441480492ab506e9401eda165e86156c63b8768953386dffe7a0efc6b
digest: febc775e685b304d83a24be44159ff3c7525d7f7dc2fd1232a8f2c9958be4b2d
2 changes: 1 addition & 1 deletion other/block-stale-images/block-stale-images.yaml
Expand Up @@ -26,7 +26,7 @@ spec:
validate:
message: "Images built more than 6 months ago are prohibited."
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry:
2 changes: 1 addition & 1 deletion other/check-nvidia-gpu/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: e5286892d05b3b220ed0b9d8cad3ae4c50e2d394678758e3137661ab8c8b5648
digest: d3b53c4acdf6efa6a3f3c55e62b1bf886c5380e13d01dcf4812577e1a1ae08f0
2 changes: 1 addition & 1 deletion other/check-nvidia-gpu/check-nvidia-gpu.yaml
Expand Up @@ -33,7 +33,7 @@ spec:
validate:
message: "Images which reserve NVIDIA GPUs must be built to use them."
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry:
2 changes: 1 addition & 1 deletion other/deny-commands-in-exec-probe/artifacthub-pkg.yml
Expand Up @@ -20,4 +20,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.26"
kyverno/subject: "Pod"
digest: 3bd86d6873aa7380c01b621c0bfb468a7832ac2d03a5cda4fd8063a432d6d4d1
digest: 7934e90f438fdb191a5e6a543cd579c938108a15fcc2c1323aed39235f6b7312
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ spec:
- Pod
preconditions:
all:
- key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
- key: "{{ length(request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[] || `[]`) }}"
operator: GreaterThan
value: 0
- key: "{{ request.operation }}"
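Review bot: the Pod API rejects probes on ephemeral containers and on non-sidecar init containers, so widening this precondition to them changes nothing for ordinary pods; the only new case it covers is sidecar init containers (`restartPolicy: Always`), which do allow a livenessProbe. That is fine to keep, but it would be worth saying so in the policy description so readers do not expect plain init containers to be checked.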
Expand All @@ -40,12 +40,12 @@ spec:
- key:
- true
operator: AnyIn
value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
- key:
- true
operator: AnyIn
value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
- key:
- true
operator: AnyIn
value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
2 changes: 1 addition & 1 deletion other/enforce-resources-as-ratio/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: cf12c44542d243f69c182ef98ea13d14cf1761268193410cfbac79408c3c060e
digest: 5dbddbb353688c86721b2f206e02eaf9675e97732c23ba8a488dd4c3342174fd
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ spec:
validate:
message: Limits may not exceed 2.5x the requests.
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
deny:
conditions:
any:
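Review bot: ephemeral containers cannot declare `resources` (the API rejects them), so for those elements `element.resources` is null, and init containers may omit it as well. Make sure the deny conditions that follow treat missing requests or limits as a pass rather than failing on a null-versus-null comparison or a ratio computed from null.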
2 changes: 1 addition & 1 deletion other/inject-env-var-from-image-label/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 42f75a6b260b6b537291422dd43cb59492231dd34a4c398b56e13b54fb6d0475
digest: e24260cbe86905615dd55fe220b69ed6b3b82b911e998b5c7b713b630b92f60b
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ spec:
value: DELETE
mutate:
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: maintainer
imageRegistry:
2 changes: 1 addition & 1 deletion other/limit-containers-per-pod/artifacthub-pkg.yml
Expand Up @@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
digest: 375b0ea0b5a26365b69af559cbbda54c352e8a13c838fdbbdcb9d3f01b4941e9
digest: 8818000e91df5bba9115310da780e3cadbe402200aa8309fca49ea54d32afa84
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,6 @@ spec:
deny:
conditions:
any:
- key: "{{request.object.spec.containers[] | length(@)}}"
- key: "{{request.object.spec.[ephemeralContainers, initContainers, containers][] | length(@)}}"
operator: GreaterThan
value: "4"
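Review bot: this is a behaviour change rather than a widening. The cap of 4 now counts init and ephemeral containers together with regular containers, so a pod with three app containers and two init containers that passed before is now denied, and attaching a debug container to a pod already at four would be rejected. If that is intended, the policy description and message should say "containers of any kind"; otherwise keep the count on `containers[]`.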
2 changes: 1 addition & 1 deletion other/memory-requests-equal-limits/artifacthub-pkg.yml
Expand Up @@ -18,4 +18,4 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Pod"
digest: 634be7d8371928ed519a4576f84751fd423ae3d3e6e9146bb2280910dc8954c5
digest: f914d76c5f19c1a9bb10edc8fab73472d4813eb600bd4f6ef561b9f21975f068
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,6 @@ spec:
deny:
conditions:
any:
- key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}"
operator: NotEquals
value: 0
- key: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][] | [?resources.requests.memory!=resources.limits.memory] | length(@) }}"
operator: GreaterThanOrEquals
value: 1
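Review bot: the operator change from `NotEquals 0` to `GreaterThanOrEquals 1` is equivalent for a non-negative count, so no functional concern there. Ephemeral containers can never carry resources, so for them both sides of `requests.memory!=limits.memory` are null and they never match, which is the right outcome; a one-line comment in the policy saying so would save the next reader the same analysis.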
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,4 @@ annotations:
kyverno/category: "Other, EKS Best Practices"
kyverno/kubernetesVersion: "1.22-1.23"
kyverno/subject: "Pod"
digest: 4543cc84b584a3a39e4e279cb032ce21e6dde1271bde7a55c0c3351ab4db722c
digest: 38d6e34d41aa7047bfa80e6179a8cd130dd14624abd196417e7eddcadfc330ff
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ spec:
validate:
message: "Images with root user are not allowed to be pulled from any registry other than ghcr.io."
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry:
2 changes: 1 addition & 1 deletion other/prepend-image-registry/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.21"
kyverno/subject: "Pod"
digest: 6325c3d888d0dcba78dcbe2c29f3fe6730addb8c4dda2e3c97b48ff8d3873943
digest: b87c75b91e96d54d5c6e3356a533295766b37b0175f328d4f2fc703a0def4b38
24 changes: 24 additions & 0 deletions other/prepend-image-registry/prepend-image-registry.yaml
Expand Up @@ -64,3 +64,27 @@ spec:
initContainers:
- name: "{{ element.name }}"
image: registry.io/{{ images.initContainers."{{element.name}}".path}}:{{images.initContainers."{{element.name}}".tag}}
- name: prepend-registry-ephemeralContainers
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.operation || 'BACKGROUND'}}"
operator: AnyIn
value:
- CREATE
- UPDATE
- key: "{{ request.object.spec.ephemeralContainers[] || '' | length(@) }}"
operator: GreaterThanOrEquals
value: 1
mutate:
foreach:
- list: "request.object.spec.ephemeralContainers"
patchStrategicMerge:
spec:
ephemeralContainers:
- name: "{{ element.name }}"
image: registry.io/{{ images.ephemeralContainers."{{element.name}}".path}}:{{images.ephemeralContainers."{{element.name}}".tag}}
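Review bot: two points on the new rule. The precondition uses `|| ''` while the sibling rule in replace-image-registry uses `` || `[]` ``; both yield length 0 when the list is absent, but the backtick-quoted empty list is the idiomatic JMESPath literal and keeps the two policies consistent. More importantly, ephemeral containers are added through the `ephemeralcontainers` Pod subresource and are immutable once present, so with a match on kind `Pod` alone this mutate rule is unlikely to ever see a kubectl debug request; add `Pod/ephemeralcontainers` to the match kinds and confirm that `images.ephemeralContainers` is populated for that request before relying on it.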
2 changes: 1 addition & 1 deletion other/remove-hostpath-volumes/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.25"
kyverno/subject: "Pod,Volume"
digest: ce19781cd972d0f15f3e52a330640d42df9adda5d8cd111ffc2f7b08c8eaf1fd
digest: 65649a85d2f538961c881f7e97dd492f75b71b1ecbc37b1b2aed2b1b14c992b2
2 changes: 1 addition & 1 deletion other/remove-hostpath-volumes/remove-hostpath-volumes.yaml
Expand Up @@ -46,7 +46,7 @@ spec:
patchesJson6902: |-
- path: /spec/volumes/{{elementIndex}}
op: remove
- list: request.object.spec.containers[]
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
foreach:
- list: " element.volumeMounts || `[]` "
order: Descending
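Review bot: with the flattened list, `{{elementIndex}}` of this outer loop no longer indexes `/spec/containers`. If the patch inside the nested foreach removes volumeMounts by a path built from the outer index, in the same way the volume removal above uses `/spec/volumes/{{elementIndex}}`, it will now target the wrong container or fail for init and ephemeral containers. Check that patch and iterate each container list separately if it relies on the index.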
2 changes: 1 addition & 1 deletion other/remove-serviceaccount-token/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.25"
kyverno/subject: "Pod,ServiceAccount,Volume"
digest: d23bd2501b0c893a15d5d956af131fbaa0d25e6278980e3ba6cce9608841bebd
digest: d45cb1004833009f73346ab46c47bed7f3b4a733b93be43914217defd7002b50
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ spec:
patchesJson6902: |-
- path: /spec/volumes/{{elementIndex}}
op: remove
- list: request.object.spec.containers[]
- list: request.object.spec.[ephemeralContainers, initContainers, containers][]
foreach:
- list: element.volumeMounts
order: Descending
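Review bot: `element.volumeMounts` here has no fallback, unlike the `` || `[]` `` used for the same nested loop in remove-hostpath-volumes; an init or ephemeral container with no volumeMounts yields null, leaving the nested foreach nothing iterable. Add the same fallback. The elementIndex concern for the flattened outer list applies to this file as well.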
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.27"
kyverno/subject: "Pod"
digest: 8f88cbddbaec89d29c062e6f6c8385b75f46b7d958954e637d686e82e893856c
digest: 489642fcf09dcc59705fa58848796eafc1fa72be670f98e02b3ae3930f157f1d
Original file line number Diff line number Diff line change
Expand Up @@ -61,3 +61,18 @@ spec:
containers:
- name: "{{ element.name }}"
image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
- list: request.object.spec.ephemeralContainers[]
context:
- name: imageData
imageRegistry:
reference: "{{ element.image }}"
preconditions:
any:
- key: "{{imageData.registry}}"
operator: Equals
value: index.docker.io
patchStrategicMerge:
spec:
containers:
- name: "{{ element.name }}"
image: harbor.example.com/k8s/{{imageData.repository}}:{{imageData.identifier}}
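Review bot: the new foreach iterates `ephemeralContainers[]` but its patchStrategicMerge targets `spec: containers:`, so a debug container whose image comes from index.docker.io would get a brand-new entry appended to containers (named after the ephemeral container) instead of having its own image rewritten. The target should be `ephemeralContainers:`, and since ephemeral containers arrive via the `ephemeralcontainers` subresource, the match should include `Pod/ephemeralcontainers` for this loop to ever run.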
2 changes: 1 addition & 1 deletion other/replace-image-registry/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Sample"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 9fde3b8caba3a05c5534b588fcd794975b8c1016004fa4ffdfb5bc4e93997e58
digest: 72ee2c8a17b7232ac21bec317971add1383781c1227f18d279289a10771a7011
19 changes: 19 additions & 0 deletions other/replace-image-registry/replace-image-registry.yaml
Expand Up @@ -57,3 +57,22 @@ spec:
initContainers:
- name: "{{ element.name }}"
image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
- name: replace-image-registry-pod-ephemeralContainers
match:
any:
- resources:
kinds:
- Pod
preconditions:
all:
- key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
operator: GreaterThanOrEquals
value: 1
mutate:
foreach:
- list: "request.object.spec.ephemeralContainers"
patchStrategicMerge:
spec:
initContainers:
- name: "{{ element.name }}"
image: "{{ regex_replace_all('^(localhost/|(?:[a-z0-9]+\\.)+[a-z0-9]+/)?(.*)$', '{{element.image}}', 'myregistry.corp.com/$2' )}}"
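Review bot: copy-paste slip: the patchStrategicMerge in the new `replace-image-registry-pod-ephemeralContainers` rule writes to `initContainers:`, not `ephemeralContainers:`, so the element it iterates is never patched and a new init container carrying the rewritten image is added instead. Fix the target list, and as with the other ephemeral rules in this PR, match `Pod/ephemeralcontainers` so the rule actually sees kubectl debug requests.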
2 changes: 1 addition & 1 deletion other/require-base-image/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 23dcc8f9a56d36ceb6f45b8c7e76b450472e5c22a4a701bea37c25c8df68984e
digest: 36ec28f78945a75ab650893cd252c2fdb80d4893bf6c340d4b68dca41e69d41d
2 changes: 1 addition & 1 deletion other/require-base-image/require-base-image.yaml
Expand Up @@ -37,7 +37,7 @@ spec:
validate:
message: "Images must specify a source/base image from which they are built."
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry:
2 changes: 1 addition & 1 deletion other/require-image-source/artifacthub-pkg.yml
Expand Up @@ -19,4 +19,4 @@ annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
digest: 439869ce881c7a4eea43180435dad9eb03c5c9c2cfae470822de7b988b2da514
digest: bf8c40ca9999ad6c800c655264acb28313da5e8bd64476b3599e79c5ab410fd7
2 changes: 1 addition & 1 deletion other/require-image-source/require-image-source.yaml
Expand Up @@ -34,7 +34,7 @@ spec:
validate:
message: "The image source must be specified in a label or annotation."
foreach:
- list: "request.object.spec.containers"
- list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
context:
- name: imageData
imageRegistry: