Unverified Commit 0182bab5 authored by Brijesh Shah's avatar Brijesh Shah Committed by GitHub

feat: add custom policy examples (security & stability) (#327)

parent b4d5ee25
Showing with 1552 additions and 0 deletions
# Policy: cost_reduction_best_practices
Kubernetes resource requests and limits enable engineers to ensure that their workloads are not over or under-utilized. These policies are implemented with multiple property paths to provide adaptation to multiple Kubernetes objects such as Pod, Deployment.
__This policy helps to enforce the following best practices:__
* [Ensure each container has a configured CPU request within range](#ensure-each-container-has-a-configured-cpu-request-within-range)
* [Ensure each container has a configured CPU limit within range](#ensure-each-container-has-a-configured-cpu-limit-within-range)
* [Ensure each container has a configured memory request within range](#ensure-each-container-has-a-configured-memory-request-within-range)
* [Ensure each container has a configured memory limit within range](#ensure-each-container-has-a-configured-memory-limit-within-range)
## Ensure each container has a configured CPU request within range
### When this rule is failing?
If `requests.cpu` is missing:
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value is outside of the configured range (100m-250m):
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
```
## Ensure each container has a configured CPU limit within range
### When this rule is failing?
If `limits.cpu` is missing:
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value is outside of the configured range (500m-1000m):
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
limits:
cpu: "1500m"
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
limits:
cpu: "1500m"
```
## Ensure each container has a configured memory request within range
### When this rule is failing?
If `requests.memory` is missing:
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value is outside of the configured range (512Mi-1024Mi):
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
memory: "256Mi"
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
memory: "256Mi"
```
## Ensure each container has a configured memory limit within range
### When this rule is failing?
If `limits.memory` is missing:
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value is outside of the configured range (2048Mi-4096Mi):
```
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
limits:
memory: "5120Mi"
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
limits:
memory: "5120Mi"
```
## Policy author
Brijesh Shah \\ [brijeshshah13](https://github.com/brijeshshah13)
\ No newline at end of file
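Review bot: the `### When this rule is failing?` headings in this README (and the same heading in the other three READMEs) are ungrammatical; `### When does this rule fail?` reads correctly. The Pod examples here omit `apiVersion: v1` while the Deployment examples carry `apiVersion: apps/v1`; adding it keeps the snippets copy-pasteable and consistent with the security README, whose Pod examples do include it.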
---
apiVersion: v1
kind: Pod
metadata:
name: fail-resource-quotas-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fail-resource-quotas-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
---
apiVersion: v1
kind: Pod
metadata:
name: pass-resource-quotas-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pass-resource-quotas-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
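Review bot: the fail fixtures only exercise the out-of-range branch (`cpu: "50m"`, `cpu: "1500m"`, `memory: "256Mi"`, `memory: "5120Mi"`); there is no fixture that omits the `resources` block, so the `required: - resources` / `required: - requests` / `required: - limits` branches of the four rules are never tested. Add a third fail manifest with no `resources` at all.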
apiVersion: v1
policies:
- name: cost_reduction_best_practices
isDefault: true
rules:
- identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_REQUEST_VALUE
messageOnFailure: ""
- identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE
messageOnFailure: ""
- identifier: CUSTOM_CONTAINERS_INCORRECT_MEMORY_REQUEST_VALUE
messageOnFailure: ""
- identifier: CUSTOM_CONTAINERS_INCORRECT_MEMORY_LIMIT_VALUE
messageOnFailure: ""
customRules:
- identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_REQUEST_VALUE
name: Ensure each container has a configured CPU request within range [CUSTOM RULE]
defaultMessageOnFailure: CPU request value should be within the accepted boundaries (100m-250m)
schema:
definitions:
cpuRequestPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
resources:
properties:
requests:
properties:
cpu:
resourceMinimum: 100m
resourceMaximum: 250m
required:
- cpu
required:
- requests
required:
- resources
allOf:
- $ref: "#/definitions/cpuRequestPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE
name: Ensure each container has a configured CPU limit within range [CUSTOM RULE]
defaultMessageOnFailure: CPU limit value should be within the accepted boundaries (500m-1000m)
schema:
definitions:
cpuLimitPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
resources:
properties:
limits:
properties:
cpu:
resourceMinimum: 500m
resourceMaximum: 1000m
required:
- cpu
required:
- limits
required:
- resources
allOf:
- $ref: "#/definitions/cpuLimitPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- identifier: CUSTOM_CONTAINERS_INCORRECT_MEMORY_REQUEST_VALUE
name: Ensure each container has a configured memory request within range [CUSTOM RULE]
defaultMessageOnFailure: Memory request value should be within the accepted boundaries (512Mi-1024Mi)
schema:
definitions:
memoryRequestPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
resources:
properties:
requests:
properties:
memory:
resourceMinimum: 512Mi
resourceMaximum: 1024Mi
required:
- memory
required:
- requests
required:
- resources
allOf:
- $ref: "#/definitions/memoryRequestPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- identifier: CUSTOM_CONTAINERS_INCORRECT_MEMORY_LIMIT_VALUE
name: Ensure each container has a configured memory limit within range [CUSTOM RULE]
defaultMessageOnFailure: Memory limit value should be within the accepted boundaries (2048Mi-4096Mi)
schema:
definitions:
memoryLimitPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
resources:
properties:
limits:
properties:
memory:
resourceMinimum: 2048Mi
resourceMaximum: 4096Mi
required:
- memory
required:
- limits
required:
- resources
allOf:
- $ref: "#/definitions/memoryLimitPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
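Review bot: each definition matches only `spec.containers`, so init containers under `spec.initContainers` are never checked and can run with no requests or limits at all; add a parallel `initContainers` branch in each pattern or state the gap in the README. Because the `additionalProperties` / `items` recursion to `#` never inspects `kind`, the rules also apply to every object that contains a `spec.containers` path (CronJob, StatefulSet, Job), not only the Pod and Deployment named in the README; that is probably intended but worth documenting.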
# Policy: governance_best_practices
Ingress host name should be a valid organization name. Invalid host names can cause problems with access to the API.
__This policy helps to enforce the following best practices:__
* [Ensure Ingress only uses approved domain names for hostnames](#ensure-ingress-only-uses-approved-domain-names-for-hostnames)
## Ensure Ingress only uses approved domain names for hostnames
### When this rule is failing?
If `host` is missing:
```
apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
rules:
- http:
paths:
- pathType: ImplementationSpecific
path: /
backend:
service:
name: nginx
port:
number: 80
```
__OR__ the value of `host` is not a valid organization name (*.example.com):
```
apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
rules:
- host: test.com
http:
paths:
- pathType: ImplementationSpecific
path: /
backend:
service:
name: nginx
port:
number: 80
```
`--ignore-missing-schemas` will have to be used to ignore the missing schema.
## Policy author
Brijesh Shah \\ [brijeshshah13](https://github.com/brijeshshah13)
\ No newline at end of file
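Review bot: the `--ignore-missing-schemas` line does not say which resource triggers the missing schema or which command the flag is passed to; name the API version that lacks a schema and the `datree` invocation it applies to. "Invalid host names can cause problems with access to the API" is also vague: the rule as written enforces an approved domain suffix for Ingress hosts, so the intro should say that is what it checks and why (an Ingress should not claim a hostname outside the organization's domains).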
---
apiVersion: v1
kind: Pod
metadata:
name: fail-governance-best-practices-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fail-governance-best-practices-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: fail-governance-best-practices-for-ingress
spec:
rules:
- host: test.datree.io
http:
paths:
- pathType: ImplementationSpecific
path: /
backend:
service:
name: nginx
port:
number: 80
---
apiVersion: v1
kind: Pod
metadata:
name: pass-governance-best-practices-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
volumeMounts:
- name: test-volume
mountPath: /test/dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pass-governance-best-practices-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- nginx
topologyKey: kubernetes.io/hostname
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
volumeMounts:
- name: test-volume
mountPath: /test/dev
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pass-governance-best-practices-for-ingress
spec:
rules:
- host: test.example.com
http:
paths:
- pathType: ImplementationSpecific
path: /
backend:
service:
name: nginx
port:
number: 80
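Review bot: the Pod and Deployment fixtures in this file carry cost and security violations (`cpu: "50m"`, `runAsUser: 0`, `mountPath: /etc/nginx/certs`) that no rule in `governance_best_practices` checks, so they neither pass nor fail this policy and only add noise; the two Ingress manifests are the only meaningful cases. A second fail Ingress with the `host` key omitted would cover the `required: - host` branch of the rule.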
apiVersion: v1
policies:
- name: governance_best_practices
isDefault: true
rules:
- identifier: CUSTOM_INGRESS_INCORRECT_HOST_VALUE
messageOnFailure: ""
customRules:
- identifier: CUSTOM_INGRESS_INCORRECT_HOST_VALUE
name: Ensure Ingress only uses approved domain names for hostnames [CUSTOM RULE]
defaultMessageOnFailure: host value should contain a valid organization name (*.example.com)
schema:
if:
properties:
kind:
type: string
enum:
- Ingress
then:
properties:
spec:
properties:
rules:
items:
properties:
host:
type: string
pattern: (.*example.com)$
required:
- host
\ No newline at end of file
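Review bot: `pattern: (.*example.com)$` is too loose for an allow-list: the unescaped `.` matches any character and there is no boundary before `example`, so hosts such as `notexample.com` or `examplexcom` satisfy it. Anchor the pattern and escape the dot, for example `^([a-z0-9-]+\.)*example\.com$`, so only `example.com` and its subdomains pass.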
# Policy: security_best_practices
To prevent unwanted changes to root-owned files, privilege escalation that could gain more privileges than its parent process, or issues with sensitive host system files, the following best practices are recommended. These policies are implemented with multiple property paths to provide adaptation to multiple Kubernetes objects such as Pod, Deployment.
__This policy helps to enforce the following best practices:__
* [Prevent containers from running without a read-only root filesystem](#prevent-containers-from-running-without-a-read-only-root-filesystem)
* [Ensure containers do not allow privilege escalation](#ensure-containers-do-not-allow-privilege-escalation)
* [Ensure containers do not run processes with root privileges](#ensure-containers-do-not-run-processes-with-root-privileges)
* [Ensure containers do not expose sensitive host system directories](#ensure-containers-do-not-expose-sensitive-host-system-directories)
## Prevent containers from running without a read-only root filesystem
`readOnlyRootFilesystem` requires that containers must run with a read-only root filesystem.
### When this rule is failing?
If `securityContext.readOnlyRootFilesystem` is missing:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value of `securityContext.readOnlyRootFilesystem` is `false`:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
securityContext:
readOnlyRootFilesystem: false
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
securityContext:
readOnlyRootFilesystem: false
```
## Ensure containers do not allow privilege escalation
`allowPrivilegeEscalation` restricts escalation to root privileges.
### When this rule is failing?
If `securityContext.allowPrivilegeEscalation` is missing:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value of `securityContext.allowPrivilegeEscalation` is `true`:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
securityContext:
allowPrivilegeEscalation: true
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
securityContext:
allowPrivilegeEscalation: true
```
## Ensure containers do not run processes with root privileges
`runAsUser` & `runAsNonRoot` restricts root privileges.
### When this rule is failing?
If `securityContext.runAsUser` or `securityContext.runAsNonRoot` is missing:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value of `securityContext.runAsUser` is greater than `0` and `securityContext.runAsNonRoot` is `true`:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
securityContext:
runAsUser: 1000
runAsNonRoot: true
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
securityContext:
runAsUser: 1000
runAsNonRoot: true
```
## Ensure containers do not expose sensitive host system directories
### When this rule is failing?
If `mountPath` is missing:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
__OR__ the value of `mountPath` is one of the directories listed by the organization:
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
```
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
```
## Policy author
Brijesh Shah \\ [brijeshshah13](https://github.com/brijeshshah13)
\ No newline at end of file
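Review bot: the second failing case for the root-privileges rule ("the value of `securityContext.runAsUser` is greater than `0` and `securityContext.runAsNonRoot` is `true`", with the `runAsUser: 1000` / `runAsNonRoot: true` examples) describes the passing configuration; the schema requires `minimum: 1` and `enum: [true]`, and the fail fixtures use `runAsUser: 0` / `runAsNonRoot: false`. Invert the sentence and both examples to `runAsUser: 0` and `runAsNonRoot: false`. The one-line description "`allowPrivilegeEscalation` restricts escalation to root privileges" is also imprecise: it controls whether a process can gain more privileges than its parent process, as the policy intro itself says, and `runAsUser` & `runAsNonRoot` restricts` should read `restrict`.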
---
apiVersion: v1
kind: Pod
metadata:
name: fail-security-best-practices-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fail-security-best-practices-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
---
apiVersion: v1
kind: Pod
metadata:
name: pass-security-best-practices-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
volumeMounts:
- name: test-volume
mountPath: /test/dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pass-security-best-practices-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
volumeMounts:
- name: test-volume
mountPath: /test/dev
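Review bot: every `volumeMounts` entry here references a volume (`nginx-certs`, `test-volume`) that is never declared under `spec.volumes`, so these manifests are invalid Pod specs, and none of them includes a `hostPath` volume, which is the only way a host directory is actually exposed. Add matching `volumes` entries, including a `hostPath` case for the fail manifests, so the fixtures are valid and the sensitive-directory rule is exercised against a real host exposure rather than only the container-side `mountPath`.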
apiVersion: v1
policies:
- name: security_best_practices
isDefault: true
rules:
- identifier: CUSTOM_CONTAINERS_INCORRECT_ROOT_FILESYSTEM_PERMISSION
messageOnFailure: ""
- identifier: CUSTOM_CONTAINERS_INCORRECT_PRIVILEGE_ESCALATION_PERMISSION
messageOnFailure: ""
- identifier: CUSTOM_CONTAINERS_INCORRECT_PROCESS_PERMISSION
messageOnFailure: ""
- identifier: CUSTOM_CONTAINERS_EXPOSED_SENSITIVE_HOST_SYSTEM_DIRECTORY
messageOnFailure: ""
customRules:
- identifier: CUSTOM_CONTAINERS_INCORRECT_ROOT_FILESYSTEM_PERMISSION
name: Prevent containers from running without a read-only root filesystem [CUSTOM RULE]
defaultMessageOnFailure: Set readOnlyRootFilesystem to true in the container securityContext
schema:
definitions:
readOnlyRootFilesystemPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
readOnlyRootFilesystem:
enum:
- true
required:
- readOnlyRootFilesystem
required:
- securityContext
allOf:
- $ref: "#/definitions/readOnlyRootFilesystemPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- identifier: CUSTOM_CONTAINERS_INCORRECT_PRIVILEGE_ESCALATION_PERMISSION
name: Ensure containers do not allow privilege escalation [CUSTOM RULE]
defaultMessageOnFailure: Set allowPrivilegeEscalation to false in the container securityContext
schema:
definitions:
allowPrivilegeEscalationPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
allowPrivilegeEscalation:
enum:
- false
required:
- allowPrivilegeEscalation
required:
- securityContext
allOf:
- $ref: "#/definitions/allowPrivilegeEscalationPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- identifier: CUSTOM_CONTAINERS_INCORRECT_PROCESS_PERMISSION
name: Ensure containers do not run processes with root privileges [CUSTOM RULE]
defaultMessageOnFailure: Set runAsUser to a non-zero number and runAsNonRoot to true in the container securityContext
schema:
definitions:
processPermissionPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
runAsUser:
minimum: 1
runAsNonRoot:
enum:
- true
required:
- runAsUser
- runAsNonRoot
required:
- securityContext
allOf:
- $ref: "#/definitions/processPermissionPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- identifier: CUSTOM_CONTAINERS_EXPOSED_SENSITIVE_HOST_SYSTEM_DIRECTORY
name: Ensure containers do not expose sensitive host system directories [CUSTOM RULE]
defaultMessageOnFailure: Do not expose sensitive host system directories in the container (/dev, /proc, /sys, /boot, /etc, /lib, /usr)
schema:
definitions:
sensitiveHostSystemDirectoryPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
volumeMounts:
type: array
items:
properties:
mountPath:
pattern: ^(?!/(dev|proc|sys|boot|etc|lib|usr)).*$
required:
- mountPath
required:
- volumeMounts
allOf:
- $ref: "#/definitions/sensitiveHostSystemDirectoryPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
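Review bot: `CUSTOM_CONTAINERS_EXPOSED_SENSITIVE_HOST_SYSTEM_DIRECTORY` checks `volumeMounts[].mountPath`, which is the path inside the container, not on the host; a host directory is exposed through `spec.volumes[].hostPath.path`, which this schema never inspects, while a harmless emptyDir mounted at `/etc/app` is flagged. Either validate `hostPath.path` with the same pattern or retitle the rule to match what it checks. Two smaller points: `required: - volumeMounts` makes any container with no volume mounts fail this rule, and the prefix regex `^(?!/(dev|proc|sys|boot|etc|lib|usr)).*$` also rejects unrelated paths such as `/library` or `/system` because it lacks a `(/|$)` boundary after the directory name. Separately, `CUSTOM_CONTAINERS_INCORRECT_PROCESS_PERMISSION` only looks at the container `securityContext`, so a Pod that sets `runAsNonRoot` and `runAsUser` at `spec.securityContext` fails even though it is compliant.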
# Policy: stability_best_practices
Kubernetes podAntiAffinity is a feature that helps you avoid placing pods on the same node to prevent downtime.
__This policy helps to enforce the following best practices:__
* [Prevent containers from running on the same node if multiple replicas are specified](#prevent-containers-from-running-on-the-same-node-if-multiple-replicas-are-specified)
## Prevent containers from running on the same node if multiple replicas are specified
Inter-pod anti-affinity allow you to constrain which nodes your pod is eligible to be scheduled based on labels on pods that are already running on the node rather than based on labels on nodes. Refer to [documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) for more details.
### When this rule is failing?
If `podAntiAffinity` is missing when multiple replicas are specified:
```
apiVersion: apps/v1
kind: Deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
```
## Policy author
Brijesh Shah \\ [brijeshshah13](https://github.com/brijeshshah13)
\ No newline at end of file
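Review bot: "Inter-pod anti-affinity allow you to constrain which nodes your pod is eligible to be scheduled based on labels" has a number-agreement error and a dropped preposition ("allows you ... eligible to be scheduled on"), and the `### When this rule is failing?` heading has the same grammar problem as the other READMEs. The intro should also state that the rule only applies to `Deployment` objects with `replicas` of at least 2, which is what the schema's `if` block encodes.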
---
apiVersion: v1
kind: Pod
metadata:
name: fail-stability-best-practices-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: fail-stability-best-practices-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "50m"
memory: "256Mi"
limits:
cpu: "1500m"
memory: "5120Mi"
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
volumeMounts:
- name: nginx-certs
mountPath: /etc/nginx/certs
---
apiVersion: v1
kind: Pod
metadata:
name: pass-stability-best-practices-for-pod
labels:
environment: prod
app: test
owner: test-at-datree.io
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
volumeMounts:
- name: test-volume
mountPath: /test/dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pass-stability-best-practices-for-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2
template:
metadata:
labels:
app: nginx
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- nginx
topologyKey: kubernetes.io/hostname
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
resources:
requests:
cpu: "175m"
memory: "768Mi"
limits:
cpu: "750m"
memory: "3072Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsUser: 1000
runAsNonRoot: true
volumeMounts:
- name: test-volume
mountPath: /test/dev
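Review bot: the Pod fixtures (`fail-stability-best-practices-for-pod`, `pass-stability-best-practices-for-pod`) cannot exercise `CUSTOM_CONTAINERS_MISSING_POD_ANTI_AFFINITY`, whose `if` only matches `kind: Deployment`, and the fail Pod carries resource and securityContext violations that belong to the other policies. Replace them with a Deployment that omits `replicas` and one with `replicas: 1`, which are the boundary cases the `if` condition needs to be tested against.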
apiVersion: v1
policies:
- name: stability_best_practices
isDefault: true
rules:
- identifier: CUSTOM_CONTAINERS_MISSING_POD_ANTI_AFFINITY
messageOnFailure: ""
customRules:
- identifier: CUSTOM_CONTAINERS_MISSING_POD_ANTI_AFFINITY
name: Prevent containers from running on the same node if multiple replicas are specified [CUSTOM RULE]
defaultMessageOnFailure: Set podAntiAffinity rules if multiple replicas are specified
schema:
if:
properties:
kind:
type: string
enum:
- Deployment
spec:
properties:
replicas:
type: integer
minimum: 2
then:
properties:
spec:
properties:
template:
properties:
spec:
properties:
affinity:
required:
- podAntiAffinity
required:
- affinity
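Review bot: the `if` block does not list `replicas` (or `kind`) under `required`, and JSON Schema `properties` passes vacuously when a key is absent, so a Deployment that omits `replicas` (default 1) still satisfies the `if` and is then required to declare `podAntiAffinity`. Add `required: - replicas` under `spec` and `required: - kind` at the top of the `if`. The `then` branch also accepts any `podAntiAffinity` object, including an empty one; requiring `preferredDuringSchedulingIgnoredDuringExecution` or `requiredDuringSchedulingIgnoredDuringExecution` with at least one term would make the check meaningful.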