From 1c919299a892b73f03b50f8acbfd0ed0e304bcb5 Mon Sep 17 00:00:00 2001
From: nataliagranato
Date: Mon, 26 Aug 2024 14:52:50 -0300
Subject: [PATCH] chore: Update dependencies and add Kyverno policies for Pod validation
---
 .github/workflows/chainguard.yml | 2 ++
 kyverno/disallow-latest-tag.yaml | 2 +-
 kyverno/no-root-containers.yaml | 18 ++++++++++++++++
 kyverno/require-labels.yaml | 19 +++++++++++++++++
 kyverno/require-requests-limits.yaml | 32 ++++++++++++++++++++++++++++
 5 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 kyverno/no-root-containers.yaml
 create mode 100644 kyverno/require-labels.yaml
 create mode 100644 kyverno/require-requests-limits.yaml
diff --git a/.github/workflows/chainguard.yml b/.github/workflows/chainguard.yml
index 447bd6b..9d7995e 100644
--- a/.github/workflows/chainguard.yml
+++ b/.github/workflows/chainguard.yml
@@ -28,6 +28,7 @@ jobs:
 run: |
 wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz
 tar -xzf melange_0.11.2_linux_386.tar.gz
+ cd melange_0.11.2_linux_386
 sudo mv melange /usr/local/bin/
 melange version
@@ -36,6 +37,7 @@ jobs:
 run: |
 wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz
 tar -xzf apko_0.14.7_linux_386.tar.gz
+ cd apko_0.14.7_linux_386
 sudo mv apko /usr/local/bin/
 apko version
diff --git a/kyverno/disallow-latest-tag.yaml b/kyverno/disallow-latest-tag.yaml
index 3355a3c..0b8f514 100644
--- a/kyverno/disallow-latest-tag.yaml
+++ b/kyverno/disallow-latest-tag.yaml
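Review bot: The melange tarball fetched by the `wget` line just above the added `cd` is moved into `/usr/local/bin` with `sudo` without any integrity check, so a substituted or tampered release asset would be installed and executed on the runner with elevated privileges. Pin the expected digest and fail the step if it differs, e.g. `echo "<sha256 for melange_0.11.2_linux_386.tar.gz>  melange_0.11.2_linux_386.tar.gz" | sha256sum -c -` placed between the `wget` and `tar` lines, taking the value from the release's checksums file if one is published; if the release also ships cosign signatures, verifying those is stronger still. The added `cd` means `melange version` on the last line runs from inside the extracted directory, which is harmless but worth a comment such as `# archive extracts into a versioned subdirectory`. The enclosing job and step definitions start outside this hunk.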
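Review bot: The added `cd apko_0.14.7_linux_386` assumes the archive extracts into a directory of exactly that name, so a future version bump that changes the layout makes the following `sudo mv apko` fail with an unhelpful "no such file" error. A comment such as `# apko release tarball extracts into a versioned subdirectory` documents the assumption, and holding the version once (e.g. `APKO_VERSION=0.14.7`) for the `wget`, `tar` and `cd` lines keeps the three from drifting apart. As in the melange step, the download is installed with `sudo` and no checksum or signature verification; the same `sha256sum -c` guard belongs here. The `linux_386` asset is presumably the 32-bit build, which seems unlikely to be what a 64-bit hosted runner should use — confirm against the job's `runs-on`, which is outside this hunk.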
@@ -10,7 +10,7 @@ metadata:
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. "
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: require-image-tag
diff --git a/kyverno/no-root-containers.yaml b/kyverno/no-root-containers.yaml
new file mode 100644
index 0000000..0f52ec1
--- /dev/null
+++ b/kyverno/no-root-containers.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: no-root-containers
+spec:
+ rules:
+ - name: require-non-root
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Containers must not run as root"
+ pattern:
+ spec:
+ containers:
+ - securityContext:
+ runAsNonRoot: true
diff --git a/kyverno/require-labels.yaml b/kyverno/require-labels.yaml
new file mode 100644
index 0000000..f2880f0
--- /dev/null
+++ b/kyverno/require-labels.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: check-for-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "label 'app' is required"
+ pattern:
+ metadata:
+ labels:
+ app: "?*"
diff --git a/kyverno/require-requests-limits.yaml b/kyverno/require-requests-limits.yaml
new file mode 100644
index 0000000..c6e13cf
--- /dev/null
+++ b/kyverno/require-requests-limits.yaml
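Review bot: With `validationFailureAction: Audit` the policy still only records violations, so Pods with a missing or `latest` tag are admitted unchanged; the capitalisation fix makes the value match Kyverno's documented `Audit`/`Enforce` values but does not change that posture. If the intent is to actually block mutable tags, switch to `validationFailureAction: Enforce` once the background scan reports no remaining violations, and note the intended rollout in the description annotation so the Audit setting is not mistaken for the end state. The rule list continues past the end of this hunk.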
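Review bot: The pattern on the new side inspects only `spec.containers`, so a Pod whose `initContainers` or `ephemeralContainers` run as root passes, while a Pod that sets `runAsNonRoot: true` once at the pod-level `spec.securityContext` (valid, and inherited by every container) is reported as a violation because the pattern demands the field on each container entry. The policy also omits `validationFailureAction`, so it silently runs in Kyverno's default Audit mode, and uses the legacy `match.resources` form where the other two policies in this commit use `match.any`. The rewrite below uses `anyPattern` to accept either the pod-level or the per-container setting and checks init and ephemeral containers conditionally with the `=()` anchor, following the shape of the upstream Kyverno `require-run-as-nonroot` policy; the explicit `validationFailureAction: Audit` makes the mode visible in review.
```yaml
# … unchanged: apiVersion, kind, metadata …
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: require-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Containers must not run as root"
        anyPattern:
          # pod-level setting; any container-level override must also be true
          - spec:
              securityContext:
                runAsNonRoot: true
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          # no pod-level setting; every container must set it itself
          - spec:
              =(initContainers):
                - securityContext:
                    runAsNonRoot: true
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: true
              containers:
                - securityContext:
                    runAsNonRoot: true
```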
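Review bot: The policy carries none of the `policies.kyverno.io/*` annotations (title, severity, subject, description) nor the explicit `background: true` that `require-requests-limits.yaml` in the same commit has, so its purpose and severity are invisible to tooling and reports that read those annotations. A short block such as `policies.kyverno.io/title: Require app Label`, `policies.kyverno.io/severity: low` and a one-sentence description stating that every Pod must carry a non-empty `app` label (what the `"?*"` wildcard on the last line enforces) would bring it in line with the others. Matching bare `Pod` also means Kyverno's autogen reports on Pods owned by Deployments and similar controllers; if system namespaces are expected to lack the label, an `exclude` on `kube-system` avoids noise in Audit mode — confirm against what runs in the target cluster.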
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-requests-limits
+ annotations:
+ policies.kyverno.io/title: Require Limits and Requests
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "CPU and memory resource requests and limits are required."
+ pattern:
+ spec:
+ containers:
+ - resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
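Review bot: The `message` on the new side says CPU and memory requests and limits are required, but the pattern beneath it only demands `limits.memory`, so a container with no CPU limit passes while the reported text claims otherwise — confusing for whoever triages the Audit findings. This matches the description, which deliberately names memory limits only, so align the message instead: `message: "CPU and memory resource requests and a memory limit are required."`. The pattern also covers only `spec.containers`, so init containers with no requests at all go unreported; a conditional `=(initContainers)` entry carrying the same `resources` pattern closes that gap if it is wanted. Note that `"?*"` accepts any non-empty string, including `"0"`, so the policy enforces presence rather than sane values — worth a sentence in the description.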