diff --git a/README.md b/README.md index 941d42653..47352f084 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ Anyone and everyone is welcome to write and contribute Kyverno policies! We have * Provide test resources (where possible) which allow your policy to be validated using the Kyverno CLI. See an example of a complete policy, resource, and test [here](https://github.com/kyverno/policies/tree/main/pod-security/baseline/disallow-capabilities). If unfamiliar with the Kyverno CLI and its test ability, please see the documentation [here](https://kyverno.io/docs/testing-policies/). -* For `validate` rules, please set `validationFailureAction: Audit` so that should a user download and apply the policy without having a yet full understanding of Kyverno, it will not cause unintended harm to their environment by blocking resources. +* For `validate` rules, please set `failureAction: Audit` so that should a user download and apply the policy without having a yet full understanding of Kyverno, it will not cause unintended harm to their environment by blocking resources. * String values do not need to be quoted nor do values which contain JMESPath expressions such as `{{request.operation}}`. The exception is if a field's value is *only* such an expression. In those cases, the JMESPath expression needs to be double quoted. @@ -59,10 +59,11 @@ metadata: policies.kyverno.io/description: >- Adding capabilities beyond those listed in the policy must be disallowed. spec: - validationFailureAction: Audit background: true rules: - name: my-rule-name + validate: + failureAction: Audit match: any: - resources: diff --git a/argo-cel/application-field-validation/application-field-validation.yaml b/argo-cel/application-field-validation/application-field-validation.yaml index a55686d65..24388388c 100644 --- a/argo-cel/application-field-validation/application-field-validation.yaml +++ b/argo-cel/application-field-validation/application-field-validation.yaml 
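Review bot: The rewritten bullet tells contributors to set `failureAction: Audit` but no longer says where the key lives, and a reader who only follows this line will likely place it at `spec` level where `validationFailureAction` used to sit. Suggest: `* For validate rules, please set failureAction: Audit under each rule's validate block (this replaces the former spec-level validationFailureAction) so that should a user download and apply the policy ...`. It would also help to state in the same bullet that the rule-level key is only understood by Kyverno releases that introduced it, so contributors pick the `kyverno.io/kyverno-version` annotation accordingly.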
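Review bot: In the sample policy the added `validate:` / `failureAction: Audit` pair is placed above `match:`; if the remainder of the sample rule (outside this hunk) already has a `validate:` block carrying its `message` and `pattern`, the rule mapping now contains the key `validate` twice, which YAML parsers either reject or resolve by keeping the last occurrence, silently dropping `failureAction`. Putting `failureAction: Audit` as the first line inside the existing `validate:` block, as every policy file in this diff does, avoids that and keeps the sample consistent with the real policies. The sample rule continues past the end of the hunk, so this needs checking against the full README.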
@@ -15,7 +15,6 @@ metadata: Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both. spec: - validationFailureAction: Audit background: true rules: - name: source-path-chart @@ -28,6 +27,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- @@ -48,6 +48,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml b/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml index 7a45796b5..caead010f 100644 --- a/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml +++ b/argo-cel/application-prevent-default-project/application-prevent-default-project.yaml @@ -13,7 +13,6 @@ metadata: policies.kyverno.io/description: >- This policy prevents the use of the default project in an Application. spec: - validationFailureAction: Audit background: true rules: - name: default-project @@ -26,6 +25,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "object.spec.?project.orValue('') != 'default'" diff --git a/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml index c1d6f50bf..311dd1b01 100644 --- a/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml +++ b/argo-cel/application-prevent-updates-project/application-prevent-updates-project.yaml @@ -12,7 +12,6 @@ metadata: policies.kyverno.io/description: >- This policy prevents updates to the project field after an Application is created. spec: - validationFailureAction: Audit background: true rules: - name: project-updates 
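Review bot: Dropping the spec-level `validationFailureAction: Audit` here, and in every other policy file in this diff (the remaining argo-cel, argo, aws, aws-cel, best-practices and best-practices-cel hunks), makes each policy depend on a Kyverno release that understands the rule-level `validate.failureAction` key; on an older release the new key is either rejected by schema validation or pruned, and with the old key gone the policy then runs under Kyverno's default action rather than the one the author chose. Each policy's `metadata` block, which starts above this hunk, normally carries a `kyverno.io/kyverno-version` annotation; it should be raised in the same change to the minimum release that supports rule-level `failureAction`, or the spec-level key kept alongside for one release cycle so older clusters keep the intended behaviour. A short comment at the rule, such as `# failureAction is rule-scoped; requires a Kyverno release with rule-level failureAction support`, would make the requirement visible to anyone copying a single policy.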
@@ -25,6 +24,7 @@ spec: - name: "operation-should-be-update" expression: "request.operation == 'UPDATE'" validate: + failureAction: Audit cel: expressions: - expression: "object.spec.project == oldObject.spec.project" diff --git a/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml index af30a936c..f7f7573e2 100644 --- a/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml +++ b/argo-cel/applicationset-name-matches-project/applicationset-name-matches-project.yaml @@ -14,7 +14,6 @@ metadata: This policy ensures that the name of the ApplicationSet is the same value provided in the project. spec: - validationFailureAction: Audit background: true rules: - name: match-name @@ -27,6 +26,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "object.spec.template.spec.project == object.metadata.name" diff --git a/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml index 18827a80e..25ebd0348 100644 --- a/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml +++ b/argo-cel/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml @@ -17,7 +17,6 @@ metadata: enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values. spec: - validationFailureAction: Audit background: true rules: - name: has-wildcard-and-validate-clusterresourceblacklist @@ -30,6 +29,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "has(object.spec.clusterResourceBlacklist)" 
diff --git a/argo/application-field-validation/application-field-validation.yaml b/argo/application-field-validation/application-field-validation.yaml index d71905b2b..b4514c685 100644 --- a/argo/application-field-validation/application-field-validation.yaml +++ b/argo/application-field-validation/application-field-validation.yaml @@ -15,7 +15,6 @@ metadata: Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both. spec: - validationFailureAction: Audit background: true rules: - name: source-path-chart @@ -25,6 +24,7 @@ spec: kinds: - Application validate: + failureAction: Audit message: >- `spec.source.path` OR `spec.source.chart` should be specified but never both. anyPattern: @@ -43,6 +43,7 @@ spec: kinds: - Application validate: + failureAction: Audit message: >- `spec.destination.server` OR `spec.destination.name` should be specified but never both. anyPattern: diff --git a/argo/application-prevent-default-project/application-prevent-default-project.yaml b/argo/application-prevent-default-project/application-prevent-default-project.yaml index 766871740..655a6a002 100644 --- a/argo/application-prevent-default-project/application-prevent-default-project.yaml +++ b/argo/application-prevent-default-project/application-prevent-default-project.yaml @@ -13,7 +13,6 @@ metadata: policies.kyverno.io/description: >- This policy prevents the use of the default project in an Application. spec: - validationFailureAction: Audit background: true rules: - name: default-project @@ -28,6 +27,7 @@ spec: operator: NotEquals value: DELETE validate: + failureAction: Audit message: "The default project may not be used in an Application." pattern: spec: diff --git a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml index f4eac4f05..a4cd1f4c3 100644 
--- a/argo/application-prevent-updates-project/application-prevent-updates-project.yaml +++ b/argo/application-prevent-updates-project/application-prevent-updates-project.yaml @@ -13,7 +13,6 @@ metadata: policies.kyverno.io/description: >- This policy prevents updates to the project field after an Application is created. spec: - validationFailureAction: Audit background: true rules: - name: project-updates @@ -28,6 +27,7 @@ spec: operator: Equals value: UPDATE validate: + failureAction: Audit message: "The spec.project cannot be changed once the Application is created." deny: conditions: diff --git a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml index 38529a89e..232d8404f 100644 --- a/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml +++ b/argo/applicationset-name-matches-project/applicationset-name-matches-project.yaml @@ -14,7 +14,6 @@ metadata: This policy ensures that the name of the ApplicationSet is the same value provided in the project. spec: - validationFailureAction: Audit background: true rules: - name: match-name @@ -29,6 +28,7 @@ spec: operator: NotEquals value: DELETE validate: + failureAction: Audit message: "The name must match the project." pattern: spec: diff --git a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml index 52dc4d289..f899ac933 100644 --- a/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml +++ b/argo/appproject-clusterresourceblacklist/appproject-clusterresourceblacklist.yaml @@ -17,7 +17,6 @@ metadata: enforce that all AppProjects specify clusterResourceBlacklist and that their group and kind have wildcards as values. spec: - validationFailureAction: Audit background: true rules: - name: has-wildcard 
@@ -32,6 +31,7 @@ spec: operator: AnyIn value: ["CREATE", "UPDATE"] validate: + failureAction: Audit message: "Wildcards must be present in group and kind for clusterResourceBlacklist." foreach: - list: "request.object.spec.clusterResourceBlacklist" @@ -56,6 +56,7 @@ spec: operator: AnyIn value: ["CREATE", "UPDATE"] validate: + failureAction: Audit message: "AppProject must specify clusterResourceBlacklist." deny: conditions: diff --git a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml index 20c71ab38..9ad898e15 100644 --- a/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml +++ b/aws-cel/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml @@ -15,7 +15,6 @@ metadata: that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value. spec: - validationFailureAction: Audit background: true rules: - name: aws-loadbalancer-has-ssl-cert @@ -31,6 +30,7 @@ spec: - name: "type-should-be-load-balancer" expression: "object.spec.type == 'LoadBalancer'" validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml index 48670fa02..3709c902d 100644 --- a/aws/require-aws-node-irsa/require-aws-node-irsa.yaml +++ b/aws/require-aws-node-irsa/require-aws-node-irsa.yaml @@ -19,7 +19,6 @@ metadata: the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount. spec: - validationFailureAction: Audit background: true rules: - name: validate-node-daemonset-irsa 
@@ -33,6 +32,7 @@ spec: namespaces: - kube-system validate: + failureAction: Audit message: "Update the aws-node daemonset to use IRSA." pattern: spec: diff --git a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml index a2b0c4558..6960e26db 100644 --- a/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml +++ b/aws/require-encryption-aws-loadbalancers/require-encryption-aws-loadbalancers.yaml @@ -16,7 +16,6 @@ metadata: that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value. spec: - validationFailureAction: Audit background: true rules: - name: aws-loadbalancer-has-ssl-cert @@ -26,6 +25,7 @@ spec: kinds: - Service validate: + failureAction: Audit message: "Service of type LoadBalancer must carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert." pattern: metadata: diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml index 154c46be8..ba8c032ec 100644 --- a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml +++ b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml @@ -16,7 +16,6 @@ metadata: ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. spec: - validationFailureAction: Audit background: true rules: - name: validate-v1-25-removals @@ -35,6 +34,7 @@ spec: - name: "allowed-api-versions" expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']" validate: + failureAction: Audit cel: expressions: - expression: "false" 
@@ -53,6 +53,7 @@ spec: - name: "allowed-api-versions" expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']" validate: + failureAction: Audit cel: expressions: - expression: "false" @@ -69,6 +70,7 @@ spec: - name: "allowed-api-versions" expression: "object.apiVersion in ['storage.k8s.io/v1beta1']" validate: + failureAction: Audit cel: expressions: - expression: "false" @@ -86,6 +88,7 @@ spec: - name: "object.apiVersion" expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']" validate: + failureAction: Audit cel: expressions: - expression: "false" diff --git a/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml index b243dd332..45b8b5509 100644 --- a/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml +++ b/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml @@ -17,7 +17,6 @@ metadata: to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts. spec: - validationFailureAction: Audit background: true rules: - name: validate-socket-mounts @@ -30,6 +29,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: variables: - name: hasVolumes diff --git a/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml b/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml index ea58613dc..886788048 100644 --- a/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml +++ b/best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml @@ -19,7 +19,6 @@ metadata: due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. spec: - validationFailureAction: Audit background: true rules: - name: validate-namespace 
@@ -32,6 +31,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "namespaceObject.metadata.name != 'default'" @@ -49,6 +49,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "namespaceObject.metadata.name != 'default'" diff --git a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml index 62df5473d..83d7fba59 100644 --- a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml +++ b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml @@ -14,7 +14,6 @@ metadata: in order to be valid. This policy ensures that there is a hostname for each rule defined. spec: - validationFailureAction: Audit background: false rules: - name: disallow-empty-ingress-host @@ -27,6 +26,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml index a9f5c8338..9964b1881 100644 --- a/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml +++ b/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml @@ -16,7 +16,6 @@ metadata: Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. spec: - validationFailureAction: Audit background: true rules: - name: validate-helm-tiller @@ -29,6 +28,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "object.spec.containers.all(container, !container.image.contains('tiller'))" diff --git a/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml index 4c467efb7..de2c1a1cb 100644 --- a/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml 
+++ b/best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml @@ -15,7 +15,6 @@ metadata: a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. spec: - validationFailureAction: Audit background: true rules: - name: require-and-validate-image-tag @@ -28,6 +27,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "object.spec.containers.all(container, container.image.contains(':'))" diff --git a/best-practices-cel/require-drop-all/require-drop-all.yaml b/best-practices-cel/require-drop-all/require-drop-all.yaml index c46cf43e0..bfa59e567 100644 --- a/best-practices-cel/require-drop-all/require-drop-all.yaml +++ b/best-practices-cel/require-drop-all/require-drop-all.yaml @@ -16,7 +16,6 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: Audit background: true rules: - name: require-drop-all @@ -29,6 +28,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: variables: - name: allContainers diff --git a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml index 80e3c955f..3da5c5bce 100644 --- a/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml +++ b/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml @@ -17,7 +17,6 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: Audit background: true rules: - name: require-drop-cap-net-raw @@ -30,6 +29,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: variables: - name: mustDropCapabilities 
diff --git a/best-practices-cel/require-labels/require-labels.yaml b/best-practices-cel/require-labels/require-labels.yaml index 12a2062e6..a0324281a 100644 --- a/best-practices-cel/require-labels/require-labels.yaml +++ b/best-practices-cel/require-labels/require-labels.yaml @@ -15,7 +15,6 @@ metadata: all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. spec: - validationFailureAction: Audit background: true rules: - name: check-for-labels @@ -28,6 +27,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml b/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml index 35e0fca07..ffbb6da28 100644 --- a/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml +++ b/best-practices-cel/require-pod-requests-limits/require-pod-requests-limits.yaml @@ -17,7 +17,6 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: Audit background: true rules: - name: validate-resources @@ -30,6 +29,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/best-practices-cel/require-probes/require-probes.yaml b/best-practices-cel/require-probes/require-probes.yaml index cf14da6f9..b59dab77f 100644 --- a/best-practices-cel/require-probes/require-probes.yaml +++ b/best-practices-cel/require-probes/require-probes.yaml @@ -19,7 +19,6 @@ metadata: This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined. spec: - validationFailureAction: Audit background: true rules: - name: validate-probes 
@@ -32,6 +31,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml index fcb7473d5..79facb851 100644 --- a/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml +++ b/best-practices-cel/require-ro-rootfs/require-ro-rootfs.yaml @@ -16,7 +16,6 @@ metadata: host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. spec: - validationFailureAction: Audit background: true rules: - name: validate-readOnlyRootFilesystem @@ -29,6 +28,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: >- diff --git a/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml b/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml index 91db27a80..1e744df68 100644 --- a/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml +++ b/best-practices-cel/restrict-image-registries/restrict-image-registries.yaml @@ -16,7 +16,6 @@ metadata: policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries. spec: - validationFailureAction: Audit background: true rules: - name: validate-registries @@ -29,6 +28,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: variables: - name: allContainers diff --git a/best-practices-cel/restrict-node-port/restrict-node-port.yaml b/best-practices-cel/restrict-node-port/restrict-node-port.yaml index 9ea76c4b4..1b7252c28 100644 --- a/best-practices-cel/restrict-node-port/restrict-node-port.yaml +++ b/best-practices-cel/restrict-node-port/restrict-node-port.yaml 
@@ -16,7 +16,6 @@ metadata: with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. spec: - validationFailureAction: Audit background: true rules: - name: validate-nodeport @@ -29,6 +28,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "has(object.spec.type) ? (object.spec.type != 'NodePort') : true" diff --git a/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml index 4d75de9da..8d6d56510 100644 --- a/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml +++ b/best-practices-cel/restrict-service-external-ips/restrict-service-external-ips.yaml @@ -15,7 +15,6 @@ metadata: See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. spec: - validationFailureAction: Audit background: true rules: - name: check-ips @@ -28,6 +27,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit cel: expressions: - expression: "!has(object.spec.externalIPs)" diff --git a/best-practices/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices/check-deprecated-apis/check-deprecated-apis.yaml index 7394f06de..f85a6ea55 100644 --- a/best-practices/check-deprecated-apis/check-deprecated-apis.yaml +++ b/best-practices/check-deprecated-apis/check-deprecated-apis.yaml @@ -21,7 +21,6 @@ metadata: so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly. spec: - validationFailureAction: Audit background: true rules: - name: validate-v1-25-removals 
@@ -50,6 +49,7 @@ spec: - policy/v1beta1 - node.k8s.io/v1beta1 validate: + failureAction: Audit message: >- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ @@ -73,6 +73,7 @@ spec: - flowcontrol.apiserver.k8s.io/v1beta1 - autoscaling/v2beta2 validate: + failureAction: Audit message: >- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ @@ -93,6 +94,7 @@ spec: value: - storage.k8s.io/v1beta1 validate: + failureAction: Audit message: >- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ @@ -114,6 +116,7 @@ spec: value: - flowcontrol.apiserver.k8s.io/v1beta2 validate: + failureAction: Audit message: >- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/ diff --git a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml index b23b555e0..345aad7ce 100644 --- a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml +++ b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml @@ -16,7 +16,6 @@ metadata: to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts. spec: - validationFailureAction: Audit background: true rules: - name: validate-docker-sock-mount @@ -26,6 +25,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Use of the Docker Unix socket is not allowed." pattern: spec: 
@@ -39,6 +39,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Use of the Containerd Unix socket is not allowed." pattern: spec: @@ -52,6 +53,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Use of the CRI-O Unix socket is not allowed." pattern: spec: @@ -65,6 +67,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Use of the Docker CRI socket is not allowed." pattern: spec: diff --git a/best-practices/disallow-default-namespace/disallow-default-namespace.yaml b/best-practices/disallow-default-namespace/disallow-default-namespace.yaml index 10aa9a6d5..5c14f214c 100644 --- a/best-practices/disallow-default-namespace/disallow-default-namespace.yaml +++ b/best-practices/disallow-default-namespace/disallow-default-namespace.yaml @@ -18,7 +18,6 @@ metadata: due to Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level. spec: - validationFailureAction: Audit background: true rules: - name: validate-namespace @@ -28,6 +27,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Using 'default' namespace is not allowed." pattern: metadata: @@ -42,6 +42,7 @@ spec: - Job - StatefulSet validate: + failureAction: Audit message: "Using 'default' namespace is not allowed for pod controllers." pattern: metadata: diff --git a/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml index daf459b8c..520bd5197 100644 --- a/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml +++ b/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml @@ -13,7 +13,6 @@ metadata: in order to be valid. This policy ensures that there is a hostname for each rule defined. spec: - validationFailureAction: Audit background: false rules: - name: disallow-empty-ingress-host 
@@ -23,6 +22,7 @@ spec: kinds: - Ingress validate: + failureAction: Audit message: "The Ingress host name must be defined, not empty." deny: conditions: diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml index 1ab0c4f4b..be89996e9 100644 --- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml +++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml @@ -15,7 +15,6 @@ metadata: Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`. spec: - validationFailureAction: Audit background: true rules: - name: validate-helm-tiller @@ -25,6 +24,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Helm Tiller is not allowed" foreach: - list: "request.object.spec.containers" diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml index 2f64e7a3c..311972220 100644 --- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml +++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml @@ -14,7 +14,6 @@ metadata: a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`. spec: - validationFailureAction: Audit background: true rules: - name: require-image-tag @@ -24,6 +23,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "An image tag is required." foreach: - list: "request.object.spec.containers" @@ -42,6 +42,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Using a mutable image tag e.g. 'latest' is not allowed." foreach: - list: "request.object.spec.containers" diff --git a/best-practices/require-drop-all/require-drop-all.yaml b/best-practices/require-drop-all/require-drop-all.yaml index 1a8750ee5..52c87e333 100644 --- a/best-practices/require-drop-all/require-drop-all.yaml 
+++ b/best-practices/require-drop-all/require-drop-all.yaml @@ -15,7 +15,6 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: Audit background: true rules: - name: require-drop-all @@ -30,6 +29,7 @@ spec: operator: NotEquals value: DELETE validate: + failureAction: Audit message: >- Containers must drop `ALL` capabilities. foreach: diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml index c6615b546..de4c42c3b 100644 --- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml +++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml @@ -16,7 +16,6 @@ metadata: ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards. spec: - validationFailureAction: Audit background: true rules: - name: require-drop-cap-net-raw @@ -31,6 +30,7 @@ spec: operator: NotEquals value: DELETE validate: + failureAction: Audit message: >- Containers must drop the `CAP_NET_RAW` capability. foreach: diff --git a/best-practices/require-labels/require-labels.yaml b/best-practices/require-labels/require-labels.yaml index 11b03c038..31f673f93 100644 --- a/best-practices/require-labels/require-labels.yaml +++ b/best-practices/require-labels/require-labels.yaml @@ -14,7 +14,6 @@ metadata: all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value. spec: - validationFailureAction: Audit background: true rules: - name: check-for-labels @@ -24,6 +23,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "The label `app.kubernetes.io/name` is required." pattern: metadata: 
diff --git a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml index b36c4b8de..31153b1c3 100644 --- a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml +++ b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml @@ -16,7 +16,6 @@ metadata: This policy validates that all containers have something specified for memory and CPU requests and memory limits. spec: - validationFailureAction: Audit background: true rules: - name: validate-resources @@ -26,6 +25,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "CPU and memory resource requests and memory limits are required for containers." pattern: spec: diff --git a/best-practices/require-probes/require-probes.yaml b/best-practices/require-probes/require-probes.yaml index b79b64003..ae9eb02cc 100644 --- a/best-practices/require-probes/require-probes.yaml +++ b/best-practices/require-probes/require-probes.yaml @@ -17,7 +17,6 @@ metadata: This policy validates that all containers have one of livenessProbe, readinessProbe, or startupProbe defined. spec: - validationFailureAction: Audit background: true rules: - name: validate-probes @@ -34,6 +33,7 @@ spec: - CREATE - UPDATE validate: + failureAction: Audit message: "Liveness, readiness, or startup probes are required for all containers." foreach: - list: request.object.spec.containers[] diff --git a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml index 099ee450f..a3593a463 100644 --- a/best-practices/require-ro-rootfs/require-ro-rootfs.yaml +++ b/best-practices/require-ro-rootfs/require-ro-rootfs.yaml @@ -15,7 +15,6 @@ metadata: host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`. spec: - validationFailureAction: Audit background: true rules: - name: validate-readOnlyRootFilesystem 
@@ -25,6 +24,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Root filesystem must be read-only." pattern: spec: diff --git a/best-practices/restrict-image-registries/restrict-image-registries.yaml b/best-practices/restrict-image-registries/restrict-image-registries.yaml index db32beb68..855ca0257 100644 --- a/best-practices/restrict-image-registries/restrict-image-registries.yaml +++ b/best-practices/restrict-image-registries/restrict-image-registries.yaml @@ -16,7 +16,6 @@ metadata: policy validates that container images only originate from the registry `eu.foo.io` or `bar.io`. Use of this policy requires customization to define your allowable registries. spec: - validationFailureAction: Audit background: true rules: - name: validate-registries @@ -26,6 +25,7 @@ spec: kinds: - Pod validate: + failureAction: Audit message: "Unknown image registry." pattern: spec: diff --git a/best-practices/restrict-node-port/restrict-node-port.yaml b/best-practices/restrict-node-port/restrict-node-port.yaml index 7fad2977b..350f3eb4a 100644 --- a/best-practices/restrict-node-port/restrict-node-port.yaml +++ b/best-practices/restrict-node-port/restrict-node-port.yaml @@ -15,7 +15,6 @@ metadata: with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. spec: - validationFailureAction: Audit background: true rules: - name: validate-nodeport @@ -25,6 +24,7 @@ spec: kinds: - Service validate: + failureAction: Audit message: "Services of type NodePort are not allowed." pattern: spec: diff --git a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml index 78fd6bd89..35ee93840 100644 --- a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml +++ b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml 
@@ -14,7 +14,6 @@ metadata: See: https://github.com/kyverno/kyverno/issues/1367. This policy validates that the `externalIPs` field is not set on a Service. spec: - validationFailureAction: Audit background: true rules: - name: check-ips @@ -24,6 +23,7 @@ spec: kinds: - Service validate: + failureAction: Audit message: "externalIPs are not allowed." pattern: spec:
