kyverno-policies values.yaml
enabledπ
Type: bool
true
Description: Enable policy deployments
validationFailureActionπ
Type: string
""
Description: Override all policies’ validation failure action with “Audit” or “Enforce”. If blank, uses policy setting.
failurePolicyπ
Type: string
"Fail"
Description: API server behavior if the webhook fails to respond (‘Ignore’, ‘Fail’). For more info, see https://kyverno.io/docs/writing-policies/policy-settings/
backgroundπ
Type: bool
true
Description: Policies background mode
kyvernoVersionπ
Type: string
"autodetect"
Description: Kyverno version. The default of “autodetect” will try to determine the currently installed version from the deployment.
webhookTimeoutSecondsπ
Type: int
30
Description: Override all policies’ time to wait for admission webhook to respond. If blank, uses policy setting or default (10). Range is 1 to 30.
excludeπ
Type: object
any:
- resources:
namespaces:
- kube-system
Description: Adds an exclusion to all policies. This is merged with any policy-specific excludes. See https://kyverno.io/docs/writing-policies/match-exclude for fields.
excludeContainersπ
Type: list
[]
Description: Adds an excludeContainers to all policies. This is merged with any policy-specific excludeContainers.
autogenControllersπ
Type: string
"Deployment,ReplicaSet,DaemonSet,StatefulSet"
Description: Customize the target Pod controllers for the auto-generated rules (e.g. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`). For more info, see https://kyverno.io/docs/writing-policies/autogen/.
customLabelsπ
Type: object
{}
Description: Additional labels to apply to all policies.
policyPreconditionsπ
Type: object
{}
Description: Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map.
waitforready.enabledπ
Type: bool
false
Description: Controls wait for ready deployment
waitforready.imageπ
Type: object
repository: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl
tag: v1.29.4
Description: Image to use in wait for ready job. This must contain kubectl.
waitforready.imagePullSecretsπ
Type: list
[]
Description: Pull secret for wait for ready job
policies.sampleπ
Type: object
enabled: false
exclude: {}
match: {}
parameters:
excludeContainers: []
validationFailureAction: Audit
webhookTimeoutSeconds: ''
Description: Sample policy showing values that can be added to any policy
policies.sample.enabledπ
Type: bool
false
Description: Controls policy deployment
policies.sample.validationFailureActionπ
Type: string
"Audit"
Description: Controls if a validation policy rule failure should disallow (Enforce) or allow (Audit) the admission
policies.sample.webhookTimeoutSecondsπ
Type: string
""
Description: Specifies the maximum time in seconds allowed to apply this policy. Default is 10. Range is 1 to 30.
policies.sample.matchπ
Type: object
{}
Description: Defines when this policy’s rules should be applied. This completely overrides any default matches.
policies.sample.excludeπ
Type: object
{}
Description: Defines when this policy’s rules should not be applied. This completely overrides any default excludes.
policies.sample.parametersπ
Type: object
excludeContainers: []
Description: Policy specific parameters that are added to the configMap for the policy rules
policies.sample.parameters.excludeContainersπ
Type: list
[]
Description: Adds a container exclusion (by name) to a specific policy. This is merged with any global excludeContainers.
policies.clone-configsπ
Type: object
enabled: false
parameters:
clone: []
Description: Clone existing configMap or secret in new Namespaces
policies.clone-configs.parameters.cloneπ
Type: list
[]
Description: ConfigMap or Secrets that should be cloned. Each item requires the kind, name, and namespace of the resource to clone.
policies.disallow-annotationsπ
Type: object
enabled: false
parameters:
disallow: []
validationFailureAction: Audit
Description: Prevent specified annotations on pods
policies.disallow-annotations.parameters.disallowπ
Type: list
[]
Description: List of annotations disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.
policies.disallow-deprecated-apisπ
Type: object
enabled: false
validationFailureAction: Audit
Description: Prevent resources that use deprecated or removed APIs (through Kubernetes 1.26)
policies.disallow-host-namespacesπ
Type: object
enabled: true
validationFailureAction: Enforce
Description: Prevent use of the host namespace (PID, IPC, Network) by pods
policies.disallow-image-tagsπ
Type: object
enabled: false
parameters:
disallow:
- latest
validationFailureAction: Audit
Description: Prevent container images with specified tags. Also, requires images to have a tag.
policies.disallow-istio-injection-bypassπ
Type: object
enabled: false
validationFailureAction: Audit
Description: Prevent the `sidecar.istio.io/inject: false` label on pods.
policies.disallow-labelsπ
Type: object
enabled: false
parameters:
disallow: []
validationFailureAction: Audit
Description: Prevent specified labels on pods
policies.disallow-labels.parameters.disallowπ
Type: list
[]
Description: List of labels disallowed on pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.
policies.disallow-namespacesπ
Type: object
enabled: false
parameters:
disallow:
- default
validationFailureAction: Audit
Description: Prevent pods from using the listed namespaces
policies.disallow-namespaces.parameters.disallowπ
Type: list
- default
Description: List of namespaces to deny pod deployment
policies.disallow-nodeport-servicesπ
Type: object
enabled: true
validationFailureAction: Audit
Description: Prevent services of the type NodePort
policies.disallow-pod-execπ
Type: object
enabled: false
validationFailureAction: Audit
Description: Prevent the use of `exec` or `attach` on pods.
policies.disallow-privilege-escalationπ
Type: object
enabled: true
validationFailureAction: Enforce
Description: Prevent privilege escalation on pods
policies.disallow-auto-mount-service-account-tokenπ
Type: object
enabled: true
validationFailureAction: Audit
Description: Prevent Automounting of Kubernetes API Credentials on Pods and Service Accounts
policies.disallow-privileged-containersπ
Type: object
enabled: true
validationFailureAction: Enforce
Description: Prevent containers that run as privileged
policies.disallow-selinux-optionsπ
Type: object
enabled: true
parameters:
disallow:
- user
- role
validationFailureAction: Enforce
Description: Prevent specified SELinux options from being used on pods.
policies.disallow-selinux-options.parameters.disallowπ
Type: list
- user
- role
Description: List of SELinux options that are not allowed. Valid values include `level`, `role`, `type`, and `user`. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.disallow-tolerationsπ
Type: object
enabled: false
parameters:
disallow:
- key: node-role.kubernetes.io/master
validationFailureAction: Audit
Description: Prevent tolerations that bypass specified taints
policies.disallow-tolerations.parameters.disallowπ
Type: list
- key: node-role.kubernetes.io/master
Description: List of taints to protect from toleration. Each entry can have `key`, `value`, and/or `effect`. Wildcards ‘*’ and ‘?’ can be used. If key, value, or effect are not defined, they are ignored in the policy rule.
policies.disallow-rbac-on-default-serviceaccountsπ
Type: object
enabled: false
exclude:
any:
- resources:
name: system:service-account-issuer-discovery
validationFailureAction: Audit
Description: Prevent additional RBAC permissions on default service accounts
policies.require-annotationsπ
Type: object
enabled: false
parameters:
require: []
validationFailureAction: Audit
Description: Require specified annotations on all pods
policies.require-annotations.parameters.requireπ
Type: list
[]
Description: List of annotations required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported.
policies.require-cpu-limitπ
Type: object
enabled: false
parameters:
require:
- <10
validationFailureAction: Audit
Description: Require containers have CPU limits defined and within the specified range
policies.require-drop-all-capabilitiesπ
Type: object
enabled: true
validationFailureAction: Enforce
Description: Requires containers to drop all Linux capabilities
policies.require-image-signatureπ
Type: object
enabled: true
parameters:
require:
- attestors:
- count: 1
entries:
- keys:
ctlog:
ignoreSCT: true
publicKeys: '-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----'
rekor:
ignoreTlog: true
url: ''
imageReferences:
- registry1.dso.mil/ironbank/*
mutateDigest: false
verifyDigest: false
validationFailureAction: Enforce
Description: Require specified images to be signed and verified
policies.require-image-signature.parameters.requireπ
Type: list
- attestors:
- count: 1
entries:
- keys:
ctlog:
ignoreSCT: true
publicKeys: '-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----'
rekor:
ignoreTlog: true
url: ''
imageReferences:
- registry1.dso.mil/ironbank/*
mutateDigest: false
verifyDigest: false
Description: List of images that must be signed and the public key to verify. Use `kubectl explain clusterpolicy.spec.rules.verifyImages` for fields. Note that the default entry sets `ignoreTlog: true` and `ignoreSCT: true`, so only the key signature is checked and transparency-log verification is skipped.
policies.require-istio-on-namespacesπ
Type: object
enabled: false
validationFailureAction: Audit
Description: Require Istio sidecar injection label on namespaces
policies.require-labelsπ
Type: object
enabled: false
parameters:
require:
- app.kubernetes.io/name
- app.kubernetes.io/instance
- app.kubernetes.io/version
validationFailureAction: Audit
Description: Require specified labels to be on all pods
policies.require-labels.parameters.requireπ
Type: list
- app.kubernetes.io/name
- app.kubernetes.io/instance
- app.kubernetes.io/version
Description: List of labels required on all pods. Entries can be just a “key”, or a quoted “key: value”. Wildcards ‘*’ and ‘?’ are supported. See https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels See https://helm.sh/docs/chart_best_practices/labels/#standard-labels
policies.require-memory-limitπ
Type: object
enabled: false
parameters:
require:
- <64Gi
validationFailureAction: Audit
Description: Require containers have memory limits defined and within the specified range
policies.require-non-root-groupπ
Type: object
enabled: true
validationFailureAction: Enforce
Description: Require containers to run with non-root group
policies.require-non-root-userπ
Type: object
enabled: true
validationFailureAction: Enforce
Description: Require containers to run as non-root user
policies.require-probesπ
Type: object
enabled: false
parameters:
require:
- readinessProbe
- livenessProbe
validationFailureAction: Audit
Description: Require specified probes on pods
policies.require-probes.parameters.requireπ
Type: list
- readinessProbe
- livenessProbe
Description: List of probes that are required on pods. Valid values are `readinessProbe`, `livenessProbe`, and `startupProbe`.
policies.require-requests-equal-limitsπ
Type: object
enabled: false
validationFailureAction: Audit
Description: Require CPU and memory requests equal limits for guaranteed quality of service
policies.require-ro-rootfsπ
Type: object
enabled: false
validationFailureAction: Audit
Description: Require containers set root filesystem to read-only
policies.restrict-apparmorπ
Type: object
enabled: true
parameters:
allow:
- runtime/default
- localhost/*
validationFailureAction: Enforce
Description: Restricts pods that use AppArmor to specified profiles
policies.restrict-apparmor.parameters.allowπ
Type: list
- runtime/default
- localhost/*
Description: List of allowed AppArmor profiles. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
policies.restrict-external-ipsπ
Type: object
enabled: true
parameters:
allow: []
validationFailureAction: Enforce
Description: Restrict services with External IPs to a specified list (CVE-2020-8554)
policies.restrict-external-ips.parameters.allowπ
Type: list
[]
Description: List of external IPs allowed in services. Must be an IP address. Use the wildcard `?*` to support subnets (e.g. `192.168.0.?*`).
policies.restrict-external-namesπ
Type: object
enabled: true
parameters:
allow: []
validationFailureAction: Enforce
Description: Restrict services with External Names to a specified list (CVE-2020-8554)
policies.restrict-external-names.parameters.allowπ
Type: list
[]
Description: List of external names allowed in services. Must be a lowercase RFC-1123 hostname.
policies.restrict-capabilitiesπ
Type: object
enabled: true
parameters:
allow:
- NET_BIND_SERVICE
validationFailureAction: Enforce
Description: Restrict Linux capabilities added to containers to the specified list
policies.restrict-capabilities.parameters.allowπ
Type: list
- NET_BIND_SERVICE
Description: List of capabilities that are allowed to be added. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted See https://man7.org/linux/man-pages/man7/capabilities.7.html for the list of capabilities. The `CAP_` prefix is removed in Kubernetes names.
policies.restrict-group-idπ
Type: object
enabled: false
parameters:
allow:
- '>=1000'
validationFailureAction: Audit
Description: Restrict container group IDs to specified ranges. NOTE: Using require-non-root-group will force runAsGroup to be defined.
policies.restrict-host-path-mountπ
Type: object
enabled: true
parameters:
allow: []
validationFailureAction: Audit
Description: Restrict the paths that can be mounted by hostPath volumes to the allowed list. HostPath volumes are normally disallowed. If exceptions are made, the path(s) should be restricted.
policies.restrict-host-path-mount.parameters.allowπ
Type: list
[]
Description: List of allowed paths for hostPath volumes to mount
policies.restrict-host-path-mount-pv.enabledπ
Type: bool
true
policies.restrict-host-path-mount-pv.validationFailureActionπ
Type: string
"Audit"
policies.restrict-host-path-mount-pv.parameters.allowπ
Type: list
[]
Description: List of allowed paths for hostPath volumes to mount
policies.restrict-host-path-writeπ
Type: object
enabled: true
parameters:
allow: []
validationFailureAction: Audit
Description: Restrict the paths that can be mounted as read/write by hostPath volumes to the allowed list. HostPath volumes, if allowed, should normally be mounted as read-only. If exceptions are made, the path(s) should be restricted.
policies.restrict-host-path-write.parameters.allowπ
Type: list
[]
Description: List of allowed paths for hostPath volumes to mount as read/write
policies.restrict-host-portsπ
Type: object
enabled: true
parameters:
allow: []
validationFailureAction: Enforce
Description: Restrict host ports in containers to the specified list
policies.restrict-host-ports.parameters.allowπ
Type: list
[]
Description: List of allowed host ports
policies.restrict-image-registriesπ
Type: object
enabled: true
parameters:
allow:
- registry1.dso.mil
validationFailureAction: Audit
Description: Restricts container images to registries in the specified list
policies.restrict-image-registries.parameters.allowπ
Type: list
- registry1.dso.mil
Description: List of allowed registries that images may use
policies.restrict-proc-mountπ
Type: object
enabled: true
parameters:
allow:
- Default
validationFailureAction: Enforce
Description: Restrict mounting /proc to the specified mask
policies.restrict-proc-mount.parameters.allowπ
Type: list
- Default
Description: List of allowed proc mount values. Valid values are `Default` and `Unmasked`. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.restrict-seccompπ
Type: object
enabled: true
parameters:
allow:
- RuntimeDefault
- Localhost
validationFailureAction: Enforce
Description: Restrict seccomp profiles to the specified list
policies.restrict-seccomp.parameters.allowπ
Type: list
- RuntimeDefault
- Localhost
Description: List of allowed seccomp profiles. Valid values are `Localhost`, `RuntimeDefault`, and `Unconfined`. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
policies.restrict-selinux-typeπ
Type: object
enabled: true
parameters:
allow:
- container_t
- container_init_t
- container_kvm_t
validationFailureAction: Enforce
Description: Restrict SELinux types to the specified list.
policies.restrict-selinux-type.parameters.allowπ
Type: list
- container_t
- container_init_t
- container_kvm_t
Description: List of allowed values for the `type` field. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.restrict-sysctlsπ
Type: object
enabled: true
parameters:
allow:
- kernel.shm_rmid_forced
- net.ipv4.ip_local_port_range
- net.ipv4.ip_unprivileged_port_start
- net.ipv4.tcp_syncookies
- net.ipv4.ping_group_range
- net.ipv4.ip_local_reserved_ports
- net.ipv4.tcp_keepalive_time
- net.ipv4.tcp_fin_timeout
- net.ipv4.tcp_keepalive_intvl
- net.ipv4.tcp_keepalive_probes
validationFailureAction: Enforce
Description: Restrict sysctls to the specified list
policies.restrict-sysctls.parameters.allowπ
Type: list
- kernel.shm_rmid_forced
- net.ipv4.ip_local_port_range
- net.ipv4.ip_unprivileged_port_start
- net.ipv4.tcp_syncookies
- net.ipv4.ping_group_range
- net.ipv4.ip_local_reserved_ports
- net.ipv4.tcp_keepalive_time
- net.ipv4.tcp_fin_timeout
- net.ipv4.tcp_keepalive_intvl
- net.ipv4.tcp_keepalive_probes
Description: List of allowed sysctls. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards
policies.restrict-user-idπ
Type: object
enabled: false
parameters:
allow:
- '>=1000'
validationFailureAction: Audit
Description: Restrict user IDs to the specified ranges. NOTE: Using require-non-root-user will force runAsUser to be defined.
policies.restrict-volume-typesπ
Type: object
enabled: true
parameters:
allow:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
validationFailureAction: Enforce
Description: Restrict the volume types to the specified list
policies.restrict-volume-types.parameters.allowπ
Type: list
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
Description: List of allowed Volume types. Valid values are the volume types listed here: https://kubernetes.io/docs/concepts/storage/volumes/#volume-types. Defaults pulled from https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
policies.update-image-pull-policyπ
Type: object
enabled: false
parameters:
update:
- to: Always
Description: Updates the image pull policy on containers
policies.update-image-pull-policy.parameters.updateπ
Type: list
- to: Always
Description: List of image pull policy updates. `from` contains the pull policy value to replace; if `from` is blank, it matches everything. `to` contains the new pull policy to use and must be one of `Always`, `Never`, or `IfNotPresent`.
policies.update-image-registryπ
Type: object
enabled: false
parameters:
update: []
Description: Updates an existing image registry with a new registry in containers (e.g. proxy)
policies.update-image-registry.parameters.updateπ
Type: list
[]
Description: List of registry updates. `from` contains the registry to replace. `to` contains the new registry to use.
policies.update-automountserviceaccounttokens-defaultπ
Type: object
enabled: false
Description: List of namespaces to explicitly disable mounting the serviceaccount token
policies.update-automountserviceaccounttokensπ
Type: object
enabled: false
Description: List pods to explicitly enable mounting the serviceaccount token
additionalPoliciesπ
Type: object
samplePolicy:
annotations:
policies.kyverno.io/category: Examples
policies.kyverno.io/description: This sample policy blocks pods from deploying
into the 'default' namespace.
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Sample Policy
enabled: false
kind: ClusterPolicy
namespace: ''
spec:
rules:
- match:
any:
- resources:
kinds:
- Pods
name: sample-rule
validate:
message: Using 'default' namespace is not allowed.
pattern:
metadata:
namespace: '!default'
Description: Adds custom policies. See https://kyverno.io/docs/writing-policies/.
additionalPolicies.samplePolicyπ
Type: object
annotations:
policies.kyverno.io/category: Examples
policies.kyverno.io/description: This sample policy blocks pods from deploying into
the 'default' namespace.
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Sample Policy
enabled: false
kind: ClusterPolicy
namespace: ''
spec:
rules:
- match:
any:
- resources:
kinds:
- Pods
name: sample-rule
validate:
message: Using 'default' namespace is not allowed.
pattern:
metadata:
namespace: '!default'
Description: Name of the policy. Additional policies can be added by adding a key.
additionalPolicies.samplePolicy.enabledπ
Type: bool
false
Description: Controls policy deployment
additionalPolicies.samplePolicy.kindπ
Type: string
"ClusterPolicy"
Description: Kind of policy. Currently, “ClusterPolicy” and “Policy” are supported.
additionalPolicies.samplePolicy.namespaceπ
Type: string
""
Description: If kind is “Policy”, which namespace to target. The namespace must already exist.
additionalPolicies.samplePolicy.annotationsπ
Type: object
policies.kyverno.io/category: Examples
policies.kyverno.io/description: This sample policy blocks pods from deploying into
the 'default' namespace.
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Pod
policies.kyverno.io/title: Sample Policy
Description: Policy annotations to add
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/title”π
Type: string
"Sample Policy"
Description: Human readable name of policy
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/category”π
Type: string
"Examples"
Description: Category of policy. Arbitrary.
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/severity”π
Type: string
"low"
Description: Severity of policy if a violation occurs. Choose “critical”, “high”, “medium”, “low”.
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/subject”π
Type: string
"Pod"
Description: Type of resource policy applies to (e.g. Pod, Service, Namespace)
additionalPolicies.samplePolicy.annotations.”policies.kyverno.io/description”π
Type: string
"This sample policy blocks pods from deploying into the 'default' namespace."
Description: Description of what the policy does, why it is important, and what items are allowed or unallowed.
additionalPolicies.samplePolicy.specπ
Type: object
rules:
- match:
any:
- resources:
kinds:
- Pods
name: sample-rule
validate:
message: Using 'default' namespace is not allowed.
pattern:
metadata:
namespace: '!default'
Description: Policy specification. See `kubectl explain clusterpolicies.spec`.
additionalPolicies.samplePolicy.spec.rulesπ
Type: list
- match:
any:
- resources:
kinds:
- Pods
name: sample-rule
validate:
message: Using 'default' namespace is not allowed.
pattern:
metadata:
namespace: '!default'
Description: Policy rules. At least one is required.
istioπ
Type: object
enabled: false
Description: BigBang Istio Toggle and Configuration
bbtestsπ
Type: object
enabled: false
imagePullSecret: private-registry
scripts:
additionalVolumeMounts:
- mountPath: /yaml
name: kyverno-policies-bbtest-manifests
- mountPath: /.kube/cache
name: kyverno-policies-bbtest-kube-cache
additionalVolumes:
- configMap:
name: kyverno-policies-bbtest-manifests
name: kyverno-policies-bbtest-manifests
- emptyDir: {}
name: kyverno-policies-bbtest-kube-cache
envs:
ENABLED_POLICIES: '{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if
$v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join " " $p }}'
IMAGE_PULL_SECRET: '{{ .Values.bbtests.imagePullSecret }}'
image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.4
Description: Reserved values for Big Bang test automation