diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
index e2b85aea5..37c6850cd 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-deploy.yaml
@@ -19,3 +19,8 @@ spec:
 name: busybox
 - image: docker.io/tiller:latest
 name: helm-tiller
+ initContainers:
+ - image: busybox
+ name: busyboxinit
+ - image: docker.io/tiller:latest
+ name: helm-tillerinit
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
index 56caf1bbb..3c6000019 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-fail-first.yaml
@@ -8,3 +8,8 @@ spec:
 image: docker.io/tiller:latest
 - name: somebox
 image: busybox:1.35
+ initContainers:
+ - name: helm-tillerinit
+ image: docker.io/tiller:latest
+ - name: someboxinit
+ image: busybox:1.35
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
index ba3bc5292..9b09e550d 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod-success-first.yaml
@@ -7,4 +7,9 @@ spec:
 - name: somebox
 image: busybox:1.35
 - name: helm-tiller
- image: docker.io/tiller:latest
\ No newline at end of file
+ image: docker.io/tiller:latest
+ initContainers:
+ - name: someboxinit
+ image: busybox:1.35
+ - name: helm-tillerinit
+ image: docker.io/tiller:latest
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml
index 447689170..e35960061 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml
@@ -5,4 +5,7 @@ metadata:
 spec:
 containers:
 - name: helm-tiller
- image: docker.io/tiller:latest
\ No newline at end of file
+ image: docker.io/tiller:latest
+ initContainers:
+ - name: helm-tillerinit
+ image: docker.io/tiller:latest
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
index 915bbaf8c..687ebc84c 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-deploy.yaml
@@ -17,4 +17,8 @@ spec:
 containers:
 - image: busybox:v1.35
 name: busybox
- command: ["sleep", "3600"]
\ No newline at end of file
+ command: ["sleep", "3600"]
+ initContainers:
+ - image: busybox:v1.35
+ name: busyboxinit
+ command: ["sleep", "3600"]
diff --git a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
index 0743299d4..f0c0a6913 100644
--- a/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
+++ b/best-practices/disallow-helm-tiller/.chainsaw-test/good-pod.yaml
@@ -7,4 +7,9 @@ spec:
 - name: busybox
 image: busybox:v1.35
 - name: nothelmbox
- image: busybox:v1.35
\ No newline at end of file
+ image: busybox:v1.35
+ initContainers:
+ - name: busyboxinit
+ image: busybox:v1.35
+ - name: nothelmboxinit
+ image: busybox:v1.35
diff --git a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml
index c015402a8..08dcde836 100644
--- a/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml
+++ b/best-practices/disallow-helm-tiller/.kyverno-test/resource.yaml
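Review bot: After this change every passing fixture (good-deploy.yaml and good-pod.yaml here, the .kyverno-test/resource.yaml documents that follow, and the good-pod.yaml and .kyverno-test/resource.yaml for disallow-latest-tag later in the diff) carries an `initContainers` list, so the most common real-world shape — a Pod with only `containers` — is no longer exercised against the rewritten `foreach` rules, and no fixture anywhere in the diff sets `ephemeralContainers`. A regression in how the engine treats a `list` expression that resolves to nothing would therefore pass the suite unnoticed. I'd keep one passing fixture without `initContainers` (for example the pre-change good-pod.yaml as an additional resource) and add one denied fixture whose only offending image sits in an `ephemeralContainers` entry.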
@@ -6,6 +6,10 @@ spec:
 containers:
 - name: helm-tiller
 image: docker.io/tiller:latest
+ initContainers:
+ - name: helm-tillerinit
+ image: docker.io/tiller:latest
+
 ---
 apiVersion: v1
 kind: Pod
@@ -17,6 +21,11 @@ spec:
 image: busybox:1.28
 - name: helm-tiller
 image: docker.io/tiller:latest
+ initContainers:
+ - name: busyboxinit
+ image: busybox:1.28
+ - name: helm-tillerinit
+ image: docker.io/tiller:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -26,6 +35,9 @@ spec:
 containers:
 - name: busybox
 image: busybox
+ initContainers:
+ - name: busyboxinit
+ image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -37,6 +49,11 @@ spec:
 image: busybox
 - name: nginx
 image: nginx
+ initContainers:
+ - name: busyboxinit
+ image: busybox
+ - name: nginxinit
+ image: nginx
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -59,6 +76,10 @@ spec:
 - image: busybox:1.28
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox:1.28
+ name: busyboxinit
+ command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -80,3 +101,6 @@ spec:
 containers:
 - image: docker.io/tiller:latest
 name: helm-tiller
+ initContainers:
+ - image: docker.io/tiller:latest
+ name: helm-tillerinit
diff --git a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
index e34f3355c..1d47fd83a 100644
--- a/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
+++ b/best-practices/disallow-helm-tiller/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Sample"
 kyverno/subject: "Pod"
-digest: 6de64a4a8d611c250dc0190b28b6c757db531063161531e4f68202c0fbda5be4
+digest: 3d92f3a2949283ad6d9baa99565e407c5cd78d015e0220750de522ac40ce1de2
diff --git a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
index 61dd8c74d..ef1bb41fa 100644
--- a/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
+++ b/best-practices/disallow-helm-tiller/disallow-helm-tiller.yaml
@@ -11,7 +11,7 @@ metadata:
 policies.kyverno.io/description: >-
 Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as
- restricted users can impact other users. It is recommend to use Helm v3+ which does not contain
+ restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
 Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
 spec:
@@ -26,8 +26,13 @@ spec:
 - Pod
 validate:
 message: "Helm Tiller is not allowed"
- pattern:
- spec:
- containers:
- - name: "*"
- image: "!*tiller*"
+ foreach:
+ - list: "request.object.spec.containers"
+ pattern:
+ image: "!*tiller*"
+ - list: "request.object.spec.initContainers"
+ pattern:
+ image: "!*tiller*"
+ - list: "request.object.spec.ephemeralContainers"
+ pattern:
+ image: "!*tiller*"
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
index 2184f875b..44ba9c0fb 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-fail-first.yaml
@@ -7,4 +7,9 @@ spec:
 - name: busybox
 image: busybox:latest
 - name: nginx
- image: nginx:1.35
\ No newline at end of file
+ image: nginx:1.35
+ initContainers:
+ - name: busyboxinit
+ image: busybox:latest
+ - name: nginxinit
+ image: nginx:1.35
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
index 43e17164c..f565170f5 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
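Review bot: The third `foreach` entry iterates `request.object.spec.ephemeralContainers`, but ephemeral containers are normally added through the `pods/ephemeralcontainers` subresource rather than a Pod create or update, and the only matched kind visible in this hunk is `- Pod` (the `match` block starts above the hunk); unless `kinds` also covers that subresource — `- Pod/ephemeralcontainers` on engine versions that support subresource matching — the entry may never be evaluated on admission, so this is worth confirming. It is also worth confirming how the engine handles a `list` that resolves to nothing, since most Pods carry no `initContainers` or `ephemeralContainers` and none of the updated fixtures exercises that shape. Both points apply equally to the two rules rewritten in disallow-latest-tag.yaml further down the diff. A one-line comment above `foreach:` such as `# every container list is checked; ephemeral containers arrive via the pods/ephemeralcontainers subresource` would make the intent visible to the next maintainer.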
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-latest-success-first.yaml
@@ -7,4 +7,9 @@ spec:
 - name: nginx
 image: nginx:1.35
 - name: busybox
- image: busybox:latest
\ No newline at end of file
+ image: busybox:latest
+ initContainers:
+ - name: nginxinit
+ image: nginx:1.35
+ - name: busyboxinit
+ image: busybox:latest
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
index 7a599f75c..3418076ae 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/bad-pod-no-tag.yaml
@@ -8,6 +8,11 @@ spec:
 image: busybox
 - name: nginx
 image: nginx:1.35
+ initContainers:
+ - name: busyboxinit
+ image: busybox
+ - name: nginxinit
+ image: nginx:1.35
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +24,11 @@ spec:
 image: nginx:1.35
 - name: busybox
 image: busybox
+ initContainers:
+ - name: nginxinit
+ image: nginx:1.35
+ - name: busyboxinit
+ image: busybox
 ---
 apiVersion: v1
 kind: Pod
@@ -29,4 +39,9 @@ spec:
 - name: busybox
 image: busybox
 - name: nginx
- image: nginx:latest
\ No newline at end of file
+ image: nginx:latest
+ initContainers:
+ - name: busyboxinit
+ image: busybox
+ - name: nginxinit
+ image: nginx:latest
diff --git a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
index 679a87f5c..505688d3d 100644
--- a/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
+++ b/best-practices/disallow-latest-tag/.chainsaw-test/good-pod.yaml
@@ -5,4 +5,7 @@ metadata:
 spec:
 containers:
 - name: busybox
- image: busybox:v1.35
\ No newline at end of file
+ image: busybox:v1.35
+ initContainers:
+ - name: busyboxinit
+ image: busybox:v1.35
diff --git a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
index 873a0d251..03ed91c15 100644
--- a/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
+++ b/best-practices/disallow-latest-tag/.kyverno-test/resource.yaml
@@ -8,6 +8,9 @@ spec:
 containers:
 - name: nginx
 image: nginx:1.12
+ initContainers:
+ - name: nginxinit
+ image: nginx:1.12
 ---
 apiVersion: v1
 kind: Pod
@@ -19,6 +22,9 @@ spec:
 containers:
 - name: nginx
 image: nginx
+ initContainers:
+ - name: nginxinit
+ image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -32,6 +38,11 @@ spec:
 image: busybox:1.28
 - name: nginx
 image: nginx
+ initContainers:
+ - name: busyboxinit
+ image: busybox:1.28
+ - name: nginxinit
+ image: nginx
 ---
 apiVersion: v1
 kind: Pod
@@ -43,6 +54,9 @@ spec:
 containers:
 - name: nginx
 image: nginx:latest
+ initContainers:
+ - name: nginxinit
+ image: nginx:latest
 ---
 apiVersion: v1
 kind: Pod
@@ -56,6 +70,11 @@ spec:
 image: busybox:1.28
 - name: nginx
 image: nginx:latest
+ initContainers:
+ - name: busyboxinit
+ image: busybox:1.28
+ - name: nginxinit
+ image: nginx:latest
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -77,6 +96,10 @@ spec:
 - image: busybox:1.28
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox:1.28
+ name: busyboxinit
+ command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -98,6 +121,10 @@ spec:
 - image: busybox
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox
+ name: busyboxinit
+ command: ["sleep", "9999"]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -119,3 +146,7 @@ spec:
 - image: busybox:latest
 name: busybox
 command: ["sleep", "9999"]
+ initContainers:
+ - image: busybox:latest
+ name: busyboxinit
+ command: ["sleep", "9999"]
diff --git a/best-practices/disallow-latest-tag/artifacthub-pkg.yml b/best-practices/disallow-latest-tag/artifacthub-pkg.yml
index cfd7a6095..24d3bf026 100644
--- a/best-practices/disallow-latest-tag/artifacthub-pkg.yml
+++ b/best-practices/disallow-latest-tag/artifacthub-pkg.yml
@@ -1,6 +1,6 @@
 name: disallow-latest-tag
 version: 1.0.0
-displayName: Disallow Latest Tag
+displayName: Disallow Latest Tags
 createdAt: "2023-04-10T19:47:15.000Z"
 description: >-
 The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application Pod. This policy validates that the image specifies a tag and that it is not called `latest`.
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices"
 kyverno/subject: "Pod"
-digest: 3d19e0d8f2637eca9ad1d700f4fbf556aaa31221ff6c40698b9aadda1f41adb4
+digest: 2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a
diff --git a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
index c83cd565e..2f40ef15c 100644
--- a/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
+++ b/best-practices/disallow-latest-tag/disallow-latest-tag.yaml
@@ -25,10 +25,16 @@ spec:
 - Pod
 validate:
 message: "An image tag is required."
- pattern:
- spec:
- containers:
- - image: "*:*"
+ foreach:
+ - list: "request.object.spec.containers"
+ pattern:
+ image: "*:*"
+ - list: "request.object.spec.initContainers"
+ pattern:
+ image: "*:*"
+ - list: "request.object.spec.ephemeralContainers"
+ pattern:
+ image: "*:*"
 - name: validate-image-tag
 match:
 any:
@@ -37,7 +43,13 @@ spec:
 - Pod
 validate:
 message: "Using a mutable image tag e.g. 'latest' is not allowed."
- pattern:
- spec:
- containers:
- - image: "!*:latest"
\ No newline at end of file
+ foreach:
+ - list: "request.object.spec.containers"
+ pattern:
+ image: "!*:latest"
+ - list: "request.object.spec.initContainers"
+ pattern:
+ image: "!*:latest"
+ - list: "request.object.spec.ephemeralContainers"
+ pattern:
+ image: "!*:latest"
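Review bot: The `image: "*:*"` pattern reinstated in the first disallow-latest-tag.yaml hunk is satisfied by any colon in the reference, so a registry with a port and no tag (constructed example: `registry.example.com:5000/app`) or a digest-only reference (`app@sha256:…`) passes the "An image tag is required." rule untagged; the limitation is carried over from the old `pattern`, but the rewrite was the moment to tighten it, and a comment above the first `pattern:` such as `# any ':' satisfies this — a registry port or digest also passes` would at least stop readers assuming a tag is enforced. Both rules here share the concerns raised on disallow-helm-tiller.yaml: the `ephemeralContainers` entry only applies if the match (which starts above each hunk, with only `- Pod` visible) also covers the `pods/ephemeralcontainers` subresource, and no fixture exercises a Pod without `initContainers`. The rule list continues outside both hunks.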