Update default Kyverno policy settings to remove most audit policies
During beta testing, audit policies have shown a significant impact on clusters with large numbers of pods. CPU/memory spikes on the Kyverno pod and API requests significantly increase, which can cause denial-of-service for admission into the K8S cluster if hammered hard enough. Until we have a suitable workaround for this, the recommendation is to minimize the number of Kyverno policies in audit mode.
For this issue ...
- Leave the policies set to enforce alone
- Disable all policies in audit mode except:
  - require-non-root-user
  - require-non-root-group
The guidance going forward will be to audit policies that we are actively working on moving to enforce mode.
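As an added example (not code from this issue or from the Big Bang project), the script below reads the JSON that `kubectl get clusterpolicy -o json` prints, lists every ClusterPolicy currently in audit mode, and renders a Helm values override that disables all of them except the two kept above. The embedded JSON is a constructed sample, not cluster output; the `policies.<name>.enabled` values layout is an assumption about the kyverno-policies chart and should be checked against the chart you deploy. The script normalises two things a practitioner hits in the wild: Kyverno treats a missing `validationFailureAction` as audit, and newer releases spell the value `Audit`/`Enforce`.

```python
"""List Kyverno ClusterPolicies in audit mode and build a values override
that disables all of them except an allow-list.

Input is the JSON from `kubectl get clusterpolicy -o json`; the sample below
is constructed for this example, not real cluster output.
"""
import json

# Constructed sample: a trimmed-down `kubectl get clusterpolicy -o json`.
# Mixed casing mirrors older (audit) and newer (Audit) Kyverno releases;
# one policy omits the field to exercise Kyverno's default, which is audit.
SAMPLE_CLUSTERPOLICY_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "restrict-proc-mount"},
         "spec": {"background": True, "validationFailureAction": "enforce"}},
        {"metadata": {"name": "require-non-root-user"},
         "spec": {"background": True, "validationFailureAction": "audit"}},
        {"metadata": {"name": "require-non-root-group"},
         "spec": {"background": True, "validationFailureAction": "Audit"}},
        {"metadata": {"name": "require-cpu-limit"},
         "spec": {"background": True, "validationFailureAction": "audit"}},
        {"metadata": {"name": "disallow-deprecated-apis"},
         "spec": {"background": True}},
        {"metadata": {"name": "restrict-volume-types"},
         "spec": {"background": False, "validationFailureAction": "Enforce"}},
    ],
})

# The two policies the issue keeps in audit mode.
KEEP_IN_AUDIT = frozenset({"require-non-root-user", "require-non-root-group"})


def policy_action(policy: dict) -> str:
    """Return 'audit' or 'enforce' for one ClusterPolicy object.

    Kyverno defaults validationFailureAction to audit when it is unset, and
    newer releases capitalise the value, so normalise before comparing.
    """
    action = policy.get("spec", {}).get("validationFailureAction", "audit")
    return action.lower()


def audit_policies(clusterpolicy_json: str) -> list[str]:
    """Sorted names of every policy that is in audit mode."""
    items = json.loads(clusterpolicy_json).get("items", [])
    return sorted(p["metadata"]["name"] for p in items
                  if policy_action(p) == "audit")


def policies_to_disable(clusterpolicy_json: str,
                        keep: frozenset = KEEP_IN_AUDIT) -> list[str]:
    """Audit-mode policies that are not on the keep list."""
    return [n for n in audit_policies(clusterpolicy_json) if n not in keep]


def values_override(clusterpolicy_json: str,
                    keep: frozenset = KEEP_IN_AUDIT) -> str:
    """Render a Helm values fragment that disables the audit-only policies.

    Assumed (hypothetical) chart layout: policies.<name>.enabled; verify
    against the kyverno-policies chart you actually deploy.
    """
    lines = ["policies:"]
    for name in policies_to_disable(clusterpolicy_json, keep):
        lines.append(f"  {name}:")
        lines.append("    enabled: false")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Pipe real output in: kubectl get clusterpolicy -o json | python3 this.py
    data = SAMPLE_CLUSTERPOLICY_JSON if sys.stdin.isatty() else sys.stdin.read()
    print("audit-mode policies:", audit_policies(data))
    print(values_override(data), end="")
```

Run it against a live cluster with `kubectl get clusterpolicy -o json | python3 kyverno_audit.py`; the count of audit-mode names it prints is the number the issue is trying to drive down, and the rendered fragment is a starting point for the override rather than something to apply blindly, since the chart's own key names take precedence over the assumed layout.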
Activity
- Michael McLeroy added kindbug kyverno priority5 teamcore/security + 1 deleted label
- Michael McLeroy changed milestone to %1.34.0
- Michael McLeroy changed iteration to Big Bang Iterations May 3, 2022 - May 16, 2022
- Michael McLeroy set weight to 2
- Brett Charrier assigned to @brettcharrier
- Brett Charrier added statusdoing label
- Brett Charrier created branch 1172-update-default-kyverno-policy-settings-to-remove-most-audit-policies to address this issue
- Brett Charrier (Contributor) commented:

  kubectl get clusterpolicy originally resulted in:

  NAME                                       BACKGROUND   ACTION    READY
  restrict-proc-mount                        true         enforce   true
  restrict-apparmor                          true         enforce   true
  disallow-nodeport-services                 true         audit     true
  disallow-image-tags                        true         enforce   true
  require-istio-on-namespaces                true         audit     true
  restrict-image-registries                  true         enforce   true
  require-non-root-group                     true         audit     true
  disallow-tolerations                       true         audit     true
  disallow-shared-subpath-volume-writes      true         enforce   true
  require-memory-limit                       true         audit     true
  restrict-group-id                          true         audit     true
  disallow-selinux-options                   true         enforce   true
  restrict-volume-types                      false        enforce   true
  disallow-rbac-on-default-serviceaccounts   true         audit     true
  restrict-seccomp                           true         enforce   true
  require-ro-rootfs                          true         audit     true
  require-non-root-user                      true         audit     true
  require-cpu-limit                          true         audit     true
  restrict-host-ports                        true         enforce   true
  restrict-selinux-type                      true         enforce   true
  restrict-host-path-mount                   true         enforce   true
  disallow-namespaces                        true         enforce   true
  disallow-privileged-containers             true         enforce   true
  restrict-external-names                    true         enforce   true
  disallow-istio-injection-bypass            true         audit     true
  require-drop-all-capabilities              false        audit     true
  disallow-deprecated-apis                   true         audit     true
  restrict-capabilities                      true         audit     true
  disallow-privilege-escalation              true         enforce   true
  disallow-host-namespaces                   true         enforce   true
  restrict-external-ips                      true         enforce   true
  restrict-sysctls                           true         enforce   true
  restrict-host-path-write                   true         enforce   true

  kubectl get clusterpolicy now displays:

  NAME                                       BACKGROUND   ACTION    READY
  disallow-privilege-escalation              true         enforce   true
  disallow-image-tags                        true         enforce   true
  restrict-apparmor                          true         enforce   true
  restrict-seccomp                           true         enforce   true
  restrict-selinux-type                      true         enforce   true
  restrict-sysctls                           true         enforce   true
  restrict-proc-mount                        true         enforce   true
  require-non-root-user                      true         audit     true
  restrict-external-ips                      true         enforce   true
  disallow-shared-subpath-volume-writes      true         enforce   true
  disallow-selinux-options                   true         enforce   true
  restrict-host-ports                        true         enforce   true
  disallow-host-namespaces                   true         enforce   true
  restrict-host-path-write                   true         enforce   true
  disallow-namespaces                        true         enforce   true
  require-non-root-group                     true         audit     true
  restrict-volume-types                      false        enforce   true
  restrict-external-names                    true         enforce   true
  restrict-image-registries                  true         enforce   true
  restrict-host-path-mount                   true         enforce   true
  disallow-privileged-containers             true         enforce   true

- Brett Charrier created branch 1172-update-default-kyverno-policy-settings-to-remove-most-audit-policies-2 to address this issue
- Brett Charrier mentioned in merge request !1662 (closed)
- Brett Charrier removed statusdoing label
- Brett Charrier added statusreview label
- Brett Charrier created branch 1172-update-default-kyverno-policy-settings-to-remove-most-audit-policies-3 to address this issue
- Brett Charrier mentioned in merge request !1663 (merged)
- Brett Charrier created branch 1172-update-default-kyverno-policy-settings-to-remove-most-audit-policies-4 to address this issue
- Micah Nagel mentioned in issue #1171 (closed)
- Micah Nagel mentioned in merge request !1664 (merged)
- Micah Nagel closed with merge request !1664 (merged)
- Micah Nagel mentioned in commit 43e63f1a
- bigbang bot removed statusreview label