UNCLASSIFIED - NO CUI


batCAVE: First set of best practice policies arranged for use with the batCAVE

Benjamin Garman requested to merge batcave-best-practice-policies-1a into batcave

This version of the policies brings in all the unit tests from Kyverno Policies release 1.7 for the pod-security and best-practices folders. It adds to README.md and testing.md, separating the instructions for Helm unit testing and Kyverno CLI unit testing, and supplies full instructions and samples for testing using the Kyverno CLI. Those instructions also serve as the base for incorporating policies into a pipeline using the Kyverno CLI. We also compared all of the best-practice and pod-security policies that Kyverno Policies release 1.7 had to the Big Bang ones, and added templates for the ones we thought might be missing. For all newly added policies, we tried to organize them in subfolders within the chart templates folder, to keep things more organized (we will probably group the existing templates similarly in future merge requests). We added entries to the chart values.yaml and the tests/test-values.yaml for any added templates. All added templates were added with audit-only defaults (which we will probably change in future merge requests, since some will want or should be enforced). We also added a .gitignore file, and allow for ignoring an optional output folder and a tests/test-values-custom.yaml, in order to help facilitate future testing.

Once this merge request is approved and merged into the batcave branch (and batCAVE is also updated from main), we will add the following release tag to the batcave: "1.0.1-bb.1-batcave.1". We will then look at submitting a merge request to Big Bang under "1.0.1-bb.1" as well.

The following are the policies that were added:
disallow-cri-sock-mount.yaml
disallow-default-namespace.yaml
disallow-empty-ingress-host.yaml
disallow-helm-tiller.yaml
disallow-host-path.yaml
disallow-host-process.yaml

We also corrected typos in the following policies: disallow-privileged-containers.yaml

Edited by Benjamin Garman
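As an added illustration (not a file from this merge request or from the Big Bang chart), here is what the "audit only" default described above looks like for one of the listed policies, disallow-host-path, together with the single field that switches it to enforcement, and a Kyverno CLI test expecting a Pod with a hostPath volume to fail. The rule pattern, field names and the kyverno-test.yaml layout follow Kyverno 1.7 conventions and are assumptions, not the chart's actual template.

```yaml
# --- file: disallow-host-path.yaml (illustrative, not the chart template) ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
spec:
  # audit: violations only appear in PolicyReports, the Pod is still admitted.
  # enforce: the admission request is rejected. Change this one line to enforce.
  validationFailureAction: audit
  background: true
  rules:
    - name: host-path
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "HostPath volumes are forbidden. spec.volumes[*].hostPath must be unset."
        pattern:
          spec:
            # =(volumes) means "if volumes is present"; X(hostPath): "null" means
            # the hostPath key must be absent from every entry.
            =(volumes):
              - X(hostPath): "null"

# --- file: kyverno-test.yaml (illustrative CLI test definition) ---
# Run with: kyverno test .   (expects resource.yaml to contain a Pod named
# hostpath-pod that mounts a hostPath volume; constructed sample, not on the page)
name: disallow-host-path
policies:
  - disallow-host-path.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-host-path
    rule: host-path
    resource: hostpath-pod
    kind: Pod
    result: fail
```

In audit mode the test still reports `fail` for the resource, because the CLI evaluates the rule regardless of validationFailureAction; only the cluster admission behaviour differs.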
