
Added Policies, Kyverno CLI Unit Testing, and development and testing support

Benjamin Garman requested to merge batcave into main

This version of the policies brings in all the unit tests from Kyverno Policies release 1.7, for the pod-security and best-practices folders. It adds to README.md and testing.md, separating the instructions for Helm Unit Testing and Kyverno CLI Unit Testing, and supplies full instructions and samples for testing using the Kyverno CLI. Those instructions also serve as the base for incorporating policies into a pipeline using the Kyverno CLI. We also compared all of the best-practice and pod-security policies that Kyverno Policies release 1.7 had to the Big Bang ones, and added templates for the ones we thought might be missing. For all newly added policies, we tried to organize them in subfolders within the chart templates folder, to keep things more organized (we will probably group the existing templates similarly in future merge requests). We added entries to the chart values.yaml and the tests/test-values.yaml for any added templates. All added templates were added with audit-only defaults (which we will probably change in future merge requests, since some will want or should be enforced). We also added a .gitignore file, and allow for ignoring an optional output folder and a tests/test-values-custom.yaml, in order to help facilitate future testing.

The following are the policies that were added:

- disallow-cri-sock-mount.yaml
- disallow-default-namespace.yaml
- disallow-empty-ingress-host.yaml
- disallow-helm-tiller.yaml
- disallow-host-path.yaml
- disallow-host-process.yaml

We also corrected typos in the following policies: disallow-privileged-containers.yaml
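As an added illustration of the Kyverno CLI unit-test layout the description refers to (example content written for this page, not the files from this merge request or from Big Bang), here is a minimal audit-mode disallow-host-path policy, a constructed violating Pod, and the kyverno-test.yaml that ties them together. The three file names, the rule name host-path, and the image reference are assumptions.

```yaml
# --- disallow-host-path.yaml (example policy; audit mode matches the MR's audit-only defaults)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
spec:
  validationFailureAction: audit   # report violations in policy reports, do not block admission
  background: true
  rules:
    - name: host-path
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "HostPath volumes are forbidden. spec.volumes[*].hostPath must be unset."
        pattern:
          spec:
            # if volumes is present, no entry may carry a hostPath field
            =(volumes):
              - X(hostPath): "null"
---
# --- resource.yaml (constructed test input: a Pod that mounts a host directory)
apiVersion: v1
kind: Pod
metadata:
  name: badpod
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
  volumes:
    - name: host
      hostPath:
        path: /var/log
---
# --- kyverno-test.yaml (run with: kyverno test . from the directory holding these files)
name: disallow-host-path
policies:
  - disallow-host-path.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-host-path
    rule: host-path
    resource: badpod
    kind: Pod
    result: fail   # the test passes only if the CLI reports this Pod as a violation
```

Adding a compliant Pod to resource.yaml with a matching `result: pass` entry checks the other direction, so a pattern that is too broad fails the test as well. Because the same `kyverno test` invocation needs no cluster, it is the piece that can run as a pipeline stage.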
