Collection of security and best-practice policies for Kyverno, packaged as a Helm chart.
Upstream References
Learn More
- Kubernetes Cluster deployed
- Kubernetes config installed in
- Helm installed
Install Helm
- Clone down the repository
- cd into directory
```shell
helm install kyverno-policies chart/
```
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| enabled | bool | `true` | Enable policy deployments |
| validationFailureAction | string | `""` | Override all policies' validation failure action with "Audit" or "Enforce". If blank, uses the policy setting. |
| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail'). For more info: |
| background | bool | `true` | Policies background mode |
| kyvernoVersion | string | `"autodetect"` | Kyverno version. The default of "autodetect" will try to determine the currently installed version from the deployment. |
| webhookTimeoutSeconds | int | `30` | Override all policies' time to wait for the admission webhook to respond. If blank, uses the policy setting or the default (10). Range is 1 to 30. |
| exclude | object | `{"any":[{"resources":{"namespaces":["kube-system"]}}]}` | Adds an exclusion to all policies. This is merged with any policy-specific excludes. See for fields. |
| excludeContainers | list | `[]` | Adds an excludeContainers to all policies. This is merged with any policy-specific excludeContainers. |
| autogenControllers | string | `"none"` | Customize the target Pod controllers for the auto-generated rules (e.g. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`). For more info |
| customLabels | object | `{}` | Additional labels to apply to all policies. |
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the policyPreconditions map. |
| waitforready.enabled | bool | `false` | Controls the wait-for-ready deployment |
| waitforready.image | object | `{"repository":"","tag":"v1.29.4"}` | Image to use in the wait-for-ready job. This must contain kubectl. |
| waitforready.imagePullSecrets | list | `[]` | Pull secret for the wait-for-ready job |
| policies.sample | object | `{"enabled":false,"exclude":{},"match":{},"parameters":{"excludeContainers":[]},"validationFailureAction":"Audit","webhookTimeoutSeconds":""}` | Sample policy showing values that can be added to any policy |
| policies.sample.enabled | bool | `false` | Controls policy deployment |
| policies.sample.validationFailureAction | string | `"Audit"` | Controls if a validation policy rule failure should disallow (Enforce) or allow (Audit) the admission |
| policies.sample.webhookTimeoutSeconds | string | `""` | Specifies the maximum time in seconds allowed to apply this policy. Default is 10. Range is 1 to 30. |
| policies.sample.match | object | `{}` | Defines when this policy's rules should be applied. This completely overrides any default matches. |
| policies.sample.exclude | object | `{}` | Defines when this policy's rules should not be applied. This completely overrides any default excludes. |
| policies.sample.parameters | object | `{"excludeContainers":[]}` | Policy-specific parameters that are added to the configMap for the policy rules |
| policies.sample.parameters.excludeContainers | list | `[]` | Adds a container exclusion (by name) to a specific policy. This is merged with any global excludeContainers. |
| policies.clone-configs | object | `{"enabled":false,"parameters":{"clone":[]}}` | Clone an existing configMap or secret into new Namespaces |
| policies.clone-configs.parameters.clone | list | `[]` | ConfigMaps or Secrets that should be cloned. Each item requires the kind, name, and namespace of the resource to clone. |
| policies.disallow-annotations | object | `{"enabled":false,"parameters":{"disallow":[]},"validationFailureAction":"Audit"}` | Prevent specified annotations on pods |
| policies.disallow-annotations.parameters.disallow | list | `[]` | List of annotations disallowed on pods. Entries can be just a "key", or a quoted "key: value". Wildcards '*' and '?' are supported. |
| policies.disallow-deprecated-apis | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Prevent resources that use deprecated or removed APIs (through Kubernetes 1.26) |
| policies.disallow-host-namespaces | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Prevent use of the host namespaces (PID, IPC, Network) by pods |
| policies.disallow-image-tags | object | `{"enabled":false,"parameters":{"disallow":["latest"]},"validationFailureAction":"Audit"}` | Prevent container images with specified tags. Also requires images to have a tag. |
| policies.disallow-istio-injection-bypass | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Prevent the false label on pods. |
| policies.disallow-labels | object | `{"enabled":false,"parameters":{"disallow":[]},"validationFailureAction":"Audit"}` | Prevent specified labels on pods |
| policies.disallow-labels.parameters.disallow | list | `[]` | List of labels disallowed on pods. Entries can be just a "key", or a quoted "key: value". Wildcards '*' and '?' are supported. |
| policies.disallow-namespaces | object | `{"enabled":false,"parameters":{"disallow":["default"]},"validationFailureAction":"Audit"}` | Prevent pods from using the listed namespaces |
| policies.disallow-namespaces.parameters.disallow | list | `["default"]` | List of namespaces in which pod deployment is denied |
| policies.disallow-nodeport-services | object | `{"enabled":true,"validationFailureAction":"Audit"}` | Prevent services of type NodePort |
| policies.disallow-pod-exec | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Prevent the use of exec or attach on pods |
| policies.disallow-privilege-escalation | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Prevent privilege escalation on pods |
| policies.disallow-auto-mount-service-account-token | object | `{"enabled":true,"validationFailureAction":"Audit"}` | Prevent automounting of Kubernetes API credentials on Pods and Service Accounts |
| policies.disallow-privileged-containers | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Prevent containers that run as privileged |
| policies.disallow-selinux-options | object | `{"enabled":true,"parameters":{"disallow":["user","role"]},"validationFailureAction":"Enforce"}` | Prevent specified SELinux options from being used on pods. |
| policies.disallow-selinux-options.parameters.disallow | list | `["user","role"]` | List of SELinux options that are not allowed. Valid values include `level`, `role`, `type`, and `user`. Defaults pulled from |
| policies.disallow-tolerations | object | `{"enabled":false,"parameters":{"disallow":[{"key":""}]},"validationFailureAction":"Audit"}` | Prevent tolerations that bypass specified taints |
| policies.disallow-tolerations.parameters.disallow | list | `[{"key":""}]` | List of taints to protect from toleration. Each entry can have `key`, `value`, and/or `effect`. Wildcards '*' and '?' can be used. If key, value, or effect are not defined, they are ignored in the policy rule. |
| policies.disallow-rbac-on-default-serviceaccounts | object | `{"enabled":false,"exclude":{"any":[{"resources":{"name":"system:service-account-issuer-discovery"}}]},"validationFailureAction":"Audit"}` | Prevent additional RBAC permissions on default service accounts |
| policies.require-annotations | object | `{"enabled":false,"parameters":{"require":[]},"validationFailureAction":"Audit"}` | Require specified annotations on all pods |
| policies.require-annotations.parameters.require | list | `[]` | List of annotations required on all pods. Entries can be just a "key", or a quoted "key: value". Wildcards '*' and '?' are supported. |
| policies.require-cpu-limit | object | `{"enabled":false,"parameters":{"require":["<10"]},"validationFailureAction":"Audit"}` | Require containers to have CPU limits defined and within the specified range |
| policies.require-cpu-limit.parameters.require | list | `["<10"]` | CPU limitations (only one required condition needs to be met). The following operators are valid: `>`, `<`, `>=`, `<=`, `!` |
| policies.require-drop-all-capabilities | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Requires containers to drop all Linux capabilities |
| policies.require-image-signature | object | `{"enabled":true,"parameters":{"require":[{"attestors":[{"count":1,"entries":[{"keys":{"ctlog":{"ignoreSCT":true},"publicKeys":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL\nUfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==\n-----END PUBLIC KEY-----","rekor":{"ignoreTlog":true,"url":""}}}]}],"imageReferences":["*"],"mutateDigest":false,"verifyDigest":false}]},"validationFailureAction":"Enforce"}` | Require specified images to be signed and verified |
| policies.require-image-signature.parameters.require | list | `[{"attestors":[{"count":1,"entries":[{"keys":{"ctlog":{"ignoreSCT":true},"publicKeys":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL\nUfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==\n-----END PUBLIC KEY-----","rekor":{"ignoreTlog":true,"url":""}}}]}],"imageReferences":["*"],"mutateDigest":false,"verifyDigest":false}]` | List of images that must be signed and the public key to verify them with. Use `kubectl explain clusterpolicy.spec.rules.verifyImages` for fields. |
| policies.require-istio-on-namespaces | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Require the Istio sidecar injection label on namespaces |
| policies.require-labels | object | `{"enabled":false,"parameters":{"require":["","",""]},"validationFailureAction":"Audit"}` | Require specified labels to be on all pods |
| policies.require-labels.parameters.require | list | `["","",""]` | List of labels required on all pods. Entries can be just a "key", or a quoted "key: value". Wildcards '*' and '?' are supported. See |
| policies.require-memory-limit | object | `{"enabled":false,"parameters":{"require":["<64Gi"]},"validationFailureAction":"Audit"}` | Require containers to have memory limits defined and within the specified range |
| policies.require-memory-limit.parameters.require | list | `["<64Gi"]` | Memory limitations (only one required condition needs to be met). Can use standard Kubernetes resource units (e.g. Mi, Gi). The following operators are valid: `>`, `<`, `>=`, `<=`, `!` |
| policies.require-non-root-group | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Require containers to run with a non-root group |
| policies.require-non-root-user | object | `{"enabled":true,"validationFailureAction":"Enforce"}` | Require containers to run as a non-root user |
| policies.require-probes | object | `{"enabled":false,"parameters":{"require":["readinessProbe","livenessProbe"]},"validationFailureAction":"Audit"}` | Require specified probes on pods |
| policies.require-probes.parameters.require | list | `["readinessProbe","livenessProbe"]` | List of probes that are required on pods. Valid values are `readinessProbe`, `livenessProbe`, and `startupProbe`. |
| policies.require-requests-equal-limits | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Require CPU and memory requests to equal limits for guaranteed quality of service |
| policies.require-ro-rootfs | object | `{"enabled":false,"validationFailureAction":"Audit"}` | Require containers to set the root filesystem to read-only |
| policies.restrict-apparmor | object | `{"enabled":true,"parameters":{"allow":["runtime/default","localhost/*"]},"validationFailureAction":"Enforce"}` | Restricts pods that use AppArmor to the specified profiles |
| policies.restrict-apparmor.parameters.allow | list | `["runtime/default","localhost/*"]` | List of allowed AppArmor profiles. Defaults pulled from |
| policies.restrict-external-ips | object | `{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Enforce"}` | Restrict services with External IPs to a specified list (CVE-2020-8554) |
| policies.restrict-external-ips.parameters.allow | list | `[]` | List of external IPs allowed in services. Must be an IP address. Use the wildcard `?*` to support subnets (e.g. `192.168.0.?*`). |
| policies.restrict-external-names | object | `{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Enforce"}` | Restrict services with External Names to a specified list (CVE-2020-8554) |
| policies.restrict-external-names.parameters.allow | list | `[]` | List of external names allowed in services. Must be a lowercase RFC-1123 hostname. |
| policies.restrict-capabilities | object | `{"enabled":true,"parameters":{"allow":["NET_BIND_SERVICE"]},"validationFailureAction":"Enforce"}` | Restrict Linux capabilities added to containers to the specified list |
| policies.restrict-capabilities.parameters.allow | list | `["NET_BIND_SERVICE"]` | List of capabilities that are allowed to be added. Defaults pulled from See for the list of capabilities. The `CAP_` prefix is removed in Kubernetes names. |
| policies.restrict-group-id | object | `{"enabled":false,"parameters":{"allow":[">=1000"]},"validationFailureAction":"Audit"}` | Restrict container group IDs to the specified ranges. NOTE: Using require-non-root-group will force runAsGroup to be defined. |
| policies.restrict-group-id.parameters.allow | list | `[">=1000"]` | Allowed group IDs / ranges. The following operators are valid: `>`, `<`, `>=`, `<=`, `!` |
| policies.restrict-host-path-mount | object | `{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Audit"}` | Restrict the paths that can be mounted by hostPath volumes to the allowed list. HostPath volumes are normally disallowed. If exceptions are made, the path(s) should be restricted. |
| policies.restrict-host-path-mount.parameters.allow | list | `[]` | List of allowed paths for hostPath volumes to mount |
| policies.restrict-host-path-mount-pv.enabled | bool | `true` | |
| policies.restrict-host-path-mount-pv.validationFailureAction | string | `"Audit"` | |
| policies.restrict-host-path-mount-pv.parameters.allow | list | `[]` | List of allowed paths for hostPath volumes to mount |
| policies.restrict-host-path-write | object | `{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Audit"}` | Restrict the paths that can be mounted as read/write by hostPath volumes to the allowed list. HostPath volumes, if allowed, should normally be mounted read-only. If exceptions are made, the path(s) should be restricted. |
| policies.restrict-host-path-write.parameters.allow | list | `[]` | List of allowed paths for hostPath volumes to mount as read/write |
| policies.restrict-host-ports | object | `{"enabled":true,"parameters":{"allow":[]},"validationFailureAction":"Enforce"}` | Restrict host ports in containers to the specified list |
| policies.restrict-host-ports.parameters.allow | list | `[]` | List of allowed host ports |
| policies.restrict-image-registries | object | `{"enabled":true,"parameters":{"allow":[""]},"validationFailureAction":"Audit"}` | Restricts container images to registries in the specified list |
| policies.restrict-image-registries.parameters.allow | list | `[""]` | List of allowed registries that images may use |
| policies.restrict-proc-mount | object | `{"enabled":true,"parameters":{"allow":["Default"]},"validationFailureAction":"Enforce"}` | Restrict mounting /proc to the specified mask |
| policies.restrict-proc-mount.parameters.allow | list | `["Default"]` | List of allowed proc mount values. Valid values are `Default` and `Unmasked`. Defaults pulled from |
| policies.restrict-seccomp | object | `{"enabled":true,"parameters":{"allow":["RuntimeDefault","Localhost"]},"validationFailureAction":"Enforce"}` | Restrict seccomp profiles to the specified list |
| policies.restrict-seccomp.parameters.allow | list | `["RuntimeDefault","Localhost"]` | List of allowed seccomp profiles. Valid values are `Localhost`, `RuntimeDefault`, and `Unconfined`. Defaults pulled from |
| policies.restrict-selinux-type | object | `{"enabled":true,"parameters":{"allow":["container_t","container_init_t","container_kvm_t"]},"validationFailureAction":"Enforce"}` | Restrict SELinux types to the specified list. |
| policies.restrict-selinux-type.parameters.allow | list | `["container_t","container_init_t","container_kvm_t"]` | List of allowed values for the `type` field. Defaults pulled from |
| policies.restrict-sysctls | object | `{"enabled":true,"parameters":{"allow":["kernel.shm_rmid_forced","net.ipv4.ip_local_port_range","net.ipv4.ip_unprivileged_port_start","net.ipv4.tcp_syncookies","net.ipv4.ping_group_range","net.ipv4.ip_local_reserved_ports","net.ipv4.tcp_keepalive_time","net.ipv4.tcp_fin_timeout","net.ipv4.tcp_keepalive_intvl","net.ipv4.tcp_keepalive_probes"]},"validationFailureAction":"Enforce"}` | Restrict sysctls to the specified list |
| policies.restrict-sysctls.parameters.allow | list | `["kernel.shm_rmid_forced","net.ipv4.ip_local_port_range","net.ipv4.ip_unprivileged_port_start","net.ipv4.tcp_syncookies","net.ipv4.ping_group_range","net.ipv4.ip_local_reserved_ports","net.ipv4.tcp_keepalive_time","net.ipv4.tcp_fin_timeout","net.ipv4.tcp_keepalive_intvl","net.ipv4.tcp_keepalive_probes"]` | List of allowed sysctls. Defaults pulled from |
| policies.restrict-user-id | object | `{"enabled":false,"parameters":{"allow":[">=1000"]},"validationFailureAction":"Audit"}` | Restrict user IDs to the specified ranges. NOTE: Using require-non-root-user will force runAsUser to be defined. |
| policies.restrict-user-id.parameters.allow | list | `[">=1000"]` | Allowed user IDs / ranges. The following operators are valid: `>`, `<`, `>=`, `<=`, `!` |
| policies.restrict-volume-types | object | `{"enabled":true,"parameters":{"allow":["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"]},"validationFailureAction":"Enforce"}` | Restrict the volume types to the specified list |
| policies.restrict-volume-types.parameters.allow | list | `["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"]` | List of allowed volume types. Valid values are the volume types listed here: Defaults pulled from |
| policies.update-image-pull-policy | object | `{"enabled":false,"parameters":{"update":[{"to":"Always"}]}}` | Updates the image pull policy on containers |
| policies.update-image-pull-policy.parameters.update | list | `[{"to":"Always"}]` | List of image pull policy updates. `from` contains the pull policy value to replace. If `from` is blank, it matches everything. `to` contains the new pull policy to use. Must be one of `Always`, `Never`, or `IfNotPresent`. |
| policies.update-image-registry | object | `{"enabled":false,"parameters":{"update":[]}}` | Updates an existing image registry with a new registry in containers (e.g. a proxy) |
| policies.update-image-registry.parameters.update | list | `[]` | List of registry updates. `from` contains the registry to replace. `to` contains the new registry to use. |
| policies.update-automountserviceaccounttokens-default | object | `{"enabled":false}` | List of namespaces in which to explicitly disable mounting the service account token |
| policies.update-automountserviceaccounttokens | object | `{"enabled":false}` | List of pods on which to explicitly enable mounting the service account token |
| additionalPolicies | object | `{"samplePolicy":{"annotations":{"":"Examples","":"This sample policy blocks pods from deploying into the 'default' namespace.","":"low","":"Pod","":"Sample Policy"},"enabled":false,"kind":"ClusterPolicy","namespace":"","spec":{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}}}` | Adds custom policies. See |
| additionalPolicies.samplePolicy | object | `{"annotations":{"":"Examples","":"This sample policy blocks pods from deploying into the 'default' namespace.","":"low","":"Pod","":"Sample Policy"},"enabled":false,"kind":"ClusterPolicy","namespace":"","spec":{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}}` | Name of the policy. Additional policies can be added by adding a key. |
| additionalPolicies.samplePolicy.enabled | bool | `false` | Controls policy deployment |
| additionalPolicies.samplePolicy.kind | string | `"ClusterPolicy"` | Kind of policy. Currently, "ClusterPolicy" and "Policy" are supported. |
| additionalPolicies.samplePolicy.namespace | string | `""` | If kind is "Policy", which namespace to target. The namespace must already exist. |
| additionalPolicies.samplePolicy.annotations | object | `{"":"Examples","":"This sample policy blocks pods from deploying into the 'default' namespace.","":"low","":"Pod","":"Sample Policy"}` | Policy annotations to add |
| additionalPolicies.samplePolicy.annotations."" | string | `"Sample Policy"` | Human-readable name of the policy |
| additionalPolicies.samplePolicy.annotations."" | string | `"Examples"` | Category of the policy. Arbitrary. |
| additionalPolicies.samplePolicy.annotations."" | string | `"low"` | Severity of the policy if a violation occurs. Choose "critical", "high", "medium", "low". |
| additionalPolicies.samplePolicy.annotations."" | string | `"Pod"` | Type of resource the policy applies to (e.g. Pod, Service, Namespace) |
| additionalPolicies.samplePolicy.annotations."" | string | `"This sample policy blocks pods from deploying into the 'default' namespace."` | Description of what the policy does, why it is important, and what items are allowed or disallowed. |
| additionalPolicies.samplePolicy.spec | object | `{"rules":[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]}` | Policy specification. See `kubectl explain clusterpolicies.spec` |
| additionalPolicies.samplePolicy.spec.rules | list | `[{"match":{"any":[{"resources":{"kinds":["Pods"]}}]},"name":"sample-rule","validate":{"message":"Using 'default' namespace is not allowed.","pattern":{"metadata":{"namespace":"!default"}}}}]` | Policy rules. At least one is required. |
| istio | object | `{"enabled":false}` | BigBang Istio toggle and configuration |
| bbtests | object | `{"enabled":false,"imagePullSecret":"private-registry","scripts":{"additionalVolumeMounts":[{"mountPath":"/yaml","name":"kyverno-policies-bbtest-manifests"},{"mountPath":"/.kube/cache","name":"kyverno-policies-bbtest-kube-cache"}],"additionalVolumes":[{"configMap":{"name":"kyverno-policies-bbtest-manifests"},"name":"kyverno-policies-bbtest-manifests"},{"emptyDir":{},"name":"kyverno-policies-bbtest-kube-cache"}],"envs":{"ENABLED_POLICIES":"{{ $p := list }}{{ range $k, $v := .Values.policies }}{{ if $v.enabled }}{{ $p = append $p $k }}{{ end }}{{ end }}{{ join \" \" $p }}","IMAGE_PULL_SECRET":"{{ .Values.bbtests.imagePullSecret }}"},"image":""}}` | Reserved values for Big Bang test automation |
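The values override below is an added illustration, not a file shipped with the chart, showing how the global keys, the per-policy keys and `additionalPolicies` from the table above fit together in one file. The registry, namespace, host path, container name and label used in it are constructed placeholders, the public key is a placeholder that must be replaced with your own cosign public key, and the custom policy `requireTeamLabel` is a made-up example rather than a policy the chart provides. It is applied with `helm install kyverno-policies chart/ -f values-override.yaml`.

```yaml
# values-override.yaml (added example; placeholders are marked as such)

# --- Global settings: apply to every policy rendered by the chart ---
validationFailureAction: ""      # blank keeps each policy's own Audit/Enforce setting
webhookTimeoutSeconds: 15        # 1..30; the API server waits this long for Kyverno
failurePolicy: Fail              # fail closed if the webhook does not answer
exclude:                         # merged into every policy's exclude block
  any:
    - resources:
        namespaces:
          - kube-system
          - monitoring           # placeholder: an operator namespace to skip
excludeContainers:               # merged into every policy's excludeContainers
  - istio-init                   # placeholder: a container name to exempt everywhere
customLabels:
  owner: platform-team           # placeholder label stamped on all policies

# --- Per-policy settings: enable, choose Audit/Enforce, tune parameters ---
policies:
  # Roll out in Audit first, read the PolicyReports, then switch to Enforce.
  restrict-image-registries:
    enabled: true
    validationFailureAction: Audit
    parameters:
      allow:
        - registry.example.com   # placeholder: your private registry
  disallow-image-tags:
    enabled: true
    validationFailureAction: Enforce
    parameters:
      disallow:
        - latest
  restrict-host-path-mount:
    enabled: true
    validationFailureAction: Enforce
    parameters:
      allow:
        - /var/log               # placeholder: the one host path you tolerate
      excludeContainers:
        - log-shipper            # placeholder: policy-specific exemption, merged with global
  restrict-user-id:
    enabled: true
    validationFailureAction: Enforce
    parameters:
      allow:
        - ">=1000"               # only one listed condition has to match
  require-image-signature:
    enabled: true
    validationFailureAction: Enforce
    parameters:
      require:
        - imageReferences:
            - "registry.example.com/*"   # placeholder: scope verification to your registry
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE-WITH-YOUR-COSIGN-PUBLIC-KEY
                      -----END PUBLIC KEY-----
                    # The chart's defaults skip the transparency log and SCT checks;
                    # keep them only if your signing flow really does not use Rekor.
                    rekor:
                      ignoreTlog: true
                      url: ""
                    ctlog:
                      ignoreSCT: true
          mutateDigest: false
          verifyDigest: false

# --- Custom policy added through additionalPolicies ---
additionalPolicies:
  samplePolicy:
    enabled: false               # leave the chart's sample policy off
  requireTeamLabel:              # constructed name; any key becomes a policy
    enabled: true
    kind: Policy                 # namespaced Policy instead of ClusterPolicy
    namespace: payments          # placeholder; the namespace must already exist
    spec:
      validationFailureAction: Audit
      rules:
        - name: check-team-label
          match:
            any:
              - resources:
                  kinds:
                    - Pod
          validate:
            message: "Pods in this namespace must carry a non-empty team label."
            pattern:
              metadata:
                labels:
                  team: "?*"     # Kyverno pattern: at least one character
```

The global `exclude` and `excludeContainers` are merged into each policy, whereas a per-policy `match` or `exclude` replaces the chart's default entirely, so exemptions that should hold everywhere belong at the top level and narrow ones under `policies.<name>`.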
Please see the contributing guide if you are interested in contributing.