Skip to content

Instantly share code, notes, and snippets.

@Vyom-Yadav
Created April 5, 2023 17:00
Show Gist options
  • Save Vyom-Yadav/9f2cd8be0d5d2053d8eb4f731df2d648 to your computer and use it in GitHub Desktop.
Save Vyom-Yadav/9f2cd8be0d5d2053d8eb4f731df2d648 to your computer and use it in GitHub Desktop.
Generic Policies Recommendation

Generic Policies For Enhancing Security Posture

  1. check-deprecated-apis
  2. disallow-container-sock-mounts
  3. disallow-empty-ingress-host
  4. disallow-latest-tag
  5. restrict-nodeport
  6. require-requests-limits
  7. require-pod-probes
  8. drop-cap-net-raw
  9. restrict-external-ips (might be dynamic too!)
  10. Pod Security Standard Baseline (multiple policies)
  11. restrict-wildcard-verbs
  12. restrict-wildcard-resources
  13. prevent-naked-pods

High Severity:

  1. restrict-ingress-defaultbackend
  2. Restrict NGINX Ingress annotation values
  3. Restrict NGINX Ingress path values
  4. Check Node for CVE-2022-0185
  5. Prevent cr8escape (CVE-2022-0811)
  6. Restrict Deprecated Registry (v1.27 k8s change)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
 name: restrict-deprecated-registry
 annotations:
   policies.kyverno.io/title: "Restrict Deprecated Registry"
   policies.kyverno.io/category: Best Practices, EKS Best Practices
   policies.kyverno.io/severity: high
   policies.kyverno.io/minversion: 1.9.0
   policies.kyverno.io/subject: Pod
   policies.kyverno.io/description: >-
     Legacy k8s.gcr.io container image registry will be frozen in early April 2023
     k8s.gcr.io image registry will be frozen from the 3rd of April 2023.  
     Images for Kubernetes 1.27 will not be available in the k8s.gcr.io image registry.
     Please read our announcement for more details.
     https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/     
spec:
 validationFailureAction: Enforce
 background: true
 rules:
 - name: restrict-deprecated-registry
   match:
     any:
     - resources:
         kinds:
         - Pod
   validate:
       message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used."
       foreach:
         - list: "request.object.spec.[initContainers, ephemeralContainers, containers][]"
           deny:
             conditions:
               all:
                 - key: "{{ element.image }}"
                   operator: Equals
                   value: "k8s.gcr.io/*"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment