Merge pull request #41 from portefaix/feat/kyverno-subject
Add policies.kyverno.io/subject annotation
nlamirault committed Jun 29, 2021
2 parents fb4d304 + 1cc0a30 commit 0f1798f
Showing 14 changed files with 14 additions and 0 deletions.
1 change: 1 addition & 0 deletions kyverno/C0001-container-image-tag/policy-C0001.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container must not use latest image tag
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
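Review bot: `Container` is not a Kubernetes resource kind, and a Kyverno rule has to match `Pod` to inspect containers, so `policies.kyverno.io/subject: Container` diverges from the upstream kyverno/policies convention of recording the matched kind(s) in this annotation (for example `Pod`). Either put the matched kind here and in C0002 to C0008, or document the Container/Metadata/Pod vocabulary in the repository README so readers and tooling know the annotation describes scope rather than kind.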
1 change: 1 addition & 0 deletions kyverno/C0002-container-liveness-probe/policy-C0002.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container must set liveness probe
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
Liveness probe need to be configured to correctly manage a pods
lifecycle during deployments, restarts, and upgrades. For each pod,
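Review bot: the description in the unchanged context reads "Liveness probe need to be configured to correctly manage a pods lifecycle"; since this change already touches the metadata block, fix the grammar while here: "Liveness probes need to be configured to correctly manage a pod's lifecycle".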
1 change: 1 addition & 0 deletions kyverno/C0003-container-readiness-probe/policy-C0003.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container must set readiness probe
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
Readiness probe need to be configured to correctly manage a pods
lifecycle during deployments, restarts, and upgrades. For each pod, a
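Review bot: same wording problem as the liveness policy, "Readiness probe need to be configured to correctly manage a pods lifecycle"; suggest "Readiness probes need to be configured to correctly manage a pod's lifecycle".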
1 change: 1 addition & 0 deletions kyverno/C0004-container-secret-not-env/policy-C0004.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container must mount secrets as volumes, not enviroment variables
policies.kyverno.io/category: BestPractices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
Disallow using secrets from environment variables which are visible
in resource definitions.
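Review bot: `policies.kyverno.io/category: BestPractices` differs from the `Best Practices` value used in C0001 to C0003 and in the M and P policies, so any report or filter grouped by category will split this policy (and C0005, C0006, C0008, which carry the same value) off from the rest; settle on one spelling across the repository in this change. The title on the line above also misspells "environment" as "enviroment".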
1 change: 1 addition & 0 deletions kyverno/C0005-container-capabilities/policy-C0005.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container must drop all capabilities
policies.kyverno.io/category: BestPractices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access. All
capabilities should be dropped from a pod, with only those required added back.
1 change: 1 addition & 0 deletions kyverno/C0006-container-escalation/policy-C0006.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container must not allow for privilege escalation
policies.kyverno.io/category: BestPractices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
spec:
1 change: 1 addition & 0 deletions kyverno/C0008-container-resources/policy-C0008.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Container resource constraints must be specified
policies.kyverno.io/category: BestPractices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Container
policies.kyverno.io/description: >-
It is important to limit resources requested and consumed by each pod.
spec:
1 change: 1 addition & 0 deletions kyverno/M0001-metadata-labels/policy-M0001.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Metadata must set recommanded Kubernetes labels
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Metadata
policies.kyverno.io/description: >-
Metadata must set recommanded Kubernetes labels
See: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels
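Review bot: "recommanded" is misspelled in both the title and the description context lines ("recommended"); this text is what surfaces in policy reports, so fix it in the same change.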
1 change: 1 addition & 0 deletions kyverno/M0002-metadata-annotations/policy-M0002.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Metadata should have a8r.io annotations
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Metadata
policies.kyverno.io/description: >-
Metadata should have all the expected a8r.io annotations
See: https://ambassadorlabs.github.io/k8s-for-humans/
1 change: 1 addition & 0 deletions kyverno/M0003-metadata-portefaix-labels/policy-M0003.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Metadata should have portefaix.xyz labels
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: low
policies.kyverno.io/subject: Metadata
policies.kyverno.io/description: >-
Metadata should have Portefaix labels:
Labels are:
1 change: 1 addition & 0 deletions kyverno/P0002-pod-host-ipc/policy-P0002.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Pod must run without access to the host IPC
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Pods that are allowed to access the host IPC can read memory of
the other containers, breaking that security boundary.
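Review bot: the description in context overstates the impact: sharing the host IPC namespace exposes the host's System V IPC objects and POSIX shared memory segments, not arbitrary memory of other containers. Suggest "Pods that share the host IPC namespace can access shared memory (System V IPC, POSIX shm) used by other processes on the host, breaking that isolation boundary."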
1 change: 1 addition & 0 deletions kyverno/P0003-pod-host-network/policy-P0003.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Pod must run without access to the host networking
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Sharing the host’s network namespace permits processes in the pod to
communicate with processes bound to the host’s loopback adapter
1 change: 1 addition & 0 deletions kyverno/P0004-pod-without-runasnonroot/policy-P0004.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Pod must run as non-root
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Force the running image to run as a non-root user to ensure least
privilege
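Review bot: the description in context, "Force the running image to run as a non-root user to ensure least privilege", lacks terminal punctuation and it is the container, not the image, that runs; suggest "Force containers to run as a non-root user (runAsNonRoot) to enforce least privilege."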
1 change: 1 addition & 0 deletions kyverno/P0005-pod-host-pid/policy-P0005.yaml
Expand Up @@ -20,6 +20,7 @@ metadata:
policies.kyverno.io/title: Pod must run without access to the host PID
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: high
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Sharing the host’s PID namespace allows visibility of processes on
the host, potentially leaking information such as environment variables