homelab-gitops/infrastructure/kyverno/policies/add-default-securitycontext.yaml
Greg Hendrickson 3752fd0386 feat(kyverno): add policy engine with security baseline
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas)
- Validation policies:
  - disallow-privileged-containers (Enforce)
  - require-resource-limits (Enforce)
  - require-labels (Audit - standard k8s labels)
  - require-run-as-non-root (Audit)
  - disallow-latest-tag (Enforce - GitOps reproducibility)
- Mutating policy:
  - add-default-securitycontext (seccomp, drop caps, read-only fs)
- System namespaces excluded (kube-system, kyverno, istio-system)
- Auto-discovered by ArgoCD ApplicationSet

Reference: CIS Kubernetes Benchmark, Pod Security Standards
2026-02-09 18:02:21 +00:00


```yaml
# infrastructure/kyverno/policies/add-default-securitycontext.yaml
# Mutating policy: adds secure defaults to pods missing securityContext
# Implements defense-in-depth by setting secure defaults
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-securitycontext
  annotations:
    policies.kyverno.io/title: Add Default Security Context
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Mutating policy that adds secure default securityContext to pods
      that don't specify one. Reduces attack surface by dropping
      capabilities and making filesystem read-only where possible.
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,Job,StatefulSet,ReplicaSet
spec:
  # Mutate rules apply during admission
  rules:
    - name: add-pod-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - istio-system
      mutate:
        patchStrategicMerge:
          spec:
            # Add pod-level securityContext only if missing (+() anchor);
            # an existing securityContext block is left untouched
            +(securityContext):
              seccompProfile:
                type: RuntimeDefault
              # Require the pod's containers to run as a non-root user
              runAsNonRoot: true
    - name: add-container-security-context
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - istio-system
      mutate:
        # Iterate over every container; the name key selects the element to merge into
        foreach:
          - list: "request.object.spec.containers"
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    # Add container-level securityContext only if missing
                    +(securityContext):
                      allowPrivilegeEscalation: false
                      capabilities:
                        drop:
                          - ALL
                      readOnlyRootFilesystem: true
```
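The policy's `+(securityContext)` anchors are add-if-absent: a Pod or container that already carries any `securityContext` block, however incomplete, receives none of the defaults. The following Python script is an added illustration of that behaviour and of the namespace exclusion, not Kyverno's code or part of this commit; it models the anchor semantics on constructed sample Pods (the namespace `apps`, the container names and images are assumptions) and reports which containers still lack the hardening keys after mutation.

```python
# Added example: a small model of what add-default-securitycontext does to a
# Pod manifest. It models Kyverno's `+(field)` add-if-not-present anchor and
# the policy's namespace exclude list; it is NOT Kyverno's implementation.
import copy

# Namespaces the policy's exclude block skips (from the policy above).
EXCLUDED_NAMESPACES = {"kube-system", "kyverno", "istio-system"}

# Defaults from the two mutate rules in the policy.
POD_DEFAULTS = {
    "seccompProfile": {"type": "RuntimeDefault"},
    "runAsNonRoot": True,
}
CONTAINER_DEFAULTS = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
}


def add_if_absent(obj: dict, key: str, value: dict) -> bool:
    """Model of the +(key) anchor: set key only when the object lacks it.

    Returns True when the default was added, False when an existing value
    (whatever its content) was left untouched.
    """
    if key in obj:
        return False
    obj[key] = copy.deepcopy(value)
    return True


def mutate_pod(pod: dict) -> dict:
    """Return a mutated copy of the Pod; excluded namespaces come back unchanged."""
    pod = copy.deepcopy(pod)
    namespace = pod.get("metadata", {}).get("namespace", "default")
    if namespace in EXCLUDED_NAMESPACES:
        return pod
    spec = pod.setdefault("spec", {})
    add_if_absent(spec, "securityContext", POD_DEFAULTS)          # rule 1
    for container in spec.get("containers", []):                  # rule 2 (foreach)
        add_if_absent(container, "securityContext", CONTAINER_DEFAULTS)
    return pod


def missing_hardening(pod: dict) -> list:
    """List (container, key) pairs still lacking a hardening key after mutation.

    Containers that shipped their own partial securityContext keep it as-is,
    so they are the ones that show up here.
    """
    gaps = []
    for container in pod.get("spec", {}).get("containers", []):
        ctx = container.get("securityContext", {})
        for key in CONTAINER_DEFAULTS:
            if key not in ctx:
                gaps.append((container["name"], key))
    return gaps


# Constructed sample: a Pod with no securityContext anywhere.
BARE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "apps"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"}]},
}

# Constructed sample: one container already sets a partial securityContext.
PARTIAL_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "worker", "namespace": "apps"},
    "spec": {"containers": [
        {"name": "app", "image": "app:1.0", "securityContext": {"runAsUser": 1000}},
        {"name": "sidecar", "image": "proxy:1.0"},
    ]},
}

if __name__ == "__main__":
    for pod in (BARE_POD, PARTIAL_POD):
        mutated = mutate_pod(pod)
        print(pod["metadata"]["name"], "gaps after mutation:", missing_hardening(mutated))
```

The `missing_hardening` report is the check worth running alongside this policy: it shows that a container which sets only `runAsUser` keeps its caps, can still escalate privileges and has a writable root filesystem, because the anchor skips it entirely. The validation policies listed in the commit message (`require-run-as-non-root`, `disallow-privileged-containers`) are what catch those cases, which is why the mutation is labelled defense-in-depth rather than a control on its own.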