Policies

The policies repository

Portefaix Policies contains Kubernetes policies for Kyverno or Open Policy Agent.

Kyverno

  • PORTEFAIX-C0001 - Container must not use latest image tag
  • PORTEFAIX-C0002 - Container must set liveness probe
  • PORTEFAIX-C0003 - Container must set readiness probe
  • PORTEFAIX-C0004 - Container must mount secrets as volumes, not enviroment variables
  • PORTEFAIX-C0005 - Container must drop all capabilities
  • PORTEFAIX-C0006 - Container must not allow for privilege escalation
  • PORTEFAIX-C0008 - Container resource constraints must be specified
  • PORTEFAIX-M0001 - Metadata must set recommanded Kubernetes labels
  • PORTEFAIX-M0002 - Metadata should have a8r.io annotations
  • PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations
  • PORTEFAIX-P0002 - Pod must run without access to the host IPC
  • PORTEFAIX-P0003 - Pod must run without access to the host networking
  • PORTEFAIX-P0004 - Pod must run as non-root
  • PORTEFAIX-P0005 - Pod must run without access to the host PID

Open Policy Agent

  • PORTEFAIX-C0001: Container must not use latest image tag
  • PORTEFAIX-C0002: Container must set liveness probe
  • PORTEFAIX-C0003: Container must set readiness probe
  • PORTEFAIX-C0004: Container must mount secrets as volumes, not enviroment variables
  • PORTEFAIX-C0006: Container must not allow for privilege escalation
  • PORTEFAIX-C0008: Container must define resource contraintes
  • PORTEFAIX-M0001: Metadata should contain all recommanded Kubernetes labels
  • PORTEFAIX-M0002: Metadata should have a8r.io annotations
  • PORTEFAIX-M0003: Metadata should have portefaix.xyz annotations
  • PORTEFAIX-N0001: Disallow Default Namespace

Last modified February 23, 2024: feat(hugo): refactoring to fresh Hugo (cf7d6fc)