Policies

The Portefaix policies

    Portefaix Policies contains Kubernetes policies for Kyverno or Open Policy Agent.

    Kyverno

    • PORTEFAIX-C0001 - Container must not use latest image tag
    • PORTEFAIX-C0002 - Container must set liveness probe
    • PORTEFAIX-C0003 - Container must set readiness probe
    • PORTEFAIX-C0004 - Container must mount secrets as volumes, not environment variables
    • PORTEFAIX-C0005 - Container must drop all capabilities
    • PORTEFAIX-C0006 - Container must not allow for privilege escalation
    • PORTEFAIX-C0008 - Container resource constraints must be specified
    • PORTEFAIX-M0001 - Metadata must set recommended Kubernetes labels
    • PORTEFAIX-M0002 - Metadata should have a8r.io annotations
    • PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations
    • PORTEFAIX-P0002 - Pod must run without access to the host IPC
    • PORTEFAIX-P0003 - Pod must run without access to the host networking
    • PORTEFAIX-P0004 - Pod must run as non-root
    • PORTEFAIX-P0005 - Pod must run without access to the host PID

    Open Policy Agent

    • PORTEFAIX-C0001: Container must not use latest image tag
    • PORTEFAIX-C0002: Container must set liveness probe
    • PORTEFAIX-C0003: Container must set readiness probe
    • PORTEFAIX-C0004: Container must mount secrets as volumes, not environment variables
    • PORTEFAIX-C0006: Container must not allow for privilege escalation
    • PORTEFAIX-C0008: Container must define resource constraints
    • PORTEFAIX-M0001: Metadata should contain all recommended Kubernetes labels
    • PORTEFAIX-M0002: Metadata should have a8r.io annotations
    • PORTEFAIX-M0003: Metadata should have portefaix.xyz annotations
    • PORTEFAIX-N0001: Disallow Default Namespace