Portefaix Policies contains Kubernetes policies for Kyverno or Open Policy Agent.
Kyverno
- PORTEFAIX-C0001 - Container must not use latest image tag
- PORTEFAIX-C0002 - Container must set liveness probe
- PORTEFAIX-C0003 - Container must set readiness probe
- PORTEFAIX-C0004 - Container must mount secrets as volumes, not environment variables
- PORTEFAIX-C0005 - Container must drop all capabilities
- PORTEFAIX-C0006 - Container must not allow for privilege escalation
- PORTEFAIX-C0008 - Container resource constraints must be specified
- PORTEFAIX-M0001 - Metadata must set recommended Kubernetes labels
- PORTEFAIX-M0002 - Metadata should have a8r.io annotations
- PORTEFAIX-M0003 - Metadata should have portefaix.xyz annotations
- PORTEFAIX-P0002 - Pod must run without access to the host IPC
- PORTEFAIX-P0003 - Pod must run without access to the host networking
- PORTEFAIX-P0004 - Pod must run as non-root
- PORTEFAIX-P0005 - Pod must run without access to the host PID
Open Policy Agent
- PORTEFAIX-C0001: Container must not use latest image tag
- PORTEFAIX-C0002: Container must set liveness probe
- PORTEFAIX-C0003: Container must set readiness probe
- PORTEFAIX-C0004: Container must mount secrets as volumes, not environment variables
- PORTEFAIX-C0006: Container must not allow for privilege escalation
- PORTEFAIX-C0008: Container must define resource constraints
- PORTEFAIX-M0001: Metadata should contain all recommended Kubernetes labels
- PORTEFAIX-M0002: Metadata should have a8r.io annotations
- PORTEFAIX-M0003: Metadata should have portefaix.xyz annotations
- PORTEFAIX-N0001: Disallow default namespace