- Enforce etcd encryption on OpenShift ApiServer
- Disallow the use of OpenShift RBAC API groups. Functionality has been upstreamed to Kubernetes RBAC.
- Disallow Jenkins Pipeline Build Strategy for OpenShift Builds. Deprecated in favor of Tekton.
- Disallow binding to the self-provisioners ClusterRoleBinding
- Disallow the use of the SecurityContextConstraint (SCC) anyuid, which allows a pod to run with the UID declared in the image instead of a random UID
- Disallow the use of non-HTTPS OpenShift Routes
- Install the Kyverno CLI.
- Clone this repo and `cd` to it.
- Run `kyverno-kubectl test .`.