\ No newline at end of file
diff --git a/main/search/search_index.json b/main/search/search_index.json
index 3d4c58d9..4931684c 100644
--- a/main/search/search_index.json
+++ b/main/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"install/","title":"Install","text":"
You can install the pre-compiled binary (in several ways), or compile from source. We also provide a GitHub action to easily install Kyverno-JSON in your workflows.
"},{"location":"install/#install-the-pre-compiled-binary","title":"Install the pre-compiled binary","text":""},{"location":"install/#homebrew-tap","title":"Homebrew tap","text":"
add tap:
brew tap kyverno/kyverno-json https://github.com/kyverno/kyverno-json\n
Since kyverno-JSON relies on files for its operation (like ValidatingPolicy definitions), you will need to bind mount the necessary directories when running it via Docker.
kyverno-json extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With kyverno-json, you can now use Kyverno policies to validate:
Terraform files
Dockerfiles
Cloud configurations
Authorization requests
Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance.
kyverno-json can be run as a:
A Command Line Interface (CLI)
A web application with a REST API
A Golang library
"},{"location":"jp/","title":"Overview","text":"
kyverno-json uses JMESPath community edition, a modern JMESPath implementation with lexical scopes support.
The current payload, policy and rule are always available using the following builtin bindings:
Binding Usage $payload Current payload being analysed $policy Current policy being executed $rule Current rule being evaluated
Warning
No protection is made to prevent you from overriding those bindings.
This is a simple Pod with one container running the busybox latest docker image.
Using the latest tag of an image is a bad practice. Let's write a policy to detect this.
"},{"location":"quick-start/#create-the-policy_1","title":"Create the policy","text":"
Create a policy.yaml file and paste the content below to block latest images:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: pod-policy\nspec:\n rules:\n - name: no-latest\n # Match payloads corresponding to pods\n match:\n any:\n - apiVersion: v1\n kind: Pod\n assert:\n all:\n - message: Pod `{{ metadata.name }}` uses an image with tag `latest`\n check:\n spec:\n # Iterate over pod containers\n # Note the `~.` modifier, it means we want to iterate over array elements in descendants\n ~.containers:\n image:\n # Check that an image tag is present\n (contains(@, ':')): true\n # Check that the image tag is not `:latest`\n (ends_with(@, ':latest')): false\n
This policy iterates over pod containers, checking that the container image has a tag specified and that the tag being used is not latest.
"},{"location":"quick-start/#scan-the-payload_1","title":"Scan the payload","text":"
With the payload and policy above, we can invoke kyverno-json with the command below:
ValidatingPolicyList is a list of ValidatingPolicy instances.
Field Type Required Inline Description apiVersionstringjson.kyverno.io/v1alpha1kindstringValidatingPolicyListmetadatameta/v1.ListMeta No description provided. items[]ValidatingPolicy No description provided."},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Any","title":"Any","text":"
Name is a label to identify the rule, It must be unique within the policy.
context[]ContextEntry
Context defines variables and data sources that can be used during rule execution.
matchMatch
Match defines when this policy rule should be applied.
excludeMatch
Exclude defines when this policy rule should not be applied.
identifierstring
Identifier declares a JMESPath expression to extract a name from the payload.
assertAssert
Assert is used to validate matching resources.
"},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/","title":"Dockerfile expose port 22 not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#description","title":"Description","text":"
This Policy ensures that port 22 is not exposed in Dockerfile.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that port 22 is not exposed\n in Dockerfile.\n title.policy.kyverno.io: Dockerfile expose port 22 not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-expose-port-22\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].Commands[?Name=='EXPOSE'][]):\n (contains(Ports, '22') || contains(Ports, '22/TCP')): false\n message: Port 22 exposure is not allowed\n name: check-port-exposure\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/","title":"Dockerfile latest image tag not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#description","title":"Description","text":"
This Policy ensures that no image uses the latest tag in Dockerfile.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that no image uses the latest\n tag in Dockerfile.\n title.policy.kyverno.io: Dockerfile latest image tag not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-latest-image-tag\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].From.Image):\n (contains(@, ':latest')): false\n message: Latest tag is not allowed\n name: check-latest-tag\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/","title":"Ensure apt is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#description","title":"Description","text":"
This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get\n can be used as apt interface is less stable than apt-get and so this preferred.\n title.policy.kyverno.io: Ensure apt is not used in Dockerfile\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-apt\nspec:\n rules:\n - assert:\n any:\n - check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'apt ')): false\n message: apt not allowed\n name: dockerfile-disallow-apt\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/","title":"Dockerfile last user is not allowed to be root","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#description","title":"Description","text":"
This Policy ensures that last user in Dockerfile is not root.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that last user in Dockerfile\n is not root.\n title.policy.kyverno.io: Dockerfile last user is not allowed to be root\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-last-user-root\nspec:\n rules:\n - assert:\n all:\n - check:\n ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false\n message: Last user root not allowed\n name: check-disallow-last-user-root\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/","title":"Ensure sudo is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#description","title":"Description","text":"
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS clusters have container\n insights enabled.\n title.policy.kyverno.io: ECS requires container insights\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-cluster\n name: required-container-insights\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.setting:\n name: containerInsights\n value: enabled\n message: Container insights should be enabled on ECS cluster\n match:\n any:\n - type: aws_ecs_cluster\n name: required-container-insights\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/","title":"ECS public IP","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#description","title":"Description","text":"
This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS services do not have\n public IP addresses assigned to them automatically.\n title.policy.kyverno.io: ECS public IP\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-service\n name: ecs-public-ip\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.network_configuration:\n (contains('$allowed-values', @.assign_public_ip)): false\n message: ECS services should not have public IP addresses assigned to them\n automatically\n context:\n - name: allowed-values\n variable:\n - false\n match:\n any:\n - type: aws_ecs_service\n name: ecs-public-ip\n
Generate the autocompletion script for kyverno-json for the specified shell. See each sub-command's help for details on how to use the generated script.
--autogenTag Determines if the generated docs should contain a timestamp (default true)\n -h, --help help for docs\n -o, --output string Output path (default \".\")\n --website Website version\n
-c, --compact Produce compact JSON output that omits non essential whitespace\n -h, --help help for query\n -i, --input string Read input from a JSON or YAML file instead of stdin\n -q, --query strings Read JMESPath expression from the specified file\n -u, --unquoted If the final result is a string, it will be printed without quotes\n
--gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for playground\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
--bindings string Bindings file (json or yaml file). Top level keys will be interpreted as bindings names.\n -h, --help help for scan\n --labels strings Labels selectors for policies\n --output string Output format (text or json) (default \"text\")\n --payload string Path to payload (json or yaml file)\n --policy strings Path to kyverno-json policies\n --pre-process strings JMESPath expression used to pre process payload\n
--gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for serve\n --kube-as string Username to impersonate for the operation\n --kube-as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n --kube-as-uid string UID to impersonate for the operation\n --kube-certificate-authority string Path to a cert file for the certificate authority\n --kube-client-certificate string Path to a client certificate file for TLS\n --kube-client-key string Path to a client key file for TLS\n --kube-cluster string The name of the kubeconfig cluster to use\n --kube-context string The name of the kubeconfig context to use\n --kube-disable-compression If true, opt-out of response compression for all requests to the server\n --kube-insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n -n, --kube-namespace string If present, the namespace scope for this CLI request\n --kube-password string Password for basic authentication to the API server\n --kube-proxy-url string If provided, this URL will be used to connect via proxy\n --kube-request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n --kube-server string The address and port of the Kubernetes API server\n --kube-tls-server-name string If provided, this name will be used to validate server certificate. 
If this is not provided, hostname used to contact the server is used.\n --kube-token string Bearer token for authentication to the API server\n --kube-user string The name of the kubeconfig user to use\n --kube-username string Username for basic authentication to the API server\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
An assert declaration contains an any or all list in which each entry contains a:
check: the assertion check
message: an optional message
A check can contain one or more JMESPath expressions. Expressions represent projections of selected data in the JSON payload and the result of this projection is passed to descendants for further analysis.
All comparisons happen in the leaves of the assertion tree.
A simple example:
This policy checks that a pod does not use the default service account:
It is possible to write a validation rule like this:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar-4\n validate:\n assert:\n all:\n - message: \"...\"\n check:\n # project field `foo` onto itself, the content of `foo` becomes the current object for descendants\n foo:\n\n # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants\n # the `true` leaf is compared with the current value `true`\n (bar > `3`): true\n\n # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants\n # the leaf `false` is compared with the current value `false`\n (!baz): false\n\n # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants\n # the leaf `10` is compared with the current value `10`\n (bar + bat): 10\n
"},{"location":"policies/asserts/#iterating-with-projection-modifiers","title":"Iterating with Projection Modifiers","text":"
Assertion tree expressions support modifiers to influence the way projected values are processed.
The ~ modifier applies to arrays and maps, it mean the input array or map elements will be processed individually by descendants.
When the ~ modifier is not used, descendants receive the whole array, not each individual element.
Consider the following input document:
foo:\n bar:\n - 1\n - 2\n - 3\n
The policy below does not use the ~ modifier and foo.bar array is compared against the expected array:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # the content of the `bar` field will be compared against `[1, 2, 3]`\n bar:\n - 1\n - 2\n - 3\n
With the ~ modifier, we can apply descendant assertions to all elements in the array individually. The policy below ensures that all elements in the input array are < 5:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # with the `~` modifier all elements in the `[1, 2, 3]` array are processed individually and passed to descendants\n ~.bar:\n # the expression `(@ < `5`)` is evaluated for every element and the result is expected to be `true`\n (@ < `5`): true\n
The ~ modifier supports binding the index of the element being processed to a named binding with the following syntax ~index_name.bar. When this is used, we can access the element index in descendants with $index_name.
When used with a map, the named binding receives the key of the element being processed.
Sometimes it can be useful to refer to a parent node in the assertion tree.
This is possible to add an explicit binding at every node in the tree by appending the ->binding_name to the key.
Given the input document:
foo:\n bar: 4\n bat: 6\n
The following policy will compute a sum and bind the result to the sum binding. A descendant can then use $sum and use it:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # evaluate expression `(bar + bat)` and bind it to `sum`\n (bar + bat)->sum:\n # get the `$sum` binding and compare it against `10`\n ($sum): 10\n
All binding are available to descendants, if a descendant creates a binding with a name that already exists the binding will be overridden for descendants only and it doesn't affect the bindings at upper levels in the tree.
In other words, a node in the tree always sees bindings that are defined in the parents and if a name is reused, the first binding with the given name wins when winding up the tree.
As a consequence, the policy below will evaluate to true:
Finally, we can always access the current payload, policy and rule being evaluated using the built-in $payload, $policy and $rule bindings. No protection is made to prevent you from overriding those bindings though.
It can be necessary to prevent a projection under certain circumstances.
Consider the following document:
foo:\n (bar): 4\n (baz):\n - 1\n - 2\n - 3\n
Here the (bar) key conflict with the projection syntax. To workaround this situation, you can escape a projection by surrounding it with \\ characters like this:
A policy rule can contain optional context entries that are made available to the rule via bindings:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: required-s3-tags\nspec:\n rules:\n - name: require-team-tag\n match:\n any:\n - type: aws_s3_bucket\n context:\n # creates a `expectedTeam` binding automatically\n - name: expectedTeam\n variable: Kyverno\n validate:\n message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}\n assert:\n all:\n - values:\n tags:\n # use the `$expectedTeam` binding coming from the context\n Team: ($expectedTeam)\n
"},{"location":"policies/policies/#no-foreach-pattern-operators-anchors-or-wildcards","title":"No forEach, pattern operators, anchors, or wildcards","text":"
The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.
Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.
"},{"location":"webapp/","title":"Usage","text":"
kyverno-json can be deployed as a web application with a REST API. This is useful for deployments when a long running service that processes policy requests is desired.
With kyverno-json policies are managed as Kubernetes resources. This means that you can use Kubernetes APIs, kubectl, GitOps, or any other Kubernetes management tool to manage policies.
"}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"install/","title":"Install","text":"
You can install the pre-compiled binary (in several ways), or compile from source. We also provide a GitHub action to easily install Kyverno-JSON in your workflows.
"},{"location":"install/#install-the-pre-compiled-binary","title":"Install the pre-compiled binary","text":""},{"location":"install/#homebrew-tap","title":"Homebrew tap","text":"
add tap:
brew tap kyverno/kyverno-json https://github.com/kyverno/kyverno-json\n
Since kyverno-JSON relies on files for its operation (like ValidatingPolicy definitions), you will need to bind mount the necessary directories when running it via Docker.
kyverno-json extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With kyverno-json, you can now use Kyverno policies to validate:
Terraform files
Dockerfiles
Cloud configurations
Authorization requests
Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance.
kyverno-json can be run as a:
A Command Line Interface (CLI)
A web application with a REST API
A Golang library
"},{"location":"jp/","title":"Overview","text":"
kyverno-json uses JMESPath community edition, a modern JMESPath implementation with lexical scopes support.
The current payload, policy and rule are always available using the following builtin bindings:
Binding Usage $payload Current payload being analysed $policy Current policy being executed $rule Current rule being evaluated
Warning
No protection is made to prevent you from overriding those bindings.
This is a simple Pod with one container running the busybox latest docker image.
Using the latest tag of an image is a bad practice. Let's write a policy to detect this.
"},{"location":"quick-start/#create-the-policy_1","title":"Create the policy","text":"
Create a policy.yaml file and paste the content below to block latest images:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: pod-policy\nspec:\n rules:\n - name: no-latest\n # Match payloads corresponding to pods\n match:\n any:\n - apiVersion: v1\n kind: Pod\n assert:\n all:\n - message: Pod `{{ metadata.name }}` uses an image with tag `latest`\n check:\n spec:\n # Iterate over pod containers\n # Note the `~.` modifier, it means we want to iterate over array elements in descendants\n ~.containers:\n image:\n # Check that an image tag is present\n (contains(@, ':')): true\n # Check that the image tag is not `:latest`\n (ends_with(@, ':latest')): false\n
This policy iterates over pod containers, checking that the container image has a tag specified and that the tag being used is not latest.
"},{"location":"quick-start/#scan-the-payload_1","title":"Scan the payload","text":"
With the payload and policy above, we can invoke kyverno-json with the command below:
ValidatingPolicyList is a list of ValidatingPolicy instances.
Field Type Required Inline Description apiVersionstringjson.kyverno.io/v1alpha1kindstringValidatingPolicyListmetadatameta/v1.ListMeta No description provided. items[]ValidatingPolicy No description provided."},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Any","title":"Any","text":"
Name is a label to identify the rule, It must be unique within the policy.
context[]ContextEntry
Context defines variables and data sources that can be used during rule execution.
matchMatch
Match defines when this policy rule should be applied.
excludeMatch
Exclude defines when this policy rule should not be applied.
identifierstring
Identifier declares a JMESPath expression to extract a name from the payload.
feedback[]Feedback
Feedback declares rule feedback entries.
assertAssert
Assert is used to validate matching resources.
"},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/","title":"Dockerfile expose port 22 not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#description","title":"Description","text":"
This Policy ensures that port 22 is not exposed in Dockerfile.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that port 22 is not exposed\n in Dockerfile.\n title.policy.kyverno.io: Dockerfile expose port 22 not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-expose-port-22\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].Commands[?Name=='EXPOSE'][]):\n (contains(Ports, '22') || contains(Ports, '22/TCP')): false\n message: Port 22 exposure is not allowed\n name: check-port-exposure\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/","title":"Dockerfile latest image tag not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#description","title":"Description","text":"
This Policy ensures that no image uses the latest tag in Dockerfile.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that no image uses the latest\n tag in Dockerfile.\n title.policy.kyverno.io: Dockerfile latest image tag not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-latest-image-tag\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].From.Image):\n (contains(@, ':latest')): false\n message: Latest tag is not allowed\n name: check-latest-tag\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/","title":"Ensure apt is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#description","title":"Description","text":"
This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get\n can be used as apt interface is less stable than apt-get and so this preferred.\n title.policy.kyverno.io: Ensure apt is not used in Dockerfile\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-apt\nspec:\n rules:\n - assert:\n any:\n - check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'apt ')): false\n message: apt not allowed\n name: dockerfile-disallow-apt\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/","title":"Dockerfile last user is not allowed to be root","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#description","title":"Description","text":"
This Policy ensures that last user in Dockerfile is not root.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that last user in Dockerfile\n is not root.\n title.policy.kyverno.io: Dockerfile last user is not allowed to be root\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-last-user-root\nspec:\n rules:\n - assert:\n all:\n - check:\n ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false\n message: Last user root not allowed\n name: check-disallow-last-user-root\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/","title":"Ensure sudo is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#description","title":"Description","text":"
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS clusters have container\n insights enabled.\n title.policy.kyverno.io: ECS requires container insights\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-cluster\n name: required-container-insights\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.setting:\n name: containerInsights\n value: enabled\n message: Container insights should be enabled on ECS cluster\n match:\n any:\n - type: aws_ecs_cluster\n name: required-container-insights\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/","title":"ECS public IP","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#description","title":"Description","text":"
This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS services do not have\n public IP addresses assigned to them automatically.\n title.policy.kyverno.io: ECS public IP\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-service\n name: ecs-public-ip\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.network_configuration:\n (contains('$allowed-values', @.assign_public_ip)): false\n message: ECS services should not have public IP addresses assigned to them\n automatically\n context:\n - name: allowed-values\n variable:\n - false\n match:\n any:\n - type: aws_ecs_service\n name: ecs-public-ip\n
Generate the autocompletion script for kyverno-json for the specified shell. See each sub-command's help for details on how to use the generated script.
--autogenTag Determines if the generated docs should contain a timestamp (default true)\n -h, --help help for docs\n -o, --output string Output path (default \".\")\n --website Website version\n
-c, --compact Produce compact JSON output that omits non essential whitespace\n -h, --help help for query\n -i, --input string Read input from a JSON or YAML file instead of stdin\n -q, --query strings Read JMESPath expression from the specified file\n -u, --unquoted If the final result is a string, it will be printed without quotes\n
--gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for playground\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
--bindings string Bindings file (json or yaml file). Top level keys will be interpreted as bindings names.\n -h, --help help for scan\n --labels strings Labels selectors for policies\n --output string Output format (text or json) (default \"text\")\n --payload string Path to payload (json or yaml file)\n --policy strings Path to kyverno-json policies\n --pre-process strings JMESPath expression used to pre process payload\n
--gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for serve\n --kube-as string Username to impersonate for the operation\n --kube-as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n --kube-as-uid string UID to impersonate for the operation\n --kube-certificate-authority string Path to a cert file for the certificate authority\n --kube-client-certificate string Path to a client certificate file for TLS\n --kube-client-key string Path to a client key file for TLS\n --kube-cluster string The name of the kubeconfig cluster to use\n --kube-context string The name of the kubeconfig context to use\n --kube-disable-compression If true, opt-out of response compression for all requests to the server\n --kube-insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n -n, --kube-namespace string If present, the namespace scope for this CLI request\n --kube-password string Password for basic authentication to the API server\n --kube-proxy-url string If provided, this URL will be used to connect via proxy\n --kube-request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n --kube-server string The address and port of the Kubernetes API server\n --kube-tls-server-name string If provided, this name will be used to validate server certificate. 
If this is not provided, hostname used to contact the server is used.\n --kube-token string Bearer token for authentication to the API server\n --kube-user string The name of the kubeconfig user to use\n --kube-username string Username for basic authentication to the API server\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
An assert declaration contains an any or all list in which each entry contains a:
check: the assertion check
message: an optional message
A check can contain one or more JMESPath expressions. Expressions represent projections of selected data in the JSON payload and the result of this projection is passed to descendants for further analysis.
All comparisons happen in the leaves of the assertion tree.
A simple example:
This policy checks that a pod does not use the default service account:
It is possible to write a validation rule like this:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar-4\n validate:\n assert:\n all:\n - message: \"...\"\n check:\n # project field `foo` onto itself, the content of `foo` becomes the current object for descendants\n foo:\n\n # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants\n # the `true` leaf is compared with the current value `true`\n (bar > `3`): true\n\n # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants\n # the leaf `false` is compared with the current value `false`\n (!baz): false\n\n # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants\n # the leaf `10` is compared with the current value `10`\n (bar + bat): 10\n
"},{"location":"policies/asserts/#iterating-with-projection-modifiers","title":"Iterating with Projection Modifiers","text":"
Assertion tree expressions support modifiers to influence the way projected values are processed.
The ~ modifier applies to arrays and maps, it mean the input array or map elements will be processed individually by descendants.
When the ~ modifier is not used, descendants receive the whole array, not each individual element.
Consider the following input document:
foo:\n bar:\n - 1\n - 2\n - 3\n
The policy below does not use the ~ modifier and foo.bar array is compared against the expected array:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # the content of the `bar` field will be compared against `[1, 2, 3]`\n bar:\n - 1\n - 2\n - 3\n
With the ~ modifier, we can apply descendant assertions to all elements in the array individually. The policy below ensures that all elements in the input array are < 5:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # with the `~` modifier all elements in the `[1, 2, 3]` array are processed individually and passed to descendants\n ~.bar:\n # the expression `(@ < `5`)` is evaluated for every element and the result is expected to be `true`\n (@ < `5`): true\n
The ~ modifier supports binding the index of the element being processed to a named binding with the following syntax ~index_name.bar. When this is used, we can access the element index in descendants with $index_name.
When used with a map, the named binding receives the key of the element being processed.
Sometimes it can be useful to refer to a parent node in the assertion tree.
This is possible to add an explicit binding at every node in the tree by appending the ->binding_name to the key.
Given the input document:
foo:\n bar: 4\n bat: 6\n
The following policy will compute a sum and bind the result to the sum binding. A descendant can then use $sum and use it:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # evaluate expression `(bar + bat)` and bind it to `sum`\n (bar + bat)->sum:\n # get the `$sum` binding and compare it against `10`\n ($sum): 10\n
All binding are available to descendants, if a descendant creates a binding with a name that already exists the binding will be overridden for descendants only and it doesn't affect the bindings at upper levels in the tree.
In other words, a node in the tree always sees bindings that are defined in the parents and if a name is reused, the first binding with the given name wins when winding up the tree.
As a consequence, the policy below will evaluate to true:
Finally, we can always access the current payload, policy and rule being evaluated using the built-in $payload, $policy and $rule bindings. No protection is made to prevent you from overriding those bindings though.
It can be necessary to prevent a projection under certain circumstances.
Consider the following document:
foo:\n (bar): 4\n (baz):\n - 1\n - 2\n - 3\n
Here the (bar) key conflict with the projection syntax. To workaround this situation, you can escape a projection by surrounding it with \\ characters like this:
A policy rule can contain optional context entries that are made available to the rule via bindings:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: required-s3-tags\nspec:\n rules:\n - name: require-team-tag\n match:\n any:\n - type: aws_s3_bucket\n context:\n # creates a `expectedTeam` binding automatically\n - name: expectedTeam\n variable: Kyverno\n validate:\n message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}\n assert:\n all:\n - values:\n tags:\n # use the `$expectedTeam` binding coming from the context\n Team: ($expectedTeam)\n
"},{"location":"policies/policies/#no-foreach-pattern-operators-anchors-or-wildcards","title":"No forEach, pattern operators, anchors, or wildcards","text":"
The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.
Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.
"},{"location":"webapp/","title":"Usage","text":"
kyverno-json can be deployed as a web application with a REST API. This is useful for deployments when a long running service that processes policy requests is desired.
With kyverno-json policies are managed as Kubernetes resources. This means that you can use Kubernetes APIs, kubectl, GitOps, or any other Kubernetes management tool to manage policies.
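Review bot: in the `serve` flag table of this hunk, `--gin-cors enable gin cors (default true)` documents CORS only as an on/off switch while `--server-host string server host (default \"0.0.0.0\")` binds every interface by default; the help text should say which origins the default CORS configuration permits, otherwise an operator cannot judge whether to leave it enabled on a network-exposed REST API. In the asserts section of the same hunk, `it mean the input array` should read `it means`, `All binding are available` should read `All bindings are available`, `the (bar) key conflict with` should read `conflicts with`, and `To workaround this situation` should read `To work around`. The lead-ins `As a consequence, the policy below will evaluate to true:` and `you can escape a projection by surrounding it with \\ characters like this:` are followed in the index by the next topic instead of an example, so those search excerpts end on a dangling colon; the other asserts sections do index their YAML, so either index those two examples as well or keep the lead-in sentence out with them. Finally, the trailing clause `No protection is made to prevent you from overriding those bindings though` is the part a policy author most needs to notice: by the scoping rules stated just above it, a context entry or `->binding_name` node that reuses a builtin name shadows `$payload`, `$policy` or `$rule` for every descendant, so that caveat belongs in its own warning block (the jp page already uses one) rather than at the end of a sentence.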