diff --git a/main/go-library/index.html b/main/go-library/index.html index 2d266411..e72c048a 100644 --- a/main/go-library/index.html +++ b/main/go-library/index.html @@ -56,7 +56,7 @@ Policies: policies, } - // create a J + // create a new json engine engine := jsonengine.New() responses := engine.Run(context.Background(), request) diff --git a/main/search/search_index.json b/main/search/search_index.json index 2a2f00f6..62f75721 100644 --- a/main/search/search_index.json +++ b/main/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"install/","title":"Install","text":"
You can install the pre-compiled binary (in several ways), or compile from source. We also provide a GitHub action to easily install Kyverno-JSON in your workflows.
"},{"location":"install/#install-the-pre-compiled-binary","title":"Install the pre-compiled binary","text":""},{"location":"install/#homebrew-tap","title":"Homebrew tap","text":"add tap:
brew tap kyverno/kyverno-json https://github.com/kyverno/kyverno-json\n
install kyverno-json:
brew install kyverno/kyverno-json/kyverno-json\n
"},{"location":"install/#manually","title":"Manually","text":"Download the pre-compiled binaries for your system from the releases page and copy them to the desired location.
"},{"location":"install/#using-go-install","title":"Usinggo install
","text":"You can install with go install
with:
go install github.com/kyverno/kyverno-json@latest\n
"},{"location":"install/#build-from-the-source-code","title":"Build from the source code","text":"clone the repository:
git clone https://github.com/kyverno/kyverno-json.git\n
build the binaries:
cd kyverno-json\ngo mod tidy\nmake build\n
verify the build:
./kyverno-json version\n
"},{"location":"intro/","title":"Introduction","text":"kyverno-json
extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With kyverno-json
, you can now use Kyverno policies to validate:
Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance.
kyverno-json
can be run as a:
kyverno-json
uses JMESPath community edition, a modern JMESPath implementation with lexical scopes support.
The current payload, policy and rule are always available using the following builtin bindings:
Binding Usage$payload
Current payload being analysed $policy
Current policy being executed $rule
Current rule being evaluated Warning
No protection is made to prevent you from overriding those bindings.
"},{"location":"playground/","title":"Playground","text":"The kyverno-json
playground can be used to test kyverno-json
directly in your web browser.
See Install for the available options to install the CLI.
"},{"location":"quick-start/#validate-a-terraform-plan","title":"Validate a Terraform Plan","text":"In this example we will use a Kyverno policy to validate a Terraform plan:
"},{"location":"quick-start/#create-the-payload","title":"Create the payload","text":"Here is a Terraform plan that creates an AWS S3 bucket:
terraform {\n required_providers {\n aws = {\n source = \"hashicorp/aws\"\n version = \"~> 4.16\"\n }\n }\n\n required_version = \">= 1.2.0\"\n}\n\nprovider \"aws\" {\n region = \"us-west-2\"\n}\n\nresource \"aws_s3_bucket\" \"example\" {\n bucket = \"my-tf-test-bucket\"\n\n tags = {\n Name = \"My bucket\"\n Environment = \"Dev\"\n }\n}\n
You can convert this to JSON using the following commands:
output the plan:
terraform plan -out tfplan.binary\n
convert to JSON: terraform show -json tfplan.binary | jq > payload.json\n
"},{"location":"quick-start/#create-the-policy","title":"Create the policy","text":"Create a policy.yaml
file and paste the content below that checks for required labels:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: s3\nspec:\n rules:\n - name: check-tags\n assert:\n all:\n - check:\n planned_values:\n root_module:\n ~.resources:\n values:\n (keys(tags_all)):\n (contains(@, 'Environment')): true\n (contains(@, 'Name')): true\n (contains(@, 'Team')): true\n
"},{"location":"quick-start/#scan-the-payload","title":"Scan the payload","text":"With the payload and policy above, we can invoke kyverno-json
with the command below:
kyverno-json scan --payload payload.json --policy policy.yaml\n
The plan shown above will fail as it does not contain the Team
tag.
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags / FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"quick-start/#validate-a-kubernetes-resource","title":"Validate a Kubernetes Resource","text":"For this example we will use a Kubernetes Pod
payload.
Create a payload.yaml
file and paste the Pod declaration below in it:
apiVersion: v1\nkind: Pod\nmetadata:\n name: pods-simple-pod\nspec:\n containers:\n - command:\n - sleep\n - \"3600\"\n image: busybox:latest\n name: pods-simple-container\n
This is a simple Pod
with one container running the busybox
latest docker image.
Using the latest
tag of an image is a bad practice. Let's write a policy to detect this.
Create a policy.yaml
file and paste the content below to block latest
images:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: pod-policy\nspec:\n rules:\n - name: no-latest\n # Match payloads corresponding to pods\n match:\n any:\n - apiVersion: v1\n kind: Pod\n assert:\n all:\n - message: Pod `{{ metadata.name }}` uses an image with tag `latest`\n check:\n spec:\n # Iterate over pod containers\n # Note the `~.` modifier, it means we want to iterate over array elements in descendants\n ~.containers:\n image:\n # Check that an image tag is present\n (contains(@, ':')): true\n # Check that the image tag is not `:latest`\n (ends_with(@, ':latest')): false\n
This policy iterates over pod containers, checking that the container image has a tag specified and that the tag being used is not latest
.
With the payload and policy above, we can invoke kyverno-json
with the command below:
kyverno-json scan --payload payload.yaml --policy policy.yaml\n
This produces the output:
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- pod-policy / no-latest / FAILED: Pod `pods-simple-pod` uses an image with tag `latest`\nDone\n
"},{"location":"apis/kyverno-json.v1alpha1/","title":"KyvernoJson (v1alpha1)","text":"Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
"},{"location":"apis/kyverno-json.v1alpha1/#resource-types","title":"Resource Types","text":"ValidatingPolicy
","text":"Appears in:
ValidatingPolicy is the resource that contains the policy definition.
Field Type Required Inline DescriptionapiVersion
string
json.kyverno.io/v1alpha1
kind
string
ValidatingPolicy
metadata
meta/v1.ObjectMeta
Standard object's metadata.
spec
ValidatingPolicySpec
Policy spec.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicyList","title":"ValidatingPolicyList
","text":"ValidatingPolicyList is a list of ValidatingPolicy instances.
Field Type Required Inline DescriptionapiVersion
string
json.kyverno.io/v1alpha1
kind
string
ValidatingPolicyList
metadata
meta/v1.ListMeta
No description provided. items
[]ValidatingPolicy
No description provided."},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Any","title":"Any
","text":"Appears in:
Any can be any type.
Field Type Required Inline DescriptionValue
any
Value contains the value of the Any object.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assert","title":"Assert
","text":"Appears in:
Assert defines collections of assertions.
Field Type Required Inline Descriptionany
[]Assertion
Any allows specifying assertions which will be ORed.
all
[]Assertion
All allows specifying assertions which will be ANDed.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assertion","title":"Assertion
","text":"Appears in:
Assertion contains an assertion tree associated with a message.
Field Type Required Inline Descriptionmessage
string
Message is the message associated message.
check
Any
Check is the assertion check definition.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ContextEntry","title":"ContextEntry
","text":"Appears in:
ContextEntry adds variables and data sources to a rule context.
Field Type Required Inline Descriptionname
string
Name is the entry name.
variable
Any
Variable defines an arbitrary variable.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Match","title":"Match
","text":"Appears in:
Match defines collections of assertion trees.
Field Type Required Inline Descriptionany
[]Any
Any allows specifying assertion trees which will be ORed.
all
[]Any
All allows specifying assertion trees which will be ANDed.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicySpec","title":"ValidatingPolicySpec
","text":"Appears in:
ValidatingPolicySpec contains the policy spec.
Field Type Required Inline Descriptionrules
[]ValidatingRule
Rules is a list of ValidatingRule instances.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingRule","title":"ValidatingRule
","text":"Appears in:
ValidatingRule defines a validating rule.
Field Type Required Inline Descriptionname
string
Name is a label to identify the rule, It must be unique within the policy.
context
[]ContextEntry
Context defines variables and data sources that can be used during rule execution.
match
Match
Match defines when this policy rule should be applied.
exclude
Match
Exclude defines when this policy rule should not be applied.
identifier
string
Identifier declares a JMESPath expression to extract a name from the payload.
assert
Assert
Assert is used to validate matching resources.
"},{"location":"catalog/","title":"Policy catalog","text":"The kyverno-json
policy catalog contains curated policies to be reused.
You can share your policies with the community by opening a pull request here.
"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":"This Policy ensures that port 22 is not exposed in Dockerfile.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that port 22 is not exposed\n in Dockerfile.\n title.policy.kyverno.io: Dockerfile expose port 22 not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-expose-port-22\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].Commands[?Name=='EXPOSE'][]):\n (contains(Ports, '22') || contains(Ports, '22/TCP')): false\n message: Port 22 exposure is not allowed\n name: check-port-exposure\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/","title":"Dockerfile latest image tag not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#description","title":"Description","text":"This Policy ensures that no image uses the latest tag in Dockerfile.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that no image uses the latest\n tag in Dockerfile.\n title.policy.kyverno.io: Dockerfile latest image tag not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-latest-image-tag\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].From.Image):\n (contains(@, ':latest')): false\n message: Latest tag is not allowed\n name: check-latest-tag\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/","title":"Ensure apt is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#description","title":"Description","text":"This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get\n can be used as apt interface is less stable than apt-get and so this preferred.\n title.policy.kyverno.io: Ensure apt is not used in Dockerfile\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-apt\nspec:\n rules:\n - assert:\n any:\n - check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'apt ')): false\n message: apt not allowed\n name: dockerfile-disallow-apt\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/","title":"Dockerfile last user is not allowed to be root","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#description","title":"Description","text":"This Policy ensures that last user in Dockerfile is not root.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that last user in Dockerfile\n is not root.\n title.policy.kyverno.io: Dockerfile last user is not allowed to be root\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-last-user-root\nspec:\n rules:\n - assert:\n all:\n - check:\n ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false\n message: Last user root not allowed\n name: check-disallow-last-user-root\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/","title":"Ensure sudo is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#description","title":"Description","text":"This Policy ensures that sudo isn\u2019t used.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that sudo isn\u2019t used.\n title.policy.kyverno.io: Ensure sudo is not used in Dockerfile\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-sudo\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'sudo')): false\n message: sudo not allowed\n name: dockerfile-disallow-sudo\n
","tags":["dockerfile"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/","title":"ECS cluster enable logging","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#description","title":"Description","text":"This Policy ensures that ECS clusters have logging enabled.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS clusters have logging\n enabled.\n title.policy.kyverno.io: ECS cluster enable logging\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-cluster\n name: ecs-cluster-enable-logging\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.configuration:\n ~.execute_command_configuration:\n (contains($forbidden_values, @.logging)): false\n message: ECS Cluster should enable logging of ECS Exec\n context:\n - name: forbidden_values\n variable:\n - NONE\n match:\n any:\n - type: aws_ecs_cluster\n name: ecs-cluster-enable-logging\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/","title":"ECS requires container insights","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#description","title":"Description","text":"This Policy ensures that ECS clusters have container insights enabled.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS clusters have container\n insights enabled.\n title.policy.kyverno.io: ECS requires container insights\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-cluster\n name: required-container-insights\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.setting:\n name: containerInsights\n value: enabled\n message: Container insights should be enabled on ECS cluster\n match:\n any:\n - type: aws_ecs_cluster\n name: required-container-insights\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/","title":"ECS public IP","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#description","title":"Description","text":"This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS services do not have\n public IP addresses assigned to them automatically.\n title.policy.kyverno.io: ECS public IP\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-service\n name: ecs-public-ip\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.network_configuration:\n (contains('$allowed-values', @.assign_public_ip)): false\n message: ECS services should not have public IP addresses assigned to them\n automatically\n context:\n - name: allowed-values\n variable:\n - false\n match:\n any:\n - type: aws_ecs_service\n name: ecs-public-ip\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/","title":"ECS require latest platform fargate","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#description","title":"Description","text":"This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n on the latest Fargate platform version.\n title.policy.kyverno.io: ECS require latest platform fargate\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-service\n name: required-latest-platform-fargate\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n platform_version: LATEST\n message: ECS Fargate services should run on the latest Fargate platform version\n context:\n - name: pv\n variable: platform_version\n match:\n any:\n - type: aws_ecs_service\n values:\n launch_type: FARGATE\n name: required-latest-platform\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/","title":"ECS require filesystem read only","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#description","title":"Description","text":"This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n on the latest Fargate platform version.\n title.policy.kyverno.io: ECS require filesystem read only\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-task-definition\n name: fs-read-only\nspec:\n rules:\n - assert:\n any:\n - check:\n values:\n ~.(json_parse(container_definitions)):\n readonlyRootFilesystem: true\n message: ECS containers should only have read-only access to root filesystems\n match:\n any:\n - type: aws_ecs_task_definition\n name: require-fs-read-only\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/policy-1/","title":"policy-1","text":""},{"location":"catalog/policies/ecs/policy-1/#description","title":"Description","text":"None
"},{"location":"catalog/policies/ecs/policy-1/#install","title":"Install","text":""},{"location":"catalog/policies/ecs/policy-1/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n creationTimestamp: null\n name: test\nspec:\n rules:\n - assert:\n all:\n - check:\n foo:\n /(bar)/: 10\n name: foo-bar\n
"},{"location":"cli/","title":"Overview","text":"The kyverno-json
Command Line Interface (CLI) can be used to:
Here is an example of scanning an Terraform plan that creates an S3 bucket:
./kyverno-json scan --policy test/commands/scan/tf-s3/policy.yaml --payload test/commands/scan/tf-s3/payload.json\n
The output looks like:
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags / FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"cli/#installation","title":"Installation","text":"See Install for the available options to install the CLI.
"},{"location":"cli/#pre-processing-payloads","title":"Pre-processing payloads","text":"You can provide preprocessing queries in jmespath format to pre-process the input payload before evaluating resources against policies.
This is necessary if the input payload is not what you want to directly analyze.
For example, here is a partial JSON which was produced by converting a Terraform plan that creates an EC2 instance:
kyverno/kyverno-json/main/test/commands/scan/tf-ec2/payload.json
{\n \"format_version\": \"1.2\",\n \"terraform_version\": \"1.5.7\",\n \"planned_values\": {\n \"root_module\": {\n \"resources\": [\n {\n \"address\": \"aws_instance.app_server\",\n \"mode\": \"managed\",\n \"type\": \"aws_instance\",\n \"name\": \"app_server\",\n \"provider_name\": \"registry.terraform.io/hashicorp/aws\",\n \"schema_version\": 1,\n \"values\": {\n \"ami\": \"ami-830c94e3\",\n \"credit_specification\": [],\n \"get_password_data\": false,\n \"hibernation\": null,\n \"instance_type\": \"t2.micro\",\n \"launch_template\": [],\n \"source_dest_check\": true,\n \"tags\": {\n \"Name\": \"ExampleAppServerInstance\"\n },\n \"tags_all\": {\n \"Name\": \"ExampleAppServerInstance\"\n },\n \"timeouts\": null,\n \"user_data_replace_on_change\": false,\n \"volume_tags\": null\n },\n\n ...\n
To directly scan the resources
element use --pre-process planned_values.root_module.resources
as follows:
./kyverno-json scan --policy test/commands/scan/tf-ec2/policy.yaml --payload test/commands/scan/tf-ec2/payload.json --pre-process planned_values.root_module.resources\n
This command will produce the output:
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- required-ec2-tags / require-team-tag / PASSED\nDone\n
"},{"location":"cli/commands/kyverno-json/","title":"Kyverno json","text":""},{"location":"cli/commands/kyverno-json/#kyverno-json","title":"kyverno-json","text":"kyverno-json is a CLI tool to apply policies to json resources.
"},{"location":"cli/commands/kyverno-json/#synopsis","title":"Synopsis","text":"kyverno-json is a CLI tool to apply policies to json resources.
kyverno-json [flags]\n
"},{"location":"cli/commands/kyverno-json/#options","title":"Options","text":" -h, --help help for kyverno-json\n
"},{"location":"cli/commands/kyverno-json/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for the specified shell
"},{"location":"cli/commands/kyverno-json_completion/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for kyverno-json for the specified shell. See each sub-command's help for details on how to use the generated script.
"},{"location":"cli/commands/kyverno-json_completion/#options","title":"Options","text":" -h, --help help for completion\n
"},{"location":"cli/commands/kyverno-json_completion/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for bash
"},{"location":"cli/commands/kyverno-json_completion_bash/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for the bash shell.
This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.
To load completions in your current shell session:
source <(kyverno-json completion bash)\n
To load completions for every new session, execute once:
"},{"location":"cli/commands/kyverno-json_completion_bash/#linux","title":"Linux:","text":"kyverno-json completion bash > /etc/bash_completion.d/kyverno-json\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#macos","title":"macOS:","text":"kyverno-json completion bash > $(brew --prefix)/etc/bash_completion.d/kyverno-json\n
You will need to start a new shell for this setup to take effect.
kyverno-json completion bash\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#options","title":"Options","text":" -h, --help help for bash\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for fish
"},{"location":"cli/commands/kyverno-json_completion_fish/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
kyverno-json completion fish | source\n
To load completions for every new session, execute once:
kyverno-json completion fish > ~/.config/fish/completions/kyverno-json.fish\n
You will need to start a new shell for this setup to take effect.
kyverno-json completion fish [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#options","title":"Options","text":" -h, --help help for fish\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for powershell
"},{"location":"cli/commands/kyverno-json_completion_powershell/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for powershell.
To load completions in your current shell session:
kyverno-json completion powershell | Out-String | Invoke-Expression\n
To load completions for every new session, add the output of the above command to your powershell profile.
kyverno-json completion powershell [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#options","title":"Options","text":" -h, --help help for powershell\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for zsh
"},{"location":"cli/commands/kyverno-json_completion_zsh/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:
echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n
To load completions in your current shell session:
source <(kyverno-json completion zsh)\n
To load completions for every new session, execute once:
"},{"location":"cli/commands/kyverno-json_completion_zsh/#linux","title":"Linux:","text":"kyverno-json completion zsh > \"${fpath[1]}/_kyverno-json\"\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#macos","title":"macOS:","text":"kyverno-json completion zsh > $(brew --prefix)/share/zsh/site-functions/_kyverno-json\n
You will need to start a new shell for this setup to take effect.
kyverno-json completion zsh [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#options","title":"Options","text":" -h, --help help for zsh\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#see-also","title":"SEE ALSO","text":"Generates reference documentation.
"},{"location":"cli/commands/kyverno-json_docs/#synopsis","title":"Synopsis","text":"Generates reference documentation.
The docs command generates CLI reference documentation. It can be used to generate simple markdown files or markdown to be used for the website.
kyverno-json docs [flags]\n
"},{"location":"cli/commands/kyverno-json_docs/#examples","title":"Examples","text":" # Generate simple markdown documentation\n kyverno-json docs -o . --autogenTag=false\n\n # Generate website documentation\n kyverno-json docs -o . --website\n
"},{"location":"cli/commands/kyverno-json_docs/#options","title":"Options","text":" --autogenTag Determines if the generated docs should contain a timestamp (default true)\n -h, --help help for docs\n -o, --output string Output path (default \".\")\n --website Website version\n
"},{"location":"cli/commands/kyverno-json_docs/#see-also","title":"SEE ALSO","text":"Provides a command-line interface to JMESPath, enhanced with custom functions.
"},{"location":"cli/commands/kyverno-json_jp/#synopsis","title":"Synopsis","text":"Provides a command-line interface to JMESPath, enhanced with custom functions.
kyverno-json jp [flags]\n
"},{"location":"cli/commands/kyverno-json_jp/#examples","title":"Examples","text":" # List functions\n kyverno-json jp function\n\n # Evaluate query\n kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n # Parse expression\n kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp/#options","title":"Options","text":" -h, --help help for jp\n
"},{"location":"cli/commands/kyverno-json_jp/#see-also","title":"SEE ALSO","text":"Provides function informations.
"},{"location":"cli/commands/kyverno-json_jp_function/#synopsis","title":"Synopsis","text":"Provides function informations.
kyverno-json jp function [function_name]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_function/#examples","title":"Examples","text":" # List functions\n kyverno-json jp function\n\n # Get function infos\n kyverno-json jp function truncate\n
"},{"location":"cli/commands/kyverno-json_jp_function/#options","title":"Options","text":" -h, --help help for function\n
"},{"location":"cli/commands/kyverno-json_jp_function/#see-also","title":"SEE ALSO","text":"Parses jmespath expression and prints corresponding AST.
"},{"location":"cli/commands/kyverno-json_jp_parse/#synopsis","title":"Synopsis","text":"Parses jmespath expression and prints corresponding AST.
kyverno-json jp parse [-f file|expression]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#examples","title":"Examples","text":" # Parse expression\n kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n\n # Parse expression from a file\n kyverno-json jp parse -f my-file\n\n # Parse expression from stdin\n kyverno-json jp parse\n\n # Parse multiple expressionxs\n kyverno-json jp parse -f my-file1 -f my-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#options","title":"Options","text":" -f, --file strings Read input from a JSON or YAML file instead of stdin\n -h, --help help for parse\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#see-also","title":"SEE ALSO","text":"Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
"},{"location":"cli/commands/kyverno-json_jp_query/#synopsis","title":"Synopsis","text":"Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
kyverno-json jp query [-i input] [-q query|query]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_query/#examples","title":"Examples","text":" # Evaluate query\n kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n # Evaluate query\n kyverno-json jp query -i object.yaml -q query-file\n\n # Evaluate multiple queries\n kyverno-json jp query -i object.yaml -q query-file-1 -q query-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_query/#options","title":"Options","text":" -c, --compact Produce compact JSON output that omits non essential whitespace\n -h, --help help for query\n -i, --input string Read input from a JSON or YAML file instead of stdin\n -q, --query strings Read JMESPath expression from the specified file\n -u, --unquoted If the final result is a string, it will be printed without quotes\n
"},{"location":"cli/commands/kyverno-json_jp_query/#see-also","title":"SEE ALSO","text":"playground
"},{"location":"cli/commands/kyverno-json_playground/#synopsis","title":"Synopsis","text":"Serve playground
kyverno-json playground [flags]\n
"},{"location":"cli/commands/kyverno-json_playground/#options","title":"Options","text":" --gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for playground\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_playground/#see-also","title":"SEE ALSO","text":"scan
"},{"location":"cli/commands/kyverno-json_scan/#synopsis","title":"Synopsis","text":"Apply policies to json resources
kyverno-json scan [flags]\n
"},{"location":"cli/commands/kyverno-json_scan/#options","title":"Options","text":" -h, --help help for scan\n --labels strings Labels selectors for policies\n --output string Output format (text or json) (default \"text\")\n --payload string Path to payload (json or yaml file)\n --policy strings Path to kyverno-json policies\n --pre-process strings JMESPath expression used to pre process payload\n
"},{"location":"cli/commands/kyverno-json_scan/#see-also","title":"SEE ALSO","text":"serve
"},{"location":"cli/commands/kyverno-json_serve/#synopsis","title":"Synopsis","text":"Serve API
kyverno-json serve [flags]\n
"},{"location":"cli/commands/kyverno-json_serve/#options","title":"Options","text":" --gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for serve\n --kube-as string Username to impersonate for the operation\n --kube-as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n --kube-as-uid string UID to impersonate for the operation\n --kube-certificate-authority string Path to a cert file for the certificate authority\n --kube-client-certificate string Path to a client certificate file for TLS\n --kube-client-key string Path to a client key file for TLS\n --kube-cluster string The name of the kubeconfig cluster to use\n --kube-context string The name of the kubeconfig context to use\n --kube-disable-compression If true, opt-out of response compression for all requests to the server\n --kube-insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n -n, --kube-namespace string If present, the namespace scope for this CLI request\n --kube-password string Password for basic authentication to the API server\n --kube-proxy-url string If provided, this URL will be used to connect via proxy\n --kube-request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n --kube-server string The address and port of the Kubernetes API server\n --kube-tls-server-name string If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.\n --kube-token string Bearer token for authentication to the API server\n --kube-user string The name of the kubeconfig user to use\n --kube-username string Username for basic authentication to the API server\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_serve/#see-also","title":"SEE ALSO","text":"Print the version informations
"},{"location":"cli/commands/kyverno-json_version/#synopsis","title":"Synopsis","text":"Print the version informations
kyverno-json version [flags]\n
"},{"location":"cli/commands/kyverno-json_version/#examples","title":"Examples","text":" # Print version infos\n kyverno-json version\n
"},{"location":"cli/commands/kyverno-json_version/#options","title":"Options","text":" -h, --help help for version\n
"},{"location":"cli/commands/kyverno-json_version/#see-also","title":"SEE ALSO","text":"The Go API provides a way to embed the Kyverno JSON engine in Go programs that validate JSON payloads using Kyverno policies.
The Go API can be added to a program's dependencies as follows:
go get github.com/kyverno/kyverno-json/pkg/jsonengine\ngo get github.com/kyverno/kyverno-json/pkg/policy\n
Here is a sample program that shows the overall flow for programatically using the Kyverno JSON Engine:
package main\n\nimport (\n \"context\"\n \"encoding/json\"\n \"log\"\n\n jsonengine \"github.com/kyverno/kyverno-json/pkg/json-engine\"\n \"github.com/kyverno/kyverno-json/pkg/policy\"\n)\n\nconst policyYAML = `\napiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: authz\nspec:\n rules:\n - name: delete-checks\n identifier: \"name\"\n match:\n all:\n (input.method): \"DELETE\"\n assert:\n all:\n - check:\n role: \"admin\"\n`\n\nfunc main() {\n policies, err := policy.Parse([]byte(policyYAML))\n if err != nil {\n panic(err)\n }\n\n // load payloads\n requestJSON := `{\n \"name\": \"Annie\",\n \"role\": \"admin\",\n \"input\": {\n \"method\": \"DELETE\",\n \"path\": \"/red-files\"\n }\n }`\n\n var payload any\n if err := json.Unmarshal([]byte(requestJSON), &payload); err != nil {\n panic(err)\n }\n\n // create a JsonEngineRequest\n request := jsonengine.JsonEngineRequest{\n Resources: []any{payload},\n Policies: policies,\n }\n\n // create a J\n engine := jsonengine.New()\n\n responses := engine.Run(context.Background(), request)\n\n logger := log.Default()\n for _, resp := range responses {\n if resp.Error != nil {\n // ...handle execution error\n logger.Printf(\"policy error: %v\", resp.Error)\n }\n\n if resp.Failure != nil {\n // ...handle policy failure\n logger.Printf(\"policy failure: %v\", resp.Failure)\n }\n }\n}\n
"},{"location":"jp/functions/","title":"Functions","text":""},{"location":"jp/functions/#built-in-functions","title":"built-in functions","text":"Name Signature abs abs(number)
avg avg(array[number])
ceil ceil(number)
contains contains(array\\|string, any)
ends_with ends_with(string, string)
find_first find_first(string, string, number, number)
find_last find_last(string, string, number, number)
floor floor(number)
from_items from_items(array[array])
group_by group_by(array, expref)
items items(object)
join join(string, array[string])
keys keys(object)
length length(string\\|array\\|object)
lower lower(string)
map map(expref, array)
max max(array[number]\\|array[string])
max_by max_by(array, expref)
merge merge(object)
min min(array[number]\\|array[string])
min_by min_by(array, expref)
not_null not_null(any)
pad_left pad_left(string, number, string)
pad_right pad_right(string, number, string)
replace replace(string, string, string, number)
reverse reverse(array\\|string)
sort sort(array[string]\\|array[number])
sort_by sort_by(array, expref)
split split(string, string, number)
starts_with starts_with(string, string)
sum sum(array[number])
to_array to_array(any)
to_number to_number(any)
to_string to_string(any)
trim trim(string, string)
trim_left trim_left(string, string)
trim_right trim_right(string, string)
type type(any)
upper upper(string)
values values(object)
zip zip(array, array)
"},{"location":"jp/functions/#custom-functions","title":"custom functions","text":"Name Signature at at(array, any)
concat concat(string, string)
json_parse json_parse(string)
wildcard wildcard(string, string)
"},{"location":"jp/functions/#kyverno-functions","title":"kyverno functions","text":"Name Signature compare compare(string, string)
equal_fold equal_fold(string, string)
replace replace(string, string, string, number)
replace_all replace_all(string, string, string)
to_upper to_upper(string)
to_lower to_lower(string)
trim trim(string, string)
trim_prefix trim_prefix(string, string)
split split(string, string)
regex_replace_all regex_replace_all(string, string\\|number, string\\|number)
regex_replace_all_literal regex_replace_all_literal(string, string\\|number, string\\|number)
regex_match regex_match(string, string\\|number)
pattern_match pattern_match(string, string\\|number)
label_match label_match(object, object)
to_boolean to_boolean(string)
add add(any, any)
sum sum(array)
subtract subtract(any, any)
multiply multiply(any, any)
divide divide(any, any)
modulo modulo(any, any)
round round(number, number)
base64_decode base64_decode(string)
base64_encode base64_encode(string)
time_since time_since(string, string, string)
time_now time_now()
time_now_utc time_now_utc()
path_canonicalize path_canonicalize(string)
truncate truncate(string, number)
semver_compare semver_compare(string, string)
parse_json parse_json(string)
parse_yaml parse_yaml(string)
lookup lookup(object\\|array, string\\|number)
items items(object\\|array, string, string)
object_from_lists object_from_lists(array, array)
random random(string)
x509_decode x509_decode(string)
time_to_cron time_to_cron(string)
time_add time_add(string, string)
time_parse time_parse(string, string)
time_utc time_utc(string)
time_diff time_diff(string, string)
time_before time_before(string, string)
time_after time_after(string, string)
time_between time_between(string, string, string)
time_truncate time_truncate(string, string)
"},{"location":"policies/asserts/","title":"Assertion trees","text":"Assertion trees can be used to apply complex and dynamic conditional checks using JMESPath expressions.
"},{"location":"policies/asserts/#assert","title":"Assert","text":"An assert
declaration contains an any
or all
list in which each entry contains a:
check
: the assertion checkmessage
: an optional messageA check can contain one or more JMESPath expressions. Expressions represent projections of selected data in the JSON payload and the result of this projection is passed to descendants for further analysis.
All comparisons happen in the leaves of the assertion tree.
A simple example:
This policy checks that a pod does not use the default service account:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: assert-sample\nspec:\n rules:\n - name: foo-bar\n match:\n all:\n - apiVersion: v1\n kind: Pod\n assert:\n all:\n - message: \"serviceAccountName 'default' is not allowed\"\n check:\n spec:\n (serviceAccountName == 'default'): false\n
A detailed example:
Given the input payload below:
foo:\n baz: true\n bar: 4\n bat: 6\n
It is possible to write a validation rule like this:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar-4\n validate:\n assert:\n all:\n - message: \"...\"\n check:\n # project field `foo` onto itself, the content of `foo` becomes the current object for descendants\n foo:\n\n # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants\n # the `true` leaf is compared with the current value `true`\n (bar > `3`): true\n\n # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants\n # the leaf `false` is compared with the current value `false`\n (!baz): false\n\n # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants\n # the leaf `10` is compared with the current value `10`\n (bar + bat): 10\n
"},{"location":"policies/asserts/#iterating-with-projection-modifiers","title":"Iterating with Projection Modifiers","text":"Assertion tree expressions support modifiers to influence the way projected values are processed.
The ~
modifier applies to arrays and maps, it mean the input array or map elements will be processed individually by descendants.
When the ~
modifier is not used, descendants receive the whole array, not each individual element.
Consider the following input document:
foo:\n bar:\n - 1\n - 2\n - 3\n
The policy below does not use the ~
modifier and foo.bar
array is compared against the expected array:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # the content of the `bar` field will be compared against `[1, 2, 3]`\n bar:\n - 1\n - 2\n - 3\n
With the ~
modifier, we can apply descendant assertions to all elements in the array individually. The policy below ensures that all elements in the input array are < 5
:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # with the `~` modifier all elements in the `[1, 2, 3]` array are processed individually and passed to descendants\n ~.bar:\n # the expression `(@ < `5`)` is evaluated for every element and the result is expected to be `true`\n (@ < `5`): true\n
The ~
modifier supports binding the index of the element being processed to a named binding with the following syntax ~index_name.bar
. When this is used, we can access the element index in descendants with $index_name
.
When used with a map, the named binding receives the key of the element being processed.
"},{"location":"policies/asserts/#explicit-bindings","title":"Explicit bindings","text":"Sometimes it can be useful to refer to a parent node in the assertion tree.
This is possible to add an explicit binding at every node in the tree by appending the ->binding_name
to the key.
Given the input document:
foo:\n bar: 4\n bat: 6\n
The following policy will compute a sum and bind the result to the sum
binding. A descendant can then use $sum
and use it:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # evaluate expression `(bar + bat)` and bind it to `sum`\n (bar + bat)->sum:\n # get the `$sum` binding and compare it against `10`\n ($sum): 10\n
All binding are available to descendants, if a descendant creates a binding with a name that already exists the binding will be overridden for descendants only and it doesn't affect the bindings at upper levels in the tree.
In other words, a node in the tree always sees bindings that are defined in the parents and if a name is reused, the first binding with the given name wins when winding up the tree.
As a consequence, the policy below will evaluate to true:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n (bar + bat)->sum:\n ($sum + $sum)->sum:\n ($sum): 20\n ($sum): 10\n
Finally, we can always access the current payload, policy and rule being evaluated using the built-in $payload
, $policy
and $rule
bindings. No protection is made to prevent you from overriding those bindings though.
It can be necessary to prevent a projection under certain circumstances.
Consider the following document:
foo:\n (bar): 4\n (baz):\n - 1\n - 2\n - 3\n
Here the (bar)
key conflict with the projection syntax. To workaround this situation, you can escape a projection by surrounding it with \\
characters like this:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n \\(bar)\\: 10\n
In this case, the leading and trailing \\
characters will be erased and the projection won't be applied.
Note that it's still possible to use the ~
modifier or to create a named binding with and escaped projection.
Keys like this are perfectly valid:
~index.\\baz\\
\\baz\\@foo
~index.\\baz\\@foo
Kyverno policies are Kubernetes resources and can be easily managed via Kubernetes APIs, GitOps workflows, and other existing tools.
Policies that apply to JSON payload have a few differences from Kyverno policies that are applied to Kubernetes resources at admission controls.
"},{"location":"policies/policies/#resource-scope","title":"Resource Scope","text":"Policies that apply to JSON payloads are always cluster-wide resources.
"},{"location":"policies/policies/#api-group-and-kind","title":"API Group and Kind","text":"kyverno-json
policies belong to the json.kyverno.io
group and can only be of kind ValidatingPolicy
.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar-4\n validate:\n assert:\n all:\n - foo:\n bar: 4\n
"},{"location":"policies/policies/#policy-rules","title":"Policy Rules","text":"A policy can have multiple rules, and rules are processed in order. Evaluation stops at the first rule that fails.
"},{"location":"policies/policies/#match-and-exclude","title":"Match and Exclude","text":"Policies that apply to JSON payloads use assertion trees in both the match
/exclude
declarations as well as the validate
rule declaration.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: required-s3-tags\nspec:\n rules:\n - name: require-team-tag\n identifier: address\n match:\n any:\n - type: aws_s3_bucket\n exclude:\n any:\n - name: bypass-me\n validate:\n assert:\n all:\n - values:\n tags:\n Team: ?*\n
In the example above, every resource having type: aws_s3_bucket
will match, and payloads having name: bypass-me
will be excluded.
A policy rule can contain an optional identifier
which declares the path to the payload element that uniquely identifies each entry.
A policy rule can contain optional context
entries that are made available to the rule via bindings:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: required-s3-tags\nspec:\n rules:\n - name: require-team-tag\n match:\n any:\n - type: aws_s3_bucket\n context:\n # creates a `expectedTeam` binding automatically\n - name: expectedTeam\n variable: Kyverno\n validate:\n message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}\n assert:\n all:\n - values:\n tags:\n # use the `$expectedTeam` binding coming from the context\n Team: ($expectedTeam)\n
"},{"location":"policies/policies/#no-foreach-pattern-operators-anchors-or-wildcards","title":"No forEach
, pattern operators
, anchors
, or wildcards
","text":"The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.
Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.
"},{"location":"webapp/","title":"Usage","text":"kyverno-json
can be deployed as a web application with a REST API. This is useful for deployments when a long running service that processes policy requests is desired.
With kyverno-json
policies are managed as Kubernetes resources. This means that you can use Kubernetes APIs, kubectl
, GitOps, or any other Kubernetes management tool to manage policies.
Here is a complete demonstration of how to use kyverno-json
as an web application:
Install CRDs
Install the CRD for kyverno-json
:
kubectl apply -f .crds/json.kyverno.io_validatingpolicies.yaml\n
Install policies:
Install a sample policy:
kubectl apply -f test/commands/scan/dockerfile/policy.yaml\n
Prepare the payload
The payload is a JSON object with two fields:
Name Type Requiredpayload
Object Y preprocessors
Array of Strings N You can construct a sample payload for the Dockerfile policy using:
cat test/commands/scan/dockerfile/payload.json | jq '{\"payload\": .}' > /tmp/webapp-payload.json\n
Run the web application
./kyverno-json serve\n
This will show the output:
2023/10/29 23:46:11 configured route /api/scan\n2023/10/29 23:46:11 listening to requests on 0.0.0.0:8080\n
Send the REST API request
curl http://localhost:8080/api/scan -X POST -H \"Content-Type: application/json\" -d @/tmp/webapp-payload.json | jq\n
The configured policies will be applied to the payload and the results will be returned back:
{\n \"results\": [\n {\n \"policy\": \"check-dockerfile\",\n \"rule\": \"deny-external-calls\",\n \"status\": \"fail\",\n \"message\": \"HTTP calls are not allowed: all[0].check.~.(Stages[].Commands[].Args[].Value)[0].(contains(@, 'https://') || contains(@, 'http://')): Invalid value: true: Expected value: false; wget is not allowed: all[3].check.~.(Stages[].Commands[].CmdLine[])[0].(contains(@, 'wget')): Invalid value: true: Expected value: false\"\n }\n ]\n}\n
"},{"location":"webapp/#helm-chart","title":"Helm Chart","text":"The web application can be installed and managed in a Kubernetes cluster using Helm.
See details at: https://github.com/kyverno/kyverno-json/tree/main/charts/kyverno-json
"},{"location":"catalog/","title":"Policy catalog","text":"The kyverno-json
policy catalog contains curated policies to be reused.
You can share your policies with the community by opening a pull request here.
"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":"You can install the pre-compiled binary (in several ways), or compile from source. We also provide a GitHub action to easily install Kyverno-JSON in your workflows.
"},{"location":"install/#install-the-pre-compiled-binary","title":"Install the pre-compiled binary","text":""},{"location":"install/#homebrew-tap","title":"Homebrew tap","text":"add tap:
brew tap kyverno/kyverno-json https://github.com/kyverno/kyverno-json\n
install kyverno-json:
brew install kyverno/kyverno-json/kyverno-json\n
"},{"location":"install/#manually","title":"Manually","text":"Download the pre-compiled binaries for your system from the releases page and copy them to the desired location.
"},{"location":"install/#using-go-install","title":"Usinggo install
","text":"You can install with go install
with:
go install github.com/kyverno/kyverno-json@latest\n
"},{"location":"install/#build-from-the-source-code","title":"Build from the source code","text":"clone the repository:
git clone https://github.com/kyverno/kyverno-json.git\n
build the binaries:
cd kyverno-json\ngo mod tidy\nmake build\n
verify the build:
./kyverno-json version\n
"},{"location":"intro/","title":"Introduction","text":"kyverno-json
extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With kyverno-json
, you can now use Kyverno policies to validate:
Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance.
kyverno-json
can be run as a:
kyverno-json
uses JMESPath community edition, a modern JMESPath implementation with lexical scopes support.
The current payload, policy and rule are always available using the following builtin bindings:
Binding Usage$payload
Current payload being analysed $policy
Current policy being executed $rule
Current rule being evaluated Warning
No protection is made to prevent you from overriding those bindings.
"},{"location":"playground/","title":"Playground","text":"The kyverno-json
playground can be used to test kyverno-json
directly in your web browser.
See Install for the available options to install the CLI.
"},{"location":"quick-start/#validate-a-terraform-plan","title":"Validate a Terraform Plan","text":"In this example we will use a Kyverno policy to validate a Terraform plan:
"},{"location":"quick-start/#create-the-payload","title":"Create the payload","text":"Here is a Terraform plan that creates an AWS S3 bucket:
terraform {\n required_providers {\n aws = {\n source = \"hashicorp/aws\"\n version = \"~> 4.16\"\n }\n }\n\n required_version = \">= 1.2.0\"\n}\n\nprovider \"aws\" {\n region = \"us-west-2\"\n}\n\nresource \"aws_s3_bucket\" \"example\" {\n bucket = \"my-tf-test-bucket\"\n\n tags = {\n Name = \"My bucket\"\n Environment = \"Dev\"\n }\n}\n
You can convert this to JSON using the following commands:
output the plan:
terraform plan -out tfplan.binary\n
convert to JSON: terraform show -json tfplan.binary | jq > payload.json\n
"},{"location":"quick-start/#create-the-policy","title":"Create the policy","text":"Create a policy.yaml
file and paste the content below that checks for required labels:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: s3\nspec:\n rules:\n - name: check-tags\n assert:\n all:\n - check:\n planned_values:\n root_module:\n ~.resources:\n values:\n (keys(tags_all)):\n (contains(@, 'Environment')): true\n (contains(@, 'Name')): true\n (contains(@, 'Team')): true\n
"},{"location":"quick-start/#scan-the-payload","title":"Scan the payload","text":"With the payload and policy above, we can invoke kyverno-json
with the command below:
kyverno-json scan --payload payload.json --policy policy.yaml\n
The plan shown above will fail as it does not contain the Team
tag.
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags / FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"quick-start/#validate-a-kubernetes-resource","title":"Validate a Kubernetes Resource","text":"For this example we will use a Kubernetes Pod
payload.
Create a payload.yaml
file and paste the Pod declaration below in it:
apiVersion: v1\nkind: Pod\nmetadata:\n name: pods-simple-pod\nspec:\n containers:\n - command:\n - sleep\n - \"3600\"\n image: busybox:latest\n name: pods-simple-container\n
This is a simple Pod
with one container running the busybox
latest docker image.
Using the latest
tag of an image is a bad practice. Let's write a policy to detect this.
Create a policy.yaml
file and paste the content below to block latest
images:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: pod-policy\nspec:\n rules:\n - name: no-latest\n # Match payloads corresponding to pods\n match:\n any:\n - apiVersion: v1\n kind: Pod\n assert:\n all:\n - message: Pod `{{ metadata.name }}` uses an image with tag `latest`\n check:\n spec:\n # Iterate over pod containers\n # Note the `~.` modifier, it means we want to iterate over array elements in descendants\n ~.containers:\n image:\n # Check that an image tag is present\n (contains(@, ':')): true\n # Check that the image tag is not `:latest`\n (ends_with(@, ':latest')): false\n
This policy iterates over pod containers, checking that the container image has a tag specified and that the tag being used is not latest
.
With the payload and policy above, we can invoke kyverno-json
with the command below:
kyverno-json scan --payload payload.yaml --policy policy.yaml\n
This produces the output:
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- pod-policy / no-latest / FAILED: Pod `pods-simple-pod` uses an image with tag `latest`\nDone\n
"},{"location":"apis/kyverno-json.v1alpha1/","title":"KyvernoJson (v1alpha1)","text":"Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
"},{"location":"apis/kyverno-json.v1alpha1/#resource-types","title":"Resource Types","text":"ValidatingPolicy
","text":"Appears in:
ValidatingPolicy is the resource that contains the policy definition.
Field Type Required Inline DescriptionapiVersion
string
json.kyverno.io/v1alpha1
kind
string
ValidatingPolicy
metadata
meta/v1.ObjectMeta
Standard object's metadata.
spec
ValidatingPolicySpec
Policy spec.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicyList","title":"ValidatingPolicyList
","text":"ValidatingPolicyList is a list of ValidatingPolicy instances.
Field Type Required Inline DescriptionapiVersion
string
json.kyverno.io/v1alpha1
kind
string
ValidatingPolicyList
metadata
meta/v1.ListMeta
No description provided. items
[]ValidatingPolicy
No description provided."},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Any","title":"Any
","text":"Appears in:
Any can be any type.
Field Type Required Inline DescriptionValue
any
Value contains the value of the Any object.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assert","title":"Assert
","text":"Appears in:
Assert defines collections of assertions.
Field Type Required Inline Descriptionany
[]Assertion
Any allows specifying assertions which will be ORed.
all
[]Assertion
All allows specifying assertions which will be ANDed.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assertion","title":"Assertion
","text":"Appears in:
Assertion contains an assertion tree associated with a message.
Field Type Required Inline Descriptionmessage
string
Message is the message associated message.
check
Any
Check is the assertion check definition.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ContextEntry","title":"ContextEntry
","text":"Appears in:
ContextEntry adds variables and data sources to a rule context.
Field Type Required Inline Descriptionname
string
Name is the entry name.
variable
Any
Variable defines an arbitrary variable.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Match","title":"Match
","text":"Appears in:
Match defines collections of assertion trees.
Field Type Required Inline Descriptionany
[]Any
Any allows specifying assertion trees which will be ORed.
all
[]Any
All allows specifying assertion trees which will be ANDed.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicySpec","title":"ValidatingPolicySpec
","text":"Appears in:
ValidatingPolicySpec contains the policy spec.
Field Type Required Inline Descriptionrules
[]ValidatingRule
Rules is a list of ValidatingRule instances.
"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingRule","title":"ValidatingRule
","text":"Appears in:
ValidatingRule defines a validating rule.
Field Type Required Inline Descriptionname
string
Name is a label to identify the rule, It must be unique within the policy.
context
[]ContextEntry
Context defines variables and data sources that can be used during rule execution.
match
Match
Match defines when this policy rule should be applied.
exclude
Match
Exclude defines when this policy rule should not be applied.
identifier
string
Identifier declares a JMESPath expression to extract a name from the payload.
assert
Assert
Assert is used to validate matching resources.
"},{"location":"catalog/","title":"Policy catalog","text":"The kyverno-json
policy catalog contains curated policies to be reused.
You can share your policies with the community by opening a pull request here.
"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":"This Policy ensures that port 22 is not exposed in Dockerfile.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that port 22 is not exposed\n in Dockerfile.\n title.policy.kyverno.io: Dockerfile expose port 22 not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-expose-port-22\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].Commands[?Name=='EXPOSE'][]):\n (contains(Ports, '22') || contains(Ports, '22/TCP')): false\n message: Port 22 exposure is not allowed\n name: check-port-exposure\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/","title":"Dockerfile latest image tag not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#description","title":"Description","text":"This Policy ensures that no image uses the latest tag in Dockerfile.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that no image uses the latest\n tag in Dockerfile.\n title.policy.kyverno.io: Dockerfile latest image tag not allowed\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-deny-latest-image-tag\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].From.Image):\n (contains(@, ':latest')): false\n message: Latest tag is not allowed\n name: check-latest-tag\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/","title":"Ensure apt is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#description","title":"Description","text":"This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get\n can be used as apt interface is less stable than apt-get and so this preferred.\n title.policy.kyverno.io: Ensure apt is not used in Dockerfile\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-apt\nspec:\n rules:\n - assert:\n any:\n - check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'apt ')): false\n message: apt not allowed\n name: dockerfile-disallow-apt\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/","title":"Dockerfile last user is not allowed to be root","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#description","title":"Description","text":"This Policy ensures that last user in Dockerfile is not root.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that last user in Dockerfile\n is not root.\n title.policy.kyverno.io: Dockerfile last user is not allowed to be root\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-last-user-root\nspec:\n rules:\n - assert:\n all:\n - check:\n ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false\n message: Last user root not allowed\n name: check-disallow-last-user-root\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/","title":"Ensure sudo is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#description","title":"Description","text":"This Policy ensures that sudo isn\u2019t used.
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that sudo isn\u2019t used.\n title.policy.kyverno.io: Ensure sudo is not used in Dockerfile\n creationTimestamp: null\n labels:\n dockerfile.tags.kyverno.io: dockerfile\n name: dockerfile-disallow-sudo\nspec:\n rules:\n - assert:\n all:\n - check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'sudo')): false\n message: sudo not allowed\n name: dockerfile-disallow-sudo\n
","tags":["dockerfile"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/","title":"ECS cluster enable logging","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#description","title":"Description","text":"This Policy ensures that ECS clusters have logging enabled.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS clusters have logging\n enabled.\n title.policy.kyverno.io: ECS cluster enable logging\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-cluster\n name: ecs-cluster-enable-logging\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.configuration:\n ~.execute_command_configuration:\n (contains($forbidden_values, @.logging)): false\n message: ECS Cluster should enable logging of ECS Exec\n context:\n - name: forbidden_values\n variable:\n - NONE\n match:\n any:\n - type: aws_ecs_cluster\n name: ecs-cluster-enable-logging\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/","title":"ECS requires container insights","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#description","title":"Description","text":"This Policy ensures that ECS clusters have container insights enabled.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS clusters have container\n insights enabled.\n title.policy.kyverno.io: ECS requires container insights\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-cluster\n name: required-container-insights\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.setting:\n name: containerInsights\n value: enabled\n message: Container insights should be enabled on ECS cluster\n match:\n any:\n - type: aws_ecs_cluster\n name: required-container-insights\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/","title":"ECS public IP","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#description","title":"Description","text":"This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS services do not have\n public IP addresses assigned to them automatically.\n title.policy.kyverno.io: ECS public IP\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-service\n name: ecs-public-ip\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n ~.network_configuration:\n (contains('$allowed-values', @.assign_public_ip)): false\n message: ECS services should not have public IP addresses assigned to them\n automatically\n context:\n - name: allowed-values\n variable:\n - false\n match:\n any:\n - type: aws_ecs_service\n name: ecs-public-ip\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/","title":"ECS require latest platform fargate","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#description","title":"Description","text":"This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n on the latest Fargate platform version.\n title.policy.kyverno.io: ECS require latest platform fargate\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-service\n name: required-latest-platform-fargate\nspec:\n rules:\n - assert:\n all:\n - check:\n values:\n platform_version: LATEST\n message: ECS Fargate services should run on the latest Fargate platform version\n context:\n - name: pv\n variable: platform_version\n match:\n any:\n - type: aws_ecs_service\n values:\n launch_type: FARGATE\n name: required-latest-platform\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/","title":"ECS require filesystem read only","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#description","title":"Description","text":"This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n annotations:\n description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n on the latest Fargate platform version.\n title.policy.kyverno.io: ECS require filesystem read only\n creationTimestamp: null\n labels:\n ecs.aws.tags.kyverno.io: ecs-task-definition\n name: fs-read-only\nspec:\n rules:\n - assert:\n any:\n - check:\n values:\n ~.(json_parse(container_definitions)):\n readonlyRootFilesystem: true\n message: ECS containers should only have read-only access to root filesystems\n match:\n any:\n - type: aws_ecs_task_definition\n name: require-fs-read-only\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/policy-1/","title":"policy-1","text":""},{"location":"catalog/policies/ecs/policy-1/#description","title":"Description","text":"None
"},{"location":"catalog/policies/ecs/policy-1/#install","title":"Install","text":""},{"location":"catalog/policies/ecs/policy-1/#in-cluster","title":"In cluster","text":"kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#download-locally","title":"Download locally","text":"curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#manifest","title":"Manifest","text":"Original policy Raw
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n creationTimestamp: null\n name: test\nspec:\n rules:\n - assert:\n all:\n - check:\n foo:\n /(bar)/: 10\n name: foo-bar\n
"},{"location":"cli/","title":"Overview","text":"The kyverno-json
Command Line Interface (CLI) can be used to:
Here is an example of scanning an Terraform plan that creates an S3 bucket:
./kyverno-json scan --policy test/commands/scan/tf-s3/policy.yaml --payload test/commands/scan/tf-s3/payload.json\n
The output looks like:
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags / FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"cli/#installation","title":"Installation","text":"See Install for the available options to install the CLI.
"},{"location":"cli/#pre-processing-payloads","title":"Pre-processing payloads","text":"You can provide preprocessing queries in jmespath format to pre-process the input payload before evaluating resources against policies.
This is necessary if the input payload is not what you want to directly analyze.
For example, here is a partial JSON which was produced by converting a Terraform plan that creates an EC2 instance:
kyverno/kyverno-json/main/test/commands/scan/tf-ec2/payload.json
{\n \"format_version\": \"1.2\",\n \"terraform_version\": \"1.5.7\",\n \"planned_values\": {\n \"root_module\": {\n \"resources\": [\n {\n \"address\": \"aws_instance.app_server\",\n \"mode\": \"managed\",\n \"type\": \"aws_instance\",\n \"name\": \"app_server\",\n \"provider_name\": \"registry.terraform.io/hashicorp/aws\",\n \"schema_version\": 1,\n \"values\": {\n \"ami\": \"ami-830c94e3\",\n \"credit_specification\": [],\n \"get_password_data\": false,\n \"hibernation\": null,\n \"instance_type\": \"t2.micro\",\n \"launch_template\": [],\n \"source_dest_check\": true,\n \"tags\": {\n \"Name\": \"ExampleAppServerInstance\"\n },\n \"tags_all\": {\n \"Name\": \"ExampleAppServerInstance\"\n },\n \"timeouts\": null,\n \"user_data_replace_on_change\": false,\n \"volume_tags\": null\n },\n\n ...\n
To directly scan the resources
element use --pre-process planned_values.root_module.resources
as follows:
./kyverno-json scan --policy test/commands/scan/tf-ec2/policy.yaml --payload test/commands/scan/tf-ec2/payload.json --pre-process planned_values.root_module.resources\n
This command will produce the output:
Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- required-ec2-tags / require-team-tag / PASSED\nDone\n
"},{"location":"cli/commands/kyverno-json/","title":"Kyverno json","text":""},{"location":"cli/commands/kyverno-json/#kyverno-json","title":"kyverno-json","text":"kyverno-json is a CLI tool to apply policies to json resources.
"},{"location":"cli/commands/kyverno-json/#synopsis","title":"Synopsis","text":"kyverno-json is a CLI tool to apply policies to json resources.
kyverno-json [flags]\n
"},{"location":"cli/commands/kyverno-json/#options","title":"Options","text":" -h, --help help for kyverno-json\n
"},{"location":"cli/commands/kyverno-json/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for the specified shell
"},{"location":"cli/commands/kyverno-json_completion/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for kyverno-json for the specified shell. See each sub-command's help for details on how to use the generated script.
"},{"location":"cli/commands/kyverno-json_completion/#options","title":"Options","text":" -h, --help help for completion\n
"},{"location":"cli/commands/kyverno-json_completion/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for bash
"},{"location":"cli/commands/kyverno-json_completion_bash/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for the bash shell.
This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.
To load completions in your current shell session:
source <(kyverno-json completion bash)\n
To load completions for every new session, execute once:
"},{"location":"cli/commands/kyverno-json_completion_bash/#linux","title":"Linux:","text":"kyverno-json completion bash > /etc/bash_completion.d/kyverno-json\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#macos","title":"macOS:","text":"kyverno-json completion bash > $(brew --prefix)/etc/bash_completion.d/kyverno-json\n
You will need to start a new shell for this setup to take effect.
kyverno-json completion bash\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#options","title":"Options","text":" -h, --help help for bash\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for fish
"},{"location":"cli/commands/kyverno-json_completion_fish/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for the fish shell.
To load completions in your current shell session:
kyverno-json completion fish | source\n
To load completions for every new session, execute once:
kyverno-json completion fish > ~/.config/fish/completions/kyverno-json.fish\n
You will need to start a new shell for this setup to take effect.
kyverno-json completion fish [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#options","title":"Options","text":" -h, --help help for fish\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for powershell
"},{"location":"cli/commands/kyverno-json_completion_powershell/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for powershell.
To load completions in your current shell session:
kyverno-json completion powershell | Out-String | Invoke-Expression\n
To load completions for every new session, add the output of the above command to your powershell profile.
kyverno-json completion powershell [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#options","title":"Options","text":" -h, --help help for powershell\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#see-also","title":"SEE ALSO","text":"Generate the autocompletion script for zsh
"},{"location":"cli/commands/kyverno-json_completion_zsh/#synopsis","title":"Synopsis","text":"Generate the autocompletion script for the zsh shell.
If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:
echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n
To load completions in your current shell session:
source <(kyverno-json completion zsh)\n
To load completions for every new session, execute once:
"},{"location":"cli/commands/kyverno-json_completion_zsh/#linux","title":"Linux:","text":"kyverno-json completion zsh > \"${fpath[1]}/_kyverno-json\"\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#macos","title":"macOS:","text":"kyverno-json completion zsh > $(brew --prefix)/share/zsh/site-functions/_kyverno-json\n
You will need to start a new shell for this setup to take effect.
kyverno-json completion zsh [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#options","title":"Options","text":" -h, --help help for zsh\n --no-descriptions disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#see-also","title":"SEE ALSO","text":"Generates reference documentation.
"},{"location":"cli/commands/kyverno-json_docs/#synopsis","title":"Synopsis","text":"Generates reference documentation.
The docs command generates CLI reference documentation. It can be used to generate simple markdown files or markdown to be used for the website.
kyverno-json docs [flags]\n
"},{"location":"cli/commands/kyverno-json_docs/#examples","title":"Examples","text":" # Generate simple markdown documentation\n kyverno-json docs -o . --autogenTag=false\n\n # Generate website documentation\n kyverno-json docs -o . --website\n
"},{"location":"cli/commands/kyverno-json_docs/#options","title":"Options","text":" --autogenTag Determines if the generated docs should contain a timestamp (default true)\n -h, --help help for docs\n -o, --output string Output path (default \".\")\n --website Website version\n
"},{"location":"cli/commands/kyverno-json_docs/#see-also","title":"SEE ALSO","text":"Provides a command-line interface to JMESPath, enhanced with custom functions.
"},{"location":"cli/commands/kyverno-json_jp/#synopsis","title":"Synopsis","text":"Provides a command-line interface to JMESPath, enhanced with custom functions.
kyverno-json jp [flags]\n
"},{"location":"cli/commands/kyverno-json_jp/#examples","title":"Examples","text":" # List functions\n kyverno-json jp function\n\n # Evaluate query\n kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n # Parse expression\n kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp/#options","title":"Options","text":" -h, --help help for jp\n
"},{"location":"cli/commands/kyverno-json_jp/#see-also","title":"SEE ALSO","text":"Provides function informations.
"},{"location":"cli/commands/kyverno-json_jp_function/#synopsis","title":"Synopsis","text":"Provides function informations.
kyverno-json jp function [function_name]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_function/#examples","title":"Examples","text":" # List functions\n kyverno-json jp function\n\n # Get function infos\n kyverno-json jp function truncate\n
"},{"location":"cli/commands/kyverno-json_jp_function/#options","title":"Options","text":" -h, --help help for function\n
"},{"location":"cli/commands/kyverno-json_jp_function/#see-also","title":"SEE ALSO","text":"Parses jmespath expression and prints corresponding AST.
"},{"location":"cli/commands/kyverno-json_jp_parse/#synopsis","title":"Synopsis","text":"Parses jmespath expression and prints corresponding AST.
kyverno-json jp parse [-f file|expression]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#examples","title":"Examples","text":" # Parse expression\n kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n\n # Parse expression from a file\n kyverno-json jp parse -f my-file\n\n # Parse expression from stdin\n kyverno-json jp parse\n\n # Parse multiple expressionxs\n kyverno-json jp parse -f my-file1 -f my-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#options","title":"Options","text":" -f, --file strings Read input from a JSON or YAML file instead of stdin\n -h, --help help for parse\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#see-also","title":"SEE ALSO","text":"Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
"},{"location":"cli/commands/kyverno-json_jp_query/#synopsis","title":"Synopsis","text":"Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
kyverno-json jp query [-i input] [-q query|query]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_query/#examples","title":"Examples","text":" # Evaluate query\n kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n # Evaluate query\n kyverno-json jp query -i object.yaml -q query-file\n\n # Evaluate multiple queries\n kyverno-json jp query -i object.yaml -q query-file-1 -q query-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_query/#options","title":"Options","text":" -c, --compact Produce compact JSON output that omits non essential whitespace\n -h, --help help for query\n -i, --input string Read input from a JSON or YAML file instead of stdin\n -q, --query strings Read JMESPath expression from the specified file\n -u, --unquoted If the final result is a string, it will be printed without quotes\n
"},{"location":"cli/commands/kyverno-json_jp_query/#see-also","title":"SEE ALSO","text":"playground
"},{"location":"cli/commands/kyverno-json_playground/#synopsis","title":"Synopsis","text":"Serve playground
kyverno-json playground [flags]\n
"},{"location":"cli/commands/kyverno-json_playground/#options","title":"Options","text":" --gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for playground\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_playground/#see-also","title":"SEE ALSO","text":"scan
"},{"location":"cli/commands/kyverno-json_scan/#synopsis","title":"Synopsis","text":"Apply policies to json resources
kyverno-json scan [flags]\n
"},{"location":"cli/commands/kyverno-json_scan/#options","title":"Options","text":" -h, --help help for scan\n --labels strings Labels selectors for policies\n --output string Output format (text or json) (default \"text\")\n --payload string Path to payload (json or yaml file)\n --policy strings Path to kyverno-json policies\n --pre-process strings JMESPath expression used to pre process payload\n
"},{"location":"cli/commands/kyverno-json_scan/#see-also","title":"SEE ALSO","text":"serve
"},{"location":"cli/commands/kyverno-json_serve/#synopsis","title":"Synopsis","text":"Serve API
kyverno-json serve [flags]\n
"},{"location":"cli/commands/kyverno-json_serve/#options","title":"Options","text":" --gin-cors enable gin cors (default true)\n --gin-log enable gin logger (default true)\n --gin-max-body-size int gin max body size (default 2097152)\n --gin-mode string gin run mode (default \"release\")\n -h, --help help for serve\n --kube-as string Username to impersonate for the operation\n --kube-as-group stringArray Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n --kube-as-uid string UID to impersonate for the operation\n --kube-certificate-authority string Path to a cert file for the certificate authority\n --kube-client-certificate string Path to a client certificate file for TLS\n --kube-client-key string Path to a client key file for TLS\n --kube-cluster string The name of the kubeconfig cluster to use\n --kube-context string The name of the kubeconfig context to use\n --kube-disable-compression If true, opt-out of response compression for all requests to the server\n --kube-insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n -n, --kube-namespace string If present, the namespace scope for this CLI request\n --kube-password string Password for basic authentication to the API server\n --kube-proxy-url string If provided, this URL will be used to connect via proxy\n --kube-request-timeout string The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n --kube-server string The address and port of the Kubernetes API server\n --kube-tls-server-name string If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.\n --kube-token string Bearer token for authentication to the API server\n --kube-user string The name of the kubeconfig user to use\n --kube-username string Username for basic authentication to the API server\n --server-host string server host (default \"0.0.0.0\")\n --server-port int server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_serve/#see-also","title":"SEE ALSO","text":"Print the version informations
"},{"location":"cli/commands/kyverno-json_version/#synopsis","title":"Synopsis","text":"Print the version informations
kyverno-json version [flags]\n
"},{"location":"cli/commands/kyverno-json_version/#examples","title":"Examples","text":" # Print version infos\n kyverno-json version\n
"},{"location":"cli/commands/kyverno-json_version/#options","title":"Options","text":" -h, --help help for version\n
"},{"location":"cli/commands/kyverno-json_version/#see-also","title":"SEE ALSO","text":"The Go API provides a way to embed the Kyverno JSON engine in Go programs that validate JSON payloads using Kyverno policies.
The Go API can be added to a program's dependencies as follows:
go get github.com/kyverno/kyverno-json/pkg/jsonengine\ngo get github.com/kyverno/kyverno-json/pkg/policy\n
Here is a sample program that shows the overall flow for programatically using the Kyverno JSON Engine:
package main\n\nimport (\n \"context\"\n \"encoding/json\"\n \"log\"\n\n jsonengine \"github.com/kyverno/kyverno-json/pkg/json-engine\"\n \"github.com/kyverno/kyverno-json/pkg/policy\"\n)\n\nconst policyYAML = `\napiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: authz\nspec:\n rules:\n - name: delete-checks\n identifier: \"name\"\n match:\n all:\n (input.method): \"DELETE\"\n assert:\n all:\n - check:\n role: \"admin\"\n`\n\nfunc main() {\n policies, err := policy.Parse([]byte(policyYAML))\n if err != nil {\n panic(err)\n }\n\n // load payloads\n requestJSON := `{\n \"name\": \"Annie\",\n \"role\": \"admin\",\n \"input\": {\n \"method\": \"DELETE\",\n \"path\": \"/red-files\"\n }\n }`\n\n var payload any\n if err := json.Unmarshal([]byte(requestJSON), &payload); err != nil {\n panic(err)\n }\n\n // create a JsonEngineRequest\n request := jsonengine.JsonEngineRequest{\n Resources: []any{payload},\n Policies: policies,\n }\n\n // create a new json engine\n engine := jsonengine.New()\n\n responses := engine.Run(context.Background(), request)\n\n logger := log.Default()\n for _, resp := range responses {\n if resp.Error != nil {\n // ...handle execution error\n logger.Printf(\"policy error: %v\", resp.Error)\n }\n\n if resp.Failure != nil {\n // ...handle policy failure\n logger.Printf(\"policy failure: %v\", resp.Failure)\n }\n }\n}\n
"},{"location":"jp/functions/","title":"Functions","text":""},{"location":"jp/functions/#built-in-functions","title":"built-in functions","text":"Name Signature abs abs(number)
avg avg(array[number])
ceil ceil(number)
contains contains(array\\|string, any)
ends_with ends_with(string, string)
find_first find_first(string, string, number, number)
find_last find_last(string, string, number, number)
floor floor(number)
from_items from_items(array[array])
group_by group_by(array, expref)
items items(object)
join join(string, array[string])
keys keys(object)
length length(string\\|array\\|object)
lower lower(string)
map map(expref, array)
max max(array[number]\\|array[string])
max_by max_by(array, expref)
merge merge(object)
min min(array[number]\\|array[string])
min_by min_by(array, expref)
not_null not_null(any)
pad_left pad_left(string, number, string)
pad_right pad_right(string, number, string)
replace replace(string, string, string, number)
reverse reverse(array\\|string)
sort sort(array[string]\\|array[number])
sort_by sort_by(array, expref)
split split(string, string, number)
starts_with starts_with(string, string)
sum sum(array[number])
to_array to_array(any)
to_number to_number(any)
to_string to_string(any)
trim trim(string, string)
trim_left trim_left(string, string)
trim_right trim_right(string, string)
type type(any)
upper upper(string)
values values(object)
zip zip(array, array)
"},{"location":"jp/functions/#custom-functions","title":"custom functions","text":"Name Signature at at(array, any)
concat concat(string, string)
json_parse json_parse(string)
wildcard wildcard(string, string)
"},{"location":"jp/functions/#kyverno-functions","title":"kyverno functions","text":"Name Signature compare compare(string, string)
equal_fold equal_fold(string, string)
replace replace(string, string, string, number)
replace_all replace_all(string, string, string)
to_upper to_upper(string)
to_lower to_lower(string)
trim trim(string, string)
trim_prefix trim_prefix(string, string)
split split(string, string)
regex_replace_all regex_replace_all(string, string\\|number, string\\|number)
regex_replace_all_literal regex_replace_all_literal(string, string\\|number, string\\|number)
regex_match regex_match(string, string\\|number)
pattern_match pattern_match(string, string\\|number)
label_match label_match(object, object)
to_boolean to_boolean(string)
add add(any, any)
sum sum(array)
subtract subtract(any, any)
multiply multiply(any, any)
divide divide(any, any)
modulo modulo(any, any)
round round(number, number)
base64_decode base64_decode(string)
base64_encode base64_encode(string)
time_since time_since(string, string, string)
time_now time_now()
time_now_utc time_now_utc()
path_canonicalize path_canonicalize(string)
truncate truncate(string, number)
semver_compare semver_compare(string, string)
parse_json parse_json(string)
parse_yaml parse_yaml(string)
lookup lookup(object\\|array, string\\|number)
items items(object\\|array, string, string)
object_from_lists object_from_lists(array, array)
random random(string)
x509_decode x509_decode(string)
time_to_cron time_to_cron(string)
time_add time_add(string, string)
time_parse time_parse(string, string)
time_utc time_utc(string)
time_diff time_diff(string, string)
time_before time_before(string, string)
time_after time_after(string, string)
time_between time_between(string, string, string)
time_truncate time_truncate(string, string)
"},{"location":"policies/asserts/","title":"Assertion trees","text":"Assertion trees can be used to apply complex and dynamic conditional checks using JMESPath expressions.
"},{"location":"policies/asserts/#assert","title":"Assert","text":"An assert
declaration contains an any
or all
list in which each entry contains a:
check
: the assertion checkmessage
: an optional messageA check can contain one or more JMESPath expressions. Expressions represent projections of selected data in the JSON payload and the result of this projection is passed to descendants for further analysis.
All comparisons happen in the leaves of the assertion tree.
A simple example:
This policy checks that a pod does not use the default service account:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: assert-sample\nspec:\n rules:\n - name: foo-bar\n match:\n all:\n - apiVersion: v1\n kind: Pod\n assert:\n all:\n - message: \"serviceAccountName 'default' is not allowed\"\n check:\n spec:\n (serviceAccountName == 'default'): false\n
A detailed example:
Given the input payload below:
foo:\n baz: true\n bar: 4\n bat: 6\n
It is possible to write a validation rule like this:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar-4\n validate:\n assert:\n all:\n - message: \"...\"\n check:\n # project field `foo` onto itself, the content of `foo` becomes the current object for descendants\n foo:\n\n # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants\n # the `true` leaf is compared with the current value `true`\n (bar > `3`): true\n\n # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants\n # the leaf `false` is compared with the current value `false`\n (!baz): false\n\n # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants\n # the leaf `10` is compared with the current value `10`\n (bar + bat): 10\n
"},{"location":"policies/asserts/#iterating-with-projection-modifiers","title":"Iterating with Projection Modifiers","text":"Assertion tree expressions support modifiers to influence the way projected values are processed.
The ~
modifier applies to arrays and maps, it mean the input array or map elements will be processed individually by descendants.
When the ~
modifier is not used, descendants receive the whole array, not each individual element.
Consider the following input document:
foo:\n bar:\n - 1\n - 2\n - 3\n
The policy below does not use the ~
modifier and foo.bar
array is compared against the expected array:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # the content of the `bar` field will be compared against `[1, 2, 3]`\n bar:\n - 1\n - 2\n - 3\n
With the ~
modifier, we can apply descendant assertions to all elements in the array individually. The policy below ensures that all elements in the input array are < 5
:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # with the `~` modifier all elements in the `[1, 2, 3]` array are processed individually and passed to descendants\n ~.bar:\n # the expression `(@ < `5`)` is evaluated for every element and the result is expected to be `true`\n (@ < `5`): true\n
The ~
modifier supports binding the index of the element being processed to a named binding with the following syntax ~index_name.bar
. When this is used, we can access the element index in descendants with $index_name
.
When used with a map, the named binding receives the key of the element being processed.
"},{"location":"policies/asserts/#explicit-bindings","title":"Explicit bindings","text":"Sometimes it can be useful to refer to a parent node in the assertion tree.
This is possible to add an explicit binding at every node in the tree by appending the ->binding_name
to the key.
Given the input document:
foo:\n bar: 4\n bat: 6\n
The following policy will compute a sum and bind the result to the sum
binding. A descendant can then use $sum
and use it:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n # evaluate expression `(bar + bat)` and bind it to `sum`\n (bar + bat)->sum:\n # get the `$sum` binding and compare it against `10`\n ($sum): 10\n
All binding are available to descendants, if a descendant creates a binding with a name that already exists the binding will be overridden for descendants only and it doesn't affect the bindings at upper levels in the tree.
In other words, a node in the tree always sees bindings that are defined in the parents and if a name is reused, the first binding with the given name wins when winding up the tree.
As a consequence, the policy below will evaluate to true:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n (bar + bat)->sum:\n ($sum + $sum)->sum:\n ($sum): 20\n ($sum): 10\n
Finally, we can always access the current payload, policy and rule being evaluated using the built-in $payload
, $policy
and $rule
bindings. No protection is made to prevent you from overriding those bindings though.
It can be necessary to prevent a projection under certain circumstances.
Consider the following document:
foo:\n (bar): 4\n (baz):\n - 1\n - 2\n - 3\n
Here the (bar)
key conflict with the projection syntax. To workaround this situation, you can escape a projection by surrounding it with \\
characters like this:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar\n validate:\n assert:\n all:\n - foo:\n \\(bar)\\: 10\n
In this case, the leading and trailing \\
characters will be erased and the projection won't be applied.
Note that it's still possible to use the ~
modifier or to create a named binding with and escaped projection.
Keys like this are perfectly valid:
~index.\\baz\\
\\baz\\@foo
~index.\\baz\\@foo
Kyverno policies are Kubernetes resources and can be easily managed via Kubernetes APIs, GitOps workflows, and other existing tools.
Policies that apply to JSON payload have a few differences from Kyverno policies that are applied to Kubernetes resources at admission controls.
"},{"location":"policies/policies/#resource-scope","title":"Resource Scope","text":"Policies that apply to JSON payloads are always cluster-wide resources.
"},{"location":"policies/policies/#api-group-and-kind","title":"API Group and Kind","text":"kyverno-json
policies belong to the json.kyverno.io
group and can only be of kind ValidatingPolicy
.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: test\nspec:\n rules:\n - name: foo-bar-4\n validate:\n assert:\n all:\n - foo:\n bar: 4\n
"},{"location":"policies/policies/#policy-rules","title":"Policy Rules","text":"A policy can have multiple rules, and rules are processed in order. Evaluation stops at the first rule that fails.
"},{"location":"policies/policies/#match-and-exclude","title":"Match and Exclude","text":"Policies that apply to JSON payloads use assertion trees in both the match
/exclude
declarations as well as the validate
rule declaration.
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: required-s3-tags\nspec:\n rules:\n - name: require-team-tag\n identifier: address\n match:\n any:\n - type: aws_s3_bucket\n exclude:\n any:\n - name: bypass-me\n validate:\n assert:\n all:\n - values:\n tags:\n Team: ?*\n
In the example above, every resource having type: aws_s3_bucket
will match, and payloads having name: bypass-me
will be excluded.
A policy rule can contain an optional identifier
which declares the path to the payload element that uniquely identifies each entry.
A policy rule can contain optional context
entries that are made available to the rule via bindings:
apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: required-s3-tags\nspec:\n rules:\n - name: require-team-tag\n match:\n any:\n - type: aws_s3_bucket\n context:\n # creates a `expectedTeam` binding automatically\n - name: expectedTeam\n variable: Kyverno\n validate:\n message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}\n assert:\n all:\n - values:\n tags:\n # use the `$expectedTeam` binding coming from the context\n Team: ($expectedTeam)\n
"},{"location":"policies/policies/#no-foreach-pattern-operators-anchors-or-wildcards","title":"No forEach
, pattern operators
, anchors
, or wildcards
","text":"The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.
Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.
"},{"location":"webapp/","title":"Usage","text":"kyverno-json
can be deployed as a web application with a REST API. This is useful for deployments when a long running service that processes policy requests is desired.
With kyverno-json
policies are managed as Kubernetes resources. This means that you can use Kubernetes APIs, kubectl
, GitOps, or any other Kubernetes management tool to manage policies.
Here is a complete demonstration of how to use kyverno-json
as an web application:
Install CRDs
Install the CRD for kyverno-json
:
kubectl apply -f .crds/json.kyverno.io_validatingpolicies.yaml\n
Install policies:
Install a sample policy:
kubectl apply -f test/commands/scan/dockerfile/policy.yaml\n
Prepare the payload
The payload is a JSON object with two fields:
Name Type Requiredpayload
Object Y preprocessors
Array of Strings N You can construct a sample payload for the Dockerfile policy using:
cat test/commands/scan/dockerfile/payload.json | jq '{\"payload\": .}' > /tmp/webapp-payload.json\n
Run the web application
./kyverno-json serve\n
This will show the output:
2023/10/29 23:46:11 configured route /api/scan\n2023/10/29 23:46:11 listening to requests on 0.0.0.0:8080\n
Send the REST API request
curl http://localhost:8080/api/scan -X POST -H \"Content-Type: application/json\" -d @/tmp/webapp-payload.json | jq\n
The configured policies will be applied to the payload and the results will be returned back:
{\n \"results\": [\n {\n \"policy\": \"check-dockerfile\",\n \"rule\": \"deny-external-calls\",\n \"status\": \"fail\",\n \"message\": \"HTTP calls are not allowed: all[0].check.~.(Stages[].Commands[].Args[].Value)[0].(contains(@, 'https://') || contains(@, 'http://')): Invalid value: true: Expected value: false; wget is not allowed: all[3].check.~.(Stages[].Commands[].CmdLine[])[0].(contains(@, 'wget')): Invalid value: true: Expected value: false\"\n }\n ]\n}\n
"},{"location":"webapp/#helm-chart","title":"Helm Chart","text":"The web application can be installed and managed in a Kubernetes cluster using Helm.
See details at: https://github.com/kyverno/kyverno-json/tree/main/charts/kyverno-json
"},{"location":"catalog/","title":"Policy catalog","text":"The kyverno-json
policy catalog contains curated policies to be reused.
You can share your policies with the community by opening a pull request here.
"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":"