From 8404ea9554b5efaf06e7e24206667c9e60d5a50d Mon Sep 17 00:00:00 2001 From: ci-bot Date: Sat, 30 Dec 2023 22:26:59 +0000 Subject: [PATCH] Deployed 63c24c9 to main with MkDocs 1.5.3 and mike 2.0.0 --- main/quick-start/index.html | 10 ++--- main/search/search_index.json | 2 +- main/sitemap.xml | 82 +++++++++++++++++----------------- main/sitemap.xml.gz | Bin 581 -> 582 bytes 4 files changed, 47 insertions(+), 47 deletions(-) diff --git a/main/quick-start/index.html b/main/quick-start/index.html index 4f4cd814..179de0f3 100644 --- a/main/quick-start/index.html +++ b/main/quick-start/index.html @@ -71,11 +71,11 @@ any: - apiVersion: v1 kind: Pod - validate: - message: Pod `{{ metadata.name }}` uses an image with tag `latest` - assert: - all: - - spec: + assert: + all: + - message: Pod `{{ metadata.name }}` uses an image with tag `latest` + check: + spec: # Iterate over pod containers # Note the `~.` modifier, it means we want to iterate over array elements in descendants ~.containers: diff --git a/main/search/search_index.json b/main/search/search_index.json index 622c8653..92f102a4 100644 --- a/main/search/search_index.json +++ b/main/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"install/","title":"Install","text":"

You can install the pre-compiled binary (in several ways), or compile from source.

"},{"location":"install/#using-go-install","title":"Using go install","text":"

You can install with go install with:

go install github.com/kyverno/kyverno-json@latest\n
"},{"location":"install/#download-binary","title":"Download binary","text":"

Download the pre-compiled binaries from the releases page and copy them to the desired location.

"},{"location":"install/#build-from-the-source-code","title":"Build from the source code","text":"

clone the repository:

git clone https://github.com/kyverno/kyverno-json.git\n

build the binaries:

cd kyverno-json\ngo mod tidy\nmake build\n

verify the build:

./kyverno-json version\n
"},{"location":"intro/","title":"Introduction","text":"

kyverno-json extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With kyverno-json, you can now use Kyverno policies to validate:

Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance.

kyverno-json can be run as a:

  1. A Command Line Interface (CLI)
  2. A web application with a REST API
  3. A Golang library
"},{"location":"jp/","title":"Overview","text":"

kyverno-json uses JMESPath community edition, a modern JMESPath implementation with lexical scopes support.

The current payload, policy and rule are always available using the following builtin bindings:

Binding Usage $payload Current payload being analysed $policy Current policy being executed $rule Current rule being evaluated

Warning

No protection is made to prevent you from overriding those bindings.

"},{"location":"playground/","title":"Playground","text":"

The kyverno-json playground can be used to test kyverno-json directly in your web browser.

"},{"location":"quick-start/","title":"Quick Start","text":"

See Install for the available options to install the CLI.

"},{"location":"quick-start/#validate-a-terraform-plan","title":"Validate a Terraform Plan","text":"

In this example we will use a Kyverno policy to validate a Terraform plan:

"},{"location":"quick-start/#create-the-payload","title":"Create the payload","text":"

Here is a Terraform plan that creates an AWS S3 bucket:

terraform {\n  required_providers {\n    aws = {\n      source  = \"hashicorp/aws\"\n      version = \"~> 4.16\"\n    }\n  }\n\n  required_version = \">= 1.2.0\"\n}\n\nprovider \"aws\" {\n  region = \"us-west-2\"\n}\n\nresource \"aws_s3_bucket\" \"example\" {\n  bucket = \"my-tf-test-bucket\"\n\n  tags = {\n    Name        = \"My bucket\"\n    Environment = \"Dev\"\n  }\n}\n

You can convert this to JSON using the following commands:

output the plan: 

terraform plan -out tfplan.binary\n
convert to JSON: 
terraform show -json tfplan.binary | jq > payload.json\n

"},{"location":"quick-start/#create-the-policy","title":"Create the policy","text":"

Create a policy.yaml file and paste the content below that checks for required labels:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: s3\nspec:\n  rules:\n    - name: check-tags\n      assert:\n        all:\n        - check:\n            planned_values:\n              root_module:\n                ~.resources:\n                  values:\n                    (keys(tags_all)):\n                      (contains(@, 'Environment')): true\n                      (contains(@, 'Name')): true\n                      (contains(@, 'Team')): true\n
"},{"location":"quick-start/#scan-the-payload","title":"Scan the payload","text":"

With the payload and policy above, we can invoke kyverno-json with the command below:

kyverno-json scan --payload payload.json --policy policy.yaml\n

The plan shown above will fail as it does not contain the Team tag.

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags /  FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"quick-start/#validate-a-kubernetes-resource","title":"Validate a Kubernetes Resource","text":"

For this example we will use a Kubernetes Pod payload.

"},{"location":"quick-start/#create-the-payload_1","title":"Create the payload","text":"

Create a payload.yaml file and paste the Pod declaration below in it:

apiVersion: v1\nkind: Pod\nmetadata:\n  name: pods-simple-pod\nspec:\n  containers:\n    - command:\n        - sleep\n        - \"3600\"\n      image: busybox:latest\n      name: pods-simple-container\n

This is a simple Pod with one container running the busybox latest docker image.

Using the latest tag of an image is a bad practice. Let's write a policy to detect this.

"},{"location":"quick-start/#create-the-policy_1","title":"Create the policy","text":"

Create a policy.yaml file and paste the content below to block latest images:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: pod-policy\nspec:\n  rules:\n    - name: no-latest\n      # Match payloads corresponding to pods\n      match:\n        any:\n        - apiVersion: v1\n          kind: Pod\n      validate:\n        message: Pod `{{ metadata.name\u00a0}}` uses an image with tag `latest`\n        assert:\n          all:\n          - spec:\n              # Iterate over pod containers\n              # Note the `~.` modifier, it means we want to iterate over array elements in descendants\n              ~.containers:\n                image:\n                  # Check that an image tag is present\n                  (contains(@, ':')): true\n                  # Check that the image tag is not `:latest`\n                  (ends_with(@, ':latest')): false\n

This policy iterates over pod containers, checking that the container image has a tag specified and that the tag being used is not latest.

"},{"location":"quick-start/#scan-the-payload_1","title":"Scan the payload","text":"

With the payload and policy above, we can invoke kyverno-json with the command below:

kyverno-json scan --payload payload.yaml --policy policy.yaml\n

This produces the output:

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- pod-policy / no-latest /  FAILED: Pod `pods-simple-pod` uses an image with tag `latest`\nDone\n
"},{"location":"apis/kyverno-json.v1alpha1/","title":"KyvernoJson (v1alpha1)","text":"

Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group

"},{"location":"apis/kyverno-json.v1alpha1/#resource-types","title":"Resource Types","text":""},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicy","title":"ValidatingPolicy","text":"

Appears in:

ValidatingPolicy is the resource that contains the policy definition.

Field Type Required Inline Description apiVersion string json.kyverno.io/v1alpha1 kind string ValidatingPolicy metadata meta/v1.ObjectMeta

Standard object's metadata.

spec ValidatingPolicySpec

Policy spec.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicyList","title":"ValidatingPolicyList","text":"

ValidatingPolicyList is a list of ValidatingPolicy instances.

Field Type Required Inline Description apiVersion string json.kyverno.io/v1alpha1 kind string ValidatingPolicyList metadata meta/v1.ListMeta No description provided. items []ValidatingPolicy No description provided."},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Any","title":"Any","text":"

Appears in:

Any can be any type.

Field Type Required Inline Description Value interface{}

Value contains the value of the Any object.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assert","title":"Assert","text":"

Appears in:

Assert defines collections of assertions.

Field Type Required Inline Description any []Assertion

Any allows specifying assertions which will be ORed.

all []Assertion

All allows specifying assertions which will be ANDed.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assertion","title":"Assertion","text":"

Appears in:

Assertion contains an assertion tree associated with a message.

Field Type Required Inline Description message string

Message is the message associated message.

check Any

Check is the assertion check definition.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ContextEntry","title":"ContextEntry","text":"

Appears in:

ContextEntry adds variables and data sources to a rule context.

Field Type Required Inline Description name string

Name is the entry name.

variable Any

Variable defines an arbitrary variable.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Match","title":"Match","text":"

Appears in:

Match defines collections of assertion trees.

Field Type Required Inline Description any []Any

Any allows specifying assertion trees which will be ORed.

all []Any

All allows specifying assertion trees which will be ANDed.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicySpec","title":"ValidatingPolicySpec","text":"

Appears in:

ValidatingPolicySpec contains the policy spec.

Field Type Required Inline Description rules []ValidatingRule

Rules is a list of ValidatingRule instances.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingRule","title":"ValidatingRule","text":"

Appears in:

ValidatingRule defines a validating rule.

Field Type Required Inline Description name string

Name is a label to identify the rule, It must be unique within the policy.

context []ContextEntry

Context defines variables and data sources that can be used during rule execution.

match Match

Match defines when this policy rule should be applied.

exclude Match

Exclude defines when this policy rule should not be applied.

identifier string

Identifier declares a JMESPath expression to extract a name from the payload.

assert Assert

Assert is used to validate matching resources.

"},{"location":"catalog/","title":"Policy catalog","text":"

The kyverno-json policy catalog contains curated policies to be reused.

You can share your policies with the community by opening a pull request here.

"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":""},{"location":"catalog/#awsecs","title":"aws/ecs","text":""},{"location":"catalog/#dockerfile","title":"dockerfile","text":""},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/","title":"Dockerfile expose port 22 not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#description","title":"Description","text":"

This Policy ensures that port 22 is not exposed in Dockerfile.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that port 22 is not exposed\n      in Dockerfile.\n    title.policy.kyverno.io: Dockerfile expose port 22 not allowed\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-deny-expose-port-22\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ~.(Stages[].Commands[?Name=='EXPOSE'][]):\n            (contains(Ports, '22') || contains(Ports, '22/TCP')): false\n        message: Port 22 exposure is not allowed\n    name: check-port-exposure\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/","title":"Dockerfile latest image tag not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#description","title":"Description","text":"

This Policy ensures that no image uses the latest tag in Dockerfile.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that no image uses the latest\n      tag in Dockerfile.\n    title.policy.kyverno.io: Dockerfile latest image tag not allowed\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-deny-latest-image-tag\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ~.(Stages[].From.Image):\n            (contains(@, ':latest')): false\n        message: Latest tag is not allowed\n    name: check-latest-tag\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/","title":"Ensure apt is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#description","title":"Description","text":"

This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get\n      can be used as apt interface is less stable than apt-get and so this preferred.\n    title.policy.kyverno.io: Ensure apt is not used in Dockerfile\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-disallow-apt\nspec:\n  rules:\n  - assert:\n      any:\n      - check:\n          ~.(Stages[].Commands[].CmdLine[]):\n            (contains(@, 'apt ')): false\n        message: apt not allowed\n    name: dockerfile-disallow-apt\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/","title":"Dockerfile last user is not allowed to be root","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#description","title":"Description","text":"

This Policy ensures that last user in Dockerfile is not root.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that last user in Dockerfile\n      is not root.\n    title.policy.kyverno.io: Dockerfile last user is not allowed to be root\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-disallow-last-user-root\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false\n        message: Last user root not allowed\n    name: check-disallow-last-user-root\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/","title":"Ensure sudo is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#description","title":"Description","text":"

This Policy ensures that sudo isn\u2019t used.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that sudo isn\u2019t used.\n    title.policy.kyverno.io: Ensure sudo is not used in Dockerfile\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-disallow-sudo\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ~.(Stages[].Commands[].CmdLine[]):\n            (contains(@, 'sudo')): false\n        message: sudo not allowed\n    name: dockerfile-disallow-sudo\n
","tags":["dockerfile"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/","title":"ECS cluster enable logging","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#description","title":"Description","text":"

This Policy ensures that ECS clusters have logging enabled.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS clusters have logging\n      enabled.\n    title.policy.kyverno.io: ECS cluster enable logging\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-cluster\n  name: ecs-cluster-enable-logging\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            ~.configuration:\n              ~.execute_command_configuration:\n                (contains($forbidden_values, @.logging)): false\n        message: ECS Cluster should enable logging of ECS Exec\n    context:\n    - name: forbidden_values\n      variable:\n      - NONE\n    match:\n      any:\n      - type: aws_ecs_cluster\n    name: ecs-cluster-enable-logging\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/","title":"ECS requires container insights","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#description","title":"Description","text":"

This Policy ensures that ECS clusters have container insights enabled.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS clusters have container\n      insights enabled.\n    title.policy.kyverno.io: ECS requires container insights\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-cluster\n  name: required-container-insights\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            ~.setting:\n              name: containerInsights\n              value: enabled\n        message: Container insights should be enabled on ECS cluster\n    match:\n      any:\n      - type: aws_ecs_cluster\n    name: required-container-insights\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/","title":"ECS public IP","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#description","title":"Description","text":"

This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS services do not have\n      public IP addresses assigned to them automatically.\n    title.policy.kyverno.io: ECS public IP\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-service\n  name: ecs-public-ip\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            ~.network_configuration:\n              (contains('$allowed-values', @.assign_public_ip)): false\n        message: ECS services should not have public IP addresses assigned to them\n          automatically\n    context:\n    - name: allowed-values\n      variable:\n      - false\n    match:\n      any:\n      - type: aws_ecs_service\n    name: ecs-public-ip\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/","title":"ECS require latest platform fargate","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#description","title":"Description","text":"

This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n      on the latest Fargate platform version.\n    title.policy.kyverno.io: ECS require latest platform fargate\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-service\n  name: required-latest-platform-fargate\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            platform_version: LATEST\n        message: ECS Fargate services should run on the latest Fargate platform version\n    context:\n    - name: pv\n      variable: platform_version\n    match:\n      any:\n      - type: aws_ecs_service\n        values:\n          launch_type: FARGATE\n    name: required-latest-platform\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/","title":"ECS require filesystem read only","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#description","title":"Description","text":"

This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n      on the latest Fargate platform version.\n    title.policy.kyverno.io: ECS require filesystem read only\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-task-definition\n  name: fs-read-only\nspec:\n  rules:\n  - assert:\n      any:\n      - check:\n          values:\n            ~.(json_parse(container_definitions)):\n              readonlyRootFilesystem: true\n        message: ECS containers should only have read-only access to root filesystems\n    match:\n      any:\n      - type: aws_ecs_task_definition\n    name: require-fs-read-only\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/policy-1/","title":"policy-1","text":""},{"location":"catalog/policies/ecs/policy-1/#description","title":"Description","text":"

None

"},{"location":"catalog/policies/ecs/policy-1/#install","title":"Install","text":""},{"location":"catalog/policies/ecs/policy-1/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  creationTimestamp: null\n  name: test\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          foo:\n            /(bar)/: 10\n    name: foo-bar\n
"},{"location":"cli/","title":"Overview","text":"

The kyverno-json Command Line Interface (CLI) can be used to:

Here is an example of scanning an Terraform plan that creates an S3 bucket:

./kyverno-json scan --policy test/commands/scan/tf-s3/policy.yaml --payload test/commands/scan/tf-s3/payload.json\n

The output looks like:

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags /  FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"cli/#installation","title":"Installation","text":"

See Install for the available options to install the CLI.

"},{"location":"cli/#pre-processing-payloads","title":"Pre-processing payloads","text":"

You can provide preprocessing queries in jmespath format to pre-process the input payload before evaluating resources against policies.

This is necessary if the input payload is not what you want to directly analyze.

For example, here is a partial JSON which was produced by converting a Terraform plan that creates an EC2 instance:

kyverno/kyverno-json/main/test/commands/scan/tf-ec2/payload.json

{\n  \"format_version\": \"1.2\",\n  \"terraform_version\": \"1.5.7\",\n  \"planned_values\": {\n    \"root_module\": {\n      \"resources\": [\n        {\n          \"address\": \"aws_instance.app_server\",\n          \"mode\": \"managed\",\n          \"type\": \"aws_instance\",\n          \"name\": \"app_server\",\n          \"provider_name\": \"registry.terraform.io/hashicorp/aws\",\n          \"schema_version\": 1,\n          \"values\": {\n            \"ami\": \"ami-830c94e3\",\n            \"credit_specification\": [],\n            \"get_password_data\": false,\n            \"hibernation\": null,\n            \"instance_type\": \"t2.micro\",\n            \"launch_template\": [],\n            \"source_dest_check\": true,\n            \"tags\": {\n              \"Name\": \"ExampleAppServerInstance\"\n            },\n            \"tags_all\": {\n              \"Name\": \"ExampleAppServerInstance\"\n            },\n            \"timeouts\": null,\n            \"user_data_replace_on_change\": false,\n            \"volume_tags\": null\n          },\n\n          ...\n

To directly scan the resources element use --pre-process planned_values.root_module.resources as follows:

./kyverno-json scan --policy test/commands/scan/tf-ec2/policy.yaml --payload test/commands/scan/tf-ec2/payload.json --pre-process planned_values.root_module.resources\n

This command will produce the output:

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- required-ec2-tags / require-team-tag /  PASSED\nDone\n
"},{"location":"cli/commands/kyverno-json/","title":"Kyverno json","text":""},{"location":"cli/commands/kyverno-json/#kyverno-json","title":"kyverno-json","text":"

kyverno-json is a CLI tool to apply policies to json resources.

"},{"location":"cli/commands/kyverno-json/#synopsis","title":"Synopsis","text":"

kyverno-json is a CLI tool to apply policies to json resources.

kyverno-json [flags]\n
"},{"location":"cli/commands/kyverno-json/#options","title":"Options","text":"
  -h, --help   help for kyverno-json\n
"},{"location":"cli/commands/kyverno-json/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion/","title":"Kyverno json completion","text":""},{"location":"cli/commands/kyverno-json_completion/#kyverno-json-completion","title":"kyverno-json completion","text":"

Generate the autocompletion script for the specified shell

"},{"location":"cli/commands/kyverno-json_completion/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for kyverno-json for the specified shell. See each sub-command's help for details on how to use the generated script.

"},{"location":"cli/commands/kyverno-json_completion/#options","title":"Options","text":"
  -h, --help   help for completion\n
"},{"location":"cli/commands/kyverno-json_completion/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_bash/","title":"Kyverno json completion bash","text":""},{"location":"cli/commands/kyverno-json_completion_bash/#kyverno-json-completion-bash","title":"kyverno-json completion bash","text":"

Generate the autocompletion script for bash

"},{"location":"cli/commands/kyverno-json_completion_bash/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for the bash shell.

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

source <(kyverno-json completion bash)\n

To load completions for every new session, execute once:

"},{"location":"cli/commands/kyverno-json_completion_bash/#linux","title":"Linux:","text":"
kyverno-json completion bash > /etc/bash_completion.d/kyverno-json\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#macos","title":"macOS:","text":"
kyverno-json completion bash > $(brew --prefix)/etc/bash_completion.d/kyverno-json\n

You will need to start a new shell for this setup to take effect.

kyverno-json completion bash\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#options","title":"Options","text":"
  -h, --help              help for bash\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_fish/","title":"Kyverno json completion fish","text":""},{"location":"cli/commands/kyverno-json_completion_fish/#kyverno-json-completion-fish","title":"kyverno-json completion fish","text":"

Generate the autocompletion script for fish

"},{"location":"cli/commands/kyverno-json_completion_fish/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

kyverno-json completion fish | source\n

To load completions for every new session, execute once:

kyverno-json completion fish > ~/.config/fish/completions/kyverno-json.fish\n

You will need to start a new shell for this setup to take effect.

kyverno-json completion fish [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#options","title":"Options","text":"
  -h, --help              help for fish\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_powershell/","title":"Kyverno json completion powershell","text":""},{"location":"cli/commands/kyverno-json_completion_powershell/#kyverno-json-completion-powershell","title":"kyverno-json completion powershell","text":"

Generate the autocompletion script for powershell

"},{"location":"cli/commands/kyverno-json_completion_powershell/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for powershell.

To load completions in your current shell session:

kyverno-json completion powershell | Out-String | Invoke-Expression\n

To load completions for every new session, add the output of the above command to your powershell profile.

kyverno-json completion powershell [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#options","title":"Options","text":"
  -h, --help              help for powershell\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_zsh/","title":"Kyverno json completion zsh","text":""},{"location":"cli/commands/kyverno-json_completion_zsh/#kyverno-json-completion-zsh","title":"kyverno-json completion zsh","text":"

Generate the autocompletion script for zsh

"},{"location":"cli/commands/kyverno-json_completion_zsh/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n

To load completions in your current shell session:

source <(kyverno-json completion zsh)\n

To load completions for every new session, execute once:

"},{"location":"cli/commands/kyverno-json_completion_zsh/#linux","title":"Linux:","text":"
kyverno-json completion zsh > \"${fpath[1]}/_kyverno-json\"\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#macos","title":"macOS:","text":"
kyverno-json completion zsh > $(brew --prefix)/share/zsh/site-functions/_kyverno-json\n

You will need to start a new shell for this setup to take effect.

kyverno-json completion zsh [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#options","title":"Options","text":"
  -h, --help              help for zsh\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_docs/","title":"Kyverno json docs","text":""},{"location":"cli/commands/kyverno-json_docs/#kyverno-json-docs","title":"kyverno-json docs","text":"

Generates reference documentation.

"},{"location":"cli/commands/kyverno-json_docs/#synopsis","title":"Synopsis","text":"

Generates reference documentation.

The docs command generates CLI reference documentation. It can be used to generate simple markdown files or markdown to be used for the website.

kyverno-json docs [flags]\n
"},{"location":"cli/commands/kyverno-json_docs/#examples","title":"Examples","text":"
  # Generate simple markdown documentation\n  kyverno-json docs -o . --autogenTag=false\n\n  # Generate website documentation\n  kyverno-json docs -o . --website\n
"},{"location":"cli/commands/kyverno-json_docs/#options","title":"Options","text":"
      --autogenTag      Determines if the generated docs should contain a timestamp (default true)\n  -h, --help            help for docs\n  -o, --output string   Output path (default \".\")\n      --website         Website version\n
"},{"location":"cli/commands/kyverno-json_docs/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp/","title":"Kyverno json jp","text":""},{"location":"cli/commands/kyverno-json_jp/#kyverno-json-jp","title":"kyverno-json jp","text":"

Provides a command-line interface to JMESPath, enhanced with custom functions.

"},{"location":"cli/commands/kyverno-json_jp/#synopsis","title":"Synopsis","text":"

Provides a command-line interface to JMESPath, enhanced with custom functions.

kyverno-json jp [flags]\n
"},{"location":"cli/commands/kyverno-json_jp/#examples","title":"Examples","text":"
  # List functions\n  kyverno-json jp function\n\n  # Evaluate query\n  kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n  # Parse expression\n  kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp/#options","title":"Options","text":"
  -h, --help   help for jp\n
"},{"location":"cli/commands/kyverno-json_jp/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp_function/","title":"Kyverno json jp function","text":""},{"location":"cli/commands/kyverno-json_jp_function/#kyverno-json-jp-function","title":"kyverno-json jp function","text":"

Provides function informations.

"},{"location":"cli/commands/kyverno-json_jp_function/#synopsis","title":"Synopsis","text":"

Provides function informations.

kyverno-json jp function [function_name]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_function/#examples","title":"Examples","text":"
  # List functions\n  kyverno-json jp function\n\n  # Get function infos\n  kyverno-json jp function truncate\n
"},{"location":"cli/commands/kyverno-json_jp_function/#options","title":"Options","text":"
  -h, --help   help for function\n
"},{"location":"cli/commands/kyverno-json_jp_function/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp_parse/","title":"Kyverno json jp parse","text":""},{"location":"cli/commands/kyverno-json_jp_parse/#kyverno-json-jp-parse","title":"kyverno-json jp parse","text":"

Parses jmespath expression and prints corresponding AST.

"},{"location":"cli/commands/kyverno-json_jp_parse/#synopsis","title":"Synopsis","text":"

Parses jmespath expression and prints corresponding AST.

kyverno-json jp parse [-f file|expression]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#examples","title":"Examples","text":"
  # Parse expression\n  kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n\n  # Parse expression from a file\n  kyverno-json jp parse -f my-file\n\n  # Parse expression from stdin\n  kyverno-json jp parse\n\n  # Parse multiple expressionxs\n  kyverno-json jp parse -f my-file1 -f my-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#options","title":"Options","text":"
  -f, --file strings   Read input from a JSON or YAML file instead of stdin\n  -h, --help           help for parse\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp_query/","title":"Kyverno json jp query","text":""},{"location":"cli/commands/kyverno-json_jp_query/#kyverno-json-jp-query","title":"kyverno-json jp query","text":"

Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.

"},{"location":"cli/commands/kyverno-json_jp_query/#synopsis","title":"Synopsis","text":"

Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.

kyverno-json jp query [-i input] [-q query|query]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_query/#examples","title":"Examples","text":"
  # Evaluate query\n  kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n  # Evaluate query\n  kyverno-json jp query -i object.yaml -q query-file\n\n  # Evaluate multiple queries\n  kyverno-json jp query -i object.yaml -q query-file-1 -q query-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_query/#options","title":"Options","text":"
  -c, --compact         Produce compact JSON output that omits non essential whitespace\n  -h, --help            help for query\n  -i, --input string    Read input from a JSON or YAML file instead of stdin\n  -q, --query strings   Read JMESPath expression from the specified file\n  -u, --unquoted        If the final result is a string, it will be printed without quotes\n
"},{"location":"cli/commands/kyverno-json_jp_query/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_playground/","title":"Kyverno json playground","text":""},{"location":"cli/commands/kyverno-json_playground/#kyverno-json-playground","title":"kyverno-json playground","text":"

playground

"},{"location":"cli/commands/kyverno-json_playground/#synopsis","title":"Synopsis","text":"

Serve playground

kyverno-json playground [flags]\n
"},{"location":"cli/commands/kyverno-json_playground/#options","title":"Options","text":"
      --gin-cors                enable gin cors (default true)\n      --gin-log                 enable gin logger (default true)\n      --gin-max-body-size int   gin max body size (default 2097152)\n      --gin-mode string         gin run mode (default \"release\")\n  -h, --help                    help for playground\n      --server-host string      server host (default \"0.0.0.0\")\n      --server-port int         server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_playground/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_scan/","title":"Kyverno json scan","text":""},{"location":"cli/commands/kyverno-json_scan/#kyverno-json-scan","title":"kyverno-json scan","text":"

scan

"},{"location":"cli/commands/kyverno-json_scan/#synopsis","title":"Synopsis","text":"

Apply policies to json resources

kyverno-json scan [flags]\n
"},{"location":"cli/commands/kyverno-json_scan/#options","title":"Options","text":"
  -h, --help                  help for scan\n      --labels strings        Labels selectors for policies\n      --payload string        Path to payload (json or yaml file)\n      --policy strings        Path to kyverno-json policies\n      --pre-process strings   JMESPath expression used to pre process payload\n
"},{"location":"cli/commands/kyverno-json_scan/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_serve/","title":"Kyverno json serve","text":""},{"location":"cli/commands/kyverno-json_serve/#kyverno-json-serve","title":"kyverno-json serve","text":"

serve

"},{"location":"cli/commands/kyverno-json_serve/#synopsis","title":"Synopsis","text":"

Serve API

kyverno-json serve [flags]\n
"},{"location":"cli/commands/kyverno-json_serve/#options","title":"Options","text":"
      --gin-cors                            enable gin cors (default true)\n      --gin-log                             enable gin logger (default true)\n      --gin-max-body-size int               gin max body size (default 2097152)\n      --gin-mode string                     gin run mode (default \"release\")\n  -h, --help                                help for serve\n      --kube-as string                      Username to impersonate for the operation\n      --kube-as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n      --kube-as-uid string                  UID to impersonate for the operation\n      --kube-certificate-authority string   Path to a cert file for the certificate authority\n      --kube-client-certificate string      Path to a client certificate file for TLS\n      --kube-client-key string              Path to a client key file for TLS\n      --kube-cluster string                 The name of the kubeconfig cluster to use\n      --kube-context string                 The name of the kubeconfig context to use\n      --kube-disable-compression            If true, opt-out of response compression for all requests to the server\n      --kube-insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n  -n, --kube-namespace string               If present, the namespace scope for this CLI request\n      --kube-password string                Password for basic authentication to the API server\n      --kube-proxy-url string               If provided, this URL will be used to connect via proxy\n      --kube-request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n      --kube-server string                  The address and port of the Kubernetes API server\n      --kube-tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.\n      --kube-token string                   Bearer token for authentication to the API server\n      --kube-user string                    The name of the kubeconfig user to use\n      --kube-username string                Username for basic authentication to the API server\n      --server-host string                  server host (default \"0.0.0.0\")\n      --server-port int                     server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_serve/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_version/","title":"Kyverno json version","text":""},{"location":"cli/commands/kyverno-json_version/#kyverno-json-version","title":"kyverno-json version","text":"

Print the version informations

"},{"location":"cli/commands/kyverno-json_version/#synopsis","title":"Synopsis","text":"

Print the version informations

kyverno-json version [flags]\n
"},{"location":"cli/commands/kyverno-json_version/#examples","title":"Examples","text":"
  # Print version infos\n  kyverno-json version\n
"},{"location":"cli/commands/kyverno-json_version/#options","title":"Options","text":"
  -h, --help   help for version\n
"},{"location":"cli/commands/kyverno-json_version/#see-also","title":"SEE ALSO","text":""},{"location":"go-library/","title":"Usage","text":"

The Go API provides a way to embed the Kyverno JSON engine in Go programs that validate JSON payloads using Kyverno policies.

The Go API can be added to a program's dependencies as follows:

go get github.com/kyverno/kyverno-json/pkg/jsonengine\ngo get github.com/kyverno/kyverno-json/pkg/policy\n

Here is a sample program that shows the overall flow for programatically using the Kyverno JSON Engine:

package main\n\nimport (\n    \"context\"\n    \"encoding/json\"\n    \"log\"\n\n    jsonengine \"github.com/kyverno/kyverno-json/pkg/json-engine\"\n    \"github.com/kyverno/kyverno-json/pkg/policy\"\n)\n\nconst policyYAML = `\napiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: authz\nspec:\n  rules:\n  - name: delete-checks\n    identifier: \"name\"\n    match:\n      all:\n        (input.method): \"DELETE\"\n    assert:\n      all:\n      - check:\n          role: \"admin\"\n`\n\nfunc main() {\n    policies, err := policy.Parse([]byte(policyYAML))\n    if err != nil {\n        panic(err)\n    }\n\n    // load payloads\n    requestJSON := `{\n        \"name\": \"Annie\",\n        \"role\": \"admin\",\n        \"input\": {\n            \"method\": \"DELETE\",\n            \"path\":   \"/red-files\"\n        }\n    }`\n\n    var payload interface{}\n    if err := json.Unmarshal([]byte(requestJSON), &payload); err != nil {\n        panic(err)\n    }\n\n    // create a JsonEngineRequest\n    request := jsonengine.JsonEngineRequest{\n        Resources: []interface{}{payload},\n        Policies:  policies,\n    }\n\n    // create a J\n    engine := jsonengine.New()\n\n    responses := engine.Run(context.Background(), request)\n\n    logger := log.Default()\n    for _, resp := range responses {\n        if resp.Error != nil {\n            // ...handle execution error\n            logger.Printf(\"policy error: %v\", resp.Error)\n        }\n\n        if resp.Failure != nil {\n            // ...handle policy failure\n            logger.Printf(\"policy failure: %v\", resp.Failure)\n        }\n    }\n}\n
"},{"location":"jp/functions/","title":"Functions","text":""},{"location":"jp/functions/#built-in-functions","title":"built-in functions","text":"Name Signature abs abs(number) avg avg(array[number]) ceil ceil(number) contains contains(array\\|string, any) ends_with ends_with(string, string) find_first find_first(string, string, number, number) find_last find_last(string, string, number, number) floor floor(number) from_items from_items(array[array]) group_by group_by(array, expref) items items(object) join join(string, array[string]) keys keys(object) length length(string\\|array\\|object) lower lower(string) map map(expref, array) max max(array[number]\\|array[string]) max_by max_by(array, expref) merge merge(object) min min(array[number]\\|array[string]) min_by min_by(array, expref) not_null not_null(any) pad_left pad_left(string, number, string) pad_right pad_right(string, number, string) replace replace(string, string, string, number) reverse reverse(array\\|string) sort sort(array[string]\\|array[number]) sort_by sort_by(array, expref) split split(string, string, number) starts_with starts_with(string, string) sum sum(array[number]) to_array to_array(any) to_number to_number(any) to_string to_string(any) trim trim(string, string) trim_left trim_left(string, string) trim_right trim_right(string, string) type type(any) upper upper(string) values values(object) zip zip(array, array)"},{"location":"jp/functions/#custom-functions","title":"custom functions","text":"Name Signature at at(array, any) concat concat(string, string) json_parse json_parse(string) wildcard wildcard(string, string)"},{"location":"jp/functions/#kyverno-functions","title":"kyverno functions","text":"Name Signature compare compare(string, string) equal_fold equal_fold(string, string) replace replace(string, string, string, number) replace_all replace_all(string, string, string) to_upper to_upper(string) to_lower to_lower(string) trim trim(string, string) trim_prefix trim_prefix(string, string) split split(string, string) regex_replace_all regex_replace_all(string, string\\|number, string\\|number) regex_replace_all_literal regex_replace_all_literal(string, string\\|number, string\\|number) regex_match regex_match(string, string\\|number) pattern_match pattern_match(string, string\\|number) label_match label_match(object, object) to_boolean to_boolean(string) add add(any, any) sum sum(array) subtract subtract(any, any) multiply multiply(any, any) divide divide(any, any) modulo modulo(any, any) round round(number, number) base64_decode base64_decode(string) base64_encode base64_encode(string) time_since time_since(string, string, string) time_now time_now() time_now_utc time_now_utc() path_canonicalize path_canonicalize(string) truncate truncate(string, number) semver_compare semver_compare(string, string) parse_json parse_json(string) parse_yaml parse_yaml(string) lookup lookup(object\\|array, string\\|number) items items(object\\|array, string, string) object_from_lists object_from_lists(array, array) random random(string) x509_decode x509_decode(string) time_to_cron time_to_cron(string) time_add time_add(string, string) time_parse time_parse(string, string) time_utc time_utc(string) time_diff time_diff(string, string) time_before time_before(string, string) time_after time_after(string, string) time_between time_between(string, string, string) time_truncate time_truncate(string, string)"},{"location":"policies/asserts/","title":"Assertion trees","text":"

Assertion trees can be used to apply complex and dynamic conditional checks using JMESPath expressions.

"},{"location":"policies/asserts/#assert","title":"Assert","text":"

An assert declaration contains an any or all list in which each entry contains a:

A check can contain one or more JMESPath expressions. Expressions represent projections of selected data in the JSON payload and the result of this projection is passed to descendants for further analysis.

All comparisons happen in the leaves of the assertion tree.

A simple example:

This policy checks that a pod does not use the default service account:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: assert-sample\nspec:\n  rules:\n    - name: foo-bar\n      match:\n        all:\n        - apiVersion: v1\n          kind: Pod\n      assert:\n        all:\n        - message: \"serviceAccountName 'default' is not allowed\"\n          check:\n            spec:\n              (serviceAccountName == 'default'): false\n

A detailed example:

Given the input payload below:

foo:\n  baz: true\n  bar: 4\n  bat: 6\n

It is possible to write a validation rule like this:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar-4\n      validate:\n        assert:\n          all:\n          - message: \"...\"\n            check:\n              # project field `foo` onto itself, the content of `foo` becomes the current object for descendants\n              foo:\n\n                # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants\n                # the `true` leaf is compared with the current value `true`\n                (bar > `3`): true\n\n                # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants\n                # the leaf `false` is compared with the current value `false`\n                (!baz): false\n\n                # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants\n                # the leaf `10` is compared with the current value `10`\n                (bar + bat): 10\n
"},{"location":"policies/asserts/#iterating-with-projection-modifiers","title":"Iterating with Projection Modifiers","text":"

Assertion tree expressions support modifiers to influence the way projected values are processed.

The ~ modifier applies to arrays and maps, it mean the input array or map elements will be processed individually by descendants.

When the ~ modifier is not used, descendants receive the whole array, not each individual element.

Consider the following input document:

foo:\n  bar:\n  - 1\n  - 2\n  - 3\n

The policy below does not use the ~ modifier and foo.bar array is compared against the expected array:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              # the content of the `bar` field will be compared against `[1, 2, 3]`\n              bar:\n              - 1\n              - 2\n              - 3\n

With the ~ modifier, we can apply descendant assertions to all elements in the array individually. The policy below ensures that all elements in the input array are < 5:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              # with the `~` modifier all elements in the `[1, 2, 3]` array are processed individually and passed to descendants\n              ~.bar:\n                # the expression `(@ < `5`)` is evaluated for every element and the result is expected to be `true`\n                (@ < `5`): true\n

The ~ modifier supports binding the index of the element being processed to a named binding with the following syntax ~index_name.bar. When this is used, we can access the element index in descendants with $index_name.

When used with a map, the named binding receives the key of the element being processed.

"},{"location":"policies/asserts/#explicit-bindings","title":"Explicit bindings","text":"

Sometimes it can be useful to refer to a parent node in the assertion tree.

This is possible to add an explicit binding at every node in the tree by appending the ->binding_name to the key.

Given the input document:

foo:\n  bar: 4\n  bat: 6\n

The following policy will compute a sum and bind the result to the sum binding. A descendant can then use $sum and use it:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              # evaluate expression `(bar + bat)` and bind it to `sum`\n              (bar + bat)->sum:\n                # get the `$sum` binding and compare it against `10`\n                ($sum): 10\n

All binding are available to descendants, if a descendant creates a binding with a name that already exists the binding will be overridden for descendants only and it doesn't affect the bindings at upper levels in the tree.

In other words, a node in the tree always sees bindings that are defined in the parents and if a name is reused, the first binding with the given name wins when winding up the tree.

As a consequence, the policy below will evaluate to true:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              (bar + bat)->sum:\n                ($sum + $sum)->sum:\n                  ($sum): 20\n                ($sum): 10\n

Finally, we can always access the current payload, policy and rule being evaluated using the builtin $payload, $policy and $rule bindings. No protection is made to prevent you from overriding those bindings though.

"},{"location":"policies/asserts/#escaping-projection","title":"Escaping projection","text":"

It can be necessary to prevent a projection under certain circumstances.

Consider the following document:

foo:\n  (bar): 4\n  (baz):\n  - 1\n  - 2\n  - 3\n

Here the (bar) key conflict with the projection syntax. To workaround this situation, you can escape a projection by surrounding it with \\ characters like this:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              \\(bar)\\: 10\n

In this case, the leading and trailing \\ characters will be erased and the projection won't be applied.

Note that it's still possible to use the ~ modifier or to create a named binding with and escaped projection.

Keys like this are perfectly valid:

"},{"location":"policies/policies/","title":"Policy Structure","text":"

Kyverno policies are Kubernetes resources and can be easily managed via Kubernetes APIs, GitOps workflows, and other existing tools.

Policies that apply to JSON payload have a few differences from Kyverno policies that are applied to Kubernetes resources at admission controls.

"},{"location":"policies/policies/#resource-scope","title":"Resource Scope","text":"

Policies that apply to JSON payloads are always cluster-wide resources.

"},{"location":"policies/policies/#api-group-and-kind","title":"API Group and Kind","text":"

kyverno-json policies belong to the json.kyverno.io group and can only be of kind ValidatingPolicy.

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar-4\n      validate:\n        assert:\n          all:\n          - foo:\n              bar: 4\n
"},{"location":"policies/policies/#policy-rules","title":"Policy Rules","text":"

A policy can have multiple rules, and rules are processed in order. Evaluation stops at the first rule that fails.

"},{"location":"policies/policies/#match-and-exclude","title":"Match and Exclude","text":"

Policies that apply to JSON payloads use assertion trees in both the match/exclude declarations as well as the validate rule declaration.

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: required-s3-tags\nspec:\n  rules:\n    - name: require-team-tag\n      identifier: address\n      match:\n        any:\n        - type: aws_s3_bucket\n      exclude:\n        any:\n        - name: bypass-me\n      validate:\n        assert:\n          all:\n          - values:\n              tags:\n                Team: ?*\n

In the example above, every resource having type: aws_s3_bucket will match, and payloads having name: bypass-me will be excluded.

"},{"location":"policies/policies/#identifying-payload-entries","title":"Identifying Payload Entries","text":"

A policy rule can contain an optional identifier which declares the path to the payload element that uniquely identifies each entry.

"},{"location":"policies/policies/#context-entries","title":"Context Entries","text":"

A policy rule can contain optional context entries that are made available to the rule via bindings:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: required-s3-tags\nspec:\n  rules:\n    - name: require-team-tag\n      match:\n        any:\n        - type: aws_s3_bucket\n      context:\n      # creates a `expectedTeam` binding automatically\n      - name: expectedTeam\n        variable: Kyverno\n      validate:\n        message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}\n        assert:\n          all:\n          - values:\n              tags:\n                # use the `$expectedTeam` binding coming from the context\n                Team: ($expectedTeam)\n
"},{"location":"policies/policies/#no-foreach-pattern-operators-anchors-or-wildcards","title":"No forEach, pattern operators, anchors, or wildcards","text":"

The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.

Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.

"},{"location":"webapp/","title":"Usage","text":"

kyverno-json can be deployed as a web application with a REST API. This is useful for deployments when a long running service that processes policy requests is desired.

"},{"location":"webapp/#managing-policies","title":"Managing Policies","text":"

With kyverno-json policies are managed as Kubernetes resources. This means that you can use Kubernetes APIs, kubectl, GitOps, or any other Kubernetes management tool to manage policies.

"},{"location":"webapp/#usage_1","title":"Usage","text":"

Here is a complete demonstration of how to use kyverno-json as an web application:

Install CRDs

Install the CRD for kyverno-json:

kubectl apply -f .crds/json.kyverno.io_validatingpolicies.yaml\n

Install policies:

Install a sample policy:

kubectl apply -f test/commands/scan/dockerfile/policy.yaml\n

Prepare the payload

The payload is a JSON object with two fields:

Name Type Required payload Object Y preprocessors Array of Strings N

You can construct a sample payload for the Dockerfile policy using:

cat test/commands/scan/dockerfile/payload.json | jq '{\"payload\": .}' > /tmp/webapp-payload.json\n

Run the web application

./kyverno-json serve\n

This will show the output:

2023/10/29 23:46:11 configured route /api/scan\n2023/10/29 23:46:11 listening to requests on 0.0.0.0:8080\n

Send the REST API request

curl http://localhost:8080/api/scan -X POST -H \"Content-Type: application/json\" -d @/tmp/webapp-payload.json | jq\n

The configured policies will be applied to the payload and the results will be returned back:

{\n  \"results\": [\n    {\n      \"policy\": \"check-dockerfile\",\n      \"rule\": \"deny-external-calls\",\n      \"status\": \"fail\",\n      \"message\": \"HTTP calls are not allowed: all[0].check.~.(Stages[].Commands[].Args[].Value)[0].(contains(@, 'https://') || contains(@, 'http://')): Invalid value: true: Expected value: false; wget is not allowed: all[3].check.~.(Stages[].Commands[].CmdLine[])[0].(contains(@, 'wget')): Invalid value: true: Expected value: false\"\n    }\n  ]\n}\n
"},{"location":"webapp/#helm-chart","title":"Helm Chart","text":"

The web application can be installed and managed in a Kubernetes cluster using Helm.

See details at: https://github.com/kyverno/kyverno-json/tree/main/charts/kyverno-json

"},{"location":"catalog/","title":"Policy catalog","text":"

The kyverno-json policy catalog contains curated policies to be reused.

You can share your policies with the community by opening a pull request here.

"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":""},{"location":"catalog/#awsecs","title":"aws/ecs","text":""},{"location":"catalog/#dockerfile","title":"dockerfile","text":""}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"install/","title":"Install","text":"

You can install the pre-compiled binary (in several ways), or compile from source.

"},{"location":"install/#using-go-install","title":"Using go install","text":"

You can install with go install with:

go install github.com/kyverno/kyverno-json@latest\n
"},{"location":"install/#download-binary","title":"Download binary","text":"

Download the pre-compiled binaries from the releases page and copy them to the desired location.

"},{"location":"install/#build-from-the-source-code","title":"Build from the source code","text":"

clone the repository:

git clone https://github.com/kyverno/kyverno-json.git\n

build the binaries:

cd kyverno-json\ngo mod tidy\nmake build\n

verify the build:

./kyverno-json version\n
"},{"location":"intro/","title":"Introduction","text":"

kyverno-json extends Kyverno policies to perform simple and efficient validation of data in JSON or YAML format. With kyverno-json, you can now use Kyverno policies to validate:

Simply convert your runtime or configuration data to JSON, and use Kyverno to audit or enforce policies for security and best practices compliance.

kyverno-json can be run as a:

  1. A Command Line Interface (CLI)
  2. A web application with a REST API
  3. A Golang library
"},{"location":"jp/","title":"Overview","text":"

kyverno-json uses JMESPath community edition, a modern JMESPath implementation with lexical scopes support.

The current payload, policy and rule are always available using the following builtin bindings:

Binding Usage $payload Current payload being analysed $policy Current policy being executed $rule Current rule being evaluated

Warning

No protection is made to prevent you from overriding those bindings.

"},{"location":"playground/","title":"Playground","text":"

The kyverno-json playground can be used to test kyverno-json directly in your web browser.

"},{"location":"quick-start/","title":"Quick Start","text":"

See Install for the available options to install the CLI.

"},{"location":"quick-start/#validate-a-terraform-plan","title":"Validate a Terraform Plan","text":"

In this example we will use a Kyverno policy to validate a Terraform plan:

"},{"location":"quick-start/#create-the-payload","title":"Create the payload","text":"

Here is a Terraform plan that creates an AWS S3 bucket:

terraform {\n  required_providers {\n    aws = {\n      source  = \"hashicorp/aws\"\n      version = \"~> 4.16\"\n    }\n  }\n\n  required_version = \">= 1.2.0\"\n}\n\nprovider \"aws\" {\n  region = \"us-west-2\"\n}\n\nresource \"aws_s3_bucket\" \"example\" {\n  bucket = \"my-tf-test-bucket\"\n\n  tags = {\n    Name        = \"My bucket\"\n    Environment = \"Dev\"\n  }\n}\n

You can convert this to JSON using the following commands:

output the plan: 

terraform plan -out tfplan.binary\n
convert to JSON: 
terraform show -json tfplan.binary | jq > payload.json\n

"},{"location":"quick-start/#create-the-policy","title":"Create the policy","text":"

Create a policy.yaml file and paste the content below that checks for required labels:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: s3\nspec:\n  rules:\n    - name: check-tags\n      assert:\n        all:\n        - check:\n            planned_values:\n              root_module:\n                ~.resources:\n                  values:\n                    (keys(tags_all)):\n                      (contains(@, 'Environment')): true\n                      (contains(@, 'Name')): true\n                      (contains(@, 'Team')): true\n
"},{"location":"quick-start/#scan-the-payload","title":"Scan the payload","text":"

With the payload and policy above, we can invoke kyverno-json with the command below:

kyverno-json scan --payload payload.json --policy policy.yaml\n

The plan shown above will fail as it does not contain the Team tag.

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags /  FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"quick-start/#validate-a-kubernetes-resource","title":"Validate a Kubernetes Resource","text":"

For this example we will use a Kubernetes Pod payload.

"},{"location":"quick-start/#create-the-payload_1","title":"Create the payload","text":"

Create a payload.yaml file and paste the Pod declaration below in it:

apiVersion: v1\nkind: Pod\nmetadata:\n  name: pods-simple-pod\nspec:\n  containers:\n    - command:\n        - sleep\n        - \"3600\"\n      image: busybox:latest\n      name: pods-simple-container\n

This is a simple Pod with one container running the busybox latest docker image.

Using the latest tag of an image is a bad practice. Let's write a policy to detect this.

"},{"location":"quick-start/#create-the-policy_1","title":"Create the policy","text":"

Create a policy.yaml file and paste the content below to block latest images:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: pod-policy\nspec:\n  rules:\n    - name: no-latest\n      # Match payloads corresponding to pods\n      match:\n        any:\n        - apiVersion: v1\n          kind: Pod\n      assert:\n        all:\n        - message: Pod `{{ metadata.name }}` uses an image with tag `latest`\n          check:\n            spec:\n              # Iterate over pod containers\n              # Note the `~.` modifier, it means we want to iterate over array elements in descendants\n              ~.containers:\n                image:\n                  # Check that an image tag is present\n                  (contains(@, ':')): true\n                  # Check that the image tag is not `:latest`\n                  (ends_with(@, ':latest')): false\n

This policy iterates over pod containers, checking that the container image has a tag specified and that the tag being used is not latest.

"},{"location":"quick-start/#scan-the-payload_1","title":"Scan the payload","text":"

With the payload and policy above, we can invoke kyverno-json with the command below:

kyverno-json scan --payload payload.yaml --policy policy.yaml\n

This produces the output:

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- pod-policy / no-latest /  FAILED: Pod `pods-simple-pod` uses an image with tag `latest`\nDone\n
"},{"location":"apis/kyverno-json.v1alpha1/","title":"KyvernoJson (v1alpha1)","text":"

Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group

"},{"location":"apis/kyverno-json.v1alpha1/#resource-types","title":"Resource Types","text":""},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicy","title":"ValidatingPolicy","text":"

Appears in:

ValidatingPolicy is the resource that contains the policy definition.

Field Type Required Inline Description apiVersion string json.kyverno.io/v1alpha1 kind string ValidatingPolicy metadata meta/v1.ObjectMeta

Standard object's metadata.

spec ValidatingPolicySpec

Policy spec.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicyList","title":"ValidatingPolicyList","text":"

ValidatingPolicyList is a list of ValidatingPolicy instances.

Field Type Required Inline Description apiVersion string json.kyverno.io/v1alpha1 kind string ValidatingPolicyList metadata meta/v1.ListMeta No description provided. items []ValidatingPolicy No description provided."},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Any","title":"Any","text":"

Appears in:

Any can be any type.

Field Type Required Inline Description Value interface{}

Value contains the value of the Any object.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assert","title":"Assert","text":"

Appears in:

Assert defines collections of assertions.

Field Type Required Inline Description any []Assertion

Any allows specifying assertions which will be ORed.

all []Assertion

All allows specifying assertions which will be ANDed.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Assertion","title":"Assertion","text":"

Appears in:

Assertion contains an assertion tree associated with a message.

Field Type Required Inline Description message string

Message is the message associated message.

check Any

Check is the assertion check definition.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ContextEntry","title":"ContextEntry","text":"

Appears in:

ContextEntry adds variables and data sources to a rule context.

Field Type Required Inline Description name string

Name is the entry name.

variable Any

Variable defines an arbitrary variable.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-Match","title":"Match","text":"

Appears in:

Match defines collections of assertion trees.

Field Type Required Inline Description any []Any

Any allows specifying assertion trees which will be ORed.

all []Any

All allows specifying assertion trees which will be ANDed.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingPolicySpec","title":"ValidatingPolicySpec","text":"

Appears in:

ValidatingPolicySpec contains the policy spec.

Field Type Required Inline Description rules []ValidatingRule

Rules is a list of ValidatingRule instances.

"},{"location":"apis/kyverno-json.v1alpha1/#json-kyverno-io-v1alpha1-ValidatingRule","title":"ValidatingRule","text":"

Appears in:

ValidatingRule defines a validating rule.

Field Type Required Inline Description name string

Name is a label to identify the rule, It must be unique within the policy.

context []ContextEntry

Context defines variables and data sources that can be used during rule execution.

match Match

Match defines when this policy rule should be applied.

exclude Match

Exclude defines when this policy rule should not be applied.

identifier string

Identifier declares a JMESPath expression to extract a name from the payload.

assert Assert

Assert is used to validate matching resources.

"},{"location":"catalog/","title":"Policy catalog","text":"

The kyverno-json policy catalog contains curated policies to be reused.

You can share your policies with the community by opening a pull request here.

"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":""},{"location":"catalog/#awsecs","title":"aws/ecs","text":""},{"location":"catalog/#dockerfile","title":"dockerfile","text":""},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/","title":"Dockerfile expose port 22 not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#description","title":"Description","text":"

This Policy ensures that port 22 is not exposed in Dockerfile.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-expose-22.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-expose-22/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that port 22 is not exposed\n      in Dockerfile.\n    title.policy.kyverno.io: Dockerfile expose port 22 not allowed\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-deny-expose-port-22\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ~.(Stages[].Commands[?Name=='EXPOSE'][]):\n            (contains(Ports, '22') || contains(Ports, '22/TCP')): false\n        message: Port 22 exposure is not allowed\n    name: check-port-exposure\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/","title":"Dockerfile latest image tag not allowed","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#description","title":"Description","text":"

This Policy ensures that no image uses the latest tag in Dockerfile.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-deny-latest-image.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-deny-latest-image/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that no image uses the latest\n      tag in Dockerfile.\n    title.policy.kyverno.io: Dockerfile latest image tag not allowed\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-deny-latest-image-tag\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ~.(Stages[].From.Image):\n            (contains(@, ':latest')): false\n        message: Latest tag is not allowed\n    name: check-latest-tag\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/","title":"Ensure apt is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#description","title":"Description","text":"

This Policy ensures that apt isnt used but apt-get can be used as apt interface is less stable than apt-get and so this preferred.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-apt.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-apt/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that apt isnt used but apt-get\n      can be used as apt interface is less stable than apt-get and so this preferred.\n    title.policy.kyverno.io: Ensure apt is not used in Dockerfile\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-disallow-apt\nspec:\n  rules:\n  - assert:\n      any:\n      - check:\n          ~.(Stages[].Commands[].CmdLine[]):\n            (contains(@, 'apt ')): false\n        message: apt not allowed\n    name: dockerfile-disallow-apt\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/","title":"Dockerfile last user is not allowed to be root","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#description","title":"Description","text":"

This Policy ensures that last user in Dockerfile is not root.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-last-user-root.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-last-user-root/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that last user in Dockerfile\n      is not root.\n    title.policy.kyverno.io: Dockerfile last user is not allowed to be root\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-disallow-last-user-root\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false\n        message: Last user root not allowed\n    name: check-disallow-last-user-root\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/","title":"Ensure sudo is not used in Dockerfile","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#description","title":"Description","text":"

This Policy ensures that sudo isn\u2019t used.

","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#install","title":"Install","text":"","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/dockerfile/dockerfile-disallow-sudo.yaml\n
","tags":["dockerfile"]},{"location":"catalog/policies/dockerfile/dockerfile-disallow-sudo/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that sudo isn\u2019t used.\n    title.policy.kyverno.io: Ensure sudo is not used in Dockerfile\n  creationTimestamp: null\n  labels:\n    dockerfile.tags.kyverno.io: dockerfile\n  name: dockerfile-disallow-sudo\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          ~.(Stages[].Commands[].CmdLine[]):\n            (contains(@, 'sudo')): false\n        message: sudo not allowed\n    name: dockerfile-disallow-sudo\n
","tags":["dockerfile"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/","title":"ECS cluster enable logging","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#description","title":"Description","text":"

This Policy ensures that ECS clusters have logging enabled.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-enable-logging.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-enable-logging/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS clusters have logging\n      enabled.\n    title.policy.kyverno.io: ECS cluster enable logging\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-cluster\n  name: ecs-cluster-enable-logging\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            ~.configuration:\n              ~.execute_command_configuration:\n                (contains($forbidden_values, @.logging)): false\n        message: ECS Cluster should enable logging of ECS Exec\n    context:\n    - name: forbidden_values\n      variable:\n      - NONE\n    match:\n      any:\n      - type: aws_ecs_cluster\n    name: ecs-cluster-enable-logging\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/","title":"ECS requires container insights","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#description","title":"Description","text":"

This Policy ensures that ECS clusters have container insights enabled.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-cluster-required-container-insights.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-cluster-required-container-insights/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS clusters have container\n      insights enabled.\n    title.policy.kyverno.io: ECS requires container insights\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-cluster\n  name: required-container-insights\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            ~.setting:\n              name: containerInsights\n              value: enabled\n        message: Container insights should be enabled on ECS cluster\n    match:\n      any:\n      - type: aws_ecs_cluster\n    name: required-container-insights\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/","title":"ECS public IP","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#description","title":"Description","text":"

This Policy ensures that ECS services do not have public IP addresses assigned to them automatically.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-public-ip.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-public-ip/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS services do not have\n      public IP addresses assigned to them automatically.\n    title.policy.kyverno.io: ECS public IP\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-service\n  name: ecs-public-ip\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            ~.network_configuration:\n              (contains('$allowed-values', @.assign_public_ip)): false\n        message: ECS services should not have public IP addresses assigned to them\n          automatically\n    context:\n    - name: allowed-values\n      variable:\n      - false\n    match:\n      any:\n      - type: aws_ecs_service\n    name: ecs-public-ip\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/","title":"ECS require latest platform fargate","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#description","title":"Description","text":"

This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-service-required-latest-platform-fargate.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-service-required-latest-platform-fargate/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n      on the latest Fargate platform version.\n    title.policy.kyverno.io: ECS require latest platform fargate\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-service\n  name: required-latest-platform-fargate\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          values:\n            platform_version: LATEST\n        message: ECS Fargate services should run on the latest Fargate platform version\n    context:\n    - name: pv\n      variable: platform_version\n    match:\n      any:\n      - type: aws_ecs_service\n        values:\n          launch_type: FARGATE\n    name: required-latest-platform\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/","title":"ECS require filesystem read only","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#description","title":"Description","text":"

This Policy ensures that ECS Fargate services runs on the latest Fargate platform version.

","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#install","title":"Install","text":"","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/ecs-task-definition-fs-read-only.yaml\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/ecs-task-definition-fs-read-only/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  annotations:\n    description.policy.kyverno.io: This Policy ensures that ECS Fargate services runs\n      on the latest Fargate platform version.\n    title.policy.kyverno.io: ECS require filesystem read only\n  creationTimestamp: null\n  labels:\n    ecs.aws.tags.kyverno.io: ecs-task-definition\n  name: fs-read-only\nspec:\n  rules:\n  - assert:\n      any:\n      - check:\n          values:\n            ~.(json_parse(container_definitions)):\n              readonlyRootFilesystem: true\n        message: ECS containers should only have read-only access to root filesystems\n    match:\n      any:\n      - type: aws_ecs_task_definition\n    name: require-fs-read-only\n
","tags":["aws","aws/ecs"]},{"location":"catalog/policies/ecs/policy-1/","title":"policy-1","text":""},{"location":"catalog/policies/ecs/policy-1/#description","title":"Description","text":"

None

"},{"location":"catalog/policies/ecs/policy-1/#install","title":"Install","text":""},{"location":"catalog/policies/ecs/policy-1/#in-cluster","title":"In cluster","text":"
kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#download-locally","title":"Download locally","text":"
curl -O https://raw.githubusercontent.com/kyverno/kyverno-json/main/catalog/ecs/policy-1.yaml\n
"},{"location":"catalog/policies/ecs/policy-1/#manifest","title":"Manifest","text":"

Original policy Raw

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  creationTimestamp: null\n  name: test\nspec:\n  rules:\n  - assert:\n      all:\n      - check:\n          foo:\n            /(bar)/: 10\n    name: foo-bar\n
"},{"location":"cli/","title":"Overview","text":"

The kyverno-json Command Line Interface (CLI) can be used to:

Here is an example of scanning an Terraform plan that creates an S3 bucket:

./kyverno-json scan --policy test/commands/scan/tf-s3/policy.yaml --payload test/commands/scan/tf-s3/payload.json\n

The output looks like:

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- s3 / check-tags /  FAILED: all[0].check.planned_values.root_module.~.resources[0].values.(keys(tags_all)).(contains(@, 'Team')): Invalid value: false: Expected value: true\nDone\n
"},{"location":"cli/#installation","title":"Installation","text":"

See Install for the available options to install the CLI.

"},{"location":"cli/#pre-processing-payloads","title":"Pre-processing payloads","text":"

You can provide preprocessing queries in jmespath format to pre-process the input payload before evaluating resources against policies.

This is necessary if the input payload is not what you want to directly analyze.

For example, here is a partial JSON which was produced by converting a Terraform plan that creates an EC2 instance:

kyverno/kyverno-json/main/test/commands/scan/tf-ec2/payload.json

{\n  \"format_version\": \"1.2\",\n  \"terraform_version\": \"1.5.7\",\n  \"planned_values\": {\n    \"root_module\": {\n      \"resources\": [\n        {\n          \"address\": \"aws_instance.app_server\",\n          \"mode\": \"managed\",\n          \"type\": \"aws_instance\",\n          \"name\": \"app_server\",\n          \"provider_name\": \"registry.terraform.io/hashicorp/aws\",\n          \"schema_version\": 1,\n          \"values\": {\n            \"ami\": \"ami-830c94e3\",\n            \"credit_specification\": [],\n            \"get_password_data\": false,\n            \"hibernation\": null,\n            \"instance_type\": \"t2.micro\",\n            \"launch_template\": [],\n            \"source_dest_check\": true,\n            \"tags\": {\n              \"Name\": \"ExampleAppServerInstance\"\n            },\n            \"tags_all\": {\n              \"Name\": \"ExampleAppServerInstance\"\n            },\n            \"timeouts\": null,\n            \"user_data_replace_on_change\": false,\n            \"volume_tags\": null\n          },\n\n          ...\n

To directly scan the resources element use --pre-process planned_values.root_module.resources as follows:

./kyverno-json scan --policy test/commands/scan/tf-ec2/policy.yaml --payload test/commands/scan/tf-ec2/payload.json --pre-process planned_values.root_module.resources\n

This command will produce the output:

Loading policies ...\nLoading payload ...\nPre processing ...\nRunning ( evaluating 1 resource against 1 policy ) ...\n- required-ec2-tags / require-team-tag /  PASSED\nDone\n
"},{"location":"cli/commands/kyverno-json/","title":"Kyverno json","text":""},{"location":"cli/commands/kyverno-json/#kyverno-json","title":"kyverno-json","text":"

kyverno-json is a CLI tool to apply policies to json resources.

"},{"location":"cli/commands/kyverno-json/#synopsis","title":"Synopsis","text":"

kyverno-json is a CLI tool to apply policies to json resources.

kyverno-json [flags]\n
"},{"location":"cli/commands/kyverno-json/#options","title":"Options","text":"
  -h, --help   help for kyverno-json\n
"},{"location":"cli/commands/kyverno-json/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion/","title":"Kyverno json completion","text":""},{"location":"cli/commands/kyverno-json_completion/#kyverno-json-completion","title":"kyverno-json completion","text":"

Generate the autocompletion script for the specified shell

"},{"location":"cli/commands/kyverno-json_completion/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for kyverno-json for the specified shell. See each sub-command's help for details on how to use the generated script.

"},{"location":"cli/commands/kyverno-json_completion/#options","title":"Options","text":"
  -h, --help   help for completion\n
"},{"location":"cli/commands/kyverno-json_completion/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_bash/","title":"Kyverno json completion bash","text":""},{"location":"cli/commands/kyverno-json_completion_bash/#kyverno-json-completion-bash","title":"kyverno-json completion bash","text":"

Generate the autocompletion script for bash

"},{"location":"cli/commands/kyverno-json_completion_bash/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for the bash shell.

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

source <(kyverno-json completion bash)\n

To load completions for every new session, execute once:

"},{"location":"cli/commands/kyverno-json_completion_bash/#linux","title":"Linux:","text":"
kyverno-json completion bash > /etc/bash_completion.d/kyverno-json\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#macos","title":"macOS:","text":"
kyverno-json completion bash > $(brew --prefix)/etc/bash_completion.d/kyverno-json\n

You will need to start a new shell for this setup to take effect.

kyverno-json completion bash\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#options","title":"Options","text":"
  -h, --help              help for bash\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_bash/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_fish/","title":"Kyverno json completion fish","text":""},{"location":"cli/commands/kyverno-json_completion_fish/#kyverno-json-completion-fish","title":"kyverno-json completion fish","text":"

Generate the autocompletion script for fish

"},{"location":"cli/commands/kyverno-json_completion_fish/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

kyverno-json completion fish | source\n

To load completions for every new session, execute once:

kyverno-json completion fish > ~/.config/fish/completions/kyverno-json.fish\n

You will need to start a new shell for this setup to take effect.

kyverno-json completion fish [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#options","title":"Options","text":"
  -h, --help              help for fish\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_fish/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_powershell/","title":"Kyverno json completion powershell","text":""},{"location":"cli/commands/kyverno-json_completion_powershell/#kyverno-json-completion-powershell","title":"kyverno-json completion powershell","text":"

Generate the autocompletion script for powershell

"},{"location":"cli/commands/kyverno-json_completion_powershell/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for powershell.

To load completions in your current shell session:

kyverno-json completion powershell | Out-String | Invoke-Expression\n

To load completions for every new session, add the output of the above command to your powershell profile.

kyverno-json completion powershell [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#options","title":"Options","text":"
  -h, --help              help for powershell\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_powershell/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_completion_zsh/","title":"Kyverno json completion zsh","text":""},{"location":"cli/commands/kyverno-json_completion_zsh/#kyverno-json-completion-zsh","title":"kyverno-json completion zsh","text":"

Generate the autocompletion script for zsh

"},{"location":"cli/commands/kyverno-json_completion_zsh/#synopsis","title":"Synopsis","text":"

Generate the autocompletion script for the zsh shell.

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

echo \"autoload -U compinit; compinit\" >> ~/.zshrc\n

To load completions in your current shell session:

source <(kyverno-json completion zsh)\n

To load completions for every new session, execute once:

"},{"location":"cli/commands/kyverno-json_completion_zsh/#linux","title":"Linux:","text":"
kyverno-json completion zsh > \"${fpath[1]}/_kyverno-json\"\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#macos","title":"macOS:","text":"
kyverno-json completion zsh > $(brew --prefix)/share/zsh/site-functions/_kyverno-json\n

You will need to start a new shell for this setup to take effect.

kyverno-json completion zsh [flags]\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#options","title":"Options","text":"
  -h, --help              help for zsh\n      --no-descriptions   disable completion descriptions\n
"},{"location":"cli/commands/kyverno-json_completion_zsh/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_docs/","title":"Kyverno json docs","text":""},{"location":"cli/commands/kyverno-json_docs/#kyverno-json-docs","title":"kyverno-json docs","text":"

Generates reference documentation.

"},{"location":"cli/commands/kyverno-json_docs/#synopsis","title":"Synopsis","text":"

Generates reference documentation.

The docs command generates CLI reference documentation. It can be used to generate simple markdown files or markdown to be used for the website.

kyverno-json docs [flags]\n
"},{"location":"cli/commands/kyverno-json_docs/#examples","title":"Examples","text":"
  # Generate simple markdown documentation\n  kyverno-json docs -o . --autogenTag=false\n\n  # Generate website documentation\n  kyverno-json docs -o . --website\n
"},{"location":"cli/commands/kyverno-json_docs/#options","title":"Options","text":"
      --autogenTag      Determines if the generated docs should contain a timestamp (default true)\n  -h, --help            help for docs\n  -o, --output string   Output path (default \".\")\n      --website         Website version\n
"},{"location":"cli/commands/kyverno-json_docs/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp/","title":"Kyverno json jp","text":""},{"location":"cli/commands/kyverno-json_jp/#kyverno-json-jp","title":"kyverno-json jp","text":"

Provides a command-line interface to JMESPath, enhanced with custom functions.

"},{"location":"cli/commands/kyverno-json_jp/#synopsis","title":"Synopsis","text":"

Provides a command-line interface to JMESPath, enhanced with custom functions.

kyverno-json jp [flags]\n
"},{"location":"cli/commands/kyverno-json_jp/#examples","title":"Examples","text":"
  # List functions\n  kyverno-json jp function\n\n  # Evaluate query\n  kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n  # Parse expression\n  kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp/#options","title":"Options","text":"
  -h, --help   help for jp\n
"},{"location":"cli/commands/kyverno-json_jp/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp_function/","title":"Kyverno json jp function","text":""},{"location":"cli/commands/kyverno-json_jp_function/#kyverno-json-jp-function","title":"kyverno-json jp function","text":"

Provides function informations.

"},{"location":"cli/commands/kyverno-json_jp_function/#synopsis","title":"Synopsis","text":"

Provides function informations.

kyverno-json jp function [function_name]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_function/#examples","title":"Examples","text":"
  # List functions\n  kyverno-json jp function\n\n  # Get function infos\n  kyverno-json jp function truncate\n
"},{"location":"cli/commands/kyverno-json_jp_function/#options","title":"Options","text":"
  -h, --help   help for function\n
"},{"location":"cli/commands/kyverno-json_jp_function/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp_parse/","title":"Kyverno json jp parse","text":""},{"location":"cli/commands/kyverno-json_jp_parse/#kyverno-json-jp-parse","title":"kyverno-json jp parse","text":"

Parses jmespath expression and prints corresponding AST.

"},{"location":"cli/commands/kyverno-json_jp_parse/#synopsis","title":"Synopsis","text":"

Parses jmespath expression and prints corresponding AST.

kyverno-json jp parse [-f file|expression]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#examples","title":"Examples","text":"
  # Parse expression\n  kyverno-json jp parse 'request.object.metadata.name | truncate(@, `9`)'\n\n  # Parse expression from a file\n  kyverno-json jp parse -f my-file\n\n  # Parse expression from stdin\n  kyverno-json jp parse\n\n  # Parse multiple expressionxs\n  kyverno-json jp parse -f my-file1 -f my-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#options","title":"Options","text":"
  -f, --file strings   Read input from a JSON or YAML file instead of stdin\n  -h, --help           help for parse\n
"},{"location":"cli/commands/kyverno-json_jp_parse/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_jp_query/","title":"Kyverno json jp query","text":""},{"location":"cli/commands/kyverno-json_jp_query/#kyverno-json-jp-query","title":"kyverno-json jp query","text":"

Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.

"},{"location":"cli/commands/kyverno-json_jp_query/#synopsis","title":"Synopsis","text":"

Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.

kyverno-json jp query [-i input] [-q query|query]... [flags]\n
"},{"location":"cli/commands/kyverno-json_jp_query/#examples","title":"Examples","text":"
  # Evaluate query\n  kyverno-json jp query -i object.yaml 'request.object.metadata.name | truncate(@, `9`)'\n\n  # Evaluate query\n  kyverno-json jp query -i object.yaml -q query-file\n\n  # Evaluate multiple queries\n  kyverno-json jp query -i object.yaml -q query-file-1 -q query-file-2 'request.object.metadata.name | truncate(@, `9`)'\n
"},{"location":"cli/commands/kyverno-json_jp_query/#options","title":"Options","text":"
  -c, --compact         Produce compact JSON output that omits non essential whitespace\n  -h, --help            help for query\n  -i, --input string    Read input from a JSON or YAML file instead of stdin\n  -q, --query strings   Read JMESPath expression from the specified file\n  -u, --unquoted        If the final result is a string, it will be printed without quotes\n
"},{"location":"cli/commands/kyverno-json_jp_query/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_playground/","title":"Kyverno json playground","text":""},{"location":"cli/commands/kyverno-json_playground/#kyverno-json-playground","title":"kyverno-json playground","text":"

playground

"},{"location":"cli/commands/kyverno-json_playground/#synopsis","title":"Synopsis","text":"

Serve playground

kyverno-json playground [flags]\n
"},{"location":"cli/commands/kyverno-json_playground/#options","title":"Options","text":"
      --gin-cors                enable gin cors (default true)\n      --gin-log                 enable gin logger (default true)\n      --gin-max-body-size int   gin max body size (default 2097152)\n      --gin-mode string         gin run mode (default \"release\")\n  -h, --help                    help for playground\n      --server-host string      server host (default \"0.0.0.0\")\n      --server-port int         server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_playground/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_scan/","title":"Kyverno json scan","text":""},{"location":"cli/commands/kyverno-json_scan/#kyverno-json-scan","title":"kyverno-json scan","text":"

scan

"},{"location":"cli/commands/kyverno-json_scan/#synopsis","title":"Synopsis","text":"

Apply policies to json resources

kyverno-json scan [flags]\n
"},{"location":"cli/commands/kyverno-json_scan/#options","title":"Options","text":"
  -h, --help                  help for scan\n      --labels strings        Labels selectors for policies\n      --payload string        Path to payload (json or yaml file)\n      --policy strings        Path to kyverno-json policies\n      --pre-process strings   JMESPath expression used to pre process payload\n
"},{"location":"cli/commands/kyverno-json_scan/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_serve/","title":"Kyverno json serve","text":""},{"location":"cli/commands/kyverno-json_serve/#kyverno-json-serve","title":"kyverno-json serve","text":"

serve

"},{"location":"cli/commands/kyverno-json_serve/#synopsis","title":"Synopsis","text":"

Serve API

kyverno-json serve [flags]\n
"},{"location":"cli/commands/kyverno-json_serve/#options","title":"Options","text":"
      --gin-cors                            enable gin cors (default true)\n      --gin-log                             enable gin logger (default true)\n      --gin-max-body-size int               gin max body size (default 2097152)\n      --gin-mode string                     gin run mode (default \"release\")\n  -h, --help                                help for serve\n      --kube-as string                      Username to impersonate for the operation\n      --kube-as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.\n      --kube-as-uid string                  UID to impersonate for the operation\n      --kube-certificate-authority string   Path to a cert file for the certificate authority\n      --kube-client-certificate string      Path to a client certificate file for TLS\n      --kube-client-key string              Path to a client key file for TLS\n      --kube-cluster string                 The name of the kubeconfig cluster to use\n      --kube-context string                 The name of the kubeconfig context to use\n      --kube-disable-compression            If true, opt-out of response compression for all requests to the server\n      --kube-insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure\n  -n, --kube-namespace string               If present, the namespace scope for this CLI request\n      --kube-password string                Password for basic authentication to the API server\n      --kube-proxy-url string               If provided, this URL will be used to connect via proxy\n      --kube-request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default \"0\")\n      --kube-server string                  The address and port of the Kubernetes API server\n      --kube-tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.\n      --kube-token string                   Bearer token for authentication to the API server\n      --kube-user string                    The name of the kubeconfig user to use\n      --kube-username string                Username for basic authentication to the API server\n      --server-host string                  server host (default \"0.0.0.0\")\n      --server-port int                     server port (default 8080)\n
"},{"location":"cli/commands/kyverno-json_serve/#see-also","title":"SEE ALSO","text":""},{"location":"cli/commands/kyverno-json_version/","title":"Kyverno json version","text":""},{"location":"cli/commands/kyverno-json_version/#kyverno-json-version","title":"kyverno-json version","text":"

Print the version informations

"},{"location":"cli/commands/kyverno-json_version/#synopsis","title":"Synopsis","text":"

Print the version informations

kyverno-json version [flags]\n
"},{"location":"cli/commands/kyverno-json_version/#examples","title":"Examples","text":"
  # Print version infos\n  kyverno-json version\n
"},{"location":"cli/commands/kyverno-json_version/#options","title":"Options","text":"
  -h, --help   help for version\n
"},{"location":"cli/commands/kyverno-json_version/#see-also","title":"SEE ALSO","text":""},{"location":"go-library/","title":"Usage","text":"

The Go API provides a way to embed the Kyverno JSON engine in Go programs that validate JSON payloads using Kyverno policies.

The Go API can be added to a program's dependencies as follows:

go get github.com/kyverno/kyverno-json/pkg/jsonengine\ngo get github.com/kyverno/kyverno-json/pkg/policy\n

Here is a sample program that shows the overall flow for programatically using the Kyverno JSON Engine:

package main\n\nimport (\n    \"context\"\n    \"encoding/json\"\n    \"log\"\n\n    jsonengine \"github.com/kyverno/kyverno-json/pkg/json-engine\"\n    \"github.com/kyverno/kyverno-json/pkg/policy\"\n)\n\nconst policyYAML = `\napiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: authz\nspec:\n  rules:\n  - name: delete-checks\n    identifier: \"name\"\n    match:\n      all:\n        (input.method): \"DELETE\"\n    assert:\n      all:\n      - check:\n          role: \"admin\"\n`\n\nfunc main() {\n    policies, err := policy.Parse([]byte(policyYAML))\n    if err != nil {\n        panic(err)\n    }\n\n    // load payloads\n    requestJSON := `{\n        \"name\": \"Annie\",\n        \"role\": \"admin\",\n        \"input\": {\n            \"method\": \"DELETE\",\n            \"path\":   \"/red-files\"\n        }\n    }`\n\n    var payload interface{}\n    if err := json.Unmarshal([]byte(requestJSON), &payload); err != nil {\n        panic(err)\n    }\n\n    // create a JsonEngineRequest\n    request := jsonengine.JsonEngineRequest{\n        Resources: []interface{}{payload},\n        Policies:  policies,\n    }\n\n    // create a J\n    engine := jsonengine.New()\n\n    responses := engine.Run(context.Background(), request)\n\n    logger := log.Default()\n    for _, resp := range responses {\n        if resp.Error != nil {\n            // ...handle execution error\n            logger.Printf(\"policy error: %v\", resp.Error)\n        }\n\n        if resp.Failure != nil {\n            // ...handle policy failure\n            logger.Printf(\"policy failure: %v\", resp.Failure)\n        }\n    }\n}\n
"},{"location":"jp/functions/","title":"Functions","text":""},{"location":"jp/functions/#built-in-functions","title":"built-in functions","text":"Name Signature abs abs(number) avg avg(array[number]) ceil ceil(number) contains contains(array\\|string, any) ends_with ends_with(string, string) find_first find_first(string, string, number, number) find_last find_last(string, string, number, number) floor floor(number) from_items from_items(array[array]) group_by group_by(array, expref) items items(object) join join(string, array[string]) keys keys(object) length length(string\\|array\\|object) lower lower(string) map map(expref, array) max max(array[number]\\|array[string]) max_by max_by(array, expref) merge merge(object) min min(array[number]\\|array[string]) min_by min_by(array, expref) not_null not_null(any) pad_left pad_left(string, number, string) pad_right pad_right(string, number, string) replace replace(string, string, string, number) reverse reverse(array\\|string) sort sort(array[string]\\|array[number]) sort_by sort_by(array, expref) split split(string, string, number) starts_with starts_with(string, string) sum sum(array[number]) to_array to_array(any) to_number to_number(any) to_string to_string(any) trim trim(string, string) trim_left trim_left(string, string) trim_right trim_right(string, string) type type(any) upper upper(string) values values(object) zip zip(array, array)"},{"location":"jp/functions/#custom-functions","title":"custom functions","text":"Name Signature at at(array, any) concat concat(string, string) json_parse json_parse(string) wildcard wildcard(string, string)"},{"location":"jp/functions/#kyverno-functions","title":"kyverno functions","text":"Name Signature compare compare(string, string) equal_fold equal_fold(string, string) replace replace(string, string, string, number) replace_all replace_all(string, string, string) to_upper to_upper(string) to_lower to_lower(string) trim trim(string, string) trim_prefix trim_prefix(string, string) split split(string, string) regex_replace_all regex_replace_all(string, string\\|number, string\\|number) regex_replace_all_literal regex_replace_all_literal(string, string\\|number, string\\|number) regex_match regex_match(string, string\\|number) pattern_match pattern_match(string, string\\|number) label_match label_match(object, object) to_boolean to_boolean(string) add add(any, any) sum sum(array) subtract subtract(any, any) multiply multiply(any, any) divide divide(any, any) modulo modulo(any, any) round round(number, number) base64_decode base64_decode(string) base64_encode base64_encode(string) time_since time_since(string, string, string) time_now time_now() time_now_utc time_now_utc() path_canonicalize path_canonicalize(string) truncate truncate(string, number) semver_compare semver_compare(string, string) parse_json parse_json(string) parse_yaml parse_yaml(string) lookup lookup(object\\|array, string\\|number) items items(object\\|array, string, string) object_from_lists object_from_lists(array, array) random random(string) x509_decode x509_decode(string) time_to_cron time_to_cron(string) time_add time_add(string, string) time_parse time_parse(string, string) time_utc time_utc(string) time_diff time_diff(string, string) time_before time_before(string, string) time_after time_after(string, string) time_between time_between(string, string, string) time_truncate time_truncate(string, string)"},{"location":"policies/asserts/","title":"Assertion trees","text":"

Assertion trees can be used to apply complex and dynamic conditional checks using JMESPath expressions.

"},{"location":"policies/asserts/#assert","title":"Assert","text":"

An assert declaration contains an any or all list in which each entry contains a:

A check can contain one or more JMESPath expressions. Expressions represent projections of selected data in the JSON payload and the result of this projection is passed to descendants for further analysis.

All comparisons happen in the leaves of the assertion tree.

A simple example:

This policy checks that a pod does not use the default service account:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: assert-sample\nspec:\n  rules:\n    - name: foo-bar\n      match:\n        all:\n        - apiVersion: v1\n          kind: Pod\n      assert:\n        all:\n        - message: \"serviceAccountName 'default' is not allowed\"\n          check:\n            spec:\n              (serviceAccountName == 'default'): false\n

A detailed example:

Given the input payload below:

foo:\n  baz: true\n  bar: 4\n  bat: 6\n

It is possible to write a validation rule like this:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar-4\n      validate:\n        assert:\n          all:\n          - message: \"...\"\n            check:\n              # project field `foo` onto itself, the content of `foo` becomes the current object for descendants\n              foo:\n\n                # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants\n                # the `true` leaf is compared with the current value `true`\n                (bar > `3`): true\n\n                # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants\n                # the leaf `false` is compared with the current value `false`\n                (!baz): false\n\n                # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants\n                # the leaf `10` is compared with the current value `10`\n                (bar + bat): 10\n
"},{"location":"policies/asserts/#iterating-with-projection-modifiers","title":"Iterating with Projection Modifiers","text":"

Assertion tree expressions support modifiers to influence the way projected values are processed.

The ~ modifier applies to arrays and maps, it mean the input array or map elements will be processed individually by descendants.

When the ~ modifier is not used, descendants receive the whole array, not each individual element.

Consider the following input document:

foo:\n  bar:\n  - 1\n  - 2\n  - 3\n

The policy below does not use the ~ modifier and foo.bar array is compared against the expected array:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              # the content of the `bar` field will be compared against `[1, 2, 3]`\n              bar:\n              - 1\n              - 2\n              - 3\n

With the ~ modifier, we can apply descendant assertions to all elements in the array individually. The policy below ensures that all elements in the input array are < 5:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              # with the `~` modifier all elements in the `[1, 2, 3]` array are processed individually and passed to descendants\n              ~.bar:\n                # the expression `(@ < `5`)` is evaluated for every element and the result is expected to be `true`\n                (@ < `5`): true\n

The ~ modifier supports binding the index of the element being processed to a named binding with the following syntax ~index_name.bar. When this is used, we can access the element index in descendants with $index_name.

When used with a map, the named binding receives the key of the element being processed.

"},{"location":"policies/asserts/#explicit-bindings","title":"Explicit bindings","text":"

Sometimes it can be useful to refer to a parent node in the assertion tree.

This is possible to add an explicit binding at every node in the tree by appending the ->binding_name to the key.

Given the input document:

foo:\n  bar: 4\n  bat: 6\n

The following policy will compute a sum and bind the result to the sum binding. A descendant can then use $sum and use it:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              # evaluate expression `(bar + bat)` and bind it to `sum`\n              (bar + bat)->sum:\n                # get the `$sum` binding and compare it against `10`\n                ($sum): 10\n

All binding are available to descendants, if a descendant creates a binding with a name that already exists the binding will be overridden for descendants only and it doesn't affect the bindings at upper levels in the tree.

In other words, a node in the tree always sees bindings that are defined in the parents and if a name is reused, the first binding with the given name wins when winding up the tree.

As a consequence, the policy below will evaluate to true:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              (bar + bat)->sum:\n                ($sum + $sum)->sum:\n                  ($sum): 20\n                ($sum): 10\n

Finally, we can always access the current payload, policy and rule being evaluated using the builtin $payload, $policy and $rule bindings. No protection is made to prevent you from overriding those bindings though.

"},{"location":"policies/asserts/#escaping-projection","title":"Escaping projection","text":"

It can be necessary to prevent a projection under certain circumstances.

Consider the following document:

foo:\n  (bar): 4\n  (baz):\n  - 1\n  - 2\n  - 3\n

Here the (bar) key conflict with the projection syntax. To workaround this situation, you can escape a projection by surrounding it with \\ characters like this:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar\n      validate:\n        assert:\n          all:\n          - foo:\n              \\(bar)\\: 10\n

In this case, the leading and trailing \\ characters will be erased and the projection won't be applied.

Note that it's still possible to use the ~ modifier or to create a named binding with and escaped projection.

Keys like this are perfectly valid:

"},{"location":"policies/policies/","title":"Policy Structure","text":"

Kyverno policies are Kubernetes resources and can be easily managed via Kubernetes APIs, GitOps workflows, and other existing tools.

Policies that apply to JSON payload have a few differences from Kyverno policies that are applied to Kubernetes resources at admission controls.

"},{"location":"policies/policies/#resource-scope","title":"Resource Scope","text":"

Policies that apply to JSON payloads are always cluster-wide resources.

"},{"location":"policies/policies/#api-group-and-kind","title":"API Group and Kind","text":"

kyverno-json policies belong to the json.kyverno.io group and can only be of kind ValidatingPolicy.

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: foo-bar-4\n      validate:\n        assert:\n          all:\n          - foo:\n              bar: 4\n
"},{"location":"policies/policies/#policy-rules","title":"Policy Rules","text":"

A policy can have multiple rules, and rules are processed in order. Evaluation stops at the first rule that fails.

"},{"location":"policies/policies/#match-and-exclude","title":"Match and Exclude","text":"

Policies that apply to JSON payloads use assertion trees in both the match/exclude declarations as well as the validate rule declaration.

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: required-s3-tags\nspec:\n  rules:\n    - name: require-team-tag\n      identifier: address\n      match:\n        any:\n        - type: aws_s3_bucket\n      exclude:\n        any:\n        - name: bypass-me\n      validate:\n        assert:\n          all:\n          - values:\n              tags:\n                Team: ?*\n

In the example above, every resource having type: aws_s3_bucket will match, and payloads having name: bypass-me will be excluded.

"},{"location":"policies/policies/#identifying-payload-entries","title":"Identifying Payload Entries","text":"

A policy rule can contain an optional identifier which declares the path to the payload element that uniquely identifies each entry.

"},{"location":"policies/policies/#context-entries","title":"Context Entries","text":"

A policy rule can contain optional context entries that are made available to the rule via bindings:

apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: required-s3-tags\nspec:\n  rules:\n    - name: require-team-tag\n      match:\n        any:\n        - type: aws_s3_bucket\n      context:\n      # creates a `expectedTeam` binding automatically\n      - name: expectedTeam\n        variable: Kyverno\n      validate:\n        message: Bucket `{{ name }}` does not have the required Team tag {{ $expectedTeam }}\n        assert:\n          all:\n          - values:\n              tags:\n                # use the `$expectedTeam` binding coming from the context\n                Team: ($expectedTeam)\n
"},{"location":"policies/policies/#no-foreach-pattern-operators-anchors-or-wildcards","title":"No forEach, pattern operators, anchors, or wildcards","text":"

The use of assertion trees addresses some features of Kyverno policies that apply to Kubernetes resources.

Specifically, forEach, pattern operators, anchors, or wildcards are not supported for policies that apply to JSON resources. Instead, assertion trees with JMESPath expressions are used to achieve the same powerful features.

"},{"location":"webapp/","title":"Usage","text":"

kyverno-json can be deployed as a web application with a REST API. This is useful for deployments when a long running service that processes policy requests is desired.

"},{"location":"webapp/#managing-policies","title":"Managing Policies","text":"

With kyverno-json policies are managed as Kubernetes resources. This means that you can use Kubernetes APIs, kubectl, GitOps, or any other Kubernetes management tool to manage policies.

"},{"location":"webapp/#usage_1","title":"Usage","text":"

Here is a complete demonstration of how to use kyverno-json as an web application:

Install CRDs

Install the CRD for kyverno-json:

kubectl apply -f .crds/json.kyverno.io_validatingpolicies.yaml\n

Install policies:

Install a sample policy:

kubectl apply -f test/commands/scan/dockerfile/policy.yaml\n

Prepare the payload

The payload is a JSON object with two fields:

Name Type Required payload Object Y preprocessors Array of Strings N

You can construct a sample payload for the Dockerfile policy using:

cat test/commands/scan/dockerfile/payload.json | jq '{\"payload\": .}' > /tmp/webapp-payload.json\n

Run the web application

./kyverno-json serve\n

This will show the output:

2023/10/29 23:46:11 configured route /api/scan\n2023/10/29 23:46:11 listening to requests on 0.0.0.0:8080\n

Send the REST API request

curl http://localhost:8080/api/scan -X POST -H \"Content-Type: application/json\" -d @/tmp/webapp-payload.json | jq\n

The configured policies will be applied to the payload and the results will be returned back:

{\n  \"results\": [\n    {\n      \"policy\": \"check-dockerfile\",\n      \"rule\": \"deny-external-calls\",\n      \"status\": \"fail\",\n      \"message\": \"HTTP calls are not allowed: all[0].check.~.(Stages[].Commands[].Args[].Value)[0].(contains(@, 'https://') || contains(@, 'http://')): Invalid value: true: Expected value: false; wget is not allowed: all[3].check.~.(Stages[].Commands[].CmdLine[])[0].(contains(@, 'wget')): Invalid value: true: Expected value: false\"\n    }\n  ]\n}\n
"},{"location":"webapp/#helm-chart","title":"Helm Chart","text":"

The web application can be installed and managed in a Kubernetes cluster using Helm.

See details at: https://github.com/kyverno/kyverno-json/tree/main/charts/kyverno-json

"},{"location":"catalog/","title":"Policy catalog","text":"

The kyverno-json policy catalog contains curated policies to be reused.

You can share your policies with the community by opening a pull request here.

"},{"location":"catalog/#policies-indexed-by-tags","title":"Policies indexed by tags","text":""},{"location":"catalog/#aws","title":"aws","text":""},{"location":"catalog/#awsecs","title":"aws/ecs","text":""},{"location":"catalog/#dockerfile","title":"dockerfile","text":""}]} \ No newline at end of file diff --git a/main/sitemap.xml b/main/sitemap.xml index 2cc5f71b..de1075a4 100644 --- a/main/sitemap.xml +++ b/main/sitemap.xml @@ -2,207 +2,207 @@ https://github.io/kyverno/kyverno-json/main/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/install/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/intro/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/jp/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/playground/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/quick-start/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/apis/kyverno-json.v1alpha1/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/dockerfile/dockerfile-deny-expose-22/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/dockerfile/dockerfile-deny-latest-image/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/dockerfile/dockerfile-disallow-apt/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/dockerfile/dockerfile-disallow-last-user-root/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/dockerfile/dockerfile-disallow-sudo/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/ecs/ecs-cluster-enable-logging/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/ecs/ecs-cluster-required-container-insights/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/ecs/ecs-service-public-ip/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/ecs/ecs-service-required-latest-platform-fargate/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/ecs/ecs-task-definition-fs-read-only/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/policies/ecs/policy-1/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_completion/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_completion_bash/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_completion_fish/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_completion_powershell/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_completion_zsh/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_docs/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_jp/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_jp_function/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_jp_parse/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_jp_query/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_playground/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_scan/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_serve/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/cli/commands/kyverno-json_version/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/go-library/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/jp/functions/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/policies/asserts/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/policies/policies/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/webapp/ - 2023-12-28 + 2023-12-30 daily https://github.io/kyverno/kyverno-json/main/catalog/ - 2023-12-28 + 2023-12-30 daily \ No newline at end of file diff --git a/main/sitemap.xml.gz b/main/sitemap.xml.gz index 3af3e41b7f7cc3caf5fec4c14a08d6cac1e4bb27..23266cd15aca0a8c83cea2f5b14f7f8c888d66e0 100644 GIT binary patch literal 582 zcmV-M0=fMkiwFoZnUG}y|8r?{Wo=<_E_iKh0PUH~a_SPq8 z&(UB8@W$AV$AqO%-yxeu$)Q!Ho(2^OVFug$pUim1X8-!$yVV&J+2CK++hVg`p*Nwn zzI|DL|MpdVTECW0`yn~PyyD89Ue;aC@r%~uI2L3x_7JHEsnujUz9D@z>P_)^T|TY& zm^=6=U5>pArkr~r?xwZ58>+$veVkZ{zg^WE1+ROsUhnnX;=Ti*+=sf{ZFbLUyHn2_ zu5z{ARWlv<7Mp~pvIgs>y}q-2DAPA-|0>dY%HW(7u{i}9Qs1HsozcP6rZD(ghThX) z%~A0;o3aeS5G_5Ji}My->|iTHzX6^fLMuyb49*&hr0Zagm>TQwuBdAClfw5H2-R-4 zJTwOxDJ$DUi_4<3#K9_z3SwR+*sNC#gh{0k7RpFN9fXphxtz+lfie#gdZ-wU>$IGG zE(D5SI@pA@GQnqV!6r@@g)o;t0iOY=AkrTI0AgPq5dZ)H literal 581 zcmV-L0=oSliwFqLg^gtb|8r?{Wo=<_E_iKh0PUH|WmoyE$VdENSuId<0TYUzczo6e+utaIawHln)VCl*XRt7L(T}c?q4zWz zeN_C-#w0^91Vazz{JaGldf3X)uYub!|gsLpp zhh`xmC1nQaa9wnUI9T~fK}hQaTlA`tFskVNN*QTvyihXKms4pwQsO~E2Q{N{osP55 zl|b=JM-#D8+PlOp*u-g~>H0*%3E8jCMxzR2%} ze@{Xh#CylG&Jyn$*FR=5FgmZSsUt}7WDaJ(LV=LLd|QeF@#meSslF9N$eyr<5dQ!1 Tc@TTK5T@!U^@Du)(jNc-d*>$e