Tiller, the in-cluster server component of Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource reachable by any authenticated user, so a restricted user who can talk to Tiller can have it act with Tiller's privileges and affect other users' releases. Helm v3 removed Tiller for these reasons and is the recommended version. This policy validates that no container, init container, or ephemeral container in a Pod uses an image whose name contains `tiller`. Note that this is a name-based check: the pattern `!*tiller*` is evaluated against the image string only, so an image that has been retagged under a name that does not contain `tiller` is not caught. As shipped, the policy runs with `validationFailureAction: Audit`, so violations are reported but the Pod is still admitted; set it to `Enforce` to reject such Pods.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-helm-tiller
  annotations:
    policies.kyverno.io/title: Disallow Helm Tiller
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Tiller, found in Helm v2, has known security challenges. It requires administrative privileges
      and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege
      escalation as restricted users can impact other users. It is recommended to use Helm v3+ which
      does not contain Tiller for these reasons. This policy validates that there is not an image
      containing the name `tiller`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-helm-tiller
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Helm Tiller is not allowed
      foreach:
      - list: request.object.spec.containers
        pattern:
          image: "!*tiller*"
      - list: request.object.spec.initContainers
        pattern:
          image: "!*tiller*"
      - list: request.object.spec.ephemeralContainers
        pattern:
          image: "!*tiller*"
```
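To make the rule's semantics concrete, the following is an added example, not code from the page or from the Kyverno project: a small Python reimplementation of what the three `foreach` blocks do. It models Kyverno's wildcard pattern (`*` matches any run of characters, `?` one character, a leading `!` negates), walks `containers`, `initContainers` and `ephemeralContainers`, and runs the check against four constructed Pod manifests. The manifests, image names and function names are assumptions made for the example; the last Pod shows the name-based limitation, since an image that does not contain `tiller` in its name passes the rule.

```python
import re
from typing import Any, Dict, List

# Constructed sample Pods (dicts standing in for parsed YAML); not from the page.
POD_CLEAN = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
}
POD_TILLER = {
    "metadata": {"name": "tiller-deploy"},
    "spec": {"containers": [{"name": "tiller", "image": "gcr.io/kubernetes-helm/tiller:v2.16.1"}]},
}
POD_INIT_TILLER = {
    "metadata": {"name": "sneaky-init"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.25"}],
        "initContainers": [{"name": "boot", "image": "ghcr.io/example/tiller:latest"}],
    },
}
# Same kind of workload retagged under a name without "tiller": the rule cannot see it.
POD_RENAMED = {
    "metadata": {"name": "renamed"},
    "spec": {"containers": [{"name": "srv", "image": "registry.example/helm-server:v2"}]},
}

CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
IMAGE_PATTERN = "!*tiller*"  # the pattern used by all three foreach entries


def wildcard_match(pattern: str, value: str) -> bool:
    """Simplified stand-in for Kyverno's wildcard matcher (assumption: only * and ? are special)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def pattern_allows(pattern: str, value: str) -> bool:
    """A pattern with a leading '!' is negated: the value must NOT match the rest of it."""
    if pattern.startswith("!"):
        return not wildcard_match(pattern[1:], value)
    return wildcard_match(pattern, value)


def validate_helm_tiller(pod: Dict[str, Any]) -> List[str]:
    """Return violation messages for the Pod; an empty list means the rule passes.

    Mirrors the policy's three foreach blocks: each container list is scanned, and a
    list that is absent from the spec (e.g. no ephemeralContainers) contributes nothing.
    """
    violations: List[str] = []
    spec = pod.get("spec", {})
    for field in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(field) or []):
            image = container.get("image", "")
            if not pattern_allows(IMAGE_PATTERN, image):
                violations.append(
                    f"spec.{field}[{idx}].image={image!r}: Helm Tiller is not allowed"
                )
    return violations


if __name__ == "__main__":
    for pod in (POD_CLEAN, POD_TILLER, POD_INIT_TILLER, POD_RENAMED):
        name = pod["metadata"]["name"]
        result = validate_helm_tiller(pod)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for msg in result:
            print("  ", msg)
```

Running it reports `web` and `renamed` as passing and `tiller-deploy` and `sneaky-init` as failing; the `sneaky-init` failure points at `spec.initContainers[0]`, which is why the policy lists all three container arrays rather than only `containers`. The `renamed` Pod passing is the caveat to keep in mind when relying on image-name patterns alone.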
This policy prevents an Application from being placed in the `default` project. The `default` project has no restrictions, so an Application in it may deploy from any source repository to any destination cluster and namespace; requiring an explicitly scoped project keeps those limits in force.
Services of type LoadBalancer deployed in AWS support TLS termination at the load balancer when it is enabled through an annotation: `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` names the certificate (an ACM or IAM certificate ARN) that the load balancer presents to clients. This policy requires that every Service of type LoadBalancer carry that annotation with some value. Note that the policy only checks for a non-empty value; it does not verify that the ARN is valid or that the TLS listener ports are configured (for example via `service.beta.kubernetes.io/aws-load-balancer-ssl-ports`), so a Service can satisfy the policy while still exposing a plaintext listener.
This policy prevents updates to the `project` field after an Application has been created, so an Application cannot later be moved into a different, possibly more permissive, project.