Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommended to use Helm v3+ which does not contain Tiller for these reasons. This policy validates that there is not an image containing the name `tiller`.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-helm-tiller
  annotations:
    policies.kyverno.io/title: Disallow Helm Tiller
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Tiller, found in Helm v2, has known security challenges. It requires administrative privileges
      and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege
      escalation as restricted users can impact other users. It is recommended to use Helm v3+ which
      does not contain Tiller for these reasons. This policy validates that there is not an image
      containing the name `tiller`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: validate-helm-tiller
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Helm Tiller is not allowed
      foreach:
      - list: request.object.spec.containers
        pattern:
          image: "!*tiller*"
      - list: request.object.spec.initContainers
        pattern:
          image: "!*tiller*"
      - list: request.object.spec.ephemeralContainers
        pattern:
          image: "!*tiller*"
```
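To make the rule's semantics concrete, here is an added example (not part of the Kyverno policy library) that re-implements the `!*tiller*` wildcard check in Python and runs it over three constructed Pod specs, one per container list the policy iterates. The image names and Pod names are constructed sample values; the pattern and list names are copied from the policy above.

```python
import re

# Constructed sample Pods: one Tiller image in each of the three lists the policy checks.
PODS = {
    "tiller-deploy": {"spec": {
        "containers": [{"name": "tiller", "image": "example.registry/helm/tiller:v2"}]}},
    "web": {"spec": {
        "containers": [{"name": "app", "image": "nginx:1.25"}],
        "initContainers": [{"name": "init", "image": "busybox:1.36"}]}},
    "debug": {"spec": {
        "containers": [{"name": "app", "image": "nginx:1.25"}],
        "ephemeralContainers": [{"name": "dbg", "image": "example.registry/tiller-debug:latest"}]}},
}

# The lists named in the policy's foreach, and the pattern each image is checked against.
LISTS = ("containers", "initContainers", "ephemeralContainers")
IMAGE_PATTERN = "!*tiller*"


def kyverno_match(pattern: str, value: str) -> bool:
    """Kyverno-style wildcard match: '*' any run, '?' one char, leading '!' negates.
    The match is anchored (whole string) and case-sensitive, like Kyverno's."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    matched = re.fullmatch(regex, value) is not None
    return not matched if negate else matched


def validate_pod(pod: dict) -> list:
    """Return the images that violate the pattern in any of the three container lists.
    A missing list (e.g. no initContainers) is simply skipped, as foreach does."""
    violations = []
    for lst in LISTS:
        for c in pod["spec"].get(lst, []):
            if not kyverno_match(IMAGE_PATTERN, c["image"]):
                violations.append(f"{lst}/{c['name']}: {c['image']}")
    return violations


def audit(pods: dict) -> dict:
    """Audit-mode report: pod name -> violations. Audit only reports; it does not block."""
    return {name: validate_pod(pod) for name, pod in pods.items()}


if __name__ == "__main__":
    for name, v in audit(PODS).items():
        print(name, "PASS" if not v else f"FAIL (Helm Tiller is not allowed): {v}")
```

Because the rule only inspects the image string, an image retagged under a name without `tiller` passes; treat this policy as a guard against accidental Helm v2 use, not as a substitute for RBAC hardening.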