Additional sample policies to customize and use.

Add Volume

Sample policy to add a volume and volumeMount.

Add Pod Anti-Affinity

Sample policy to add Pod anti-affinity

Disallow Secrets from Env Vars

Sample policy to disallow populating environment variables from Secrets. A value placed in the environment is visible to anything that can inspect the process (for example via kubectl exec or a crash dump), whereas a Secret mounted as a volume stays a file with its own permissions.

Validate Probes

Sample policy to check that liveness and readiness probes are not set to the same values. Identical probes mean that a condition which should only take a Pod out of rotation also restarts its container.

Set imagePullPolicy

Sample policy that sets imagePullPolicy to “Always” when the “latest” tag is used.
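As an added illustration (not the page's own sample policy), the following Kyverno ClusterPolicy mutates any Pod whose container image ends in ":latest" so that imagePullPolicy becomes "Always". It assumes Kyverno 1.3 or newer, where mutate rules use patchStrategicMerge; the "(image)" key is Kyverno's conditional anchor, so only list elements whose image matches the wildcard receive the patch.

```yaml
# Added example, assumes Kyverno >= 1.3 (patchStrategicMerge); policy name is illustrative
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-image-pull-policy
spec:
  rules:
  - name: always-pull-latest
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # conditional anchor: apply the rest of this element only to
          # containers whose image matches *:latest
          - (image): "*:latest"
            imagePullPolicy: "Always"
          # initContainers get the same treatment; an init container
          # pulling a stale cached image is just as much of a problem
          =(initContainers):
          - (image): "*:latest"
            imagePullPolicy: "Always"
```

Note the gap a practitioner will want to close: an image reference with no tag at all ("nginx" rather than "nginx:latest") also resolves to latest but does not match "*:latest". Either add a second anchor for images without a ":" or, better, require digests or explicit tags with a separate validate rule.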

Inject Sidecar Container

Sample policy that injects a sidecar container into Pods that match an annotation.

Require Multiple Replicas

Sample policy that requires more than one replica for deployments.

Restrict Auto-Mount of Service Account Tokens

Kubernetes automatically mounts service account credentials into each Pod, at /var/run/secrets/kubernetes.io/serviceaccount/. The service account may be bound to roles that allow API access, so anything that gains code execution in a container inherits that access. To restrict it, opt out of auto-mounting by setting automountServiceAccountToken to false on the Pod (or on the ServiceAccount itself).
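An added example of such a policy (not the page's own sample): a Kyverno ClusterPolicy that rejects any Pod unless it explicitly sets automountServiceAccountToken to false. Because the pattern requires the key to be present, a Pod that omits the field (and would therefore be defaulted to true by the API server) is rejected too. The policy name and the excluded namespace are assumptions for illustration.

```yaml
# Added example, not the page's sample policy; name and excluded namespace are illustrative
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token
spec:
  # enforce rejects the admission request; use audit to report only
  validationFailureAction: enforce
  rules:
  - name: validate-automountServiceAccountToken
    match:
      resources:
        kinds:
        - Pod
    # controllers and operators in kube-system legitimately need the API
    exclude:
      resources:
        namespaces:
        - kube-system
    validate:
      message: "Auto-mounting of Service Account tokens is not allowed"
      pattern:
        spec:
          # boolean fields are written as strings in Kyverno patterns;
          # a missing key fails the pattern, which is what we want here
          automountServiceAccountToken: "false"
```

Run it first in audit mode and review the PolicyReport results: workloads that genuinely talk to the API (CI runners, operators, anything using client-go) will show up and need either an exclude clause or a dedicated, narrowly scoped ServiceAccount rather than a blanket exemption.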

Restrict Ingress Classes

It can be useful to restrict Ingress resources to the set of ingress classes actually installed in the cluster, so that a tenant cannot point traffic at a controller you do not operate. Customize the allowed list in this policy to match the classes configured in your cluster; note that the class can be declared either with the kubernetes.io/ingress.class annotation or, from Kubernetes 1.18, with spec.ingressClassName.
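As an added example (not the page's sample), a Kyverno ClusterPolicy that allows only the classes "nginx" and "haproxy", checking both the legacy annotation and spec.ingressClassName. The allowed values, the policy name and the use of the "=()" equality anchor (check the value only if the key is present) are assumptions for illustration; the "|" operator is Kyverno's logical OR inside a pattern value.

```yaml
# Added example; allowed classes "nginx" and "haproxy" are illustrative
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-classes
spec:
  validationFailureAction: enforce
  rules:
  # Kubernetes >= 1.18 style: spec.ingressClassName
  - name: validate-ingress-class-name
    match:
      resources:
        kinds:
        - Ingress
    validate:
      message: "Unknown ingress class in spec.ingressClassName; allowed: nginx, haproxy"
      pattern:
        spec:
          # =() means: if the field exists it must match, absence is tolerated
          =(ingressClassName): "nginx | haproxy"
  # legacy style: the kubernetes.io/ingress.class annotation
  - name: validate-ingress-class-annotation
    match:
      resources:
        kinds:
        - Ingress
    validate:
      message: "Unknown ingress class in annotation; allowed: nginx, haproxy"
      pattern:
        metadata:
          =(annotations):
            =(kubernetes.io/ingress.class): "nginx | haproxy"
```

Both rules tolerate an Ingress that declares no class at all, which then lands on whatever controller is marked as the cluster default. If you want every Ingress to name its class explicitly, drop the "=()" anchor on the field you require so that its absence fails validation.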

Disallow Service Type LoadBalancer

Sample policy to restrict use of Service type LoadBalancer.

Validate User ID, Group ID, and FS Group

All processes inside the Pod can be made to run with a specific user ID and group ID by setting runAsUser and runAsGroup respectively. fsGroup can be specified so that any file created in a volume is owned by the specified group ID. These options can be validated to ensure the IDs used fall within an allowed range (for example, to refuse UID 0). Note that a container-level securityContext overrides the Pod-level one, so a policy should check both.
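An added example of such validation (not the page's sample): a Kyverno ClusterPolicy requiring Pod-level runAsUser, runAsGroup and fsGroup to lie in 1000-65535, and applying the same bound to any container-level override. The numeric range is an assumption chosen for illustration; Kyverno pattern values support inclusive ranges written as "min-max", and a single-element list in a pattern is matched against every element of the corresponding list in the resource.

```yaml
# Added example; the 1000-65535 range and policy name are illustrative
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-userid-groupid-fsgroup
spec:
  validationFailureAction: enforce
  rules:
  - name: validate-pod-ids
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "runAsUser, runAsGroup and fsGroup must be set at Pod level and lie in 1000-65535"
      pattern:
        spec:
          securityContext:
            # all three keys are required here; a missing key fails validation,
            # which closes the "defaults to root" case
            runAsUser: "1000-65535"
            runAsGroup: "1000-65535"
            fsGroup: "1000-65535"
  - name: validate-container-overrides
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "container-level runAsUser/runAsGroup overrides must also lie in 1000-65535"
      pattern:
        spec:
          # this single pattern element is checked against every container
          containers:
          - =(securityContext):
              =(runAsUser): "1000-65535"
              =(runAsGroup): "1000-65535"
          =(initContainers):
          - =(securityContext):
              =(runAsUser): "1000-65535"
              =(runAsGroup): "1000-65535"
```

The second rule uses the "=()" anchor so that a container without its own securityContext simply inherits the already-validated Pod values, while any override it does declare is held to the same range. If your threat model only cares about root, "!0" on each field is a simpler pattern than a range.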

Spread Pods Across Nodes

Sample policy to spread pods matching a label across nodes.

Last modified December 30, 2020: fix typo (90d09f6)