Kubernetes Events are limited in that the circumstances under which they are created cannot be changed and with what they are associated is fixed. It may be advantageous in many cases to augment these out-of-the-box Events with custom Events which can be custom designed to your needs. This policy generates an Event on a Pod when an exec has been made to it. It lists the userInfo of the actor performing the exec along with the command used in the exec.
apiVersion: kyverno.io/v2beta1kind: ClusterPolicymetadata:name: audit-event-on-execannotations:policies.kyverno.io/title: Audit Event on Pod Execpolicies.kyverno.io/category: Otherkyverno.io/kyverno-version: 1.10.0policies.kyverno.io/minversion: 1.10.0kyverno.io/kubernetes-version: "1.26"policies.kyverno.io/subject: Podpolicies.kyverno.io/description: Kubernetes Events are limited in that the circumstances under which they are created cannot be changed and with what they are associated is fixed. It may be advantageous in many cases to augment these out-of-the-box Events with custom Events which can be custom designed to your needs. This policy generates an Event on a Pod when an exec has been made to it. It lists the userInfo of the actor performing the exec along with the command used in the exec.spec:background: falserules:- name: generate-event-on-execmatch:any:- resources:kinds:- Pod/execcontext:- name: parentPodUIDapiCall:urlPath: /api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}jmesPath: metadata.uidgenerate:apiVersion: v1kind: Eventname: exec.{{ random('[a-z0-9]{6}') }}namespace: "{{request.namespace}}"synchronize: falsedata:firstTimestamp: "{{ time_now_utc() }}"involvedObject:apiVersion: v1kind: Podname: "{{ request.name }}"namespace: "{{ request.namespace }}"uid: "{{ parentPodUID }}"lastTimestamp: "{{ time_now_utc() }}"message: An exec was performed by {{ request.userInfo | to_string(@) }} running commands {{ request.object.command }}reason: Execsource:component: kyvernotype: Warning
This policy generates and synchronizes Argo CD cluster secrets from Rancher managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets. In this solution, Argo CD integrates with Rancher managed clusters via the central Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI. The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.
By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.