Container images can be built from a variety of sources, including other preexisting images. Ensuring that images allowed to run are built from known, trusted images whose provenance is guaranteed can be an important step in ensuring overall cluster security. This policy ensures that any container image specifies some base image in its metadata from one of four possible sources: Docker BuildKit build info, an OCI annotation on the manifest, an OCI label in the image config, or Buildpacks lifecycle metadata. Note that the ability to detect the presence of a base image is not implicit and requires the author to specify it using metadata or build directives of some sort (e.g., a Dockerfile FROM statement does not automatically expose this information).
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-base-image
  annotations:
    policies.kyverno.io/title: Check Image Base
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Container images can be built from a variety of sources, including other
      preexisting images. Ensuring images that are allowed to run are built from
      known, trusted images where their provenance is guaranteed can be an important
      step in ensuring overall cluster security. This policy ensures that any container
      image specifies some base image in its metadata from four possible sources:
      Docker BuildKit, OCI annotations (in manifest or config), or Buildpacks. Note that
      the ability to detect the presence of a base image is not implicit and requires
      the author to specify it using metadata or build directives of some sort
      (ex., Dockerfile FROM statements do not automatically expose this information).
spec:
  validationFailureAction: Audit
  rules:
  - name: require-base-image
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: Images must specify a source/base image from which they are built.
      foreach:
      - list: request.object.spec.containers
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        - name: mobysource
          variable:
            jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@) | sources[?type == 'docker-image'].ref | length(@)
            default: 0
        - name: ocisourcelabels
          variable:
            jmesPath: imageData.configData.config.Labels | keys(@)
            default: []
        - name: ocisourceannotations
          variable:
            jmesPath: imageData.manifest.annotations."org.opencontainers.image.base.name"
            default: ""
        - name: buildpacks
          variable:
            jmesPath: parse_json(imageData.configData.config.Labels."io.buildpacks.lifecycle.metadata").runImage.reference || parse_json(imageData.configData.config.Labels."io.buildpacks.lifecycle.metadata").stack.runImage.image
            default: ""
        deny:
          conditions:
            all:
            - key: org.opencontainers.image.base.name
              operator: AnyNotIn
              value: "{{ ocisourcelabels }}"
            - key: "{{ ocisourceannotations }}"
              operator: Equals
              value: ""
            - key: "{{ mobysource }}"
              operator: Equals
              value: 0
            - key: "{{ buildpacks }}"
              operator: Equals
              value: ""
```
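To see what the four deny conditions above actually test, here is an added Python example (not Kyverno's code and not part of the policy) that re-implements the same checks over the image config and manifest JSON that tools such as `docker inspect` or `crane config` / `crane manifest` print. The image names, labels and BuildKit build info below are constructed sample values, so the script runs offline; the deny logic is the policy's: a Pod is denied only when all four sources are absent.

```python
"""Offline mirror of the require-base-image policy's JMESPath checks.
Added example, not Kyverno code. All image metadata below is constructed."""
import base64
import json

BASE_LABEL = "org.opencontainers.image.base.name"
BUILDKIT_KEY = "moby.buildkit.buildinfo.v1"
BUILDPACKS_LABEL = "io.buildpacks.lifecycle.metadata"


def _labels(config):
    """Image config -> Labels map (config.config.Labels), tolerating missing keys."""
    return (config.get("config") or {}).get("Labels") or {}


def buildkit_sources(config):
    """Mirror of the policy's 'mobysource' variable: BuildKit stores build info
    under moby.buildkit.buildinfo.v1 as base64-encoded JSON; return the refs of
    sources whose type is docker-image. Undecodable data counts as no source."""
    raw = config.get(BUILDKIT_KEY)
    if not raw:
        return []
    try:
        info = json.loads(base64.b64decode(raw))
    except (ValueError, json.JSONDecodeError):
        return []
    return [s["ref"] for s in info.get("sources", [])
            if s.get("type") == "docker-image" and "ref" in s]


def has_oci_base_label(config):
    """Mirror of 'ocisourcelabels' plus the AnyNotIn condition: the policy only
    checks that the label key exists, not that its value is non-empty."""
    return BASE_LABEL in _labels(config)


def oci_base_annotation(manifest):
    """Mirror of 'ocisourceannotations': the manifest-level OCI annotation."""
    return (manifest.get("annotations") or {}).get(BASE_LABEL, "")


def buildpacks_run_image(config):
    """Mirror of 'buildpacks': runImage.reference, falling back to
    stack.runImage.image, read from the lifecycle metadata label (a JSON string)."""
    raw = _labels(config).get(BUILDPACKS_LABEL)
    if not raw:
        return ""
    try:
        meta = json.loads(raw)
    except json.JSONDecodeError:
        return ""
    ref = (meta.get("runImage") or {}).get("reference")
    if ref:
        return ref
    return ((meta.get("stack") or {}).get("runImage") or {}).get("image", "")


def base_image_evidence(config, manifest):
    """Every base-image claim the policy would accept, keyed by source.
    An empty dict means all four deny conditions hold: the Pod is denied
    (or only reported, under validationFailureAction: Audit)."""
    evidence = {}
    if has_oci_base_label(config):
        evidence["oci-label"] = _labels(config)[BASE_LABEL]
    ann = oci_base_annotation(manifest)
    if ann:
        evidence["oci-annotation"] = ann
    refs = buildkit_sources(config)
    if refs:
        evidence["buildkit"] = refs
    bp = buildpacks_run_image(config)
    if bp:
        evidence["buildpacks"] = bp
    return evidence


def policy_allows(config, manifest):
    return bool(base_image_evidence(config, manifest))


# --- constructed sample metadata (not real images) ---
def _b64json(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()

BUILDKIT_CONFIG = {
    "config": {"Labels": {}},
    BUILDKIT_KEY: _b64json({"sources": [
        {"type": "docker-image", "ref": "docker.io/library/alpine:3.18"},
        {"type": "http", "ref": "https://example.invalid/tool.tar.gz"},
    ]}),
}
BUILDPACKS_CONFIG = {"config": {"Labels": {BUILDPACKS_LABEL: json.dumps(
    {"stack": {"runImage": {"image": "example.invalid/paketo/run:base-cnb"}}})}}}
BARE_CONFIG = {"config": {"Labels": {"maintainer": "someone"}}}
EMPTY_MANIFEST = {"schemaVersion": 2}
ANNOTATED_MANIFEST = {"schemaVersion": 2,
                      "annotations": {BASE_LABEL: "docker.io/library/debian:12"}}

if __name__ == "__main__":
    for name, cfg, man in [("buildkit", BUILDKIT_CONFIG, EMPTY_MANIFEST),
                           ("buildpacks", BUILDPACKS_CONFIG, EMPTY_MANIFEST),
                           ("annotated", BARE_CONFIG, ANNOTATED_MANIFEST),
                           ("bare", BARE_CONFIG, EMPTY_MANIFEST)]:
        print(name, "ALLOW" if policy_allows(cfg, man) else "DENY",
              base_image_evidence(cfg, man))
```

Two details of the policy are worth noticing when reading the mirror: the OCI label condition is satisfied by the mere presence of the `org.opencontainers.image.base.name` key, even with an empty value, and the BuildKit check counts only sources of type `docker-image`, so an image built purely from `http` or `git` sources still fails that branch. Running the script against real `crane config` / `crane manifest` output before switching `validationFailureAction` from `Audit` to `Enforce` shows which images in a registry would be blocked.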
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.