Kubernetes Policy Library Rules
Validating Policy Library Rules Documentation
Audits: Require HTTPS
Require HTTPS for dynamic audit webhook backends (AuditSink resources). Using HTTPS ensures network traffic is encrypted.
Parameters
None
Encryption: Restrict Key Management Service Providers
Allow only key management service (KMS) providers with approved names and corresponding endpoints.
Parameters
- approved_kms_configs
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_kms_configs
Encryption: Require Secrets to be Encrypted
Prohibit the identity provider from being used to store secret data.
Parameters
None
Configmaps: Restrict nginx ingress configmap with snippet annotations allowed
Prevent Nginx Ingress configmaps that set allow-snippet-annotations to true. In multi-tenant clusters, a custom snippet annotation can be used by people with limited permissions to retrieve cluster-wide secrets.
Parameters
None
Resources: Restrict Names
Resource names must match one of the list of regular expressions. This rule does not apply to names inside of templates.
Parameters
- required
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: required
Resource Types
- Exclusions: Namespace
- Verifications: Pod, Deployment, ReplicaSet, Job, DaemonSet, Ingress
Namespaces: Restrict Names
Namespace names must match one of the specified regular expressions.
Parameters
- approved_names
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_names
Resources: Require Annotations
Resources must include specified annotations. This rule does not apply to annotations inside of templates.
Parameters
- required
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: required
Resource Types
- Exclusions: Namespace
- Verifications: Pod, Deployment, ReplicaSet, Job, DaemonSet, Ingress
Resources: Require Labels
Resources must include metadata labels specified as key-value pairs. This rule does not apply to labels in templates.
Parameters
- required
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: required
Resource Types
- Exclusions: Namespace
- Verifications: Pod, Deployment, ReplicaSet, Job, DaemonSet, Ingress
Pods: Require Exclusive Use of Labels
Require each pod to use one label from a mutually exclusive set of labels. For example, you might define priority: high and priority: low as mutually exclusive labels.
Parameters
None
Resources: Require Pod Labels
All pods must include metadata labels specified as key-value pairs.
Parameters
- labels
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: labels
Resource Types
- Exclusions: Namespace
- Verifications: StatefulSet, Deployment, ReplicaSet, DaemonSet
Services: Prohibit IP Addresses
Prevent any service's clusterIP address from being defined within a prohibited IP range.
Parameters
- blacklist: Prohibited IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: blacklist
Services: Restrict IP Addresses
Require every service's clusterIP address to be included in the approved IP address range.
Parameters
- whitelist: Approved IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Ingresses: Deny custom snippet annotations
Prevent Ingress resources with a custom snippet annotation from being created or updated. In multi-tenant clusters, a custom snippet annotation can be used by people with limited permissions to retrieve cluster-wide secrets.
Parameters
None
Ingresses: Restrict Ingress with default Ingress-class
Ensure that every Ingress resource is created with an ingress class other than the default, e.g. by using the annotation kubernetes.io/ingress.class: nginx-internal.
Parameters
None
Loadbalancer: Prohibit loadBalancerSourceRanges
Loadbalancer resources must not allow traffic from the provided IP ranges.
Parameters
- blacklist: Blacklisted IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: blacklist
Loadbalancer: Restrict loadBalancerSourceRanges
Loadbalancer resources should only allow traffic from the provided IP ranges.
Parameters
- whitelist: Approved IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Invariant: Require Complete Network Policy Coverage
Require all pods to be controlled by network policy and reject any changes to network policy, pods, and templated pods that violate the network policy.
Parameters
None
Network: Require Complete Network Policy Coverage
Require all pods to be controlled by network policy and reject NetworkPolicy changes that leave pods without NetworkPolicy coverage.
Parameters
None
Container: Require Complete Network Policy Coverage for Pods
Require all pods to be controlled by a NetworkPolicy and reject any pod that is not controlled by a NetworkPolicy.
Parameters
None
Container: Require Complete Network Policy Coverage for Templated Pods
Require all pods to be controlled by a NetworkPolicy and reject any template that produces a pod that is not controlled by a NetworkPolicy.
Parameters
None
Egresses: Prohibit Namespace Selectors
Prevent NetworkPolicy resources from defining any egress rules with prohibited namespace selectors.
Parameters
- prohibited_namespace_selectors
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: prohibited_namespace_selectors
Egresses: Prohibit Ports
Prevent NetworkPolicy resources from defining any egress rules with prohibited ports.
Parameters
- prohibited_named_ports
  - Type: object
  - Unique: false
  - Required: true
- prohibited_ports
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: prohibited_named_ports, prohibited_ports
Egresses: Restrict Ports
Expect every egress ports field to match the specified list of protocol-port pairs.
Parameters
- approved_named_ports
  - Type: object
  - Unique: false
  - Required: true
- approved_ports
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_named_ports, approved_ports
Egresses: Restrict Selectors
Require NetworkPolicy resources to define egress rules with approved namespace and pod selectors.
Parameters
- approved_namespace_selectors
  - Type: object
  - Unique: false
  - Required: true
- approved_pod_selectors
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_namespace_selectors, approved_pod_selectors
Ingresses: Prohibit Namespace Selectors
Prevent NetworkPolicy resources from defining any ingress rules with prohibited namespace selectors.
Parameters
- prohibited_namespace_selectors
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: prohibited_namespace_selectors
Ingresses: Prohibit Ports
Prevent NetworkPolicy resources from defining any inbound (ingress) rules that use prohibited ports.
Parameters
- prohibited_named_ports
  - Type: object
  - Unique: false
  - Required: true
- prohibited_ports
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: prohibited_named_ports, prohibited_ports
Ingresses: Restrict Ports
Require every ingress ports field to match the list of specified protocol-port pairs.
Parameters
- approved_named_ports
  - Type: object
  - Unique: false
  - Required: true
- approved_ports
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_named_ports, approved_ports
Ingresses: Restrict Namespace and Pod Selectors
Require NetworkPolicy resources to define ingress rules that include approved namespace selectors and pod selectors.
Parameters
- approved_namespace_selectors
  - Type: object
  - Unique: false
  - Required: true
- approved_pod_selectors
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_namespace_selectors, approved_pod_selectors
Services: Prohibit External Load Balancers
Prevent services from creating cloud network load balancers.
Parameters
None
Container: Restrict Ports
Ensure containers listen only on allowed ports.
Parameters
- container_port_numbers
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: container_port_numbers
Service: Restrict Ports
Ensure services listen only on allowed ports.
Parameters
- port_numbers
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: port_numbers
kubectl exec: Restrict Commands
Allows users to whitelist commands that may be used with "kubectl exec".
Parameters
- allowed_commands
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: allowed_commands
Egresses: Prohibit IP Blocks
Prevent NetworkPolicy resources from defining any egress rules within prohibited IP address ranges.
Parameters
- blacklist: Prohibited IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: blacklist
Egresses: Restrict IP Blocks
Require that NetworkPolicy resources define egress rules only within approved IP address ranges.
Parameters
- whitelist: Approved IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Pod: Prohibit Containers From Sharing HostPID or HostIPC Namespace
Expect hostPID and hostIPC to be set to false.
Parameters
None
Resource Types
- Verifications: Pod, Deployment, ReplicaSet
Ingresses: Restrict Hostnames
Require ingress hostnames to match one of the globs you specify.
Parameters
- whitelist
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Ingresses: Prohibit IP Blocks
Prevent NetworkPolicy resources from defining any ingress rules that allow traffic on IP addresses in the prohibited ranges you specify.
Parameters
- blacklist: Prohibited IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: blacklist
Ingresses: Restrict IP Blocks
Require NetworkPolicy resources to define ingress rules that only allow traffic within the IP address ranges you specify.
Parameters
- whitelist: Approved IP address ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Pod: Restrict hostPorts
Ensure containers access allowed hostPorts only.
Parameters
- host_port_ranges
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: host_port_ranges
Ingresses: Prohibit Host Conflicts
Ensure that no two ingresses are configured to use the same hostname. This rule is not compatible with mock OPAs.
Parameters
None
Ingresses: Prohibit Host Path Conflicts
Ensure that no two ingresses are configured to use the same hostname and overlapping paths. Path conflicts are detected using prefix matching. This rule is not compatible with mock OPAs.
Parameters
None
Ingresses: Require TLS
Require all ingresses to have Transport Layer Security (TLS) configured.
Parameters
None
Role-Based Access Control (RBAC): Restrict Roles to Protect OPA Webhook
Allow only an approved list of ClusterRoles to hold create, update, or delete permissions on the validatingwebhookconfigurations and mutatingwebhookconfigurations kinds.
Parameters
- approved_roles
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_roles
Service Accounts: Prohibit Namespaces
Prevent service accounts from being created or updated in prohibited namespaces.
Parameters
- prohibited_namespaces
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_namespaces
Audits: Restrict Groups
Allow dynamic audit webhook backends (AuditSink resources) to be created only by approved groups.
Parameters
- approved_groups
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_groups
Audits: Restrict Users
Allow dynamic audit webhook backends (AuditSink resources) to be created only by approved users.
Parameters
- approved_users
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_users
Encryption: Restrict Configuration to Specific Groups
Allow encryption to be configured only by approved groups.
Parameters
- approved_groups
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_groups
Encryption: Restrict Configuration to Specific Users
Allow encryption to be configured only by approved users.
Parameters
- approved_users
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_users
Cluster Role Bindings: Prohibit Built-In Role Modifications
Prevent privileged built-in roles, such as admin and cluster-admin, from being modified.
Parameters
None
Cluster Roles: Prohibit Updates from Specified Users
Prevent the specified users from creating or updating cluster roles.
Parameters
- prohibited_users
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_users
Cluster Roles: Restrict Updates to Approved Users
Allow only the approved users to create or update cluster roles.
Parameters
- approved_users
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: approved_users
Cluster Roles: Prohibit Wildcard API Groups
Require cluster roles to be granted access to specific API groups without using wildcards.
Parameters
None
Cluster Roles: Prohibit Wildcard Resources
Require cluster roles to be granted access to each resource without using wildcards.
Parameters
None
Cluster Roles: Prohibit Wildcard Verbs
Require cluster roles to be granted access to each API verb without using wildcards.
Parameters
None
Cluster Role Bindings: Prohibit Cluster Roles
Prevent cluster role bindings from using prohibited roles.
Parameters
- prohibited_roles
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_roles
Cluster Role Bindings: Prohibit Wildcard User/Group Names
Require cluster roles to have each user and group assigned without using wildcards.
Parameters
None
Roles: Prohibit Pod Shell Access
Prohibit roles and cluster roles from being created with the capability to access pod shells.
Parameters
None
Roles: Prohibit Wildcard API Groups
Require roles to be granted access to specific API groups without using wildcards.
Parameters
None
Roles: Prohibit Wildcard Resources
Require roles to be granted access to each resource without using wildcards.
Parameters
None
Roles: Prohibit Wildcard Verbs
Require roles to be granted access to each API verb without using wildcards.
Parameters
None
Cluster Roles: Prohibit Name Prefixes
Prevent cluster roles from being created with specific name prefixes such as system.
Parameters
- prohibited_name_prefixes
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_name_prefixes
Role Bindings: Prohibit Cluster Roles
Prevent role bindings from using prohibited ClusterRoles.
Parameters
- prohibited_roles
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_roles
NetworkPolicy: Restrict Operations to Specified Users
Require that only specified users be allowed to perform specific operations.
Parameters
- approved_users
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_users
Storage: Restrict Persistent Volume Storage Classes
Require every persistent volume claim to use an approved storage class and (optionally) an approved access mode (ReadOnlyMany, ReadWriteMany, ReadWriteOnce).
Details
Every persistent volume claim can specify a storage class and an access mode (ReadOnlyMany, ReadWriteMany, ReadWriteOnce). If no class is specified by the claim, the default storage class will be used.
Parameters
- classes
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: classes
Resource Types
- Inclusions: PersistentVolumeClaim
Storage: Require Persistent Volume Encryption
Require persistent volume claims to request storage only from an encrypting storage class.
Parameters
None
Resource Types
- Inclusions: PersistentVolumeClaim
Storage: Restrict Network File System (NFS) Mount Points
Require every NFS mount to use an approved mount path.
Details
Any NFS volume mounted into a pod may only use a mount point specified by a whitelist.
Parameters
- approved_mount_points
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: approved_mount_points
Resource Types
- Inclusions: Pod, DaemonSet, Deployment, ReplicaSet, StatefulSet
Pod: Restrict FlexVolumes
Ensure resources use FlexVolume drivers from an approved list.
Parameters
- whitelist
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Resource Types
- Verifications: Pod, Deployment, ReplicaSet
Pod: Restrict FsGroup
Ensure resources use an FsGroup from an approved whitelist.
Parameters
- fs_group_ranges
  - Type: array
  - Unique: true
  - Required: true
- fs_group_rule
  - Type: string
  - Unique: false
  - Required: true
Required Parameters: fs_group_ranges, fs_group_rule
Pod: Restrict Types of Volumes
Ensure resources use volume types from an approved list.
Parameters
- whitelist
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: whitelist
Resource Types
- Verifications: Pod, Deployment, ReplicaSet
Nodes: Prohibit Master Workloads
Prevent workloads from being deployed to master nodes.
Parameters
None
Resource Types
- Inclusions: Pod, DaemonSet, Deployment, ReplicaSet, StatefulSet
Nodes: Prohibit nodeName-based Workload Assignment
Prevent workloads from specifying nodeName to exploit direct scheduling and bypass the scheduler.
Parameters
None
Resource Types
- Inclusions: Pod, DaemonSet, Deployment, ReplicaSet, StatefulSet
Containers: Prohibit Images (Blocklist - Exact)
Prohibit container images from specified registries (Host) and (optionally) from specified repository image paths.
Parameters
- blocklist
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: blocklist
Resource Types
- Verifications: Pod, Deployment, ReplicaSet, Job, DaemonSet, Service, Endpoint, Ingress
Containers: Prohibit Images (Blocklist - Globs)
Prohibit container images from specified registries (Host) and repository paths specified as a path with optional wildcard globs.
Parameters
- blocklist
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: blocklist
Resource Types
- Verifications: Pod, Deployment, ReplicaSet, Job, DaemonSet
Pods: Prohibit Mounting of ConfigMap Resources
Prevent pods from referencing ConfigMap resources that contain the restricted keys you specify.
Parameters
- prohibited_keys
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_keys
Containers: Deny workloads that use the default service account
Ensure that no container uses the default service account.
Parameters
None
Pods: Prohibit Specified Host Paths
Prevent volumes from accessing prohibited paths on the host node’s file system.
Parameters
- prohibited_host_paths: Use glob patterns to specify the host paths that cannot be accessed.
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_host_paths
Containers: Prohibit windowsOptions HostProcess
Restrict containers that specify windowsOptions HostProcess.
Parameters
None
Resource Types
- Inclusions: Pod, DaemonSet, Deployment, Job
Resources: Require Valid Replicas
Expect Resources to specify a minimum valid replica count (default: 1). The default minimum count can be changed by specifying it in the parameter.
Parameters
- replica_count: Value (Example: 2)
  - Type: number
  - Unique: false
Resource Types
- Verifications: Deployment
Namespace: Prohibit Namespace Changes
Prevent changes from being made to a list of specified namespaces.
Parameters
- prohibited_namespaces
  - Type: array
  - Unique: true
  - Required: true
Required Parameters: prohibited_namespaces
Pods: Restrict Priority
Ensure pods use approved minimum and maximum priority values.
Parameters
- max: Maximum priority value allowed
  - Type: number
  - Unique: false
  - Required: true
- min: Minimum priority value allowed
  - Type: number
  - Unique: false
  - Required: true
Required Parameters: max, min
Pods: Require Node Selectors
Ensure a pod specifies node selectors that match an approved list.
Parameters
- pod
  - Type: string
  - Unique: false
  - Required: true
- selectors
  - Type: object
  - Unique: false
  - Required: true
Required Parameters: pod, selectors
Storage Classes: Prohibit Retain Reclaim Policy
Prevent storage classes from using Retain as a reclaim policy.
Parameters
None
Containers: Deny workloads that mount the service account token
Ensure that no container mounts the service account token.
Parameters
None