new samples around image practices (kyverno#1302)

realshuting · Nov 25, 2020 · f5d4872 · f5d4872
1 parent d8062eb
commit f5d4872
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 1 deletion.
diff --git a/samples/README.md b/samples/README.md
@@ -2,7 +2,7 @@
 
 Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.
 
-The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy compliance.
+The policies are mostly validation rules in `audit` mode (i.e. your existing workloads will not be impacted, but will be audited for policy compliance). It is recommended that all policies be tested and observed in a non-production environment before setting `enforce` mode.
 
 ## Best Practice Policies
 
@@ -45,6 +45,13 @@ These policies provide additional best practices and are worthy of close conside
 1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md)
 1. [Add default labels](AddDefaultLabels.md)
 
+## Miscellaneous Policies
+
+Policies in this group are either highly-specific, involve third-party CRDs, or may be variations on standard Best Practice or Additional policies.
+
+1. [Require `imagePullPolicy` of `Always` for images not using `latest` tags](RequireImagePullPolicyAlways.md)
+1. [Require images using `latest` tag not use `imagePullPolicy` of `Always`](RequireLatestImagesNotUseAlways.md)
+
 ## Applying the sample policies
 
 To apply these policies to your cluster, install Kyverno and import the policies as follows:

diff --git a/samples/RequireImagePullPolicyAlways.md b/samples/RequireImagePullPolicyAlways.md
@@ -0,0 +1,29 @@
+# Require `imagePullPolicy` is set to `Always` for images not using `latest` tags
+
+By default, Kubernetes sets the `imagePullPolicy` for images which specify a tag to be `IfNotPresent`. In some cases, this may not be desired where the image could be rebuilt upstream. This sample policy ensures that all containers have their `imagePullPolicy` set to `Always`.
+
+## Policy YAML
+
+[imagepullpolicy-always.yaml](misc/imagepullpolicy-always.yaml)
+
+```yaml
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: imagepullpolicy-always
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: imagepullpolicy-always
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The imagePullPolicy must be set to `Always` for all containers when a tag other than `latest` is used."  
+      pattern:
+        spec:
+          containers:
+          - imagePullPolicy: Always
+```
diff --git a/samples/RequireLatestImagesNotUseAlways.md b/samples/RequireLatestImagesNotUseAlways.md
@@ -0,0 +1,32 @@
+# Require images using `latest` tag set `imagePullPolicy` to not `Always`
+
+When using the `latest` tag for images, although generally [not a best practice](DisallowLatestTag.md), Kubernetes defaults its `imagePullPolicy` to `Always`. Since Docker Hub has instituted a [rate-limiting policy](https://www.docker.com/blog/what-you-need-to-know-about-upcoming-docker-hub-rate-limiting/), this could result in reaching that limit faster than anticipated, which could mean errors for other Pods in the cluster or across the enterprise. Ensuring those `latest`-tagged images do not use the default of `Always` is one way to ensure pulls are only when needed.
+
+This sample policy checks the `image` value and ensures that if `:latest` is defined that the `imagePullPolicy` must use something other than the value of `Always`. Note that if no tag is defined, Kyverno will not see that as a violation of the policy.
+
+## Policy YAML
+
+[latestimage-notalways.yaml](misc/latestimage-notalways.yaml)
+
+```yaml
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latestimage-notalways
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: latestimage-notalways
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "When using the `latest` tag, the `imagePullPolicy` must not use `Always`."  
+      pattern:
+        spec:
+          containers:
+          - (image): "*:latest"
+            imagePullPolicy: "!Always"
+```
diff --git a/samples/misc/imagepullpolicy-always.yaml b/samples/misc/imagepullpolicy-always.yaml
@@ -0,0 +1,19 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: imagepullpolicy-always
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: imagepullpolicy-always
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The imagePullPolicy must be set to `Always` for all containers when a tag other than `latest` is used."  
+      pattern:
+        spec:
+          containers:
+          - imagePullPolicy: Always
diff --git a/samples/misc/latestimage-notalways.yaml b/samples/misc/latestimage-notalways.yaml
@@ -0,0 +1,20 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latestimage-notalways
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: latestimage-notalways
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "When using the `latest` tag, the `imagePullPolicy` must not use `Always`."  
+      pattern:
+        spec:
+          containers:
+          - (image): "*:latest"
+            imagePullPolicy: "!Always"