# This is a Rancher questions file
---
questions:
# Recommended policies questions:
- variable: "recommendedPolicies.enabled"
type: boolean
default: false
required: true
label: Enable recommended policies
description: |
Whether the recommended policies are enabled or not. Recommended
policies are a minimum set of policies that secure your cluster and
Kubewarden, while leaving the system namespaces untouched.
group: "Recommended Policies"
- variable: "recommendedPolicies.defaultPolicyMode"
type: enum
options:
- "monitor"
- "protect"
default: "monitor"
show_if: recommendedPolicies.enabled=true
label: Execution mode of the recommended policies
description: |
Execution mode of the recommended policies. "protect" rejects requests that
violate a policy; "monitor" only logs them, so the recommended policies do not
block anything until the mode is switched to "protect". Transitioning from
"monitor" to "protect" is allowed, but not from "protect" to "monitor".
group: "Recommended Policies"
- variable: "recommendedPolicies.skipAdditionalNamespaces"
type: array[
show_if: recommendedPolicies.enabled=true
label: Additional namespaces to skip from evaluation
description: |
Additional namespaces that the recommended policies will not apply to.
Workloads in these namespaces are not evaluated at all, so keep this list to
namespaces you trust.
group: "Recommended Policies"
# Default PolicyServer questions
- variable: "policyServer.serviceAccountName"
type: string
required: true
label: Name of the ServiceAccount associated to the PolicyServer default
description: |
Name of the ServiceAccount associated with the default PolicyServer. Keep the
RBAC permissions granted to this ServiceAccount to the minimum the
PolicyServer needs.
group: "Default PolicyServer"
# Default PolicyServer HA
- variable: "policyServer.replicaCount"
type: integer
default: 1
required: true
label: Number of replicas
description: |
Number of replicas of the PolicyServer Deployment
group: "Default PolicyServer HA"
# no-privilege-escalation policy settings
- variable: recommendedPolicies.allowPrivilegeEscalationPolicy.settings.allowPrivilegeEscalation
description: >-
This policy works by inspecting the containers and init containers of a Pod.
If any of these containers have `allowPrivilegeEscalation` enabled, the Pod
will be rejected.
tooltip: >-
Used to default to disallow, while still permitting pods to request
allowPrivilegeEscalation explicitly.
label: Allow privilege escalation
required: false
type: boolean
group: "no-privilege-escalation policy settings"
# drop-capabilities policy settings
- variable: recommendedPolicies.capabilitiesPolicy.settings.allowed_capabilities
description: Provides a list of capabilities that are allowed to be added to a container
tooltip: Specified as the capability name in ALL_CAPS. (e.g. `CHOWN`, `KILL`)
group: "drop-capabilities policy settings"
label: Allowed capabilities
required: false
type: array[
- variable: recommendedPolicies.capabilitiesPolicy.settings.required_drop_capabilities
description: The capabilities which must be dropped from containers.
tooltip: Specified as the capability name in ALL_CAPS. (e.g. `NET_ADMIN`)
group: "drop-capabilities policy settings"
label: Required drop capabilities
required: false
type: array[
- variable: recommendedPolicies.capabilitiesPolicy.settings.default_add_capabilities
description: >-
The capabilities which are added to containers by default, in addition to
the runtime defaults.
tooltip: Specified as the capability name in ALL_CAPS. (e.g. `CHOWN`)
group: "drop-capabilities policy settings"
label: Default add capabilities
required: false
type: array[
# no-host-namespace-sharing policy settings
#
# - default: null
# description: >-
# This policy works by defining what host namespaces can be used by a Pod.
# `allow_host_ipc`, `allow_host_network` and `allow_host_pid` are `false` by
# default. `allow_host_ports` is an empty list by default. This means that by
# default host IPC, network, pid and all host ports are disabled when this
# policy is loaded with no configuration.
# group: no-host-namespace-sharing policy settings
# label: Description
# required: false
# hide_input: true # TODO not implemented yet in rancher/dashboard
# type: string
# variable: recommendedPolicies.hostNamespacePolicy.settings.description
- variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_ipc
tooltip: Allows the Pod to set .spec.hostIPC to true (shares the node's IPC namespace).
group: no-host-namespace-sharing policy settings
label: Allow host IPC
required: false
type: boolean
- variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_network
tooltip: Allows the Pod to set .spec.hostNetwork to true (shares the node's network namespace).
group: no-host-namespace-sharing policy settings
label: Allow host network
required: false
type: boolean
- variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_pid
tooltip: Allows the Pod to set .spec.hostPID to true (shares the node's PID namespace).
group: no-host-namespace-sharing policy settings
label: Allow host PID
required: false
type: boolean
- variable: recommendedPolicies.hostNamespacePolicy.settings.allow_host_ports
description: >-
A list of port ranges (each entry has a `min` and a `max`) that Pods may use
as host ports; for example, entries covering `80`, `443` and `8000-9000` would
allow those host ports. An empty list allows no host ports.
group: no-host-namespace-sharing policy settings
label: Allow host ports
hide_input: true
type: sequence[
sequence_questions:
- default: 0
tooltip: ""
group: no-host-namespace-sharing policy settings
label: min
type: int
variable: min
- default: 0
tooltip: ""
group: no-host-namespace-sharing policy settings
label: max
type: int
variable: max
# no-privileged-pod policy settings
- variable: recommendedPolicies.podPrivilegedPolicy.settings.skip_init_containers
tooltip: >-
Do not reject a Pod because one of its init containers is configured as
privileged. Enable only if privileged init containers are acceptable.
group: no-privileged-pod policy settings
label: Skip init containers
required: false
type: boolean
- variable: recommendedPolicies.podPrivilegedPolicy.settings.skip_ephemeral_containers
tooltip: >-
Do not reject a Pod because one of its ephemeral containers is configured as
privileged. Enable only if privileged ephemeral containers are acceptable.
group: no-privileged-pod policy settings
label: Skip ephemeral containers
required: false
type: boolean
# do-not-run-as-root policy
#
# TODO sequence[ is not implemented in rancher/dashboard yet: https://github.com/rancher/dashboard/issues/10826
#
# - default: null
# description: >-
# This policy is a replacement for the Kubernetes Pod Security Policy that
# controls containers user and groups.
# group: do-not-run-as-root policy settings
# label: Description
# required: false
# hide_input: true # TODO not implemented yet in rancher/dashboard
# type: string
# variable: recommendedPolicies.userGroupPolicy.settings.description
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user
# description: Controls which user ID the containers are run with.
# group: do-not-run-as-root policy settings
# label: Run as user
# hide_input: true
# type: map[
# subquestions:
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule
# tooltip: >-
# Defines the strategy used by the policy to enforce users and groups used
# in containers.
# group: do-not-run-as-root policy settings
# label: Rule
# options:
# - MustRunAs
# - MustRunAsNonRoot
# - RunAsAny
# type: enum
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user.overwrite
# group: do-not-run-as-root policy settings
# label: Overwrite
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs
# title: Overwrite
# tooltip: >-
# The overwrite attribute can be set only with the MustRunAs rule. This
# flag configures the policy to mutate the runAsUser or runAsGroup regardless
# of the value present in the request - even if the value is a valid one.
# The default value of this attribute is false.
# type: boolean
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_user.ranges
# description: >-
# Ranges is a list of JSON objects with two attributes: min and max. Each
# range object defines the user/group ID range used by the rule.
# group: do-not-run-as-root policy settings
# label: Ranges
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAsNonRoot
# hide_input: true
# type: sequence[
# sequence_questions:
# - default: 0
# group: do-not-run-as-root policy settings
# label: min
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAsNonRoot
# tooltip: Minimum UID or GID
# type: int
# variable: min
# - default: 0
# group: do-not-run-as-root policy settings
# label: max
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_user.rule=MustRunAsNonRoot
# tooltip: Maximum UID or GID
# type: int
# variable: max
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group
# description: Controls which primary group ID the containers are run with.
# group: do-not-run-as-root policy settings
# label: Run as group
# hide_input: true
# type: map[
# subquestions:
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule
# tooltip: >-
# Defines the strategy used by the policy to enforce users and groups used
# in containers.
# group: do-not-run-as-root policy settings
# label: Rule
# options:
# - MustRunAs
# - MayRunAs
# - RunAsAny
# type: enum
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group.overwrite
# group: do-not-run-as-root policy settings
# label: Overwrite
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs
# type: boolean
# - variable: recommendedPolicies.userGroupPolicy.settings.run_as_group.ranges
# description: >-
# Ranges is a list of JSON objects with two attributes: min and max. Each
# range object defines the user/group ID range used by the rule.
# group: do-not-run-as-root policy settings
# label: Ranges
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MayRunAs
# hide_input: true
# type: sequence[
# sequence_questions:
# - default: 0
# group: do-not-run-as-root policy settings
# label: min
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MayRunAs
# tooltip: Minimum UID or GID
# type: int
# variable: min
# - default: 0
# group: do-not-run-as-root policy settings
# label: max
# show_if: recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.run_as_group.rule=MayRunAs
# tooltip: Maximum UID or GID
# type: int
# variable: max
# - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups
# description: Controls which group IDs containers add.
# group: do-not-run-as-root policy settings
# label: Supplemental groups
# hide_input: true
# type: map[
# subquestions:
# - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule
# tooltip: >-
# Defines the strategy used by the policy to enforce users and groups used
# in containers.
# group: do-not-run-as-root policy settings
# label: Rule
# options:
# - MustRunAs
# - MayRunAs
# - RunAsAny
# type: enum
# - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups.overwrite
# group: do-not-run-as-root policy settings
# label: Overwrite
# show_if: >-
# recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs
# type: boolean
# - variable: recommendedPolicies.userGroupPolicy.settings.supplemental_groups.ranges
# description: >-
# Ranges is a list of JSON objects with two attributes: min and max. Each
# range object defines the user/group ID range used by the rule.
# group: do-not-run-as-root policy settings
# label: Ranges
# show_if: >-
# recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MayRunAs
# hide_input: true
# type: sequence[
# sequence_questions:
# - default: 0
# group: do-not-run-as-root policy settings
# label: min
# show_if: >-
# recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MayRunAs
# tooltip: Minimum UID or GID
# type: int
# variable: min
# - default: 0
# group: do-not-run-as-root policy settings
# label: max
# show_if: >-
# recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MustRunAs||recommendedPolicies.userGroupPolicy.settings.supplemental_groups.rule=MayRunAs
# tooltip: Maximum UID or GID
# type: int
# variable: max
# do-not-share-host-paths policy settings
#
# TODO sequence[ is not implemented in rancher/dashboard yet: https://github.com/rancher/dashboard/issues/10826
#
# - variable: recommendedPolicies.hostPathsPolicy.settings.allowedHostPaths
# description: >-
# This policy is a replacement for the Kubernetes Pod Security Policy that
# controls the usage of `hostPath` volumes. The policy inspects both the
# containers and the init containers that are using `hostPath` volumes.
# `allowedHostPaths` is a list of host paths that are allowed to be used by
# hostPath volumes. Note that an empty `allowedHostPaths` list means there is
# NO restriction on host paths, i.e. any host path may be mounted, so list the
# paths you actually intend to permit. Each entry of `allowedHostPaths` must have:
# a `pathPrefix` field, which allows hostPath volumes to mount a path that
# begins with an allowed prefix, and a `readOnly` field indicating it must be
# mounted read-only.
# tooltip: A list of host paths that are allowed to be used by hostPath volumes.
# group: do-not-share-host-paths policy settings
# label: Allow host path
# hide_input: true
# type: sequence[
# sequence_questions:
# - variable: pathPrefix
# description: >-
# Allows hostPath volumes to mount a path that begins with an allowed
# prefix.
# group: do-not-share-host-paths policy settings
# label: Path prefix
# type: string
# - variable: readOnly
# tooltip: Indicates if the volume must be mounted read-only.
# group: do-not-share-host-paths policy settings
# label: Read only
# type: boolean