Platform security polcies
j-zimnowoda opened this issue · 0 comments
j-zimnowoda commented
WHY
Platform apps also need to validated to ensure security posture and control the applications during the upgrades
Acceptance criteria
GIVENplatform apps (offline mode)
WHENI run otomi validate-polices then
THEN I can perform static validation of all the manifests rendered by otomi
GIVENplatform apps on running k8s cluster
WHENI enable Kyverno
THEN I can see if platform apps conform with that platform security policy baseline
Functional requirements:
- prevent run as root user and group
- drop all capabilities
- enforce semver tags (no latest)
- prevent privilege escalation
- enforce readOnlyRootFilesystem
- ensure runAsNonRoot
- enforce
privileged: false - prevent hostPath
- prevent hostNetwork
Non-functional requirements:
- policy exceptions are defined as app artefacts
- use kyverno CLI instead of konstraint for policy validation
Definition of done
- Relevant PRs are merged
- Tested by peer
- Updated documentation reviewed by peer
- Short demo video recorded and stored on google drive (if applicable)