Curated Policies
Nirmata provides curated Policy Sets that map to various industry standards for running Kubernetes clusters following best practices.
All policies are available at https://github.com/nirmata/kyverno-policies
Writing Custom Policies
Refer to the official documentation to learn the policy constructs and syntax.
Policy Conventions
The Nirmata Policy Manager (NPM) relies heavily on policy annotations to display relevant information to users and to support certain workflows, such as displaying Remediation Suggestions and diffs. To ensure custom policies integrate seamlessly with NPM, adhere to the following conventions.
Display Policy Category
policies.kyverno.io/category
Use this annotation to display the Category in the Policy Reports page. Example,
policies.kyverno.io/category: Pod Security Standards (Baseline)
Sample policy: disallow-host-namespaces.yaml
Display Findings Description
policies.kyverno.io/description
Use this annotation to display more info about the policy in the findings details page. Example,
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
Sample policy: disallow-host-namespaces.yaml
Display Findings Severity
policies.kyverno.io/severity
Use this annotation to display the severity of a finding. Example,
policies.kyverno.io/severity:medium
Sample policy: disallow-host-namespaces.yaml
Display Fix Recommendations
policies.nirmata.io/remediation-docs
Use this annotation to link to external/internal web pages that contain more information on the policy, its impact, and how to fix in case of violations. Example,
policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"
Sample policy: disallow-host-namespaces.yaml
Provide Remediation Suggestion (Diff)
policies.nirmata.io/remediation
Use this annotation to link to a Kyverno mutate
policy that is used for computing remediation diffs for violations. Example,
policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"
Sample policy: disallow-host-namespaces.yaml
Adding Analyzer Binding to Kyverno JSON Policy
Add this binding to the match
block: $analyzer.resource.type
Use the analyzer binding to let NCTL know what the policy is for. Example,
($analyzer.resource.type): terraform-config
Similarly, if the policy is for a terraform plan, terraform state, or dockerfile, the analyzer is terraform-plan, terraform-state, or dockerfile respectively.
Sample policy: enable-kms-encryption.yaml