linode / apl-core

Application Platform for Linode Kubernetes Engine (and any other conformant K8s)

Home Page: https://otomi.io

Platform security policies

j-zimnowoda opened this issue

WHY

Platform apps also need to be validated to ensure security posture and control the applications during the upgrades

Acceptance criteria

GIVEN platform apps (offline mode)
WHEN I run otomi validate-polices
THEN I can perform static validation of all the manifests rendered by otomi

GIVEN platform apps on running k8s cluster
WHEN I enable Kyverno
THEN I can see if platform apps conform with that platform security policy baseline

Functional requirements:

  • prevent run as root user and group
  • drop all capabilities
  • enforce semver tags (no latest)
  • prevent privilege escalation
  • enforce readOnlyRootFilesystem
  • ensure runAsNonRoot
  • enforce privileged: false
  • prevent hostPath
  • prevent hostNetwork

Non-functional requirements:

  • policy exceptions are defined as app artefacts
  • use kyverno CLI instead of konstraint for policy validation

Definition of done

  • Relevant PRs are merged
  • Tested by peer
  • Updated documentation reviewed by peer
  • Short demo video recorded and stored on google drive (if applicable)
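
The functional requirements listed in the issue, expressed as static checks over a rendered manifest. This is an added illustration, not code from the issue or from the apl-core/otomi project, and it is not the Kyverno CLI; the name `check_manifest`, the semver pattern and the sample manifests are assumptions constructed for this example.

```python
import re

# Accepts tags like :1.4.2 or :v1.4.2-rc.1; digest suffixes are not handled (assumption).
SEMVER_TAG = re.compile(r":v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$")

def check_manifest(manifest):
    """Return baseline violations for one rendered manifest (empty list = conforms)."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") != "Pod":  # Deployment, StatefulSet, DaemonSet, Job
        spec = (spec.get("template") or {}).get("spec") or {}
    pod_sc, found = spec.get("securityContext") or {}, []
    if spec.get("hostNetwork"):
        found.append("hostNetwork is enabled")
    if any("hostPath" in v for v in spec.get("volumes") or []):
        found.append("hostPath volume is used")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc, name = c.get("securityContext") or {}, c.get("name", "?")
        # runAs* may be set on the pod; a container-level value overrides it.
        eff = {k: sc.get(k, pod_sc.get(k)) for k in ("runAsNonRoot", "runAsUser", "runAsGroup")}
        checks = [
            (eff["runAsNonRoot"] is not True, "runAsNonRoot is not true"),
            (0 in (eff["runAsUser"], eff["runAsGroup"]), "runs as root user or group"),
            (bool(sc.get("privileged")), "privileged is true"),  # unset defaults to false
            (sc.get("allowPrivilegeEscalation") is not False, "allowPrivilegeEscalation is not false"),
            (sc.get("readOnlyRootFilesystem") is not True, "readOnlyRootFilesystem is not true"),
            ("ALL" not in ((sc.get("capabilities") or {}).get("drop") or []), "capabilities.drop lacks ALL"),
            (not SEMVER_TAG.search(c.get("image", "")), "image tag is not semver"),
        ]
        found += [f"{name}: {msg}" for failed, msg in checks if failed]
    return found

# Constructed sample manifests (not taken from the platform's charts).
GOOD = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001},
    "containers": [{"name": "app", "image": "registry.example/app:1.4.2",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}}}]}}}}
BAD = {"kind": "Pod", "spec": {"hostNetwork": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
    "containers": [{"name": "app", "image": "registry.example/app:latest",
        "securityContext": {"privileged": True, "runAsUser": 0}}]}}

if __name__ == "__main__":
    for label, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_manifest(m) or "conforms")
```

Because `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities.drop` do not default to the hardened value, the check treats an unset field as a violation; only `privileged` is allowed to be absent.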