Curated Policies

Nirmata provides curated Policy Sets that map to various industry standards for running Kubernetes clusters following best practices.

All policies are available at https://github.com/nirmata/kyverno-policies

Writing Custom Policies

Refer to the official documentation to learn the policy constructs and syntax.

Policy Conventions

The Nirmata Policy Manager (NPM) relies heavily on policy annotations to display relevant information to users and to support certain workflows, such as displaying Remediation Suggestions and diffs. To ensure custom policies integrate seamlessly with NPM, adhere to the following conventions.

Display Policy Category

policies.kyverno.io/category

Use this annotation to display the Category in the Policy Reports page. Example,

policies.kyverno.io/category: Pod Security Standards (Baseline)

Sample policy: disallow-host-namespaces.yaml

Display Findings Description

policies.kyverno.io/description

Use this annotation to display more info about the policy in the findings details page. Example,

policies.kyverno.io/description: >-
      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.

Sample policy: disallow-host-namespaces.yaml

Display Findings Severity

policies.kyverno.io/severity

Use this annotation to display the severity of a finding. Example,

policies.kyverno.io/severity:medium

Sample policy: disallow-host-namespaces.yaml

Display Fix Recommendations

policies.nirmata.io/remediation-docs

Use this annotation to link to external/internal web pages that contain more information on the policy, its impact, and how to fix in case of violations. Example,

policies.nirmata.io/remediation-docs: "https://docs.nirmata.io/policysets/podsecurity/baseline/disallow-host-namespaces/"

Sample policy: disallow-host-namespaces.yaml

Provide Remediation Suggestion (Diff)

policies.nirmata.io/remediation

Use this annotation to link to a Kyverno mutate policy that is used for computing remediation diffs for violations. Example,

policies.nirmata.io/remediation: "https://github.com/nirmata/kyverno-policies/tree/main/pod-security/baseline/disallow-host-namespaces/remediate-disallow-host-namespaces.yaml"

Sample policy: disallow-host-namespaces.yaml

Adding Analyzer Binding to Kyverno JSON Policy

Add this binding to the match block: $analyzer.resource.type

Use the analyzer binding to let NCTL know what the policy is for. Example,

($analyzer.resource.type): terraform-config

Similarly, if the policy is for a terraform plan, terraform state, or dockerfile, the analyzer is terraform-plan, terraform-state, or dockerfile respectively.

Sample policy: enable-kms-encryption.yaml