Policies

This section allows to turn Open Policy Agent (OPA) policies on or off, and also set default parameters to be used by the policies.

SettingDescription
banned-image-tagsAdd any image tags for containers that are not allowed in your cluster.
container-limitsSet global compute limits for your containers.
psp-allowed-reposAdd globally allowed repositories for version control.
psp-host-filesystemSet policies for the host filesystem of all Kubernetes cluster nodes.
psp-allowed-usersDefault user (UID) settings to force containers to run with. It is recommended to at least set 'runAsUser' to 'MustRunAsNonRoot' to disallow root.
psp-host-securityWhether a pod is allowed to access the host PID namespace/host IPC, or if a pod defines host aliases.
psp-host-networking-portsWhether a pod can access ports on the host.
psp-privilegedWhether privileged containers can escalate to root privileges on the node.
psp-capabilitiesWhether to allow containers with sufficient capabilities granted to obtain escalated access.
psp-forbidden-sysctlsDetermine what system controls are allowed or not.
psp-apparmorPrevents an application from accessing files it should not access.
psp-seccompReduces the chance that a kernel vulnerability will be successfully exploited.
psp-selinuxSecurity-enhanced Linux.

Please see the OPA Gatekeeper policy library as it is the source for the policies here. We made a selection of usable policies for Otomi and adapted them to be used by Conftest as well for static analysis of manifests generated by Otomi.