From f980b651d9f855c1b83f7cc2e6374b7a487b6438 Mon Sep 17 00:00:00 2001
From: Vassiliy Yegorov
Date: Tue, 19 May 2026 17:16:39 +0700
Subject: [PATCH] fix foreach
---
 .claude/settings.local.json | 11 ++++++++++-
 .../1. require-resource-limits.yaml | 6 +++---
 .../3. disallow-latest-tag.yaml | 6 +++---
 .../4. allow-only-trusted-registries.yaml | 7 +++----
 .../02-security/disallow-dangerous-capabilities.yaml | 6 +++---
 .../02-security/disallow-privileged-containers.yaml | 6 +++---
 .../02-security/require-drop-all-capabilities.yaml | 6 +++---
 .../02-security/require-run-as-non-root.yaml | 4 +++-
 06-monitoring/02-debugging/README.md | 2 +-
 .../02-debugging/test-pols/policy-require-limits.yaml | 4 +---
 .../validate-registry-from-cache.yaml | 8 ++++----
 11 files changed, 37 insertions(+), 29 deletions(-)
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index eeffd17..b456ec3 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -7,7 +7,16 @@
 "Bash(sudo mv /tmp/kyverno /usr/local/bin/kyverno)",
 "Bash(mv /tmp/kyverno ~/bin/kyverno)",
 "Bash(mv /tmp/kyverno ~/.local/bin/kyverno)",
- "Bash(export PATH=\"$HOME/bin:$HOME/.local/bin:$PATH\")"
+ "Bash(export PATH=\"$HOME/bin:$HOME/.local/bin:$PATH\")",
+ "Bash(~/.local/bin/kyverno apply *)",
+ "Bash(rtk ls *)",
+ "Bash(/bin/ls *)",
+ "Bash(export PATH=\"$HOME/.local/bin:$PATH\")",
+ "Bash(kyverno apply *)",
+ "Read(//private/tmp/**)",
+ "Bash(mkdir -p polsdir1 polsdir2)",
+ "Bash(cp t1.yaml polsdir1/)",
+ "Bash(cp t2.yaml polsdir2/)"
 ]
 }
 }
diff --git a/02-validation/01-resource-validation/1. require-resource-limits.yaml b/02-validation/01-resource-validation/1. require-resource-limits.yaml
index 65b1e4d..4076596 100644
--- a/02-validation/01-resource-validation/1. require-resource-limits.yaml
+++ b/02-validation/01-resource-validation/1. require-resource-limits.yaml
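Review bot: `.claude/settings.local.json` is the per-developer Claude Code permission file, and the entries added here (`~/.local/bin/kyverno`, `Read(//private/tmp/**)`, `Bash(mkdir -p polsdir1 polsdir2)`) describe one workstation and one debugging session rather than the project, so committing it hands every clone a permission allowlist nobody else reviewed. Add `.claude/settings.local.json` to `.gitignore` and keep only the grants the team actually wants shared in `.claude/settings.json`. The two wildcard entries, `Bash(kyverno apply *)` and `Bash(/bin/ls *)`, accept any arguments, unlike the exact commands earlier in the same list; if a shared grant for the CLI is wanted, pinning it to the invocation the README documents (`kyverno apply test-pols/ --resource ... --detailed-results`) would be the narrower choice.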
@@ -26,14 +26,14 @@ spec: - kube-system - kyverno validate: + message: >- + Все контейнеры в поде '{{ request.object.metadata.name }}' + обязаны иметь resources.limits.memory и resources.limits.cpu. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) | merge(request.object.spec.ephemeralContainers[] || `[]`, @) - message: >- - Контейнер '{{ element.name }}' в поде '{{ request.object.metadata.name }}' - не имеет resource limits. Добавьте resources.limits.memory и resources.limits.cpu. pattern: resources: limits: diff --git a/02-validation/01-resource-validation/3. disallow-latest-tag.yaml b/02-validation/01-resource-validation/3. disallow-latest-tag.yaml index f6d7274..97e948a 100644 --- a/02-validation/01-resource-validation/3. disallow-latest-tag.yaml +++ b/02-validation/01-resource-validation/3. disallow-latest-tag.yaml @@ -25,14 +25,14 @@ spec: namespaces: - kube-system validate: + message: >- + Один из образов в поде '{{ request.object.metadata.name }}' использует + тег :latest или не имеет тега. Используйте конкретный тег или digest. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) | merge(request.object.spec.ephemeralContainers[] || `[]`, @) - message: >- - Образ '{{ element.image }}' использует тег :latest или не имеет тега. - Используйте конкретный тег (nginx:1.25.3) или digest (nginx@sha256:...). deny: conditions: any: diff --git a/02-validation/01-resource-validation/4. allow-only-trusted-registries.yaml b/02-validation/01-resource-validation/4. allow-only-trusted-registries.yaml index 1554e88..7ef8358 100644 --- a/02-validation/01-resource-validation/4. allow-only-trusted-registries.yaml +++ b/02-validation/01-resource-validation/4. allow-only-trusted-registries.yaml 
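Review bot: Moving `message` out of the `foreach` item drops the `{{ element.name }}` reference, so a denied multi-container pod now reports only the pod name and the submitter has to guess which container is missing limits; the same loss of detail applies to every other policy hunk in this patch (disallow-latest-tag, allow-only-trusted-registries, disallow-dangerous-capabilities, disallow-privileged-containers, require-drop-all-capabilities, require-run-as-non-root, test-pols/policy-require-limits, validate-registry-from-cache), where `element.name` or `element.image` was removed. If the move is required because the Kyverno version in use rejects `message` inside a `foreach` entry, it is worth confirming whether that version substitutes `{{ element.name }}` in a rule-level `message` when the rule iterates with `foreach`; if it does, the container name can be kept, e.g. `Контейнер '{{ element.name }}' в поде '{{ request.object.metadata.name }}' обязан иметь resources.limits.memory и resources.limits.cpu.` If it does not, a one-line comment above `message:` stating that `element` is not available at this level would stop the next maintainer from re-adding it. The rule's `match` block and the `pattern` body continue outside the hunk.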
@@ -27,15 +27,14 @@ spec: - kube-system - kyverno validate: + message: >- + Один из образов в поде '{{ request.object.metadata.name }}' из недоверенного реестра. + Разрешены: registry.company.com/, gcr.io/company-project/. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) | merge(request.object.spec.ephemeralContainers[] || `[]`, @) - message: >- - Образ '{{ element.image }}' из недоверенного реестра. - Разрешены: registry.company.com/, gcr.io/company-project/. - Загрузите образ в внутренний реестр и обновите манифест. deny: conditions: all: diff --git a/02-validation/02-security/disallow-dangerous-capabilities.yaml b/02-validation/02-security/disallow-dangerous-capabilities.yaml index 8765e8e..fc668d0 100644 --- a/02-validation/02-security/disallow-dangerous-capabilities.yaml +++ b/02-validation/02-security/disallow-dangerous-capabilities.yaml @@ -26,14 +26,14 @@ spec: namespaces: - kube-system validate: + message: >- + Один из контейнеров в поде '{{ request.object.metadata.name }}' добавляет + запрещённые capabilities. Разрешена только NET_BIND_SERVICE. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) | merge(request.object.spec.ephemeralContainers[] || `[]`, @) - message: >- - Контейнер '{{ element.name }}' добавляет запрещённые capabilities. - Разрешена только NET_BIND_SERVICE. Пересмотрите необходимость привилегий. deny: conditions: any: diff --git a/02-validation/02-security/disallow-privileged-containers.yaml b/02-validation/02-security/disallow-privileged-containers.yaml index 099d42b..2440d2f 100644 --- a/02-validation/02-security/disallow-privileged-containers.yaml +++ b/02-validation/02-security/disallow-privileged-containers.yaml 
@@ -26,14 +26,14 @@ spec: namespaces: - kube-system validate: + message: >- + Один из контейнеров в поде '{{ request.object.metadata.name }}' + имеет securityContext.privileged: true. Запрещено. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) | merge(request.object.spec.ephemeralContainers[] || `[]`, @) - message: >- - Контейнер '{{ element.name }}' имеет securityContext.privileged: true. - Привилегированные контейнеры запрещены. Удалите поле или установите false. deny: conditions: any: diff --git a/02-validation/02-security/require-drop-all-capabilities.yaml b/02-validation/02-security/require-drop-all-capabilities.yaml index d8ae2d3..39c2d47 100644 --- a/02-validation/02-security/require-drop-all-capabilities.yaml +++ b/02-validation/02-security/require-drop-all-capabilities.yaml @@ -25,14 +25,14 @@ spec: namespaces: - kube-system validate: + message: >- + Каждый контейнер в поде '{{ request.object.metadata.name }}' должен + сбрасывать все capabilities: securityContext.capabilities.drop: [ALL]. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) | merge(request.object.spec.ephemeralContainers[] || `[]`, @) - message: >- - Контейнер '{{ element.name }}' не сбрасывает все capabilities. - Добавьте securityContext.capabilities.drop: [ALL]. deny: conditions: all: diff --git a/02-validation/02-security/require-run-as-non-root.yaml b/02-validation/02-security/require-run-as-non-root.yaml index 97436a5..c5e7a34 100644 --- a/02-validation/02-security/require-run-as-non-root.yaml +++ b/02-validation/02-security/require-run-as-non-root.yaml 
@@ -45,11 +45,13 @@ spec: namespaces: - kube-system validate: + message: >- + Один из контейнеров в поде '{{ request.object.metadata.name }}' + использует runAsUser: 0 (root). Установите runAsUser >= 1000. foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) - message: "Контейнер '{{ element.name }}' использует runAsUser: 0 (root). Установите runAsUser >= 1000." deny: conditions: any: diff --git a/06-monitoring/02-debugging/README.md b/06-monitoring/02-debugging/README.md index 9a0da66..4fe56a0 100644 --- a/06-monitoring/02-debugging/README.md +++ b/06-monitoring/02-debugging/README.md @@ -26,7 +26,7 @@ kubectl get clusterpolicy my-policy -o yaml | grep -A 10 "status:" ```bash # Kyverno CLI — самый быстрый способ проверить -kyverno apply test-pols/policy-require-labels.yaml \ +kyverno apply test-pols/ \ --resource test-deployment.yaml \ --detailed-results diff --git a/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml b/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml index ae06d6a..059d574 100644 --- a/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml +++ b/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml @@ -18,11 +18,9 @@ spec: kinds: - Pod validate: + message: "All containers must have resources.limits.cpu and resources.limits.memory." foreach: - list: "request.object.spec.containers" - message: >- - Container '{{ element.name }}' must have resources.limits.cpu - and resources.limits.memory defined. pattern: resources: limits: diff --git a/07-advanced/02-external-data/validate-registry-from-cache.yaml b/07-advanced/02-external-data/validate-registry-from-cache.yaml index 918d775..7477e1a 100644 --- a/07-advanced/02-external-data/validate-registry-from-cache.yaml +++ b/07-advanced/02-external-data/validate-registry-from-cache.yaml 
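Review bot: The `list` in require-run-as-non-root still merges only `containers` and `initContainers`, while the sibling policies changed in this same patch also fold in `ephemeralContainers`, so a container attached with `kubectl debug` can run as UID 0 without this rule ever inspecting it. Adding the same third merge line the other policies use (the `ephemeralContainers` merge with the `|| \`[]\`` fallback) brings it in line, with the caveat that ephemeral containers are typically added through the `pods/ephemeralcontainers` subresource, so whether this rule even receives them depends on the `match` block above the hunk and should be confirmed against the running Kyverno version. The same gap is visible in validate-registry-from-cache (last hunk), and test-pols/policy-require-limits goes further with `list: "request.object.spec.containers"`, which skips `initContainers` as well; that may be intentional for a debugging fixture, in which case a comment such as `# fixture: regular containers only, see README` would make the narrower scope explicit.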
@@ -36,14 +36,14 @@ spec: value: >- {{ join('', ['^(', join('|', split(allowedRegistries.data.\"allowed-registries\", '\n')[?@ != '']), ')']) }} validate: + message: >- + Образ в поде '{{ request.object.metadata.name }}' из недоверенного реестра. + Список разрешённых (обновлён {{ allowedRegistries.data.\"last-updated\" }}): + {{ allowedRegistries.data.\"allowed-registries\" }} foreach: - list: >- request.object.spec.containers[] | merge(request.object.spec.initContainers[] || `[]`, @) - message: >- - Образ '{{ element.image }}' из недоверенного реестра. - Список разрешённых реестров (обновлён {{ allowedRegistries.data.\"last-updated\" }}): - {{ allowedRegistries.data.\"allowed-registries\" }} deny: conditions: all: