Kyverno Policy Catalog
Purpose: gives security officers a catalog of all 17 ClusterPolicies with the name, enforcement mode, and customization instructions for each.
These Kyverno ClusterPolicies are maintained in the openCenter-gitops-base repository at applications/base/services/kyverno/default-ruleset/. The openCenter-cli generates FluxCD manifests that reference these policies — it does not define or manage the policies themselves. To inspect, customize, or audit policy definitions, work directly with openCenter-gitops-base.
Overview
openCenter deploys 17 Kyverno ClusterPolicies from openCenter-gitops-base/applications/base/services/kyverno/default-ruleset/. These policies are deployed via FluxCD and apply cluster-wide. They complement Pod Security Admission by providing finer-grained validation, mutation, and audit reporting.
Policy Catalog
Container Security
| # | Policy | Mode | Description |
|---|---|---|---|
| 1 | disallow-privileged-containers | enforce | Rejects pods with securityContext.privileged: true |
| 2 | disallow-privilege-escalation | enforce | Rejects pods with allowPrivilegeEscalation: true |
| 3 | require-run-as-nonroot | enforce | Requires runAsNonRoot: true on all containers |
| 4 | disallow-capabilities | enforce | Drops all capabilities; allows only a defined safe list |
| 5 | restrict-seccomp | enforce | Requires RuntimeDefault or Localhost seccomp profile |
Host Isolation
| # | Policy | Mode | Description |
|---|---|---|---|
| 6 | disallow-host-namespaces | enforce | Blocks hostPID, hostIPC, and hostNetwork |
| 7 | disallow-host-path | enforce | Blocks hostPath volume mounts |
| 8 | disallow-host-ports | enforce | Blocks hostPort bindings on containers |
Volume and Storage
| # | Policy | Mode | Description |
|---|---|---|---|
| 9 | restrict-volume-types | enforce | Allows only configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim, csi |
| 10 | disallow-default-namespace | audit | Warns when resources are created in the default namespace |
Image and Registry
| # | Policy | Mode | Description |
|---|---|---|---|
| 11 | require-image-tag | enforce | Rejects images using :latest or no tag |
| 12 | restrict-image-registries | audit | Warns on images from non-approved registries |
Resource Management
| # | Policy | Mode | Description |
|---|---|---|---|
| 13 | require-resource-limits | audit | Warns when pods lack CPU/memory limits |
| 14 | require-resource-requests | audit | Warns when pods lack CPU/memory requests |
Workload Best Practices
| # | Policy | Mode | Description |
|---|---|---|---|
| 15 | require-probes | audit | Warns when deployments lack readiness/liveness probes |
| 16 | require-labels | audit | Warns when resources lack standard labels (app.kubernetes.io/name, etc.) |
| 17 | restrict-sysctls | enforce | Blocks unsafe sysctl settings |
Enforcement Modes
- enforce — the policy rejects non-compliant resources at admission time. The resource is not created.
- audit — the policy allows the resource but records a violation in the Kyverno PolicyReport. Visible in `kubectl get policyreport -A`.
Customization
Changing a Policy Mode
Override the policy in the customer overlay. For example, to change require-resource-limits from audit to enforce:
```yaml
# applications/overlays/<cluster>/services/kyverno/patches/require-resource-limits.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits
spec:
  validationFailureAction: Enforce
```
Excluding Namespaces
Add namespace exclusions to a policy:
```yaml
spec:
  rules:
    - name: require-limits
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - monitoring
```
Viewing Policy Reports
```bash
# List all policy violations across namespaces
kubectl get policyreport -A

# Detailed report for a namespace
kubectl get policyreport -n <namespace> -o yaml
```
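Before switching an audit-mode policy such as require-resource-limits to enforce, it helps to know which existing resources would start being rejected. The following script is an added example (not openCenter or Kyverno code): it parses the JSON that `kubectl get policyreport -A -o json` prints and groups every `fail` result by policy; the report data embedded in it is constructed, and rule names other than require-limits are invented for the sample.

```python
"""Group Kyverno PolicyReport failures by policy (added example, not openCenter code).

Reads the JSON printed by `kubectl get policyreport -A -o json` and lists every
resource that failed each policy. Only `fail` results matter here: those are the
validations that would become admission rejections once the policy is enforced.
"""
import json
from collections import defaultdict

# Constructed sample in the wgpolicyk8s.io/v1alpha2 PolicyReport shape (two namespaces).
SAMPLE_REPORTS = json.dumps({"kind": "List", "items": [
    {"kind": "PolicyReport", "metadata": {"namespace": "default"},
     "results": [
         {"policy": "require-resource-limits", "rule": "require-limits",
          "result": "fail", "resources": [{"kind": "Pod", "name": "web-0"}]},
         {"policy": "disallow-default-namespace", "rule": "check-namespace",
          "result": "fail", "resources": [{"kind": "Pod", "name": "web-0"}]},
         {"policy": "require-labels", "rule": "check-labels",
          "result": "pass", "resources": [{"kind": "Pod", "name": "web-0"}]}]},
    {"kind": "PolicyReport", "metadata": {"namespace": "monitoring"},
     "results": [
         {"policy": "require-resource-limits", "rule": "require-limits",
          "result": "fail", "resources": [{"kind": "Pod", "name": "prom-0"}]},
         {"policy": "require-resource-requests", "rule": "require-requests",
          "result": "warn", "resources": [{"kind": "Pod", "name": "prom-0"}]}]},
]})


def failures_by_policy(report_json: str) -> dict[str, list[str]]:
    """Return {policy: sorted ['namespace/Kind/name', ...]} for every `fail` result."""
    doc = json.loads(report_json)
    # `kubectl get -A -o json` wraps reports in a List; a single report has no items.
    reports = doc["items"] if doc.get("kind") == "List" else [doc]
    hits: dict[str, set[str]] = defaultdict(set)
    for report in reports:
        ns = report["metadata"].get("namespace", "cluster")
        for res in report.get("results", []):
            if res.get("result") != "fail":
                continue
            for obj in res.get("resources", []):
                hits[res["policy"]].add(f"{ns}/{obj['kind']}/{obj['name']}")
    return {policy: sorted(objs) for policy, objs in sorted(hits.items())}


if __name__ == "__main__":
    for policy, objs in failures_by_policy(SAMPLE_REPORTS).items():
        print(f"{policy}: {len(objs)} failing -> {', '.join(objs)}")
```

Pipe the real output in with `kubectl get policyreport -A -o json | python3 this_script.py` after replacing `SAMPLE_REPORTS` with `sys.stdin.read()`.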
Further Reading
- Defense-in-Depth Model — how Kyverno fits into the security architecture
- Pod Security Admission — cluster-level admission controls
- Audit & Evidence — using policy reports for compliance