Kyverno Policies vs. Gatekeeper Policies in Big Bang

The following table shows the policies implemented in Big Bang under Gatekeeper and the corresponding policy in Kyverno.

GK = Gatekeeper KY = Kyverno

Name	Category	Description	Gatekeeper	Kyverno	Notes
AppArmor	Pod Security Standards (Baseline)	Restrict AppArmor profiles to allowed list	allowedAppArmorProfiles	restrict-apparmor	Disabled in GK
Default Service Account	Unknown	Disallow use of default service account	noDefaultServiceAccount	Will not implement	Kubernetes assigns the default service account to all pods that do not specify a service account. Policy value is below threshold for implementation. KY policy update-token-automount likely covers what this policy was intended to do.
Docker Registries	Best Practices (Security)	Restrict image registries to allowed list	allowedDockerRegistries	restrict-image-registries
External IPs	Vulnerability Mitigation	Restrict service’s external IPs to allowed list	allowedIPs	restrict-external-ips	GK uses CIDR range. KY uses regex.
Group IDs - Non-root	Pod Security Standards (Restricted)	Require groups to be non-root	allowedUsers	require-non-root-group
Group IDs - Range	Best Practices (Security)	Restrict group IDs to a specified range	allowedUsers	restrict-group-id
Host Namespace	Pod Security Standards (Baseline)	Disallow access to the host PID and IPC	noHostNamespace	disallow-host-namespaces
Host Networking	Pod Security Standards (Baseline)	Disallow sharing the host network	hostNetworking	disallow-host-namespaces
Host Path	Best Practices (Security)	Restrict volumes that map host paths to allowed list and require the volume mount to be read-only	allowedHostFilesystem	restrict-host-path-mount; restrict-host-path-write
Host Ports	Pod Security Standards (Baseline)	Restrict host ports to a specified range	hostNetworking	restrict-host-ports
Image Digest	Best Practices (Security)	Require images to use image digests instead of tags	imageDigest	Will not implement	Iron Bank images require tags for nightly image builds. Policy value is below threshold for implementation.
Image Tags	Best Practices	Allow image tags not on banned list	bannedImageTags	disallow-image-tags
Ingress - HTTPS Only	Best Practices (Security)	Require ingresses to be HTTPS only	httpsOnly	Will not implement	Big Bang uses Istio instead of Ingresses. Policy value is below threshold for implementation.
Ingress - Unique	Best Practice	Disallows multiple Ingresses with the same host	uniqueIngressHost	Will not implement	Big Bang uses Istio instead of Ingresses. Policy value is below threshold for implementation.
Istio Sidecar Injection - Namespace	Best Practices	Require namespaces to be annotated for automatic Istio sidecar injection	namespacesHaveIstio	require-istio-on-namespaces
Istio Sidecar Injection - Pod	Best Practices	Require pods don’t disable automatic Istio sidecar injection	podsHaveIstio	disallow-istio-injection-bypass
Labels	Best Practices	Require specified labels to be on resources	requiredLabels	require-labels	KY removed component, part-of, and managed-by from default required list.
Linux Capabilities	Pod Security Standards (Restricted)	Require all capabilities to be dropped and restrict added capabilities to allowed list	allowedCapabilities	require-drop-all-capabilities; restrict-capabilities	KY adds NET_BIND_SERVICE to the default allowed list
Node Ports	Best Practices (Security)	Disallow NodePort services	blockNodePort	disallow-nodeport-services
Privileged Containers	Pod Security Standards (Baseline)	Disallow containers that run as privileged	noPrivilegedContainers	disallow-privileged-containers
Privileged Escalation	Pod Security Standards (Restricted)	Disallow privilege escalation permissions	noPrivilegedEscalation	disallow-privileged-containers
Probes	Best Practices	Require probes on pods	requiredProbes	require-probes	KY removes validation of probe types (e.g. tcpSocket, httpGet, exec)
Proc Mount	Pod Security Standards (Baseline)	Restrict proc mount to allowed list	allowedProcMount	restrict-proc-mount
Read-only Root Filesystem	Best Practices (Security)	Require root file systems to be read only	readOnlyRoot	require-ro-rootfs
Resources - Large	Best Practices	Require CPU and memory limits and disallow extremely large values	noBigContainers	require-cpu-limit; require-memory-limit
Resources - Ratio	Best Practices	Ensure CPU and memory limits are not disproportionate to requests	containerRatio	Will not implement	No use case. Policy value is below threshold for implementation.
SecComp	Pod Security Standards (Baseline)	Restrict SecComp profiles to allowed list	allowedSecCompProfiles	restrict-seccomp	KY adds Localhost to the default allowed list
SELinux	Pod Security Standards (Baseline)	Restrict SELinux options to allowed list	seLinuxPolicy	disallow-selinux-options; restrict-selinux-type	KY adds additional allowed values to the default allowed list
SysCtl	Pod Security Standards (Baseline)	Restrict SysCtls to allowed list	noSysctls	restrict-sysctl	KY adds additional sysctl values to the default allowed list
Tolerations	Best Practices (Security)	Tolerations must not match specified list of taints	restrictedTaint	disallow-tolerations	KY also prevents tolerations on RuntimeClasses
User IDs - Non-root	Pod Security Standards (Restricted)	Require user to run as non-root	allowedUsers	require-non-root-user
User IDs - Range	Best Practices (Security)	Restrict user IDs to a specified range	allowedUsers	restrict-user-id
Volumes - Flex	Historical	Restrict flex volume drivers to allowed list	allowedFlexVolumes	restrict-volume-types	Flex Volume drivers are deprecated. In KY, Flex Volumes are not allowed.
Volumes - Types	Pod Security Standards (Restricted)	Restrict volume types to allowed list	volumeTypes	restrict-volume-types	KY adds csiand ephemeral to the default allowed list.

---

Last update: 2022-03-03 by michaelmcleroy