2023-09-18 00:24:26 +02:00
|
|
|
|
---
|
2019-11-13 13:56:20 -08:00
|
|
|
|
apiVersion: kyverno.io/v1
|
2019-11-08 20:04:42 -08:00
|
|
|
|
kind: ClusterPolicy
|
|
|
|
|
|
metadata:
|
2019-11-08 20:08:23 -08:00
|
|
|
|
annotations:
|
|
|
|
|
|
policies.kyverno.io/category: Security
|
2023-09-18 00:24:26 +02:00
|
|
|
|
policies.kyverno.io/description: Privileged containers are defined as any container
|
|
|
|
|
|
where the container uid 0 is mapped to the host’s uid 0. A process within a
|
|
|
|
|
|
privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation`
|
|
|
|
|
|
enabled, a process can gain privileges from its parent.
|
|
|
|
|
|
name: disallow-privileged
|
2019-11-08 20:04:42 -08:00
|
|
|
|
spec:
|
2023-09-18 00:24:26 +02:00
|
|
|
|
admission: true
|
|
|
|
|
|
background: true
|
2019-11-08 20:04:42 -08:00
|
|
|
|
rules:
|
2023-09-18 00:24:26 +02:00
|
|
|
|
- match:
|
|
|
|
|
|
any:
|
|
|
|
|
|
- resources:
|
|
|
|
|
|
kinds:
|
|
|
|
|
|
- Pod
|
|
|
|
|
|
name: validate-privileged
|
2019-11-08 20:04:42 -08:00
|
|
|
|
validate:
|
2023-09-18 00:24:26 +02:00
|
|
|
|
message: Privileged mode is not allowed. Set privileged to false
|
2019-12-30 13:53:51 -08:00
|
|
|
|
pattern:
|
|
|
|
|
|
spec:
|
2019-11-08 20:04:42 -08:00
|
|
|
|
containers:
|
2019-12-30 13:53:51 -08:00
|
|
|
|
- =(securityContext):
|
|
|
|
|
|
=(privileged): false
|
2023-09-18 00:24:26 +02:00
|
|
|
|
- match:
|
|
|
|
|
|
any:
|
|
|
|
|
|
- resources:
|
|
|
|
|
|
kinds:
|
|
|
|
|
|
- Pod
|
|
|
|
|
|
name: validate-allowPrivilegeEscalation
|
2019-11-08 20:04:42 -08:00
|
|
|
|
validate:
|
2023-09-18 00:24:26 +02:00
|
|
|
|
message: Privileged mode is not allowed. Set allowPrivilegeEscalation to false
|
2019-12-30 13:53:51 -08:00
|
|
|
|
pattern:
|
|
|
|
|
|
spec:
|
2019-11-08 20:04:42 -08:00
|
|
|
|
containers:
|
2019-12-30 13:53:51 -08:00
|
|
|
|
- securityContext:
|
2019-11-08 20:04:42 -08:00
|
|
|
|
allowPrivilegeEscalation: false
|
2023-09-18 00:24:26 +02:00
|
|
|
|
validationFailureAction: Audit
|
