2023-09-17 22:24:26 +00:00
|
|
|
---
|
2019-12-10 17:51:15 +00:00
|
|
|
apiVersion: kyverno.io/v1
|
|
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
|
|
|
|
annotations:
|
|
|
|
|
policies.kyverno.io/category: Security Context
|
2023-09-17 22:24:26 +00:00
|
|
|
policies.kyverno.io/description: All processes inside the pod can be made to run
|
|
|
|
|
with specific user and groupID by setting 'runAsUser' and 'runAsGroup' respectively.
|
|
|
|
|
'fsGroup' can be specified to make sure any file created in the volume with
|
|
|
|
|
have the specified groupID. These options can be used to validate the IDs used
|
|
|
|
|
for user and group.
|
|
|
|
|
name: validate-userid-groupid-fsgroup
|
2019-12-10 17:51:15 +00:00
|
|
|
spec:
|
2023-09-17 22:24:26 +00:00
|
|
|
admission: true
|
|
|
|
|
background: true
|
2019-12-10 17:51:15 +00:00
|
|
|
rules:
|
2023-09-17 22:24:26 +00:00
|
|
|
- match:
|
|
|
|
|
any:
|
|
|
|
|
- resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
name: validate-userid
|
2019-12-10 17:51:15 +00:00
|
|
|
validate:
|
2023-09-17 22:24:26 +00:00
|
|
|
message: User ID should be 1000
|
2019-12-10 17:51:15 +00:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
securityContext:
|
2023-09-17 22:24:26 +00:00
|
|
|
runAsUser: "1000"
|
|
|
|
|
- match:
|
|
|
|
|
any:
|
|
|
|
|
- resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
name: validate-groupid
|
2019-12-10 17:51:15 +00:00
|
|
|
validate:
|
2023-09-17 22:24:26 +00:00
|
|
|
message: Group ID should be 3000
|
2019-12-10 17:51:15 +00:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
securityContext:
|
2023-09-17 22:24:26 +00:00
|
|
|
runAsGroup: "3000"
|
|
|
|
|
- match:
|
|
|
|
|
any:
|
|
|
|
|
- resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
name: validate-fsgroup
|
2019-12-10 17:51:15 +00:00
|
|
|
validate:
|
2023-09-17 22:24:26 +00:00
|
|
|
message: fsgroup should be 2000
|
2019-12-10 17:51:15 +00:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
securityContext:
|
2023-09-17 22:24:26 +00:00
|
|
|
fsGroup: "2000"
|
|
|
|
|
validationFailureAction: Audit
|
