2019-10-08 21:30:19 -07:00
|
|
|
|
apiVersion: kyverno.io/v1alpha1
|
|
|
|
|
|
kind: ClusterPolicy
|
|
|
|
|
|
metadata:
|
2019-10-08 21:42:49 -07:00
|
|
|
|
name: validate-deny-privileged-priviligedescalation
|
2019-10-11 18:57:16 -07:00
|
|
|
|
annotations:
|
|
|
|
|
|
policies.kyverno.io/category: Security Context
|
2019-10-14 16:33:19 -07:00
|
|
|
|
policies.kyverno.io/description: Privileged containers are defined as any container
|
|
|
|
|
|
where the container uid 0 is mapped to the host’s uid 0. A process within privileged
|
|
|
|
|
|
containers can get unrestricted host access. With 'securityContext.allowPrivilegeEscalation'
|
|
|
|
|
|
enabled a process can gain privileges from its parent. To disallow privileged containers
|
|
|
|
|
|
and the escalation of privileges it is recommended to run pod containers with
|
|
|
|
|
|
'securityContext.priveleged' as 'false' and 'allowPrivilegeEscalation' as 'false'.
|
2019-10-08 21:30:19 -07:00
|
|
|
|
spec:
|
|
|
|
|
|
rules:
|
2019-10-08 21:42:49 -07:00
|
|
|
|
- name: deny-privileged-priviligedescalation
|
2019-10-08 21:30:19 -07:00
|
|
|
|
match:
|
|
|
|
|
|
resources:
|
|
|
|
|
|
kinds:
|
|
|
|
|
|
- Pod
|
|
|
|
|
|
validate:
|
|
|
|
|
|
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
|
|
|
|
|
|
anyPattern:
|
|
|
|
|
|
- spec:
|
|
|
|
|
|
securityContext:
|
|
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
|
|
privileged: false
|
|
|
|
|
|
- spec:
|
|
|
|
|
|
containers:
|
|
|
|
|
|
- name: "*"
|
|
|
|
|
|
securityContext:
|
|
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
|
|
privileged: false
|
