2019-11-13 13:56:20 -08:00
|
|
|
|
apiVersion: kyverno.io/v1
|
2019-11-08 20:04:42 -08:00
|
|
|
|
kind: ClusterPolicy
|
|
|
|
|
|
metadata:
|
|
|
|
|
|
name: disallow-privileged
|
2019-11-08 20:08:23 -08:00
|
|
|
|
annotations:
|
|
|
|
|
|
policies.kyverno.io/category: Security
|
|
|
|
|
|
policies.kyverno.io/description: Privileged containers are defined as any
|
|
|
|
|
|
container where the container uid 0 is mapped to the host’s uid 0.
|
|
|
|
|
|
A process within a privileged container can get unrestricted host access.
|
|
|
|
|
|
With `securityContext.allowPrivilegeEscalation` enabled, a process can
|
|
|
|
|
|
gain privileges from its parent.
|
2019-11-08 20:04:42 -08:00
|
|
|
|
spec:
|
|
|
|
|
|
rules:
|
|
|
|
|
|
- name: validate-privileged
|
|
|
|
|
|
match:
|
|
|
|
|
|
resources:
|
|
|
|
|
|
kinds:
|
|
|
|
|
|
- Pod
|
|
|
|
|
|
validate:
|
|
|
|
|
|
message: "Privileged mode is not allowed. Set privileged to false"
|
|
|
|
|
|
anyPattern:
|
|
|
|
|
|
- spec:
|
|
|
|
|
|
securityContext:
|
|
|
|
|
|
privileged: false
|
|
|
|
|
|
- spec:
|
|
|
|
|
|
containers:
|
|
|
|
|
|
- name: "*"
|
|
|
|
|
|
securityContext:
|
|
|
|
|
|
privileged: false
|
|
|
|
|
|
- name: validate-allowPrivilegeEscalation
|
|
|
|
|
|
match:
|
|
|
|
|
|
resources:
|
|
|
|
|
|
kinds:
|
|
|
|
|
|
- Pod
|
|
|
|
|
|
validate:
|
|
|
|
|
|
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
|
|
|
|
|
|
anyPattern:
|
|
|
|
|
|
- spec:
|
|
|
|
|
|
securityContext:
|
|
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
|
|
- spec:
|
|
|
|
|
|
containers:
|
|
|
|
|
|
- name: "*"
|
|
|
|
|
|
securityContext:
|
|
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
|
|
|
