2019-10-08 22:05:15 -07:00
|
|
|
apiVersion: kyverno.io/v1alpha1
|
|
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
2019-10-08 22:09:58 -07:00
|
|
|
name: validate-readonly-rootfilesystem
|
2019-10-11 18:57:16 -07:00
|
|
|
annotations:
|
|
|
|
|
policies.kyverno.io/category: Security Context
|
2019-10-14 16:33:19 -07:00
|
|
|
policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
|
|
|
|
|
infrastructure strategy; the container only needs to write on the mounted volume that p
|
|
|
|
|
ersists the state. An immutable root filesystem can also prevent malicious binaries from
|
|
|
|
|
writing to the host system.
|
2019-10-08 22:05:15 -07:00
|
|
|
spec:
|
|
|
|
|
rules:
|
2019-10-08 22:09:58 -07:00
|
|
|
- name: validate-readonly-rootfilesystem
|
2019-10-08 22:05:15 -07:00
|
|
|
match:
|
|
|
|
|
resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
validate:
|
2019-10-08 22:09:58 -07:00
|
|
|
message: "Container require read-only rootfilesystem"
|
2019-10-08 22:05:15 -07:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
- securityContext:
|
2019-10-08 22:09:58 -07:00
|
|
|
readOnlyRootFilesystem: true
|
