mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 09:26:54 +00:00
Code Activity
kyverno/samples/best_practices/disallow_priviledged_priviligedescalation.yaml

30 lines
1.2 KiB
YAML
Raw Normal View History

add samples/best_practices/deny_runasrootuser.yaml
2019-10-08 21:30:19 -07:00
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
add disallow_priviledged_privelegesecalation.yaml
2019-10-08 21:42:49 -07:00
name: validate-deny-privileged-priviligedescalation
Provide descriptions for policies
2019-10-11 18:57:16 -07:00
annotations:
policies.kyverno.io/category: Security Context
update description
2019-10-14 13:58:47 -07:00
policies.kyverno.io/description: |
Privileged containers are defined as any container where the container uid 0 is mapped to the hosts uid 0. A process within privileged containers can get unrestricted host access. With 'securityContext.allowPrivilegeEscalation' enabled a process can gain privileges from its parent.
To disallow privileged containers and the escalation of privileges it is recommended to run pod containers with 'securityContext.priveleged' as 'false' and 'allowPrivilegeEscalation' as 'false'.
add samples/best_practices/deny_runasrootuser.yaml
2019-10-08 21:30:19 -07:00
spec:
rules:
add disallow_priviledged_privelegesecalation.yaml
2019-10-08 21:42:49 -07:00
- name: deny-privileged-priviligedescalation
add samples/best_practices/deny_runasrootuser.yaml
2019-10-08 21:30:19 -07:00
match:
resources:
kinds:
- Pod
validate:
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
anyPattern:
- spec:
securityContext:
allowPrivilegeEscalation: false
privileged: false
- spec:
containers:
- name: "*"
securityContext:
allowPrivilegeEscalation: false
privileged: false
Copy permalink