# Check userID, groupID & fsGroup
All processes inside the pod can be made to run with a specific user ID and group ID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified to make sure any file created in a volume will have the specified group ID. The policy below validates the IDs set for these three options, so that a Pod whose `securityContext` omits one of them, or sets a different value, is rejected.
## Policy YAML
[policy_validate_user_group_fsgroup_id.yaml](more/restrict_usergroup_fsgroup_id.yaml)
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-userid-groupid-fsgroup
spec:
  rules:
  - name: validate-userid
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "User ID should be 1000"
      pattern:
        spec:
          securityContext:
            runAsUser: '1000'
  - name: validate-groupid
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Group ID should be 3000"
      pattern:
        spec:
          securityContext:
            runAsGroup: '3000'
  - name: validate-fsgroup
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "fsgroup should be 2000"
      pattern:
        spec:
          securityContext:
            fsGroup: '2000'
````
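To see which Pods the three rules admit and which they reject before installing the policy, the following added example (not Kyverno code, and not part of the original sample) re-implements the rules' pattern semantics in plain Python and runs them over constructed Pod manifests. It assumes two behaviours of Kyverno's `validate.pattern` that matter here: a field missing from the resource fails the pattern just as a wrong value does, and a quoted pattern value such as `'1000'` is compared against the Pod's integer by its text. The Pod manifests, rule table and `check_pod` function are all constructed for the example.

```python
"""Model of the validate-userid / validate-groupid / validate-fsgroup rules
(constructed example, not the Kyverno engine)."""

# One entry per rule in the ClusterPolicy: (rule name, securityContext field,
# expected value as written in the pattern, message returned on violation).
RULES = [
    ("validate-userid", "runAsUser", "1000", "User ID should be 1000"),
    ("validate-groupid", "runAsGroup", "3000", "Group ID should be 3000"),
    ("validate-fsgroup", "fsGroup", "2000", "fsgroup should be 2000"),
]


def check_pod(pod: dict) -> list[str]:
    """Return the message of every rule the Pod violates; [] means admitted.

    Mirrors the pattern semantics assumed in the lead-in: an absent field is a
    violation, and the integer in the Pod is compared to the quoted pattern
    value by its string form, so runAsUser: 1000 satisfies runAsUser: '1000'.
    """
    if pod.get("kind") != "Pod":
        return []  # every rule's match block selects kind: Pod only
    ctx = pod.get("spec", {}).get("securityContext") or {}
    violations = []
    for _rule, field, expected, message in RULES:
        actual = ctx.get(field)
        if actual is None or str(actual) != expected:
            violations.append(message)
    return violations


# Constructed manifests: one that satisfies all three rules, one running as
# root without an fsGroup, and one with no securityContext at all.
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "compliant"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
    },
}

ROOT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "runs-as-root"},
    "spec": {
        "securityContext": {"runAsUser": 0, "runAsGroup": 3000},
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}],
    },
}

NO_CONTEXT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "no-security-context"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]},
}


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, ROOT_POD, NO_CONTEXT_POD):
        result = check_pod(pod) or ["admitted"]
        print(pod["metadata"]["name"], "->", "; ".join(result))
```

Each rule is independent, so a Pod that breaks more than one of them collects one message per failing rule, which is what the policy's three separate `validate` blocks produce as well.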