mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

add disallow_priviledged_privelegesecalation.yaml

Browse source
This commit is contained in:
Shuting Zhao 2019-10-08 21:42:49 -07:00
parent 8f8bd05106
commit 0c0a9a69a6
6 changed files with 23 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/testrunner/testrunner_test.go
View file

@ -23,7 +23,7 @@ func Test_validate_deny_runasrootuser(t *testing.T) {
} }
func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) { func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_container_disallow_priviledgedprivelegesecalation.yaml") testScenario(t, "test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml")
} }
func Test_validate_healthChecks(t *testing.T) { func Test_validate_healthChecks(t *testing.T) {

2
samples/README.md
View file

@ -2,7 +2,7 @@
| Best practice | Policy | Best practice | Policy
|------------------------------------------------|-----------------------------------------------------------------------| |------------------------------------------------|-----------------------------------------------------------------------|
| Run as non-root user | [policy_validate_deny_runasrootuser.yaml](best_practices/policy_validate_deny_runasrootuser.yaml) | | Run as non-root user | [deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml) |

4
samples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml → samples/best_practices/disallow_priviledged_priviligedescalation.yaml
View file

@ -1,11 +1,11 @@
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-deny-privileged-disallowpriviligedescalation name: validate-deny-privileged-priviligedescalation
spec: spec:
validationFailureAction: "audit" validationFailureAction: "audit"
rules: rules:
- name: deny-privileged-disallowpriviligedescalation - name: deny-privileged-priviligedescalation
exclude: exclude:
match: match:
resources: resources:

0
examples/best_practices/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml → test/manifest/disallow_priviledged_priviligedescalation.yaml
View file

19
test/scenarios/test/scenario_validate_container_disallow_priviledgedprivelegesecalation.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_container_disallow_priviledgedprivelegesecalation.yaml
resource: examples/best_practices/resources/resource_validate_container_disallow_priviledgedprivelegesecalation.yaml
expected:
validation:
policyresponse:
policy: validate-deny-privileged-disallowpriviligedescalation
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: check-privileged-cfg
rules:
- name: deny-privileged-disallowpriviligedescalation
type: Validation
message: "Validation rule 'deny-privileged-disallowpriviligedescalation' failed to validate patterns defined in anyPattern. Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/"
success: false

19
test/scenarios/test/scenario_validate_disallow_priviledged_privelegesecalation.yaml Normal file
View file

@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: samples/best_practices/disallow_priviledged_priviligedescalation.yaml
resource: test/manifest/disallow_priviledged_priviligedescalation.yaml
expected:
validation:
policyresponse:
policy: validate-deny-privileged-priviligedescalation
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: check-privileged-cfg
rules:
- name: deny-privileged-priviligedescalation
type: Validation
message: "Validation rule 'deny-privileged-priviligedescalation' failed to validate patterns defined in anyPattern. Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false; anyPattern[0] failed at path /spec/securityContext/; anyPattern[1] failed at path /spec/containers/0/securityContext/allowPrivilegeEscalation/"
success: false