
add policy and test case

This commit is contained in:
Jim Bugwadia 2019-11-01 13:31:08 -07:00
parent 3f865516bb
commit 1323a9a81e
5 changed files with 95 additions and 1 deletions


@ -115,7 +115,10 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
}
func Test_validate_disallow_new_capabilities(t *testing.T) {
testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
}
func Test_validate_disallow_docker_sock_mount(t *testing.T) {
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
}
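Review bot: The new Test_validate_disallow_docker_sock_mount at the bottom of the hunk only exercises the rejecting scenario, whereas the host-filesystem check above it ships both a `_fail` and a `_pass` variant; a pass case (a Pod whose hostPath is not the Docker socket, or one with no volumes) is what would show the rule does not reject every hostPath mount. Consider adding `func Test_validate_disallow_docker_sock_mount_pass(t *testing.T)` that calls `testScenario` with a matching `..._pass.yaml` scenario. Separately, the context line for the new-capabilities test passes `"/test/scenarios/..."` with a leading slash while every other call here is relative; that predates this commit, but if testScenario resolves paths against the project root it is presumably a typo worth fixing alongside.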


@ -0,0 +1,35 @@
# Disallow Docker socket bind mount
The Docker socket bind mount allows access to the
Docker daemon on the node. This access can be used for privilege escalation and
to manage containers outside of Kubernetes, and hence should not be allowed.
## Policy YAML
[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml)
````yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: disallow-docker-sock-mount
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: The Docker socket bind mount allows access to the
Docker daemon on the node. This access can be used for privilege escalation and
to manage containers outside of Kubernetes, and hence should not be allowed.
spec:
rules:
- name: validate-docker-sock-mount
match:
resources:
kinds:
- Pod
validate:
message: "Use of the Docker Unix socket is not allowed"
pattern:
spec:
(volume):
(hostPath):
path: "!/var/run/docker.sock"
````


@ -0,0 +1,23 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: disallow-docker-sock-mount
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: The Docker socket bind mount allows access to the
Docker daemon on the node. This access can be used for privilege escalation and
to manage containers outside of Kubernetes, and hence should not be allowed.
spec:
rules:
- name: validate-docker-sock-mount
match:
resources:
kinds:
- Pod
validate:
message: "Use of the Docker Unix socket is not allowed"
pattern:
spec:
=(volumes):
=(hostPath):
path: "!/var/run/docker.sock"
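Review bot: The pattern at the end of the hunk (`=(volumes):` / `=(hostPath):` / `path: "!/var/run/docker.sock"`) compares the socket path as an exact string, so only that literal spelling is rejected; on most distributions `/var/run` is a symlink to `/run`, and a mount of the parent directory reaches the same socket, so the rule should either list the alias spellings or the description annotation should state that it covers the canonical path only. The README copy of this policy added in the same commit reads `(volume):` and `(hostPath):` — conditional anchors and a singular key that is not a Pod spec field — while the shipped policy uses `=(volumes):`; the two should be kept identical, ideally by generating the README snippet from this file. Finally, `volumes` is a list while the pattern beneath it is a map, so confirm that the failure recorded in the new scenario file comes from the path comparison rather than from a pattern-versus-list type mismatch — its expected message only says the rule failed at '/spec/volumes/', and a passing scenario with a non-socket hostPath would settle this.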


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: pod-with-docker-sock-mount
spec:
containers:
- name: myshell
image: "ubuntu:18.04"
command:
- /bin/sleep
- "300"
volumes:
- name: dockersock
hostPath:
path: /var/run/docker.sock


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: samples/best_practices/disallow_docker_sock_mount.yaml
resource: test/resources/disallow_docker_sock_mount.yaml
expected:
validation:
policyresponse:
policy: disallow-docker-sock-mount
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: pod-with-docker-sock-mount
rules:
- name: validate-docker-sock-mount
type: Validation
message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed
success: false