mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

disallow automountServiceAccountToken

Browse source
This commit is contained in:
Shuting Zhao 2019-10-10 12:29:48 -07:00
parent b7f1d82dfc
commit 24f3b8ac96
7 changed files with 57 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
examples/best_practices/README.md
View file

@ -3,6 +3,7 @@
| Best practice | Policy | scenario| | Best practice | Policy | scenario|
|------------------------------------------------|------------------------------------|---------------------| |------------------------------------------------|------------------------------------|---------------------|
| Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) | best_practices | | Run as non-root user | [policy_validate_deny_runasrootuser.yaml](policy_validate_deny_runasrootuser.yaml) | best_practices |
| Disallow automount api credentials | []() | best_practices |
| Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) | best_practices | | Disallow privileged and privilege escalation | [policy_validate_container_disallow_priviledgedprivelegesecalation.yaml](policy_validate_container_disallow_priviledgedprivelegesecalation.yaml) | best_practices |
| Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) | best_practices | | Disallow use of host networking and ports | [policy_validate_host_network_port.yaml](policy_validate_host_network_port.yaml) | best_practices |
| Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) | | Disallow use of host filesystem | [policy_validate_host_path.yaml](policy_validate_host_path.yaml) |

4
pkg/testrunner/testrunner_test.go
View file

@ -76,8 +76,8 @@ func Test_validate_require_image_tag_not_latest_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml") testScenario(t, "test/scenarios/test/scenario_valiadate_require_image_tag_not_latest_pass.yaml")
} }
func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) { func Test_validate_disallow_automoutingapicred_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml") testScenario(t, "test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml")
} }
func Test_validate_disallow_default_namespace(t *testing.T) { func Test_validate_disallow_default_namespace(t *testing.T) {

7
samples/README.md
View file

@ -19,6 +19,13 @@ By default, processes in a container run as a root user (uid 0). To prevent comp
* [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) * [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
## Disallow automounte API credentials
One can access the API from inside a pod using automatically mounted service account credentials by default. To restrict access, opt out of automounting API credentials for any pod by setting `automountServiceAccountToken` to `false`.
***Policy YAML***: [disallow_automountingapicred.yaml](best_practices/disallow_automountingapicred.yaml)
## Disallow use of default namespace ## Disallow use of default namespace
Namespaces are a way to divide cluster resources between multiple users. When multiple users or teams are sharing a single cluster, it is recommended to isolate different workloads and aviod using default namespace. Namespaces are a way to divide cluster resources between multiple users. When multiple users or teams are sharing a single cluster, it is recommended to isolate different workloads and aviod using default namespace.

17
samples/best_practices/disallow_automountingapicred.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-disallow-automoutingapicred
spec:
rules:
- name: disallow-automoutingapicred
match:
resources:
kinds:
- Pod
validate:
message: "Deny automounting API credentials"
pattern:
spec:
=(serviceAccountName): "*"
automountServiceAccountToken: false

12
test/manifest/disallow_automountingapicred.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
serviceAccountName: default
automountServiceAccountToken: false
containers:
- name: nginx
image: nginx

19
test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
View file

@ -1,19 +0,0 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
resource: examples/best_practices/resources/resource_mutate_pod_disable_automountingapicred.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
policyresponse:
policy: mutate-pod-disable-automoutingapicred
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: pod-disable-automoutingapicred
type: Mutation
message: "succesfully process overlay"
success: true

18
test/scenarios/test/scenario_validate_disallow_automountingapicred.yaml Normal file
View file

@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: samples/best_practices/disallow_automountingapicred.yaml
resource: test/manifest/disallow_automountingapicred.yaml
expected:
validation:
policyresponse:
policy: validate-disallow-automoutingapicred
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: disallow-automoutingapicred
type: Validation
message: Validation rule 'disallow-automoutingapicred' succesfully validated
success: true