
fix(policies): Add ability to configure skipBackgroundRequests (#9532)

* fix(policies): Add ability to configure skipBackgroundRequests

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>

* fix: Drop trailing spaces to fix CI

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>

---------

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Marco Maurer (-Kilchhofer) 2024-01-27 18:42:22 +01:00 committed by GitHub
parent 7170cbb0c2
commit 2ee9db072a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 70 additions and 1 deletions


@ -21,4 +21,3 @@ kubeVersion: ">=1.16.0-0"
annotations:
artifacthub.io/operator: "false"
artifacthub.io/prerelease: "false"


@ -79,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
| nameOverride | string | `nil` | Name override. |
| customLabels | object | `{}` | Additional labels. |
| background | bool | `true` | Policies background mode |
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
## Source Code


@ -64,6 +64,9 @@ spec:
operator: NotEquals
value: DELETE
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
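Review bot: The three-line `skipBackgroundRequests` guard inserted just before `validate:` is pasted verbatim into every template touched by this commit (the same block appears in all the later template sections on this page, and twice or three times in the multi-rule policies), so any future change to the condition has to be repeated in roughly twenty places. A named template in the chart's `_helpers.tpl` holding the `if not (quote .Values.skipBackgroundRequests | empty)` guard plus the key would let each rule carry a single `{{- include "kyverno-policies.skipBackgroundRequests" . | nindent 6 }}` line (helper name is a constructed example; use the chart's own prefix, and the `nindent` width has to match the rule's indentation, which the rendered page has dropped). The enclosing rule starts before the hunk and its `validate:` block continues after it, so the field is emitted at rule level, which as far as I can tell is where Kyverno's `rules[].skipBackgroundRequests` belongs.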


@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,


@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.


@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort


@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,


@ -46,6 +46,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged


@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields


@ -46,6 +46,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Setting the SELinux type is restricted. The fields
@ -83,6 +86,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Setting the SELinux user or role is forbidden. The fields


@ -49,6 +49,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Specifying other AppArmor profiles is disallowed. The annotation


@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields


@ -50,6 +50,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Setting additional sysctls above the allowed type is disallowed.


@ -48,6 +48,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Running with root group IDs is disallowed. The fields
@ -92,6 +95,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field
@ -111,6 +117,9 @@ spec:
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Containers cannot run with a root primary or supplementary GID. The field


@ -65,6 +65,9 @@ spec:
operator: NotEquals
value: DELETE
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Containers must drop `ALL` capabilities.
@ -107,6 +110,9 @@ spec:
operator: NotEquals
value: DELETE
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Any capabilities added other than NET_BIND_SERVICE are disallowed.


@ -46,6 +46,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Privilege escalation is disallowed. The fields


@ -46,6 +46,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Running as root is not allowed. The fields spec.securityContext.runAsUser,


@ -47,6 +47,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot


@ -49,6 +49,9 @@ spec:
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Use of custom Seccomp profiles is disallowed. The fields


@ -66,6 +66,9 @@ spec:
operator: NotEquals
value: DELETE
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
message: >-
Only the following types of volumes may be used: configMap, csi, downwardAPI,


@ -101,6 +101,9 @@ customLabels: {}
# -- Policies background mode
background: true
# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller
skipBackgroundRequests: ~
# -- Kyverno version
# The default of "autodetect" will try to determine the currently installed version from the deployment
kyvernoVersion: autodetect
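Review bot: The new `# -- (bool) SkipBackgroundRequests …` comment above `skipBackgroundRequests: ~` does not say what leaving the value at `~` does (the templates omit the key entirely, so Kyverno's own default for the field applies — `true`, i.e. skip, as far as I recall; confirm against the CRD) nor which setting is the stricter one. The README row earlier on this page looks helm-docs generated from this comment, so I would extend the comment here and regenerate rather than edit the README by hand: `# Leave unset (~) to omit the field and inherit Kyverno's default; set to false to also apply these` / `# rules to admission requests made by the background controller, which is the stricter setting.`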