mirror of https://github.com/kyverno/kyverno.git synced 2025-04-08 10:04:25 +00:00

update description for samples/more/

This commit is contained in:
Shuting Zhao 2019-10-14 14:06:39 -07:00
parent 31437c107b
commit 3a8ff5ec6a
3 changed files with 6 additions and 3 deletions

View file

@ -4,7 +4,8 @@ metadata:
name: validate-container-capablities
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: The capabilities to add/drop when running containers
policies.kyverno.io/description: |
Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled or disabled by listing them in 'securityContext.capabilites'.
spec:
validationFailureAction: "audit"
rules:
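Review bot: the new description misspells the field as `securityContext.capabilites`; the Kubernetes field is `securityContext.capabilities` (with `add`/`drop` lists), and a reader will copy the annotation text when looking up the field. The replacement text also explains what capabilities are but no longer says what this rule checks, which the old one-liner at least hinted at ("The capabilities to add/drop when running containers"); suggest ending the description with the constraint the rule enforces, e.g. which capabilities must be dropped or are not allowed to be added. The rule name `validate-container-capablities` in the unchanged context carries the same typo, so it may be worth fixing in the same change.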

View file

@ -4,7 +4,8 @@ metadata:
name: validate-allow-portrange-with-sysctl
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: The local port range can be used by TCP and UDP is from 1024 to 65535
policies.kyverno.io/description: |
The Sysctl interface allows to modify kernel parameters at runtime and in the pod can be specified under 'securityContext.sysctls'. If kernel parameters in the pod are to be modified, should be handled cautiously, and policy with rules restricting these options will be helpful. We can control minimum and maximum port that a network connection can use as its source(local) port by checking 'net.ipv4.ip_local_port_range'.
spec:
validationFailureAction: "audit"
rules:
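Review bot: the new description drops the concrete bound that the old one stated ("from 1024 to 65535"), so a user reading the annotation no longer learns what range the rule accepts for `net.ipv4.ip_local_port_range`; keep the enforced range in the text. The wording also needs a pass: "allows to modify" should be "allows modifying", "in the pod can be specified" should be "can be set for a pod", and "If kernel parameters in the pod are to be modified, should be handled cautiously" is missing its subject (e.g. "Modifying kernel parameters from a pod should be handled cautiously, and a policy restricting these options helps"). A description that names the field, the risk, and the exact range the rule allows would be clearer than the current paragraph.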

View file

@ -4,7 +4,8 @@ metadata:
name: validate-userid-groupid-fsgroup
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: Set processes to run with specific userID and groupID, and configure new files are owned by 'fsGroup'
policies.kyverno.io/description: |
All processes inside the pod can be made to run with specific user and groupID by setting 'runAsUser' and 'runAsGroup' respectively. 'fsGroup' can be specified to make sure any file created in the volume with have the specified groupID. These options can be used to validate the IDs used for user and group.
spec:
rules:
- name: validate-userid
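Review bot: "with have the specified groupID" should read "will have the specified groupID", and the last sentence is backwards: `runAsUser`, `runAsGroup` and `fsGroup` are the fields being validated, not what does the validating; suggest "This policy validates the user and group IDs set in these fields" and, as with the other two samples, stating what the rule actually requires (that the fields are set, or that they fall within an allowed range). Unlike the other two files in this commit, this policy's `spec` has no `validationFailureAction`, so whether a violation blocks or only audits depends on the default; setting it explicitly would make the sample self-describing.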