Allow setting validationFailureActionOverrides for policies (#3201)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
parent
9661ea8584
commit
3f1a0bfd6c
21 changed files with 78 additions and 0 deletions
|
@ -67,6 +67,7 @@ The following table lists the configurable parameters of the kyverno chart and t
|
|||
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
|
||||
| `policyExclude` | Exclude resources from individual policies | `{}` |
|
||||
| `validationFailureAction` | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |
|
||||
| `validationFailureActionOverrides` | Set validate failure action overrides to either all policies or select policies. See: https://kyverno.io/docs/writing-policies/validate/ | `{}` |
|
||||
|
||||
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
|
||||
|
||||
|
|
|
@ -1,6 +1,15 @@
|
|||
podSecurityStandard: restricted
|
||||
includeOtherPolicies:
|
||||
- require-non-root-groups
|
||||
validationFailureActionOverrides:
|
||||
all:
|
||||
- action: audit
|
||||
namespaces:
|
||||
- ingress-nginx
|
||||
disallow-host-path:
|
||||
- action: audit
|
||||
namespaces:
|
||||
- fluent
|
||||
policyExclude:
|
||||
disallow-host-path:
|
||||
any:
|
||||
|
|
|
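Review bot: The `all` entry here downgrades every policy the chart ships to `audit` for the `ingress-nginx` namespace, which is a much broader exemption than the per-policy `disallow-host-path` entry below it, and nothing in the file says so. A one-line comment above `all:` would make the intent explicit for whoever copies this fixture, e.g. `# 'all' applies to every policy in the chart; prefer per-policy entries for narrow exemptions`. The `policyExclude` mapping continues past the end of this hunk.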
@ -19,6 +19,9 @@ metadata:
|
|||
Adding capabilities beyond those listed in the policy must be disallowed.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: adding-capabilities
|
||||
|
|
|
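Review bot: The `all` operand of `concat` is not guarded the way the per-policy operand is, so when `validationFailureActionOverrides.all` resolves to nil (a values file that sets the map to `null`, or a lookup that misses the `all` key) the render errors instead of falling back to no overrides. Wrapping both lookups the same way keeps the fallback symmetric: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is defined above this hunk, so the values key for a per-policy override has to match whatever that variable holds; a short comment naming it would help chart users.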
@ -20,6 +20,9 @@ metadata:
|
|||
fields which make use of these host namespaces are unset or set to `false`.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: host-namespaces
|
||||
|
|
|
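Review bot: Chart-wide entries from `all` are concatenated ahead of this policy's own entries with no de-duplication, so a namespace listed in both with different actions is emitted twice under `validationFailureActionOverrides`, and which action wins is decided by Kyverno rather than by this template. Since these overrides are the lever that turns `enforce` into `audit` per namespace, a comment above the `with` line would help anyone reading rendered output, e.g. `# chart-wide overrides first, then this policy's own; duplicates are not merged`. The `all` lookup also lacks the `default list` fallback that the `$name` lookup has; `$name` itself is set outside this hunk.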
@ -19,6 +19,9 @@ metadata:
|
|||
and should not be allowed. This policy ensures no hostPath volumes are in use.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: host-path
|
||||
|
|
|
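Review bot: Only the per-policy lookup is wrapped in `default list`; the `all` lookup is passed to `concat` as-is, so a nil there (for example a values override that sets `validationFailureActionOverrides` to `null`) fails the render rather than yielding no overrides. Guarding both operands the same way fixes it: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. This policy is the one the chart's example values exempt by name, so the value of `$name` (defined above this hunk) is what users must match.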
@ -19,6 +19,9 @@ metadata:
|
|||
field is unset or set to `0`.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: host-ports-none
|
||||
|
|
|
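Review bot: The `all` operand to `concat` has no nil fallback while the `$name` operand does, so the template is only safe as long as the default `all: []` survives values merging; a values file setting the whole map to `null` errors at render time. The one-line fix is to wrap the first lookup as well: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is defined outside this hunk.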
@ -20,6 +20,9 @@ metadata:
|
|||
the `hostProcess` field, if present, is set to `false`.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: host-process-containers
|
||||
|
|
|
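Review bot: `concat` receives the raw result of `index .Values "validationFailureActionOverrides" "all"` without the `default list` guard applied to the per-policy lookup, so a nil `all` aborts the render instead of producing no overrides. Applying the same guard to both operands removes the asymmetry: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. Because an override with `action: audit` relaxes an `enforce` policy for the listed namespaces, a comment such as `# per-namespace audit overrides relax enforcement; keep the list minimal` above the `with` line would be worth adding. `$name` is set above this hunk.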
@ -18,6 +18,9 @@ metadata:
|
|||
ensures Pods do not call for privileged mode.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: privileged-containers
|
||||
|
|
|
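Review bot: The `all` lookup is not protected by `default list`, so if it resolves to nil the `concat` call fails the render; the per-policy lookup already handles that case, and the `all` one should match: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. For a privileged-container control in particular, any namespace placed in these overrides runs privileged pods with only an audit record, so the rendered list is worth a reviewer's attention. `$name` is defined earlier in the template, outside this hunk.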
@ -20,6 +20,9 @@ metadata:
|
|||
server.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: check-proc-mount
|
||||
|
|
|
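Review bot: Of the two `concat` operands only the `$name` lookup falls back to an empty list; a nil `all` (values map replaced with `null`, or the `all` key absent after a non-merging override) errors the render. Guard both the same way: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` comes from above this hunk.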
@ -18,6 +18,9 @@ metadata:
|
|||
ensures that the `seLinuxOptions` field is undefined.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: selinux-type
|
||||
|
|
|
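Review bot: The first `concat` operand is unguarded while the second has `default list`, so a nil `validationFailureActionOverrides.all` fails rendering instead of emitting no overrides. Wrap the `all` lookup identically: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. A namespace present in both `all` and the per-policy list is emitted twice, with the chart-wide entry first; the template does not resolve that conflict. `$name` is defined outside this hunk.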
@ -21,6 +21,9 @@ metadata:
|
|||
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: app-armor
|
||||
|
|
|
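Review bot: `concat` is handed the `all` lookup without the `default list` fallback the per-policy lookup gets, so a nil there (for example `validationFailureActionOverrides: null` in a user's values) breaks the render. Make the two operands symmetric: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is assigned above this hunk and is the key users must use in `validationFailureActionOverrides` for this policy.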
@ -20,6 +20,9 @@ metadata:
|
|||
spec:
|
||||
background: true
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- name: check-seccomp
|
||||
match:
|
||||
|
|
|
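Review bot: This template places `background: true` before `validationFailureAction`, whereas the other policy templates in this commit put it after the `validationFailureActionOverrides` block; keeping one order across the chart makes the rendered specs easier to diff. Separately, the `all` operand of `concat` lacks the `default list` guard that the `$name` operand has, so a nil `all` errors the render: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is defined outside this hunk.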
@ -22,6 +22,9 @@ metadata:
|
|||
a Pod.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: check-sysctls
|
||||
|
|
|
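Review bot: The `all` lookup passed to `concat` has no nil fallback, unlike the `$name` lookup beside it, so the render depends on `all` always being a list after values merging. Guarding both keeps a `null` or missing `all` from failing the chart: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is set above this hunk.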
@ -20,6 +20,9 @@ metadata:
|
|||
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: check-runasgroup
|
||||
|
|
|
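Review bot: Only the second `concat` operand is wrapped in `default list`; the `all` operand is passed through as-is, so a nil value there aborts rendering rather than producing no overrides. The symmetric form is `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name`, which the per-policy values key must equal, is defined outside this hunk.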
@ -20,6 +20,9 @@ metadata:
|
|||
all containers must explicitly drop `ALL` capabilities.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: require-drop-all
|
||||
|
|
|
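Review bot: The `all` lookup is not guarded by `default list` while the per-policy lookup is, so a nil `validationFailureActionOverrides.all` fails the render instead of falling back to an empty list. Wrap both operands the same way: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. A comment above the `with` line stating that chart-wide entries are emitted before this policy's own entries would also help readers of rendered output. `$name` is defined above this hunk.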
@ -18,6 +18,9 @@ metadata:
|
|||
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: privilege-escalation
|
||||
|
|
|
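Review bot: `concat` gets the raw `all` lookup with no fallback while the `$name` lookup has `default list`, so a nil `all` errors at render time. The fix is the same guard on both: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is set outside this hunk.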
@ -18,6 +18,9 @@ metadata:
|
|||
`runAsUser` is either unset or set to a number greater than zero.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: run-as-non-root-user
|
||||
|
|
|
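Review bot: The `all` operand of `concat` lacks the `default list` fallback given to the per-policy operand, so the template only renders when `all` is a list after values merging; a `null` override breaks it. Guard both lookups: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is defined above this hunk.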
@ -19,6 +19,9 @@ metadata:
|
|||
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: run-as-non-root
|
||||
|
|
|
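Review bot: Only the per-policy lookup has a nil fallback; the `all` lookup is passed to `concat` unguarded, so a nil there fails rendering instead of yielding no overrides. Make the two symmetric: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is assigned outside this hunk and is what a per-policy values key must match.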
@ -22,6 +22,9 @@ metadata:
|
|||
spec:
|
||||
background: true
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- name: check-seccomp-strict
|
||||
match:
|
||||
|
|
|
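Review bot: As in the other seccomp template, `background: true` sits before `validationFailureAction` here while the remaining templates in this commit place it after the overrides block; one ordering across the chart would make rendered policies easier to compare. The `all` operand of `concat` also lacks the `default list` guard the `$name` operand has, so a nil `all` errors the render: `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is defined outside this hunk.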
@ -21,6 +21,9 @@ metadata:
|
|||
This policy blocks any other type of volume other than those in the allow list.
|
||||
spec:
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: true
|
||||
rules:
|
||||
- name: restricted-volumes
|
||||
|
|
|
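Review bot: The `all` lookup handed to `concat` has no `default list` fallback, unlike the per-policy lookup next to it, so a nil `all` (for instance a values file that replaces the map with `null`) fails the render rather than emitting no overrides. The one-line fix is `{{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}`. `$name` is defined above this hunk.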
@ -13,6 +13,20 @@ includeOtherPolicies: []
|
|||
# Supported values- `audit`, `enforce`
|
||||
# For more info- https://kyverno.io/docs/writing-policies/validate/
|
||||
validationFailureAction: audit
|
||||
# Define validationFailureActionOverrides for specific policies.
|
||||
# The overrides for 'all' will apply to all policies
|
||||
# Eg:
|
||||
# validationFailureActionOverrides:
|
||||
# all:
|
||||
# - action: audit
|
||||
# namespaces:
|
||||
# - ingress-nginx
|
||||
# disallow-host-path:
|
||||
# - action: audit
|
||||
# namespaces:
|
||||
# - fluent
|
||||
validationFailureActionOverrides:
|
||||
all: []
|
||||
# Exclude resources from individual policies
|
||||
# Eg:
|
||||
# policyExclude:
|
||||
|
|
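Review bot: The new comment block explains `all` but not two things a chart user needs: that a per-policy key must equal the policy's name as used by the templates (the example uses `disallow-host-path`), and that the templates rely on `all` being a list, so replacing `validationFailureActionOverrides` wholesale with `null` in an override file will break rendering. I would add above `validationFailureActionOverrides:` the lines `# Keys other than 'all' must match the policy name exactly.` and `# Keep 'all' as a list (possibly empty); do not set this map to null.`. It is also worth stating that an `audit` override exempts the listed namespaces from enforcement, e.g. `# An 'audit' override disables blocking for those namespaces; keep it minimal.`. The `policyExclude` example continues past the end of this hunk.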