
update disallow_root_user

This commit is contained in:
Jim Bugwadia 2019-11-08 19:25:43 -08:00
parent 6baa678e27
commit 5ce8fd7a9a
6 changed files with 21 additions and 16 deletions


@ -10,8 +10,8 @@ func Test_Mutate_Validate_qos(t *testing.T) {
testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml") testScenario(t, "/test/scenarios/other/scenario_mutate_validate_qos.yaml")
} }
func Test_validate_deny_runasrootuser(t *testing.T) { func Test_disallow_root_user(t *testing.T) {
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_deny_runasrootuser.yaml") testScenario(t, "test/scenarios/samples/best_practices/disallow_root_user.yaml")
} }
func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) { func Test_validate_disallow_priviledgedprivelegesecalation(t *testing.T) {


@ -10,7 +10,7 @@ This policy matches and mutates pods with `emptyDir` and `hostPath` volumes, to
## Policy YAML ## Policy YAML
[add_safe_to_evict_annotation.yaml](best_practices/add_safe-to-evict_annotation.yaml) [add_safe_to_evict_annotation.yaml](best_practices/add_safe_to_evict.yaml)
````yaml ````yaml
apiVersion: "kyverno.io/v1alpha1" apiVersion: "kyverno.io/v1alpha1"


@ -8,16 +8,22 @@ By default, all processes in a container run as the root user (uid 0). To preven
## Policy YAML ## Policy YAML
[deny_runasrootuser.yaml](best_practices/deny_runasrootuser.yaml) [disallow_root_user.yaml](best_practices/disallow_root_user.yaml)
````yaml ````yaml
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-deny-runasrootuser name: disallow-root-user
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: By default, processes in a container run as a
root user (uid 0). To prevent potential compromise of container hosts, specify a
least privileged user ID when building the container image and require that
application containers run as non root users.
spec: spec:
rules: rules:
- name: deny-runasrootuser - name: validate-runAsNonRoot
match: match:
resources: resources:
kinds: kinds:


@ -36,7 +36,7 @@ The policies are mostly validation rules in `audit` mode i.e. your existing work
These policies are highly recommended. These policies are highly recommended.
1. [Run as non-root user](RunAsNonRootUser.md) 1. [Disallow root user](DisallowRootUser.md)
2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md) 2. [Disable privileged containers and disallow privilege escalation](DisablePrivilegedContainers.md)
3. [Disallow new capabilities](DisallowNewCapabilities.md) 3. [Disallow new capabilities](DisallowNewCapabilities.md)
4. [Require read-only root filesystem](RequireReadOnlyFS.md) 4. [Require read-only root filesystem](RequireReadOnlyFS.md)
@ -52,7 +52,7 @@ These policies are highly recommended.
14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
15. [Default deny all ingress traffic](DefaultDenyAllIngress.md) 15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
16. [Disallow Helm Tiller](DisallowHelmTiller.md) 16. [Disallow Helm Tiller](DisallowHelmTiller.md)
17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](MutateSafeToEvict.md) 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
## Additional Policies ## Additional Policies


@ -1,22 +1,22 @@
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-deny-runasrootuser name: disallow-root-user
annotations: annotations:
policies.kyverno.io/category: Security Context policies.kyverno.io/category: Security
policies.kyverno.io/description: By default, processes in a container run as a policies.kyverno.io/description: By default, processes in a container run as a
root user (uid 0). To prevent potential compromise of container hosts, specify a root user (uid 0). To prevent potential compromise of container hosts, specify a
least privileged user ID when building the container image and require that least privileged user ID when building the container image and require that
application containers run as non root users. application containers run as non root users.
spec: spec:
rules: rules:
- name: deny-runasrootuser - name: validate-runAsNonRoot
match: match:
resources: resources:
kinds: kinds:
- Pod - Pod
validate: validate:
message: "Root user is not allowed. Set runAsNonRoot to true" message: "Running as root user is not allowed. Set runAsNonRoot to true"
anyPattern: anyPattern:
- spec: - spec:
securityContext: securityContext:
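Review bot: Only the opening of the first `anyPattern` entry (`- spec: securityContext:`) is inside the hunk; the rest of the renamed `validate-runAsNonRoot` rule is outside it. If that entry accepts a pod-level `securityContext.runAsNonRoot: true` on its own, a container-level `securityContext.runAsNonRoot: false` takes precedence in Kubernetes and the pod would still satisfy the rule, so it is worth confirming that the patterns also constrain `containers[*].securityContext` or that a later entry covers it. The new message `Running as root user is not allowed. Set runAsNonRoot to true` and the category change to `Security` otherwise read fine.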


@ -1,19 +1,18 @@
# file path relative to project root # file path relative to project root
input: input:
policy: samples/best_practices/deny_runasrootuser.yaml policy: samples/best_practices/disallow_root_user.yaml
resource: test/resources/deny_runasrootuser.yaml resource: test/resources/deny_runasrootuser.yaml
expected: expected:
validation: validation:
policyresponse: policyresponse:
policy: validate-deny-runasrootuser policy: disallow-root-user
resource: resource:
kind: Pod kind: Pod
apiVersion: v1 apiVersion: v1
namespace: '' namespace: ''
name: check-root-user name: check-root-user
rules: rules:
- name: deny-runasrootuser - name: validate-runAsNonRoot
type: Validation type: Validation
message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded."
success: true success: true
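Review bot: The expected `message` for the rule was removed (the old line `message: "Validation rule 'deny-runasrootuser' anyPattern[1] succeeded."` has no replacement; the hunk header's -19 +18 confirms a net deletion) instead of being updated for the renamed rule, so the scenario no longer pins which `anyPattern` entry matched. If the scenario runner compares `message` only when it is present, this silently weakens the check; suggest restoring it as `message: "Validation rule 'validate-runAsNonRoot' anyPattern[1] succeeded."` if that is the text the engine now emits. The `resource:` path on the second line still points at `test/resources/deny_runasrootuser.yaml`, the only `deny_runasrootuser` name left after the rename; fine if the resource file was intentionally kept, otherwise it should follow the policy and scenario to `disallow_root_user`.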