mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00
This commit is contained in:
Jim Bugwadia 2020-06-26 18:28:52 -07:00 committed by GitHub
parent ec7969df31
commit 87cdf80e09
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 12 deletions


@ -3,7 +3,7 @@
Linux allows defining fine-grained permissions using
capabilities. With Kubernetes, it is possible to add capabilities that escalate the
level of kernel access and allow other potentially dangerous behaviors. This policy
enforces that pods cannot add new capabilities. Other policies can be used to set
enforces that containers cannot add new capabilities. Other policies can be used to set
default capabilities.
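Review bot: the wording change from "pods" to "containers" in this README sentence matches the same edit to the `policies.kyverno.io/description` annotation in the policy file, so the two copies of the description stay in sync; since the rule still matches on `- Pod` while validating per container, consider saying explicitly that the policy applies to the containers of matched pods so readers do not expect a pod-level field to be checked.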
## Policy YAML
@ -24,11 +24,7 @@ spec:
- Pod
validate:
message: "New capabilities cannot be added"
anyPattern:
- spec:
=(securityContext):
=(capabilities):
X(add): null
pattern:
- spec:
containers:
- name: "*"
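Review bot: the replacement `pattern` block only descends into `spec.containers` (`containers: - name: "*"`), so init containers are not covered by this rule; if the intent is that no container in the pod may add capabilities, an `initContainers` entry with the same `=(securityContext)` / `=(capabilities)` / `X(add): null` conditions is needed as well. Also double-check the indentation under `pattern:`: as rendered here it is followed by `- spec:`, which is the list form used by `anyPattern`, whereas `pattern` takes a single object (`spec:` without the leading dash).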


@ -7,7 +7,7 @@ metadata:
policies.kyverno.io/description: Linux allows defining fine-grained permissions using
capabilities. With Kubernetes, it is possible to add capabilities that escalate the
level of kernel access and allow other potentially dangerous behaviors. This policy
enforces that pods cannot add new capabilities. Other policies can be used to set
enforces that containers cannot add new capabilities. Other policies can be used to set
default capabilities.
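Review bot: this annotation value is a multi-line plain scalar, so the line break after "enforces that containers cannot add new capabilities." is folded into a space when the manifest is parsed; the edited text is identical to the README copy, which is the right outcome, but keep the two files changed together in future edits so the rendered description and the `kubectl describe` output do not drift apart.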
spec:
rules:
@ -18,11 +18,7 @@ spec:
- Pod
validate:
message: "New capabilities cannot be added"
anyPattern:
- spec:
=(securityContext):
=(capabilities):
X(add): null
pattern:
- spec:
containers:
- name: "*"
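Review bot: this is the enforced copy of the rule (the README block above is documentation), so the same gap applies: only `spec.containers` is walked by the `pattern`, leaving `initContainers` unvalidated. Since the change drops the `anyPattern` that previously checked a pod-level `=(securityContext)` in favour of a single container-level `pattern`, add a sample resource pair (one pod with a container that sets `securityContext.capabilities.add`, one without) to the test fixtures so the narrowed rule is exercised on both the pass and fail paths.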