
add anchors for omitempty tag

This commit is contained in:
Shuting Zhao 2019-12-30 13:53:51 -08:00
parent 56c03f712a
commit d33a89cc0f
2 changed files with 14 additions and 17 deletions


@ -10,6 +10,7 @@ metadata:
With `securityContext.allowPrivilegeEscalation` enabled, a process can
gain privileges from its parent.
spec:
validationFailureAction: enforce
rules:
- name: validate-privileged
match:
@ -18,15 +19,13 @@ spec:
- Pod
validate:
message: "Privileged mode is not allowed. Set privileged to false"
anyPattern:
- spec:
securityContext:
privileged: false
- spec:
pattern:
spec:
containers:
- name: "*"
securityContext:
privileged: false
- =(securityContext):
# https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5707-L5711
# k8s default to false
=(privileged): false
- name: validate-allowPrivilegeEscalation
match:
resources:
@ -34,13 +33,10 @@ spec:
- Pod
validate:
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
anyPattern:
- spec:
securityContext:
allowPrivilegeEscalation: false
- spec:
pattern:
spec:
containers:
- name: "*"
securityContext:
- securityContext:
# https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5754
allowPrivilegeEscalation: false
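Review bot: Both rewritten patterns in this file (the `pattern: spec: containers:` blocks, which appear to be the new side) match only `spec.containers`, so an init container that sets `privileged: true` or `allowPrivilegeEscalation: true` is never examined by either rule; if the policy is meant to cover the whole pod, the same `- name: "*"` entry should be repeated under `=(initContainers):`. The asymmetry between the two rules deserves a comment, because it is the point of the commit: `=(privileged): false` under `=(securityContext)` lets a container that omits the field pass since the API defaults it to false, while the second rule requires `securityContext.allowPrivilegeEscalation: false` to be present explicitly, presumably because that field has no safe default — the existing comment at the types.go link could become `# no conditional anchor: this field must be set explicitly, the API does not default it to false`. The comment `# k8s default to false` reads better as `# k8s defaults to false`. Both rules start above the hunk, so the `match` blocks are not visible here.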


@ -20,9 +20,10 @@ spec:
anyPattern:
- spec:
securityContext:
# https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L3165
runAsNonRoot: true
- spec:
containers:
- name: "*"
securityContext:
- securityContext:
# https://github.com/kubernetes/api/blob/7dc09db16fb8ff2eee16c65dc066c85ab3abb7ce/core/v1/types.go#L5742
runAsNonRoot: true
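Review bot: The pod-level alternative of this `anyPattern` (`spec.securityContext.runAsNonRoot: true`) satisfies the rule on its own, so a pod that sets it and then overrides it with `runAsNonRoot: false` in one container's `securityContext` still passes, even though the container-level value is the effective one for that container. If that is not intended, the pod-level alternative should additionally constrain the containers, e.g. with `=(securityContext): =(runAsNonRoot): true` under `- name: "*"`, or be dropped so the container alternative is the only one. As in the privileged/allowPrivilegeEscalation file, `initContainers` are not matched by either alternative. The rule definition starts above the hunk.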