mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-05 07:26:55 +00:00
fix: use failureAction and failureActionOverrides in validate rules (#10941)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy
GitHub
parent
8e35198c28
commit
d9b975129c
19 changed files with 181 additions and 144 deletions
|
|
@ -21,3 +21,8 @@ kubeVersion: ">=1.25.0-0"
|
|||
annotations:
|
||||
artifacthub.io/operator: "false"
|
||||
artifacthub.io/prerelease: "false"
|
||||
artifacthub.io/changes: |
|
||||
- kind: removed
|
||||
description: Remove spec.validationFailureAction field from policies as it is deprecated
|
||||
- kind: added
|
||||
description: Add spec.validate[*].failureAction field to policies
|
||||
|
|
|
|||
|
|
@ -22,14 +22,6 @@ metadata:
|
|||
Adding capabilities beyond those listed in the policy must be disallowed.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -68,6 +60,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
|
||||
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
|
||||
|
|
|
|||
|
|
@ -23,14 +23,6 @@ metadata:
|
|||
fields which make use of these host namespaces are unset or set to `false`.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -52,6 +44,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
||||
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
||||
|
|
|
|||
|
|
@ -22,14 +22,6 @@ metadata:
|
|||
and should not be allowed. This policy ensures no hostPath volumes are in use.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -51,6 +43,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
|
||||
pattern:
|
||||
|
|
|
|||
|
|
@ -22,14 +22,6 @@ metadata:
|
|||
field is unset or set to `0`.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -51,6 +43,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
|
||||
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
|
||||
|
|
|
|||
|
|
@ -23,14 +23,6 @@ metadata:
|
|||
the `hostProcess` field, if present, is set to `false`.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -52,6 +44,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
|
||||
spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
|
||||
|
|
|
|||
|
|
@ -21,14 +21,6 @@ metadata:
|
|||
ensures Pods do not call for privileged mode.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -50,6 +42,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
|
||||
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
|
||||
|
|
|
|||
|
|
@ -23,14 +23,6 @@ metadata:
|
|||
server.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -52,6 +44,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Changing the proc mount from the default is not allowed. The fields
|
||||
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
|
||||
|
|
|
|||
|
|
@ -21,14 +21,6 @@ metadata:
|
|||
ensures that the `seLinuxOptions` field is undefined.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -50,6 +42,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Setting the SELinux type is restricted. The fields
|
||||
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
|
||||
|
|
@ -90,6 +90,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Setting the SELinux user or role is forbidden. The fields
|
||||
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
|
||||
|
|
|
|||
|
|
@ -24,14 +24,6 @@ metadata:
|
|||
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -53,6 +45,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Specifying other AppArmor profiles is disallowed. The annotation
|
||||
`container.apparmor.security.beta.kubernetes.io` if defined
|
||||
|
|
|
|||
|
|
@ -23,14 +23,6 @@ metadata:
|
|||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
background: {{ .Values.background }}
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
- name: check-seccomp
|
||||
|
|
@ -51,6 +43,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Use of custom Seccomp profiles is disallowed. The fields
|
||||
spec.securityContext.seccompProfile.type,
|
||||
|
|
|
|||
|
|
@ -25,14 +25,6 @@ metadata:
|
|||
a Pod.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -54,6 +46,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Setting additional sysctls above the allowed type is disallowed.
|
||||
The field spec.securityContext.sysctls must be unset or not use any other names
|
||||
|
|
|
|||
|
|
@ -23,14 +23,6 @@ metadata:
|
|||
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -52,6 +44,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Running with root group IDs is disallowed. The fields
|
||||
spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
|
||||
|
|
@ -99,6 +99,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Containers cannot run with a root primary or supplementary GID. The field
|
||||
spec.securityContext.supplementalGroups must be unset or
|
||||
|
|
@ -121,6 +129,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Containers cannot run with a root primary or supplementary GID. The field
|
||||
spec.securityContext.fsGroup must be unset or set to a value greater than zero.
|
||||
|
|
|
|||
|
|
@ -23,14 +23,6 @@ metadata:
|
|||
all containers must explicitly drop `ALL` capabilities.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -69,6 +61,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Containers must drop `ALL` capabilities.
|
||||
foreach:
|
||||
|
|
@ -114,6 +114,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Any capabilities added other than NET_BIND_SERVICE are disallowed.
|
||||
foreach:
|
||||
|
|
|
|||
|
|
@ -21,14 +21,6 @@ metadata:
|
|||
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -50,6 +42,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Privilege escalation is disallowed. The fields
|
||||
spec.containers[*].securityContext.allowPrivilegeEscalation,
|
||||
|
|
|
|||
|
|
@ -21,14 +21,6 @@ metadata:
|
|||
`runAsUser` is either unset or set to a number greater than zero.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -50,6 +42,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Running as root is not allowed. The fields spec.securityContext.runAsUser,
|
||||
spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
|
||||
|
|
|
|||
|
|
@ -22,14 +22,6 @@ metadata:
|
|||
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -51,6 +43,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
|
||||
must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
|
||||
|
|
|
|||
|
|
@ -24,14 +24,6 @@ metadata:
|
|||
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -53,6 +45,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Use of custom Seccomp profiles is disallowed. The fields
|
||||
spec.securityContext.seccompProfile.type,
|
||||
|
|
|
|||
|
|
@ -24,14 +24,6 @@ metadata:
|
|||
This policy blocks any other type of volume other than those in the allow list.
|
||||
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
|
||||
spec:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
validationFailureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
validationFailureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
background: {{ .Values.background }}
|
||||
failurePolicy: {{ .Values.failurePolicy }}
|
||||
rules:
|
||||
|
|
@ -70,6 +62,14 @@ spec:
|
|||
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
|
||||
{{- end }}
|
||||
validate:
|
||||
{{- with index .Values "validationFailureActionByPolicy" $name }}
|
||||
failureAction: {{ toYaml . }}
|
||||
{{- else }}
|
||||
failureAction: {{ .Values.validationFailureAction }}
|
||||
{{- end }}
|
||||
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
|
||||
failureActionOverrides: {{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
message: >-
|
||||
Only the following types of volumes may be used: configMap, csi, downwardAPI,
|
||||
emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue