mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

update RequireReadOnlyRootFS

Browse source
This commit is contained in:
Jim Bugwadia 2019-11-09 16:18:33 -08:00
parent 121b81a83b
commit fae8ac0325
6 changed files with 33 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
pkg/testrunner/testrunner_test.go
View file

@ -52,8 +52,8 @@ func Test_validate_hostPID_hostIPC(t *testing.T) {
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml") testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml")
} }
func Test_validate_not_readonly_rootfilesystem(t *testing.T) { func Test_validate_ro_rootfs(t *testing.T) {
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml") testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml")
} }
func Test_validate_require_namespace_quota(t *testing.T) { func Test_validate_require_namespace_quota(t *testing.T) {

2
samples/README.md
View file

@ -39,7 +39,7 @@ These policies are highly recommended.
1. [Disallow root user](DisallowRootUser.md) 1. [Disallow root user](DisallowRootUser.md)
2. [Disallow privileged containers](DisallowPrivilegedContainers.md) 2. [Disallow privileged containers](DisallowPrivilegedContainers.md)
3. [Disallow new capabilities](DisallowNewCapabilities.md) 3. [Disallow new capabilities](DisallowNewCapabilities.md)
4. [Require read-only root filesystem](RequireReadOnlyFS.md) 4. [Require read-only root filesystem](RequireReadOnlyRootFS.md)
5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md) 5. [Disallow use of bind mounts (`hostPath` volumes)](DisallowHostFS.md)
6. [Disallow docker socket bind mount](DisallowDockerSockMount.md) 6. [Disallow docker socket bind mount](DisallowDockerSockMount.md)
7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md) 7. [Disallow `hostNetwork` and `hostPort`](DisallowHostNetworkPort.md)

14
samples/RequireReadOnlyFS.md → samples/RequireReadOnlyRootFS.md
View file

@ -4,23 +4,29 @@ A read-only root file system helps to enforce an immutable infrastructure strate
## Policy YAML ## Policy YAML
[require_readonly_rootfilesystem.yaml](best_practices/require_readonly_rootfilesystem.yaml) [require_ro_rootfs.yaml](best_practices/require_ro_rootfs.yaml)
````yaml ````yaml
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-readonly-rootfilesystem name: require-ro-rootfs
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
infrastructure strategy; the container only needs to write on the mounted volume that p
ersists the state. An immutable root filesystem can also prevent malicious binaries from
writing to the host system.
spec: spec:
rules: rules:
- name: validate-readonly-rootfilesystem - name: validate-readOnlyRootFilesystem
match: match:
resources: resources:
kinds: kinds:
- Pod - Pod
validate: validate:
message: "Container require read-only rootfilesystem" message: "Root filesystem must be read-only"
pattern: pattern:
spec: spec:
containers: containers:

6
samples/best_practices/require_readonly_rootfilesystem.yaml → samples/best_practices/require_ro_rootfs.yaml
View file

@ -1,7 +1,7 @@
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: validate-readonly-rootfilesystem name: require-ro-rootfs
annotations: annotations:
policies.kyverno.io/category: Security Context policies.kyverno.io/category: Security Context
policies.kyverno.io/description: A read-only root file system helps to enforce an immutable policies.kyverno.io/description: A read-only root file system helps to enforce an immutable
@ -10,13 +10,13 @@ metadata:
writing to the host system. writing to the host system.
spec: spec:
rules: rules:
- name: validate-readonly-rootfilesystem - name: validate-readOnlyRootFilesystem
match: match:
resources: resources:
kinds: kinds:
- Pod - Pod
validate: validate:
message: "Container require read-only rootfilesystem" message: "Root filesystem must be read-only"
pattern: pattern:
spec: spec:
containers: containers:

17
test/scenarios/samples/best_practices/require_ro_rootfs.yaml Normal file
View file

@ -0,0 +1,17 @@
# file path relative to project root
input:
policy: samples/best_practices/require_ro_rootfs.yaml
resource: test/resources/require_readonly_rootfilesystem.yaml
expected:
validation:
policyresponse:
policy: require-ro-rootfs
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: "ghost-with-readonly-rootfilesystem"
rules:
- name: validate-readOnlyRootFilesystem
type: Validation
success: false

18
test/scenarios/samples/best_practices/scenario_validate_require_readonly_rootfilesystem.yaml
View file

@ -1,18 +0,0 @@
# file path relative to project root
input:
policy: samples/best_practices/require_readonly_rootfilesystem.yaml
resource: test/resources/require_readonly_rootfilesystem.yaml
expected:
validation:
policyresponse:
policy: validate-readonly-rootfilesystem
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: "ghost-with-readonly-rootfilesystem"
rules:
- name: validate-readonly-rootfilesystem
type: Validation
message: "Validation error: Container require read-only rootfilesystem\nValidation rule 'validate-readonly-rootfilesystem' failed at path '/spec/containers/0/securityContext/readOnlyRootFilesystem/'."
success: false