---
# ValidatingWebhookConfiguration that routes admission requests for Pods and
# the workload controllers listed under `rules` to the Kyverno admission
# service. This object only decides WHICH requests reach Kyverno; the
# allow/deny decision itself is made by the policy served at the path below.
# The `webhook.kyverno.io/managed-by: kyverno` label marks it as
# Kyverno-managed — presumably reconciled by the Kyverno controller, so hand
# edits are likely to be overwritten; confirm before editing in place.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: kyverno-resource-validating-webhook-cfg
  labels:
    webhook.kyverno.io/managed-by: kyverno
webhooks:
  - name: vpol.validate.kyverno.svc-fail-finegrained-disallow-privilege-escalation
    admissionReviewVersions:
      - v1
    # In-cluster target: the kyverno-svc Service in the kyverno namespace over
    # HTTPS. The path encodes the policy being served (vpol, fail-closed,
    # finegrained, disallow-privilege-escalation). No caBundle is set in this
    # file — presumably injected at runtime by Kyverno; confirm, since without
    # it the API server cannot verify the webhook server's certificate.
    clientConfig:
      service:
        name: kyverno-svc
        namespace: kyverno
        path: /policies/vpol/validate/fail/finegrained/disallow-privilege-escalation
        port: 443
    # Fail-closed: if the service is unreachable, returns an error, or does
    # not answer within timeoutSeconds, the matching request is rejected.
    # Together with the empty selectors below (no namespace or object
    # restriction), an outage of the webhook can block creation/update of the
    # matched resources cluster-wide, including in the kyverno namespace.
    failurePolicy: Fail
    # Dry-run requests are still forwarded; the webhook declares it causes no
    # side effects for them.
    sideEffects: NoneOnDryRun
    timeoutSeconds: 10
    # Equivalent: a request that modifies one of the resources in `rules` via
    # another API group/version is also sent to the webhook.
    matchPolicy: Equivalent
    # `{}` selects everything — no namespace or object is exempted here.
    namespaceSelector: {}
    objectSelector: {}
    # CEL pre-filters evaluated by the API server; the request is forwarded
    # only when every expression is true. Each one has the shape
    # `!(kind == X) || <prod label check>`, so it is vacuously true for other
    # kinds and gates only the kind it names. The has() guards avoid a
    # missing-field evaluation error when the labels map is absent; an
    # evaluation error falls under failurePolicy and would reject the request.
    # NOTE(review): none of the expressions names kind Job, although batch/v1
    # jobs are matched under `rules`, so Jobs are forwarded regardless of the
    # prod label — looks unintentional given the other autogen entries; confirm
    # against the source policy.
    matchConditions:
      # Pods: the label is read directly from the object's own metadata.
      - name: check-prod-label
        expression: >-
          !(object.kind == 'Pod')
          || has(object.metadata.labels)
          && has(object.metadata.labels.prod)
          && object.metadata.labels.prod == 'true'
      # Pod-template controllers (apps/v1): the label is read from the pod
      # template, not from the controller's own metadata.
      - name: autogen-check-prod-label
        expression: >-
          !(object.kind =='Deployment'
          || object.kind =='ReplicaSet'
          || object.kind =='StatefulSet'
          || object.kind =='DaemonSet')
          || has(object.spec.template.metadata.labels)
          && has(object.spec.template.metadata.labels.prod)
          && object.spec.template.metadata.labels.prod == 'true'
      # CronJobs: one level deeper, via the job template's pod template.
      - name: autogen-cronjobs-check-prod-label
        expression: >-
          !(object.kind =='CronJob')
          || has(object.spec.jobTemplate.spec.template.metadata.labels)
          && has(object.spec.jobTemplate.spec.template.metadata.labels.prod)
          && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true'
    # Resources intercepted on CREATE and UPDATE. `scope: '*'` matches both
    # cluster- and namespace-scoped requests; it is quoted because a bare `*`
    # would be read as a YAML alias.
    rules:
      # Core group (the empty string) — Pods.
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
        scope: '*'
      # apps/v1 pod-template controllers.
      - apiGroups:
          - apps
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - daemonsets
          - deployments
          - replicasets
          - statefulsets
        scope: '*'
      # batch/v1 Jobs — see the NOTE on matchConditions above.
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - jobs
        scope: '*'
      # batch/v1 CronJobs.
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - cronjobs
        scope: '*'