kyverno/test/more/restrict_usergroup_fsgroup_id.yaml
---
# Test fixture: one ClusterPolicy with three validate rules that pin the
# pod-level runAsUser, runAsGroup and fsGroup values on Pods.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-userid-groupid-fsgroup
  annotations:
    policies.kyverno.io/category: Security Context
    # Folded scalar: the line breaks below collapse to single spaces and no
    # trailing newline is kept, so the annotation value is one line of text.
    # NOTE(review): "with have" reads as a typo for "will have"; the text is
    # data (shown in reports), so it is reproduced unchanged here.
    policies.kyverno.io/description: >-
      All processes inside the pod can be made to run
      with specific user and groupID by setting 'runAsUser' and 'runAsGroup' respectively.
      'fsGroup' can be specified to make sure any file created in the volume with
      have the specified groupID. These options can be used to validate the IDs used
      for user and group.
spec:
  # Audit records violations in the policy report without rejecting the
  # admission request; Enforce would be needed to actually block the Pod.
  validationFailureAction: Audit
  # Evaluate at admission time and also scan already-existing Pods.
  admission: true
  background: true
  # NOTE(review): every rule below inspects only the pod-level securityContext.
  # runAsUser/runAsGroup can be overridden per container
  # (containers[].securityContext), which these patterns do not look at;
  # fsGroup is a pod-level field only. A Pod that omits the field is also
  # reported, since a plain pattern key is required unless anchored otherwise.
  rules:
    - name: validate-userid
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'User ID should be 1000'
        pattern:
          spec:
            securityContext:
              # Quoted so YAML keeps a string; Kyverno matches it against the
              # numeric field in the Pod spec.
              runAsUser: '1000'

    - name: validate-groupid
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Group ID should be 3000'
        pattern:
          spec:
            securityContext:
              runAsGroup: '3000'

    - name: validate-fsgroup
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'fsgroup should be 2000'
        pattern:
          spec:
            securityContext:
              fsGroup: '2000'