mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
51 lines
1.2 KiB
YAML
51 lines
1.2 KiB
YAML
apiVersion: kyverno.io/v1alpha1
|
|
kind: Policy
|
|
metadata:
|
|
name: check-container-security-context
|
|
spec:
|
|
validationFailureAction: "audit"
|
|
rules:
|
|
- name: check-root-user
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Root user is not allowed. Set runAsNonRoot to true."
|
|
anyPattern:
|
|
- spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
# pattern:
|
|
# spec:
|
|
# containers:
|
|
# - name: "*"
|
|
# securityContext:
|
|
# runAsNonRoot: true
|
|
- name: check-privilege
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Privileged mode is not allowed. Set allowPrivilegeEscalatin and privileged to false"
|
|
anyPattern:
|
|
- spec:
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
privileged: false
|
|
# pattern:
|
|
# spec:
|
|
# containers:
|
|
# - name: "*"
|
|
# securityContext:
|
|
# allowPrivilegeEscalation: false
|
|
# privileged: false
|