mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/test/best_practices/disallow_privileged.yaml
Charles-Edouard Brétéché 7562bea6db
chore: apply policy fixes (#8427)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-09-17 22:24:26 +00:00

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Privileged containers are defined as any container
      where the container uid 0 is mapped to the hosts uid 0. A process within a
      privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation`
      enabled, a process can gain privileges from its parent.
  name: disallow-privileged
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-privileged
    validate:
      message: Privileged mode is not allowed. Set privileged to false
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(privileged): false
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-allowPrivilegeEscalation
    validate:
      message: Privileged mode is not allowed. Set allowPrivilegeEscalation to false
      pattern:
        spec:
          containers:
          - securityContext:
              allowPrivilegeEscalation: false
  validationFailureAction: Audit
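The two rules above behave differently on a container that omits the field: the first uses Kyverno's `=()` conditional anchor (key optional, value checked only if present), while the second requires `allowPrivilegeEscalation: false` outright. The evaluator below is an added example, not code from the Kyverno project, that reproduces exactly that distinction over constructed sample Pods; like the policy's pattern it only inspects `spec.containers`, and note that with `validationFailureAction: Audit` Kyverno reports violations rather than blocking admission.

```python
# Added example, not Kyverno project code: a minimal evaluator for the two rules of
# disallow-privileged, showing how the "=(key)" conditional anchor (key optional,
# value checked only if present) differs from a plain required key.
# The Pod manifests in SAMPLE_PODS are constructed input, not real workloads.
from typing import Any

def check_privileged(pod: dict[str, Any]) -> list[str]:
    """validate-privileged: both securityContext and privileged are anchored
    with =(), so a container that omits them passes; only privileged set to
    something other than false is a violation."""
    out = []
    for c in pod.get("spec", {}).get("containers", []):
        sc = c.get("securityContext")
        if sc is not None and "privileged" in sc and sc["privileged"] is not False:
            out.append(f"{c['name']}: Privileged mode is not allowed. Set privileged to false")
    return out

def check_allow_privilege_escalation(pod: dict[str, Any]) -> list[str]:
    """validate-allowPrivilegeEscalation: no anchor, so securityContext must
    exist and allowPrivilegeEscalation must be present and equal to false;
    omitting the field is itself a violation."""
    out = []
    for c in pod.get("spec", {}).get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{c['name']}: Privileged mode is not allowed. "
                       "Set allowPrivilegeEscalation to false")
    return out

def evaluate(pod: dict[str, Any]) -> list[str]:
    """Run both rules, as the policy does, and return every violation message.
    Like the policy's pattern, only spec.containers is inspected (not initContainers)."""
    return check_privileged(pod) + check_allow_privilege_escalation(pod)

def _pod(*containers: dict[str, Any]) -> dict[str, Any]:
    return {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": list(containers)}}

# Constructed sample Pods covering the three interesting cases.
SAMPLE_PODS = {
    # Passes both rules: privileged omitted (allowed by =()), escalation disabled.
    "compliant": _pod({"name": "app", "securityContext": {"allowPrivilegeEscalation": False}}),
    # Passes rule 1 (securityContext optional) but fails rule 2 (field required).
    "no-securitycontext": _pod({"name": "app"}),
    # Fails both rules: explicit privileged: true and no allowPrivilegeEscalation.
    "privileged": _pod({"name": "app", "securityContext": {"privileged": True}}),
}

if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(name, evaluate(pod) or "OK")
```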