mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 17:37:12 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
treydock 4e0d8ca612
Update kyverno-policies chart with latest pod-security policies (#3126) 
* Update kyverno-policies chart with latest pod-security policies
Fixes #3063
Fixes #2277

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update README to have better example

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use chart testing during e2e to test against ci values

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix e2e tests for Helm chart

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix Kyverno chart testing to actually test values, and fix networkpolicy template

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update README for exclusion

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Allow adding 'other' policies via Helm

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update Chart.yaml for kyverno-policies

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Bump minimum Kubernetes version in charts

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update kyverno-policies chart readme

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use version that should catch all pre-releases

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use version that should catch all pre-releases (part 2)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use same logic to get git tag by using Makefile target for updating Helm values

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-02-04 14:47:36 +08:00

48 lines
1.7 KiB
YAML
Raw Blame History

{{- $name := "disallow-privileged-containers" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Privileged Containers
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: privileged-containers
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(privileged): "false"
=(initContainers):
- =(securityContext):
=(privileged): "false"
containers:
- =(securityContext):
=(privileged): "false"
{{- end }}
View git blame Copy permalink