mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/samples/DisallowPrivilegedContainers.md
Shuting Zhao 051eba058f update api in samples/
2019-11-13 13:56:20 -08:00

50 lines
1.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Diallow privileged containers
Privileged containers are defined as any container where the container uid 0 is mapped to the hosts uid 0. A process within a privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation` enabled, a process can gain privileges from its parent.
To disallow privileged containers and privilege escalation, run pod containers with `securityContext.privileged` set to `false` and `securityContext.allowPrivilegeEscalation` set to `false`.
## Policy YAML
[disallow_privileged.yaml](best_practices/disallow_privileged.yaml)
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-privileged
spec:
rules:
- name: validate-privileged
match:
resources:
kinds:
- Pod
validate:
message: "Privileged mode is not allowed. Set privileged to false"
anyPattern:
- spec:
securityContext:
privileged: false
- spec:
containers:
- name: "*"
securityContext:
privileged: false
- name: validate-allowPrivilegeEscalation
match:
resources:
kinds:
- Pod
validate:
message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
anyPattern:
- spec:
securityContext:
allowPrivilegeEscalation: false
- spec:
containers:
- name: "*"
securityContext:
allowPrivilegeEscalation: false
````
View git blame Copy permalink