* remove sample Dir and remove testcases from test_runner Signed-off-by: vyankatesh <vyankatesh@neualto.com> * change git URL for test Signed-off-by: vyankatesh <vyankatesh@neualto.com> * fix fmt issue Signed-off-by: vyankatesh <vyankatesh@neualto.com> * remove unused policy and test yamls Signed-off-by: vyankatesh <vyankatesh@neualto.com> * fix yaml path issue Signed-off-by: vyankatesh <vyankatesh@neualto.com> Co-authored-by: vyankatesh <vyankatesh@neualto.com>
---
# Kyverno ClusterPolicy "disallow-privileged": two validation rules that
# target Pod resources cluster-wide — one for securityContext.privileged,
# one for securityContext.allowPrivilegeEscalation.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged
  annotations:
    policies.kyverno.io/category: Security
    # Folded block scalar: line breaks become single spaces and no trailing
    # newline is kept, so the stored annotation is one line of text.
    policies.kyverno.io/description: >-
      Privileged containers are defined as any
      container where the container uid 0 is mapped to the host’s uid 0.
      A process within a privileged container can get unrestricted host access.
      With `securityContext.allowPrivilegeEscalation` enabled, a process can
      gain privileges from its parent.
spec:
  # audit: violations are only reported; the Pod is still admitted. Use
  # enforce to reject non-compliant Pods at admission time.
  validationFailureAction: audit
  rules:
    # Rule 1: when a container sets securityContext.privileged it must be
    # false. The =() conditional anchors make the check apply only if the
    # key exists, so a container without a securityContext (or without a
    # privileged field) passes — consistent with the Kubernetes default of
    # privileged=false.
    - name: validate-privileged
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: 'Privileged mode is not allowed. Set privileged to false'
        pattern:
          spec:
            # Only spec.containers is constrained by this pattern;
            # initContainers and ephemeralContainers are not examined.
            containers:
              - =(securityContext):
                  =(privileged): false
    # Rule 2: every container must set securityContext.allowPrivilegeEscalation
    # to false explicitly. There is no conditional anchor here, so a container
    # that omits securityContext (or the field) fails this rule.
    - name: validate-allowPrivilegeEscalation
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: 'Privileged mode is not allowed. Set allowPrivilegeEscalation to false'
        pattern:
          spec:
            # As in rule 1, only spec.containers is checked.
            containers:
              - securityContext:
                  allowPrivilegeEscalation: false