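---
# Kyverno ValidatingPolicy fixture. Everything under `status.autogen` appears to
# be generated from a Pod-level policy for the pod controllers named in each
# rule's matchConstraints (Deployments, CronJobs); only the `object.` path
# prefix differs between the two rules.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-privilege-escalation
status:
  autogen:
    rules:
      # Deployments (apps/v1): pod template is addressed as spec.template.
      - matchConditions:
          # Scoping: the rule is only evaluated when the pod-template label
          # prod == 'true' is present; unlabelled Deployments fall outside it.
          - expression: >-
              has(object.spec.template.metadata.labels)
              && has(object.spec.template.metadata.labels.prod)
              && object.spec.template.metadata.labels.prod == 'true'
            name: check-prod-label
        matchConstraints:
          resourceRules:
            - apiGroups:
                - apps
              apiVersions:
                - v1
              operations:
                - CREATE
                - UPDATE
              resources:
                - deployments
        validations:
          # Fail-closed: the has() guards make a missing securityContext or an
          # unset allowPrivilegeEscalation count as a violation, not as compliant.
          # NOTE(review): only `.containers` is inspected; initContainers and
          # ephemeralContainers are not referenced by this expression — confirm
          # that is intended.
          - expression: >-
              object.spec.template.spec.containers.all(container,
              has(container.securityContext)
              && has(container.securityContext.allowPrivilegeEscalation)
              && container.securityContext.allowPrivilegeEscalation == false)
            message: >-
              Privilege escalation is disallowed. The field
              spec.containers[*].securityContext.allowPrivilegeEscalation
              must be set to `false`.
      # CronJobs (batch/v1).
      # NOTE(review): the prefix below repeats `spec.template`
      # (`jobTemplate.spec.template.spec.template`); a CronJob's pod template
      # is normally at spec.jobTemplate.spec.template. If the doubled segment is
      # not the intended autogen output, has() is false on every real CronJob,
      # the matchCondition never holds and the rule silently never applies —
      # confirm against the generator.
      - matchConditions:
          - expression: >-
              has(object.spec.jobTemplate.spec.template.spec.template.metadata.labels)
              && has(object.spec.jobTemplate.spec.template.spec.template.metadata.labels.prod)
              && object.spec.jobTemplate.spec.template.spec.template.metadata.labels.prod
              == 'true'
            name: check-prod-label
        matchConstraints:
          resourceRules:
            - apiGroups:
                - batch
              apiVersions:
                - v1
              operations:
                - CREATE
                - UPDATE
              resources:
                - cronjobs
        validations:
          # Same fail-closed shape as the Deployment rule; again only
          # `.containers` is covered.
          - expression: >-
              object.spec.jobTemplate.spec.template.spec.template.spec.containers.all(container,
              has(container.securityContext)
              && has(container.securityContext.allowPrivilegeEscalation)
              && container.securityContext.allowPrivilegeEscalation == false)
            # Same wording as the Deployment rule's message.
            message: >-
              Privilege escalation is disallowed. The field
              spec.containers[*].securityContext.allowPrivilegeEscalation
              must be set to `false`.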