mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
treydock 871d8ed3ca
Add policyKind option to kyverno-policies chart (#8827) 
Fixes #4317 #8568

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
2023-11-16 17:32:38 +08:00

61 lines
2.5 KiB
YAML
Raw Blame History

{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
{{- with .Values.autogenControllers }}
pod-policies.kyverno.io/autogen-controllers: {{ . }}
{{- end }}
policies.kyverno.io/title: Restrict AppArmor
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod, Annotation
policies.kyverno.io/minversion: 1.3.0
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict
overrides to an allowed set of profiles. This policy ensures Pods do not
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
background: {{ .Values.background }}
failurePolicy: {{ .Values.failurePolicy }}
rules:
- name: app-armor
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Specifying other AppArmor profiles is disallowed. The annotation
`container.apparmor.security.beta.kubernetes.io` if defined
must not be set to anything other than `runtime/default` or `localhost/*`.
pattern:
=(metadata):
=(annotations):
=(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
{{- end }}
View git blame Copy permalink