mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
Disable privileged containers
Privileged containers are defined as any container where the container uid 0 is mapped to the host's uid 0. A process within a privileged container can get unrestricted host access. With securityContext.allowPrivilegeEscalation enabled, a process can gain more privileges than its parent process.
To disallow privileged containers and privilege escalation, it is recommended to run pod containers with securityContext.privileged set to false and allowPrivilegeEscalation set to false.
Policy YAML
disallow_priviledged_priviligedescalation.yaml
```yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-deny-privileged-priviligedescalation
spec:
  rules:
    - name: deny-privileged-priviligedescalation
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
        anyPattern:
          - spec:
              securityContext:
                allowPrivilegeEscalation: false
                privileged: false
          - spec:
              containers:
                - name: "*"
                  securityContext:
                    allowPrivilegeEscalation: false
                    privileged: false
```
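To see how the two anyPattern entries above behave against concrete pod specs, here is an added, stand-alone simulation of the rule's matching logic; it is not Kyverno's engine or the project's code, and `matches`, `validate_pod`, `_container` and the sample pods are hypothetical, constructed for this illustration. It deliberately includes a pod whose only privileged container is an initContainer, which this policy (matching `spec.containers` only) admits.

```python
from typing import Any

# The two anyPattern entries from the policy above, as Python dicts.
ANY_PATTERN = [
    {"spec": {"securityContext": {"allowPrivilegeEscalation": False, "privileged": False}}},
    {"spec": {"containers": [{"name": "*", "securityContext": {
        "allowPrivilegeEscalation": False, "privileged": False}}]}},
]
MESSAGE = "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"

def matches(resource: Any, pattern: Any) -> bool:
    """Simplified, hypothetical subset match in the spirit of Kyverno patterns:
    every key of a pattern map must exist in the resource with a matching value,
    every element of a resource list must match the (single) pattern element,
    and the string "*" matches any value. A missing key fails the pattern."""
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            key in resource and matches(resource[key], sub) for key, sub in pattern.items())
    if isinstance(pattern, list):
        return isinstance(resource, list) and bool(resource) and all(
            matches(item, pattern[0]) for item in resource)
    return pattern == "*" or resource == pattern

def validate_pod(pod: dict) -> tuple[bool, str]:
    """Admit when at least one anyPattern entry matches; otherwise return the policy message."""
    if any(matches(pod, pat) for pat in ANY_PATTERN):
        return True, ""
    return False, MESSAGE

def _container(name: str, **sc: bool) -> dict:
    """Build a constructed container entry; keyword args become its securityContext."""
    container = {"name": name, "image": "example/image"}
    if sc:
        container["securityContext"] = sc
    return container

# Constructed sample pods (not from the page).
COMPLIANT = {"spec": {"containers": [
    _container("app", privileged=False, allowPrivilegeEscalation=False)]}}
PRIVILEGED = {"spec": {"containers": [
    _container("app", privileged=False, allowPrivilegeEscalation=False),
    _container("sidecar", privileged=True, allowPrivilegeEscalation=True)]}}
UNSET = {"spec": {"containers": [_container("app")]}}  # fields absent -> denied
INIT_ONLY = {"spec": {"initContainers": [_container("setup", privileged=True)],
                      "containers": [_container("app", privileged=False,
                                                allowPrivilegeEscalation=False)]}}

if __name__ == "__main__":
    for label, pod in [("compliant", COMPLIANT), ("privileged", PRIVILEGED),
                       ("unset", UNSET), ("init-only", INIT_ONLY)]:
        print(label, validate_pod(pod))
```

Note that a container with no securityContext at all is denied, since a pattern field that is absent from the resource does not match; the first anyPattern entry can only be satisfied by a pod-level securityContext that carries those two fields.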