mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 08:26:53 +00:00
kyverno/samples/best_practices/disallow_priviledged_priviligedescalation.yaml
2019-10-14 16:33:19 -07:00

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-deny-privileged-priviligedescalation
  annotations:
    policies.kyverno.io/category: Security Context
    policies.kyverno.io/description: Privileged containers are defined as any container
      where the container uid 0 is mapped to the host's uid 0. A process within privileged
      containers can get unrestricted host access. With 'securityContext.allowPrivilegeEscalation'
      enabled a process can gain privileges from its parent. To disallow privileged containers
      and the escalation of privileges it is recommended to run pod containers with
      'securityContext.privileged' as 'false' and 'allowPrivilegeEscalation' as 'false'.
spec:
  rules:
  - name: deny-privileged-priviligedescalation
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
      anyPattern:
      - spec:
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
      - spec:
          containers:
          - name: "*"
            securityContext:
              allowPrivilegeEscalation: false
              privileged: false
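The policy above expresses its intent as Kyverno patterns; the following is an added, stand-alone audit in Python (not code from the Kyverno project) that applies the same two checks to a parsed Pod manifest so the effect of the rule can be seen outside a cluster. It walks every container and initContainer and reports each one that does not explicitly set both `privileged: false` and `allowPrivilegeEscalation: false`, treating an absent field as a violation just as the pattern does. The manifests and container names in it are constructed samples, and `audit_pod` is a helper name chosen here.

```python
# Added example, not part of the Kyverno repository: audit a Pod manifest
# (already parsed into a dict, as the API server would present it) for the
# two securityContext settings the ClusterPolicy above requires.

from typing import Dict, List


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per container field that violates the policy intent.

    Both fields must be present and false. An unset allowPrivilegeEscalation
    is reported too: when it is left unset the kubelet does not set
    no_new_privs on the container process, so escalation stays possible,
    and the Kyverno pattern above likewise requires the explicit value.
    """
    spec = pod.get("spec", {})
    findings: List[str] = []
    # initContainers run before the app containers and are just as capable
    # of abusing privilege, so audit both sections.
    for section in ("initContainers", "containers"):
        for container in spec.get(section, []):
            name = container.get("name", "<unnamed>")
            sc = container.get("securityContext") or {}
            if sc.get("privileged") is not False:
                findings.append(f"{section}/{name}: privileged must be explicitly false")
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(
                    f"{section}/{name}: allowPrivilegeEscalation must be explicitly false"
                )
    return findings


# Constructed sample manifests (assumptions for this example, not from the page).
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "nginx",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                },
            }
        ]
    },
}

PRIVILEGED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "containers": [
            {
                "name": "shell",
                "image": "busybox",
                # privileged: true and allowPrivilegeEscalation left unset
                "securityContext": {"privileged": True},
            }
        ]
    },
}

UNSET_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "batch"},
    "spec": {
        # no securityContext at all on the init container
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {
                "name": "app",
                "image": "nginx",
                # only one of the two required fields is set
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}


if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD),
                       ("privileged", PRIVILEGED_POD),
                       ("unset", UNSET_POD)):
        print(label, audit_pod(pod) or "OK")
```

Running the block prints `OK` for the compliant manifest, two findings for the privileged one (the explicit `privileged: true` and the missing `allowPrivilegeEscalation`), and three for the third (both fields on the init container, `privileged` on the app container). The audit is stricter than the first `anyPattern` branch in the policy, which looks for the fields at the Pod-level `spec.securityContext`; the Kubernetes PodSecurityContext has no `privileged` or `allowPrivilegeEscalation` fields, so in practice it is the second, per-container branch that admits compliant Pods.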