mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 01:46:55 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
treydock 4e0d8ca612
Update kyverno-policies chart with latest pod-security policies (#3126) 
* Update kyverno-policies chart with latest pod-security policies
Fixes #3063
Fixes #2277

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update README to have better example

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use chart testing during e2e to test against ci values

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix e2e tests for Helm chart

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix Kyverno chart testing to actually test values, and fix networkpolicy template

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update README for exclusion

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Allow adding 'other' policies via Helm

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update Chart.yaml for kyverno-policies

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Bump minimum Kubernetes version in charts

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Update kyverno-policies chart readme

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use version that should catch all pre-releases

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use version that should catch all pre-releases (part 2)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use same logic to get git tag by using Makefile target for updating Helm values

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-02-04 14:47:36 +08:00

58 lines
2 KiB
YAML
Raw Blame History

{{- $name := "disallow-capabilities" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
{{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow Capabilities
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
kyverno.io/kyverno-version: 1.6.0
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
rules:
- name: adding-capabilities
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
are disallowed.
deny:
conditions:
all:
- key: "{{`{{ request.object.spec.[ephemeralContainers, initContainers, containers][].securityContext.capabilities.add[] }}`}}"
operator: AnyNotIn
value:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
{{- end }}
View git blame Copy permalink