mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 00:17:13 +00:00
Code Activity
kyverno/samples/more/policy_validate_container_capabilities.yaml
Shuting Zhao c6d5ec7575 Merge commit '82647670a54ead965c8cb964f3063409d0826070' into 337_policy_description 
# Conflicts:
#	pkg/testrunner/testrunner_test.go
#	samples/README.md
#	samples/best_practices/policy_validate_deny_runasrootuser.yaml
#	test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
2019-10-15 12:27:22 -07:00

24 lines
746 B
YAML
Raw Blame History

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-container-capablities
annotations:
policies.kyverno.io/category: Security Context
policies.kyverno.io/description: Linux divides the privileges traditionally associated with
superuser into distinct units, known as capabilities, which can be independently enabled
or disabled by listing them in 'securityContext.capabilites'.
spec:
rules:
- name: validate-container-capablities
match:
resources:
kinds:
- Pod
validate:
message: "Allow certain linux capability"
pattern:
spec:
containers:
- securityContext:
capabilities:
add: ["NET_ADMIN"]
View git blame Copy permalink