mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 01:16:55 +00:00
Code Activity
kyverno/samples/DisablePrivilegedContainers.md
Jim Bugwadia 9bbcbb29af reorganize samples
2019-10-23 14:45:27 -07:00

1.3 KiB
Raw Blame History

Disable privileged containers

Privileged containers are defined as any container where the container uid 0 is mapped to the hosts uid 0. A process within privileged containers can get unrestricted host access. With securityContext.allowPrivilegeEscalation enabled a process can gain privileges from its parent.

To disallow privileged containers and the escalation of privileges it is recommended to run pod containers with securityContext.priveleged as false and allowPrivilegeEscalation as false.

Policy YAML

disallow_priviledged_priviligedescalation.yaml

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-deny-privileged-priviligedescalation
spec:
  rules:
  - name: deny-privileged-priviligedescalation
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false"
      anyPattern:
      - spec:
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
      - spec:
          containers:
          - name: "*"
            securityContext:
              allowPrivilegeEscalation: false
              privileged: false