mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
Marco Kilchhofer 91adf68602
feat(policies chart): Add ability to set autogen behavior (#5517) 
* feat(kyverno-policies): Add ability to set autogen behavior

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* fix(kyverno-policies): Fix missing labels

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* chore: Apply changes from code review

- Update changelog annotations
- Add test

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* Update charts/kyverno-policies/Chart.yaml

Signed-off-by: shuting <shutting06@gmail.com>

* fix: Move test-autogen-none.yaml -> test-autogen-none-values.yaml

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* fix: Run make codegen-helm-all

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
2022-12-01 10:05:56 +00:00

115 lines
4.9 KiB
YAML
Raw Blame History

{{- $name := "disallow-selinux" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
{{- with .Values.autogenControllers }}
pod-policies.kyverno.io/autogen-controllers: {{ . }}
{{- end }}
policies.kyverno.io/title: Disallow SELinux
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
background: {{ .Values.background }}
failurePolicy: {{ .Values.failurePolicy }}
rules:
- name: selinux-type
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "selinux-type") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "selinux-type") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting the SELinux type is restricted. The fields
spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
, spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
pattern:
spec:
=(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
=(ephemeralContainers):
- =(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
=(initContainers):
- =(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
containers:
- =(securityContext):
=(seLinuxOptions):
=(type): "container_t | container_init_t | container_kvm_t"
- name: selinux-user-role
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "selinux-user-role") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with merge (index .Values "policyPreconditions" "selinux-user-role") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Setting the SELinux user or role is forbidden. The fields
spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
must be unset.
pattern:
spec:
=(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
=(ephemeralContainers):
- =(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
=(initContainers):
- =(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
containers:
- =(securityContext):
=(seLinuxOptions):
X(user): "null"
X(role): "null"
{{- end }}
View git blame Copy permalink