mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 01:16:55 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
Matthias Weilinger bb3e7d9ddc
add allowExistingViolations option in policy chart (#11656) 
Until now it was not possible to set the allowExistingViolations for predefined policies in the policies chart. By default it should be set to , identical to how it is set up in the CRDs. Not only does this now allow users to set the config according to their needs, but this also solves a problem with ArgoCD. As the CRDs set it to true, but the template does not specifically declare the field, ArgoCD falls into a constant sync loop of trying to remove the field.

Signed-off-by: ProbstenHias <matthias.weilinger@gmx.de>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-12-02 09:20:26 +05:30

64 lines
2.8 KiB
YAML
Raw Blame History

{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
{{- with .Values.autogenControllers }}
pod-policies.kyverno.io/autogen-controllers: {{ . }}
{{- end }}
policies.kyverno.io/title: Disallow Host Namespaces
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
spec:
background: {{ .Values.background }}
failurePolicy: {{ .Values.failurePolicy }}
rules:
- name: host-namespaces
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "host-namespaces") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
{{- with index .Values "validationFailureActionByPolicy" $name }}
failureAction: {{ toYaml . }}
{{- else }}
failureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
pattern:
spec:
=(hostPID): "false"
=(hostIPC): "false"
=(hostNetwork): "false"
{{- end }}
View git blame Copy permalink