mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
49 lines
No EOL
1.2 KiB
Markdown
49 lines
No EOL
1.2 KiB
Markdown
# Check userID, groupIP & fsgroup
|
|
|
|
All processes inside the pod can be made to run with specific user and groupID by setting `runAsUser` and `runAsGroup` respectively. `fsGroup` can be specified to make sure any file created in the volume with have the specified groupID. These options can be used to validate the IDs used for user and group.
|
|
|
|
## Policy YAML
|
|
|
|
[policy_validate_user_group_fsgroup_id.yaml](more/restrict_usergroup_fsgroup_id.yaml)
|
|
|
|
````yaml
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: validate-userid-groupid-fsgroup
|
|
spec:
|
|
rules:
|
|
- name: validate-userid
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "User ID should be 1000"
|
|
pattern:
|
|
spec:
|
|
securityContext:
|
|
runAsUser: '1000'
|
|
- name: validate-groupid
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Group ID should be 3000"
|
|
pattern:
|
|
spec:
|
|
securityContext:
|
|
runAsGroup: '3000'
|
|
- name: validate-fsgroup
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "fsgroup should be 2000"
|
|
pattern:
|
|
spec:
|
|
securityContext:
|
|
fsGroup: '2000'
|
|
```` |