kyverno/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
treydock 3f1a0bfd6c
Allow setting validationFailureActionOverrides for policies (#3201)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2022-02-09 16:24:35 +08:00


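{{- /*
Kyverno ClusterPolicy for the Pod Security Standards "Baseline" level: restricts the
AppArmor profiles a Pod may request through its
container.apparmor.security.beta.kubernetes.io/* annotations to `runtime/default` or
`localhost/*`. The document is rendered only when the
"kyverno-policies.podSecurityBaseline" helper enables this policy by name.
*/ -}}
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: {{ $name }}
  annotations:
    policies.kyverno.io/title: Restrict AppArmor
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
    {{- /* annotation values must be strings; quote so a bare value from values.yaml cannot be retyped by YAML */}}
    policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
    {{- end }}
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/minversion: 1.3.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
      The default policy should prevent overriding or disabling the policy, or restrict
      overrides to an allowed set of profiles. This policy ensures Pods do not
      specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- /*
  Overrides are the chart-wide list (`all`) followed by this policy's own list. Both
  lookups are defaulted to an empty list so that an unset key contributes nothing
  instead of passing a nil to concat (which does not accept non-list arguments).
  When the combined list is empty the whole key is omitted.
  */}}
  {{- with concat (default list (index .Values "validationFailureActionOverrides" "all")) (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: app-armor
      match:
        any:
          - resources:
              kinds:
                - Pod
      {{- /* optional per-policy exclusions from values.yaml, rendered verbatim as this rule's `exclude` block */}}
      {{- with index .Values "policyExclude" $name }}
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      validate:
        message: >-
          Specifying other AppArmor profiles is disallowed. The annotation
          `container.apparmor.security.beta.kubernetes.io` if defined
          must not be set to anything other than `runtime/default` or `localhost/*`.
        {{- /*
        The `=()` anchors make each level conditional: the check only applies when
        the annotation is present, and then its value must match one of the
        `|`-separated alternatives. `localhost/*` is a wildcard, so any profile
        loaded on the node is accepted, which is what the Baseline level allows.
        */}}
        pattern:
          =(metadata):
            =(annotations):
              =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
{{- end }}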