mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 09:56:55 +00:00
813b80d3d9
* fix: update match conditions for autogen rules Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: autogen match condition prefix Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com>
29 lines
1.2 KiB
YAML
29 lines
1.2 KiB
YAML
apiVersion: policies.kyverno.io/v1alpha1
|
|
kind: ValidatingPolicy
|
|
metadata:
|
|
name: disallow-privilege-escalation
|
|
status:
|
|
autogen:
|
|
rules:
|
|
- matchConditions:
|
|
- expression: "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
|
|
&& object.spec.template.metadata.labels.prod == 'true'"
|
|
name: autogen-check-prod-label
|
|
matchConstraints:
|
|
resourceRules:
|
|
- apiGroups:
|
|
- apps
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- deployments
|
|
- statefulsets
|
|
validations:
|
|
- expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
|
|
&& has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
|
|
== false)
|
|
message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
|
|
must be set to `false`.
|