mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/samples/DisallowNewCapabilities.md
Shuting Zhao 051eba058f update api in samples/
2019-11-13 13:56:20 -08:00

39 lines
994 B
Markdown
Raw Blame History

# Disallow new capabilities
Linux allows defining fine-grained permissions using
capabilities. With Kubernetes, it is possible to add capabilities that escalate the
level of kernel access and allow other potentially dangerous behaviors. This policy
enforces that pods cannot add new capabilities. Other policies can be used to set
default capabilities.
## Policy YAML
[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-new-capabilities
spec:
rules:
- name: validate-add-capabilities
match:
resources:
kinds:
- Pod
validate:
message: "New capabilities cannot be added"
anyPattern:
- spec:
=(securityContext):
=(capabilities):
X(add): null
- spec:
containers:
- name: "*"
=(securityContext):
=(capabilities):
X(add): null
````
View git blame Copy permalink