mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 01:16:55 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
Daniel Schunack 7b31f456c9
[Feature] Add posibility to set validationFailureAction by Policy (#4400) 
* Implement validationFailureActionByPolicy
* Update README.md
* Add artifacthub.io/changes entry
* Add Test Case
Signed-off-by: dschunack <dschunack@web.de>
2022-08-25 15:29:20 +00:00

64 lines
2.5 KiB
YAML
Raw Blame History

{{- $name := "disallow-proc-mount" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/title: Disallow procMount
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required. This policy
ensures nothing but the default procMount can be specified. Note that in order for users
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
{{- with index .Values "validationFailureActionByPolicy" $name }}
validationFailureAction: {{ toYaml . }}
{{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
background: {{ .Values.background }}
failurePolicy: {{ .Values.failurePolicy }}
rules:
- name: check-proc-mount
match:
any:
- resources:
kinds:
- Pod
{{- with index .Values "policyExclude" $name }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
and spec.ephemeralContainers[*].securityContext.procMount must be unset or
set to `Default`.
pattern:
spec:
=(ephemeralContainers):
- =(securityContext):
=(procMount): "Default"
=(initContainers):
- =(securityContext):
=(procMount): "Default"
containers:
- =(securityContext):
=(procMount): "Default"
{{- end }}
View git blame Copy permalink