mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 17:37:12 +00:00
Code Activity
kyverno/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
Matthias Weilinger bb3e7d9ddc
add allowExistingViolations option in policy chart (#11656) 
Until now it was not possible to set the allowExistingViolations for predefined policies in the policies chart. By default it should be set to , identical to how it is set up in the CRDs. Not only does this now allow users to set the config according to their needs, but this also solves a problem with ArgoCD. As the CRDs set it to true, but the template does not specifically declare the field, ArgoCD falls into a constant sync loop of trying to remove the field.

Signed-off-by: ProbstenHias <matthias.weilinger@gmx.de>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-12-02 09:20:26 +05:30

61 lines
2.6 KiB
YAML
Raw Blame History

{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: {{ .Values.policyKind }}
metadata:
name: {{ $name }}
annotations:
{{- with .Values.autogenControllers }}
pod-policies.kyverno.io/autogen-controllers: {{ . }}
{{- end }}
policies.kyverno.io/title: Disallow hostPath
policies.kyverno.io/category: Pod Security Standards (Baseline)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod,Volume
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
policies.kyverno.io/description: >-
HostPath volumes let Pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
and should not be allowed. This policy ensures no hostPath volumes are in use.
labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
spec:
background: {{ .Values.background }}
failurePolicy: {{ .Values.failurePolicy }}
rules:
- name: host-path
match:
any:
- resources:
kinds:
- Pod
{{- with merge (index .Values "policyExclude" "host-path") (index .Values "policyExclude" $name) }}
exclude:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with index .Values "policyPreconditions" $name }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if not (quote .Values.skipBackgroundRequests | empty) }}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end }}
validate:
{{- with index .Values "validationFailureActionByPolicy" $name }}
failureAction: {{ toYaml . }}
{{- else }}
failureAction: {{ .Values.validationFailureAction }}
{{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
failureActionOverrides: {{ toYaml . | nindent 8 }}
{{- end }}
allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
message: >-
HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
pattern:
spec:
=(volumes):
- X(hostPath): "null"
{{- end }}
View git blame Copy permalink