mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/samples/DisallowHelmTiller.md
Shuting Zhao e985ee4031 correct misspelled words
2020-11-17 12:01:01 -08:00

825 B
Raw Blame History

Disallow Helm Tiller

Tiller, in the now-deprecated Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilge escalation as restricted users can impact other users.

Policy YAML

disallow_helm_tiller.yaml

apiVersion : kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-helm-tiller
spec:
  validationFailureAction: audit
  rules:
  - name: validate-helm-tiller
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Helm Tiller is not allowed"  
      pattern:
        spec:
          containers:
          - name: "*"
            image: "!*tiller*"