7562bea6db
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
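---
# Kyverno ClusterPolicy: flags Pods that run privileged containers or that
# permit privilege escalation. Both rules match Pods only; workload
# controllers (Deployment, Job, ...) are covered when Kyverno auto-generates
# the corresponding rules, which this file does not configure explicitly.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: >-
      Privileged containers are defined as any container
      where the container uid 0 is mapped to the host’s uid 0. A process within a
      privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation`
      enabled, a process can gain privileges from its parent.
  name: disallow-privileged
spec:
  admission: true
  background: true
  rules:
    # Rule 1: if securityContext.privileged is set, it must be false.
    # The =() conditional anchors make the keys optional, so a container that
    # omits them passes (privileged is false by default in Kubernetes).
    - match:
        any:
          - resources:
              kinds:
                - Pod
      name: validate-privileged
      validate:
        message: Privileged mode is not allowed. Set privileged to false
        pattern:
          spec:
            # initContainers and ephemeralContainers can be privileged just
            # like app containers, so the same check applies to them; the
            # =() anchor keeps the lists optional for Pods that have none.
            =(initContainers):
              - =(securityContext):
                  =(privileged): false
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): false
            containers:
              - =(securityContext):
                  =(privileged): false
    # Rule 2: allowPrivilegeEscalation must be present and false on every
    # container. No conditional anchor on securityContext here: an absent
    # field means the Kubernetes default (true) applies, so the explicit
    # setting is required for the check to be meaningful.
    - match:
        any:
          - resources:
              kinds:
                - Pod
      name: validate-allowPrivilegeEscalation
      validate:
        message: Privileged mode is not allowed. Set allowPrivilegeEscalation to false
        pattern:
          spec:
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: false
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: false
            containers:
              - securityContext:
                  allowPrivilegeEscalation: false
  # Audit records violations in the PolicyReport but does not reject the
  # admission request; Enforce is the value that blocks non-compliant Pods.
  validationFailureAction: Audit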