mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 09:56:55 +00:00
Code Activity
kyverno/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
Mariam Fahmy f012241a82
feat: add cel-autogen chainsaw tests (#12135) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2025-02-10 22:30:12 +00:00

29 lines
1 KiB
YAML
Raw Blame History

apiVersion: kyverno.io/v2alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
autogen:
rules:
- matchConditions:
- expression: has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
&& object.spec.template.metadata.labels.prod == 'true'
name: check-prod-label
matchConstraints:
resourceRules:
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
- statefulsets
validations:
- expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
&& has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
== false)
message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
must be set to `false`.
View git blame Copy permalink