mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-23 16:20:40 +00:00
19b816ba70
* solves the cronjob autogen nested path issue Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> * format the file using linter Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> * autogen path change in validating-polcies Signed-off-by: Mohd Kamaal <mohdcode@MBA.local> --------- Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> Signed-off-by: Mohd Kamaal <mohdcode@MBA.local> Co-authored-by: Mohd Kamaal <mohdcode@MBA.local>
52 lines
2.2 KiB
YAML
52 lines
2.2 KiB
YAML
apiVersion: policies.kyverno.io/v1alpha1
|
|
kind: ValidatingPolicy
|
|
metadata:
|
|
name: disallow-privilege-escalation
|
|
status:
|
|
autogen:
|
|
rules:
|
|
- matchConditions:
|
|
- expression: '!(object.kind ==''Deployment'' || object.kind ==''ReplicaSet''
|
|
|| object.kind ==''StatefulSet'' || object.kind ==''DaemonSet'') || has(object.spec.template.metadata.labels)
|
|
&& has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod
|
|
== ''true'''
|
|
name: autogen-check-prod-label
|
|
matchConstraints:
|
|
resourceRules:
|
|
- apiGroups:
|
|
- apps
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- deployments
|
|
validations:
|
|
- expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
|
|
&& has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
|
|
== false)
|
|
message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
|
|
must be set to `false`.
|
|
- matchConditions:
|
|
- expression: '!(object.kind ==''CronJob'') || has(object.spec.jobTemplate.spec.template.metadata.labels)
|
|
&& has(object.spec.jobTemplate.spec.template.metadata.labels.prod) &&
|
|
object.spec.jobTemplate.spec.template.metadata.labels.prod == ''true'''
|
|
name: autogen-cronjobs-check-prod-label
|
|
matchConstraints:
|
|
resourceRules:
|
|
- apiGroups:
|
|
- batch
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- cronjobs
|
|
validations:
|
|
- expression: object.spec.jobTemplate.spec.template.spec.containers.all(container,
|
|
has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
|
|
&& container.securityContext.allowPrivilegeEscalation == false)
|
|
message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
|
|
must be set to `false`.
|