mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-23 16:20:40 +00:00
19b816ba70
* solves the cronjob autogen nested path issue Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> * format the file using linter Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> * autogen path change in validating-polcies Signed-off-by: Mohd Kamaal <mohdcode@MBA.local> --------- Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> Signed-off-by: Mohd Kamaal <mohdcode@MBA.local> Co-authored-by: Mohd Kamaal <mohdcode@MBA.local>
63 lines
No EOL
2.4 KiB
YAML
63 lines
No EOL
2.4 KiB
YAML
apiVersion: policies.kyverno.io/v1alpha1
|
|
kind: ValidatingPolicy
|
|
metadata:
|
|
name: disallow-privilege-escalation
|
|
status:
|
|
autogen:
|
|
rules:
|
|
- matchConditions:
|
|
- expression: "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
|
|
&& object.spec.template.metadata.labels.prod == 'true'"
|
|
name: autogen-check-prod-label
|
|
matchConstraints:
|
|
resourceRules:
|
|
- apiGroups:
|
|
- apps
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- daemonsets
|
|
- deployments
|
|
- replicasets
|
|
- statefulsets
|
|
- apiGroups:
|
|
- batch
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- jobs
|
|
validations:
|
|
- expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
|
|
&& has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
|
|
== false)
|
|
message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
|
|
must be set to `false`.
|
|
- matchConditions:
|
|
- expression: "!(object.kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
|
|
&& has(object.spec.jobTemplate.spec.template.metadata.labels.prod)
|
|
&& object.spec.jobTemplate.spec.template.metadata.labels.prod
|
|
== 'true'"
|
|
name: autogen-cronjobs-check-prod-label
|
|
matchConstraints:
|
|
resourceRules:
|
|
- apiGroups:
|
|
- batch
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- cronjobs
|
|
validations:
|
|
- expression: object.spec.jobTemplate.spec.template.spec.containers.all(container,
|
|
has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
|
|
&& container.securityContext.allowPrivilegeEscalation == false)
|
|
message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
|
|
must be set to `false`. |