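---
# Kyverno ClusterPolicy: enforce a minimal securityContext baseline on Pods and
# Deployments (no privileged containers, no privilege escalation, non-root
# user, read-only root filesystem). validationFailureAction is `enforce`, so
# a non-matching resource is rejected at admission rather than only audited.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deployment-pod-security-context
  labels:
    app: kyverno
    owner: jimmy
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Rules to enforce correct securityContext element
spec:
  validationFailureAction: enforce
  # All rules live in ONE `rules` list. The original file declared `spec.rules`
  # twice; a YAML mapping cannot hold duplicate keys and most parsers silently
  # keep only the last one, which dropped pod-validate-privileged and
  # pod-validate-allowPrivilegeEscalation entirely.
  # NOTE(review): every pattern below inspects `containers` only;
  # initContainers / ephemeralContainers are not checked — confirm whether
  # that gap is intended.
  rules:
    # Pod: `privileged` may be absent (it defaults to false), but when set it
    # must be false. `=(...)` is a Kyverno conditional anchor: the nested
    # pattern is only evaluated if the key exists in the resource.
    - name: pod-validate-privileged
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged mode is not allowed. Set privileged to false"
        pattern:
          spec:
            containers:
              - =(securityContext):
                  =(privileged): false

    # Pod: securityContext must be present and explicitly deny escalation
    # (no conditional anchor here, so a missing field fails validation).
    - name: pod-validate-allowPrivilegeEscalation
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
        pattern:
          spec:
            containers:
              - securityContext:
                  allowPrivilegeEscalation: false

    # Deployment: same checks as the Pod rules, applied to the pod template.
    - name: dep-validate-privileged
      match:
        resources:
          kinds:
            - Deployment
      validate:
        message: "Privileged mode is not allowed. Set privileged to false"
        pattern:
          spec:
            template:
              spec:
                containers:
                  - =(securityContext):
                      =(privileged): false

    - name: dep-validate-allowPrivilegeEscalation
      match:
        resources:
          kinds:
            - Deployment
      validate:
        message: "Privileged mode is not allowed. Set allowPrivilegeEscalation to false"
        pattern:
          spec:
            template:
              spec:
                containers:
                  - securityContext:
                      allowPrivilegeEscalation: false

    # Pod: at least one of the four alternatives must match — non-root may be
    # declared at pod or container level, either via runAsNonRoot or via a
    # non-zero runAsUser. ">0" is a Kyverno comparison operator; it is quoted
    # because a bare `>` would otherwise start a YAML folded block scalar.
    - name: pod-validate-runAsNonRoot
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Running as root is not allowed. Set runAsNonRoot to true, or use runAsUser"
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: true
          - spec:
              securityContext:
                runAsUser: ">0"
          - spec:
              containers:
                - securityContext:
                    runAsNonRoot: true
          - spec:
              containers:
                - securityContext:
                    runAsUser: ">0"

    # Read-only root filesystem, Deployment template and bare Pod.
    - name: dep-validate-readOnlyRootFilesystem
      match:
        resources:
          kinds:
            - Deployment
      validate:
        message: "Root filesystem must be read-only"
        pattern:
          spec:
            template:
              spec:
                containers:
                  - securityContext:
                      readOnlyRootFilesystem: true

    - name: pod-validate-readOnlyRootFilesystem
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Root filesystem must be read-only"
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true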