policies/opa/classic/configmaps/4-deployment-security-context.yaml (55 lines of code) (raw):
kind: ConfigMap
apiVersion: v1
metadata:
name: deployment-security-context
namespace: opa
labels:
app: opa
owner: jimmy
openpolicyagent.org/policy: rego
data:
main: |
package kubernetes.admission
import data.lib.k8s.helpers as helpers
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.securityContext
msg = sprintf("%q: Valid securityContext element not found in %q container. Resource ID (ns/name/kind): %q.", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
container.securityContext.privileged
msg = sprintf("%q: The securityContext element for %q container is privileged. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
container.securityContext.allowPrivilegeEscalation
msg = sprintf("%q: The securityContext element for container %q allows privilege escalation.Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.securityContext.runAsUser > 0
msg = sprintf("%q: The securityContext element for container %q is set to run as UID 0. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.securityContext.readOnlyRootFilesystem
msg = sprintf("%q: The securityContext element for container %q does not have a readonly root filesystem element.Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
container.securityContext.readOnlyRootFilesystem == false
msg = sprintf("%q: The securityContext element for container %q does not have a readonly root filesystem.Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}