sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
develop
opendesk/.kyverno/policies/_policies.yaml
Dominik Kaminski 3a9468f04d ci(gitlab): Check also for optional lint issues
2024-10-08 15:15:11 +00:00

293 lines
6.5 KiB
YAML
Raw Permalink Blame History

# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
pod:
- name: "require-tag-and-digest"
rule: "require-tag-and-digest"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-default-serviceaccount"
rule: "disallow-default-serviceAccountName"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "template-imagepullsecrets"
rule: "template-imagePullSecrets"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-latest-tag"
rule: "disallow-latest-tag"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-latest-tag"
rule: "require-image-tag-or-digest"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-imagepullpolicy"
rule: "require-imagePullPolicy"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-health-and-liveness-check"
rule: "require-health-and-liveness-check"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Pod"
- "DaemonSet"
- name: "template-storage"
rule: "template-storageClassName-pod"
type: "required"
kinds:
- "PersistentVolumeClaim"
- name: "template-storage"
rule: "template-storageClassName-pvc"
type: "required"
kinds:
- "StatefulSet"
- name: "template-storage"
rule: "template-requests-storage-pod"
type: "required"
kinds:
- "PersistentVolumeClaim"
- name: "template-storage"
rule: "template-requests-storage-pvc"
type: "required"
kinds:
- "StatefulSet"
- name: "require-requests-limits"
rule: "validate-resources"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "template-image-registries"
rule: "template-image-registries"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-ro-rootfs"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-no-privilege-escalation"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-all-capabilities-dropped"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-no-privileged"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-run-as-user"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-run-as-group"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-seccomp-profile"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-run-as-non-root"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-empty-seLinuxOptions"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "require-default-procMount"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "require-containersecuritycontext"
rule: "restrict-sysctls"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-container-sock-mounts"
rule: "validate-docker-sock-mount"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-container-sock-mounts"
rule: "validate-containerd-sock-mount"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-container-sock-mounts"
rule: "validate-crio-sock-mount"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-container-sock-mounts"
rule: "validate-dockerd-sock-mount"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-host-namespaces"
rule: "disallow-host-namespaces"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-host-path"
rule: "disallow-host-path"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-host-ports"
rule: "disallow-host-ports"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "disallow-host-process"
rule: "disallow-host-process"
type: "required"
kinds:
- "StatefulSet"
- "Deployment"
- "Job"
- "Pod"
- "DaemonSet"
- name: "template-ingress"
rule: "template-ingressClassName"
type: "required"
kinds:
- "Ingress"
- name: "template-ingress"
rule: "template-tls-secretName"
type: "required"
kinds:
- "Ingress"
- name: "template-replicas"
rule: "template-replicas"
type: "optional"
kinds:
- "StatefulSet"
- "Deployment"
...
Reference in New Issue View Git Blame Copy Permalink