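# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# Kyverno ClusterPolicy: reject Pods that enable Windows HostProcess
# containers (privileged access to the Windows node), mirroring the
# Pod Security Standards "baseline" control.
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
  name: "disallow-host-process"
  annotations:
    policies.kyverno.io/title: "Disallow hostProcess"
    policies.kyverno.io/subject: "Pod"
    policies.kyverno.io/description: >-
      Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node.
      Privileged access to the host is disallowed in the baseline policy.
      HostProcess pods are an alpha feature as of Kubernetes v1.22.
      This policy ensures the `hostProcess` field, if present, is set to `false`.
spec:
  # No validationFailureAction is set here, so Kyverno's default applies
  # (Audit unless overridden by the Kyverno installation or the chart that
  # ships this policy) — NOTE(review): confirm that the intended mode for
  # this control is Enforce, otherwise violations are only reported.
  background: true
  rules:
    - name: "disallow-host-process"
      match:
        any:
          - resources:
              kinds:
                - "Pod"
      validate:
        message: >-
          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
          spec.containers[*].securityContext.windowsOptions.hostProcess,
          spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
          spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to
          `false`.
        # Pattern semantics: `=(key)` is Kyverno's conditional anchor — the
        # nested pattern is evaluated only when that key is present, so a
        # field that is undefined passes. The value is the quoted string
        # "false" so YAML does not re-type it and the comparison stays
        # consistent with the other Kyverno patterns in this repository.
        pattern:
          spec:
            # Pod-level field. The message above already names it, and a
            # pod-level `hostProcess: true` can apply to containers that omit
            # the field themselves, so it must be checked in addition to the
            # per-container entries below.
            =(securityContext):
              =(windowsOptions):
                =(hostProcess): "false"
            =(ephemeralContainers):
              - =(securityContext):
                  =(windowsOptions):
                    =(hostProcess): "false"
            =(initContainers):
              - =(securityContext):
                  =(windowsOptions):
                    =(hostProcess): "false"
            # `containers` is required on every Pod, so no anchor is needed
            # on the list itself; each entry is still checked conditionally.
            containers:
              - =(securityContext):
                  =(windowsOptions):
                    =(hostProcess): "false"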