# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
#
# Kyverno ClusterPolicy: every container image reference in a Pod (regular,
# init and ephemeral containers) must be pinned to a SHA-256 digest.
# Digest pinning makes the reference immutable; it does not by itself establish
# where the image came from -- that is the job of a signature/attestation
# verification policy, which this policy does not replace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-checksum
  labels:
    opendesk.eu/security-id: image-sec-003
  annotations:
    policies.kyverno.io/title: Require Images Use SHA-256 Checksums
    policies.kyverno.io/category: Supply Chain Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    # Quoted so that no YAML loader can read the version as a number.
    policies.kyverno.io/minversion: "1.6.0"
    policies.kyverno.io/description: >-
      Use of a SHA-256 checksum when pulling an image is often preferable because
      tags are mutable and can be overwritten. This policy checks to ensure that
      all images use SHA-256 digests in the format image@sha256:<64-character-hex>.
spec:
  # Audit: violations are only reported; the Pod is still admitted.
  # Enforce would reject non-compliant Pods at admission time instead.
  validationFailureAction: Audit
  # Also evaluate Pods that already exist, not only new admission requests.
  background: true
  rules:
    - name: require-image-checksum
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Images must use SHA-256 checksums rather than tags.
          Expected format: registry/image:tag@sha256:<64-character-hex> or registry/image@sha256:<64-character-hex>
        # One foreach per container list. Each element is denied unless its
        # image reference ends in "@sha256:" followed by exactly 64 lowercase
        # hex characters, the encoding the OCI digest format uses for sha256.
        foreach:
          - list: "request.object.spec.containers"
            deny:
              conditions:
                any:
                  - key: "{{ regex_match('^.*@sha256:[a-f0-9]{64}$', element.image) }}"
                    operator: NotEquals
                    value: true
          # initContainers and ephemeralContainers are optional Pod fields;
          # falling back to `[]` keeps the foreach valid when the list is absent.
          - list: "request.object.spec.initContainers || `[]`"
            deny:
              conditions:
                any:
                  - key: "{{ regex_match('^.*@sha256:[a-f0-9]{64}$', element.image) }}"
                    operator: NotEquals
                    value: true
          - list: "request.object.spec.ephemeralContainers || `[]`"
            deny:
              conditions:
                any:
                  - key: "{{ regex_match('^.*@sha256:[a-f0-9]{64}$', element.image) }}"
                    operator: NotEquals
                    value: true