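# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
---
# Kyverno ClusterPolicy (Pod Security Standards, Baseline): restricts the
# AppArmor profile a Pod may request via the
# container.apparmor.security.beta.kubernetes.io/<container> annotation to
# runtime/default or any localhost/* profile.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  labels:
    opendesk.eu/security-id: sec-ctx-007
  annotations:
    # Version strings are quoted so no YAML loader can retype them.
    kyverno.io/kyverno-version: "1.6.0"
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    # Folded scalar: same single-line value as before, without relying on
    # plain-scalar line folding.
    policies.kyverno.io/description: >-
      On supported hosts, the 'runtime/default' AppArmor profile is applied by
      default. The default policy should prevent overriding or disabling the
      policy, or restrict overrides to an allowed set of profiles. This policy
      ensures Pods do not specify any other AppArmor profiles than
      `runtime/default` or `localhost/*`.
    policies.kyverno.io/minversion: "1.3.0"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/title: Restrict AppArmor
  name: restrict-apparmor-profiles
spec:
  # background: true also evaluates Pods that already exist, so workloads
  # admitted before this policy was installed appear in PolicyReports too.
  background: true
  rules:
    - match:
        any:
          - resources:
              kinds:
                - Pod
      name: app-armor
      validate:
        message: >-
          Specifying other AppArmor profiles is disallowed. The annotation
          `container.apparmor.security.beta.kubernetes.io` if defined must not
          be set to anything other than `runtime/default` or `localhost/*`.
        pattern:
          # =(...) is a Kyverno conditional anchor: the nested check only runs
          # when the key exists, so Pods that set no AppArmor annotation pass.
          =(metadata):
            =(annotations):
              # The wildcard key matches the per-container annotation suffix.
              # Quoted so the "|" (Kyverno's OR separator) is never mistaken
              # for a YAML block-scalar indicator if the line is ever reflowed.
              =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
              # NOTE(review): only the annotation form is checked here; the
              # securityContext.appArmorProfile field (Kubernetes 1.30+) is not
              # covered by this pattern — confirm whether a field-based rule is
              # needed for newer clusters.
  # Audit only records violations in PolicyReports; a Pod requesting a
  # disallowed profile is still admitted. Enforce would reject it at admission.
  validationFailureAction: Audit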