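# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
#
# Pod Security Standards (Baseline) control for SELinux. Two rules cover the
# pod-level securityContext and every entry of containers, initContainers and
# ephemeralContainers:
#   - selinux-type: seLinuxOptions.type may only be container_t,
#     container_init_t or container_kvm_t (or stay unset).
#   - selinux-user-role: seLinuxOptions.user and .role must not be set.
# Note that, unlike the upstream description text below, the selinux-type rule
# does not require seLinuxOptions to be absent; it constrains the type while
# leaving the field optional.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  labels:
    opendesk.eu/security-id: sec-ctx-008
  annotations:
    # Version string; quoted so no YAML loader can retype it.
    kyverno.io/kyverno-version: "1.6.0"
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be
      allowed. This policy ensures that the `seLinuxOptions` field is
      undefined.
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/title: Disallow SELinux
spec:
  # Audit records violations in policy reports without rejecting the admission
  # request; Enforce would block non-compliant Pods. background: true also
  # evaluates the rules against Pods that already exist in the cluster.
  validationFailureAction: Audit
  background: true
  rules:
    - name: selinux-type
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        # The field list names all four paths the pattern below checks.
        message: >-
          Setting the SELinux type is restricted. The fields
          spec.securityContext.seLinuxOptions.type,
          spec.containers[*].securityContext.seLinuxOptions.type,
          spec.initContainers[*].securityContext.seLinuxOptions.type,
          and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
          must either be unset or set to one of the allowed values
          (container_t, container_init_t, or container_kvm_t).
        # `=(key)` is a Kyverno conditional anchor: the nested pattern is only
        # evaluated when the key is present, so an unset seLinuxOptions passes.
        # The allowed-value list is a Kyverno OR-pattern ("a | b | c"); it is
        # quoted because `|` is a YAML indicator character.
        pattern:
          spec:
            =(securityContext):
              =(seLinuxOptions):
                =(type): "container_t | container_init_t | container_kvm_t"
            =(ephemeralContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    =(type): "container_t | container_init_t | container_kvm_t"
            =(initContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    =(type): "container_t | container_init_t | container_kvm_t"
            # `containers` is mandatory on a Pod, so no conditional anchor.
            containers:
              - =(securityContext):
                  =(seLinuxOptions):
                    =(type): "container_t | container_init_t | container_kvm_t"
    - name: selinux-user-role
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Setting the SELinux user or role is forbidden. The fields
          spec.securityContext.seLinuxOptions.user,
          spec.securityContext.seLinuxOptions.role,
          spec.containers[*].securityContext.seLinuxOptions.user,
          spec.containers[*].securityContext.seLinuxOptions.role,
          spec.initContainers[*].securityContext.seLinuxOptions.user,
          spec.initContainers[*].securityContext.seLinuxOptions.role,
          spec.ephemeralContainers[*].securityContext.seLinuxOptions.user,
          and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
          must be unset.
        # `X(key): "null"` is a Kyverno negation anchor: the key must not exist
        # in the resource. "null" is quoted so it stays the literal string the
        # anchor expects rather than a YAML null.
        pattern:
          spec:
            =(securityContext):
              =(seLinuxOptions):
                X(role): "null"
                X(user): "null"
            =(ephemeralContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    X(role): "null"
                    X(user): "null"
            =(initContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    X(role): "null"
                    X(user): "null"
            containers:
              - =(securityContext):
                  =(seLinuxOptions):
                    X(role): "null"
                    X(user): "null"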