init

03-mutation/01-basics/add-default-security-context.yaml

@@ -0,0 +1,55 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-default-security-context
+  annotations:
+    policies.kyverno.io/title: "Дефолтный SecurityContext"
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Автоматически применяет безопасный SecurityContext к подам и контейнерам,
+      если поля не заданы явно. Работает в связке с validation политиками
+      (сначала mutate, потом validate).
+spec:
+  rules:
+  - name: add-pod-security-context
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      resources:
+        namespaces:
+        - kube-system
+    mutate:
+      patchStrategicMerge:
+        spec:
+          +(securityContext):
+            +(runAsNonRoot): true
+            +(runAsUser): 1000
+            +(seccompProfile):
+              +(type): RuntimeDefault
+
+  - name: add-container-security-context
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      resources:
+        namespaces:
+        - kube-system
+    mutate:
+      foreach:
+      - list: "request.object.spec.containers"
+        patchStrategicMerge:
+          spec:
+            containers:
+            - name: "{{ element.name }}"
+              +(securityContext):
+                +(allowPrivilegeEscalation): false
+                +(readOnlyRootFilesystem): true
+                +(capabilities):
+                  +(drop):
+                  - ALL