42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: require-drop-all-capabilities
|
|
annotations:
|
|
policies.kyverno.io/title: "Обязательный drop ALL capabilities"
|
|
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
|
policies.kyverno.io/severity: medium
|
|
policies.kyverno.io/subject: Pod
|
|
policies.kyverno.io/description: >-
|
|
Каждый контейнер должен явно сбросить все capabilities через
|
|
securityContext.capabilities.drop: [ALL].
|
|
Это часть профиля Restricted согласно Pod Security Standards.
|
|
spec:
|
|
validationFailureAction: Enforce
|
|
background: true
|
|
rules:
|
|
- name: require-drop-all
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
validate:
|
|
message: >-
|
|
Контейнер '{{ element.name }}' не сбрасывает все capabilities.
|
|
Добавьте в securityContext:
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
foreach:
|
|
- list: "request.object.spec.containers"
|
|
deny:
|
|
conditions:
|
|
all:
|
|
- key: "ALL"
|
|
operator: NotIn
|
|
value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
|