60 lines
2.0 KiB
YAML
60 lines
2.0 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: disallow-dangerous-capabilities
|
|
annotations:
|
|
policies.kyverno.io/title: "Запрет опасных Linux Capabilities"
|
|
policies.kyverno.io/category: Pod Security Standards (Baseline)
|
|
policies.kyverno.io/severity: high
|
|
policies.kyverno.io/subject: Pod
|
|
policies.kyverno.io/description: >-
|
|
Запрещает добавление опасных Linux capabilities.
|
|
SYS_ADMIN, NET_ADMIN, SYS_PTRACE и другие дают контейнеру
|
|
привилегированный доступ к ядру и сети хоста.
|
|
Допустима только NET_BIND_SERVICE (порты < 1024).
|
|
spec:
|
|
validationFailureAction: Enforce
|
|
background: true
|
|
rules:
|
|
- name: disallow-dangerous-capabilities
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
validate:
|
|
message: >-
|
|
Контейнер '{{ element.name }}' добавляет запрещённые capabilities:
|
|
{{ element.securityContext.capabilities.add }}.
|
|
Разрешена только NET_BIND_SERVICE.
|
|
Пересмотрите необходимость этих привилегий.
|
|
foreach:
|
|
- list: >-
|
|
request.object.spec.containers[] |
|
|
merge(request.object.spec.initContainers[] || `[]`, @)
|
|
deny:
|
|
conditions:
|
|
any:
|
|
- key: "{{ element.securityContext.capabilities.add[] }}"
|
|
operator: AnyIn
|
|
value:
|
|
- SYS_ADMIN
|
|
- NET_ADMIN
|
|
- SYS_PTRACE
|
|
- SYS_MODULE
|
|
- SYS_RAWIO
|
|
- SYS_BOOT
|
|
- SYS_NICE
|
|
- SYS_RESOURCE
|
|
- SYS_TIME
|
|
- AUDIT_CONTROL
|
|
- MAC_ADMIN
|
|
- MAC_OVERRIDE
|
|
- SETUID
|
|
- SETGID
|
|
- KILL
|
|
- MKNOD
|