pub/kyverno-2026-example
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
34fbdd14124eb5ed68a58ad25b5b894fb4d75678
kyverno-2026-example/03-mutation/01-basics/add-default-security-context.yaml
Vassiliy Yegorov 34fbdd1412 init
2026-04-08 20:22:14 +07:00

56 lines
1.6 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-security-context
annotations:
policies.kyverno.io/title: "Дефолтный SecurityContext"
policies.kyverno.io/category: Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Автоматически применяет безопасный SecurityContext к подам и контейнерам,
если поля не заданы явно. Работает в связке с validation политиками
(сначала mutate, потом validate).
spec:
rules:
- name: add-pod-security-context
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- kube-system
mutate:
patchStrategicMerge:
spec:
+(securityContext):
+(runAsNonRoot): true
+(runAsUser): 1000
+(seccompProfile):
+(type): RuntimeDefault
- name: add-container-security-context
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- kube-system
mutate:
foreach:
- list: "request.object.spec.containers"
patchStrategicMerge:
spec:
containers:
- name: "{{ element.name }}"
+(securityContext):
+(allowPrivilegeEscalation): false
+(readOnlyRootFilesystem): true
+(capabilities):
+(drop):
- ALL
Reference in New Issue View Git Blame Copy Permalink