pub/kyverno-2026-example
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
815bc94a3d618b600d7dd23ede726c84fda6bd9e
kyverno-2026-example/03-mutation/01-basics/add-default-security-context.yaml
Vassiliy Yegorov 34fbdd1412 init
2026-04-08 20:22:14 +07:00

56 lines
1.6 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-default-security-context
annotations:
policies.kyverno.io/title: "Дефолтный SecurityContext"
policies.kyverno.io/category: Security
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Автоматически применяет безопасный SecurityContext к подам и контейнерам,
если поля не заданы явно. Работает в связке с validation политиками
(сначала mutate, потом validate).
spec:
rules:
- name: add-pod-security-context
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- kube-system
mutate:
patchStrategicMerge:
spec:
+(securityContext):
+(runAsNonRoot): true
+(runAsUser): 1000
+(seccompProfile):
+(type): RuntimeDefault
- name: add-container-security-context
match:
resources:
kinds:
- Pod
exclude:
resources:
namespaces:
- kube-system
mutate:
foreach:
- list: "request.object.spec.containers"
patchStrategicMerge:
spec:
containers:
- name: "{{ element.name }}"
+(securityContext):
+(allowPrivilegeEscalation): false
+(readOnlyRootFilesystem): true
+(capabilities):
+(drop):
- ALL
Reference in New Issue View Git Blame Copy Permalink