chore(kyverno): Adding kyverno pod security policies for litmus pods (#504)

* chore(kyverno): Adding security policies Signed-off-by: shubham chaudhary <shubham@chaosnative.com> * chore(kyverno): updating policies Signed-off-by: shubham chaudhary <shubham@chaosnative.com> * chore(kyverno): updating policies Signed-off-by: shubham chaudhary <shubham@chaosnative.com> * chore(kyverno): changed the file names Signed-off-by: shubham chaudhary <shubham@chaosnative.com>
2021-10-13 16:00:11 +05:30
parent aff27bc0ee
commit 14c472265f
8 changed files with 278 additions and 0 deletions
--- a/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
+++ b/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: require-user-groups
+  annotations:
+    policies.kyverno.io/category: Pod Security Standards
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Containers should allow to run with a root primary or supplementary GID.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: allow users
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              app.kubernetes.io/component: experiment-job
+      validate:
+        message: >-
+          Running the user IDs are allowed.
+        pattern:
+          spec:
+            =(securityContext):
+              =(runAsUser): '>=0'
+            containers:
+            - =(securityContext):
+                =(runAsUser): ">=0"
+    - name: allow supplementary groups 
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              app.kubernetes.io/component: experiment-job
+      validate:
+        message: >-
+           Adding of supplemental group IDs is allowed.
+        pattern:
+          spec:
+             =(securityContext):
+               =(supplementalGroups):
+               - ">=0"
+    - name: allow gs groups
+      match:
+        resources:
+          kinds:
+            - Pod
+          selector:
+            matchLabels:
+              app.kubernetes.io/component: experiment-job
+      validate:
+        message: >-
+          Changing to root group ID is allowed.
+        pattern:
+           spec:
+             =(securityContext):
+               =(fsGroup): ">=0"