ivanch/litmus-hub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
840fa6861bbe174d89cded68681ced2822770158
litmus-hub/security/kyverno-policies/allow-user-groups-for-litmus-experiments.yaml
Shubham Chaudhary 14c472265f chore(kyverno): Adding kyverno pod security policies for litmus pods (#504) 
* chore(kyverno): Adding security policies

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(kyverno): updating policies

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(kyverno): updating policies

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(kyverno): changed the file names

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>
2021-10-13 16:00:11 +05:30

63 lines
1.7 KiB
YAML
Raw Blame History

apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-user-groups
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Containers should allow to run with a root primary or supplementary GID.
spec:
validationFailureAction: audit
background: true
rules:
- name: allow users
match:
resources:
kinds:
- Pod
selector:
matchLabels:
app.kubernetes.io/component: experiment-job
validate:
message: >-
Running the user IDs are allowed.
pattern:
spec:
=(securityContext):
=(runAsUser): '>=0'
containers:
- =(securityContext):
=(runAsUser): ">=0"
- name: allow supplementary groups
match:
resources:
kinds:
- Pod
selector:
matchLabels:
app.kubernetes.io/component: experiment-job
validate:
message: >-
Adding of supplemental group IDs is allowed.
pattern:
spec:
=(securityContext):
=(supplementalGroups):
- ">=0"
- name: allow gs groups
match:
resources:
kinds:
- Pod
selector:
matchLabels:
app.kubernetes.io/component: experiment-job
validate:
message: >-
Changing to root group ID is allowed.
pattern:
spec:
=(securityContext):
=(fsGroup): ">=0"
Reference in New Issue View Git Blame Copy Permalink