asd

2026-02-17 13:36:24 +02:00
parent a95fad4423
commit 0cf4f155de
1 changed files with 54 additions and 54 deletions
--- a/templates/kyverno.yaml
+++ b/templates/kyverno.yaml
@@ -1,54 +1,54 @@
---
+# ---
-apiVersion: kyverno.io/v1
+# apiVersion: kyverno.io/v1
-kind: Policy
+# kind: Policy
-metadata:
+# metadata:
-  name: add-default-securitycontext
+#   name: add-default-securitycontext
-  namespace: memelord-raiko
+#   namespace: memelord-raiko
-spec:
+# spec:
-  rules:
+#   rules:
-    - name: add-default-securitycontext
+#     - name: add-default-securitycontext
-      match:
+#       match:
-        any:
+#         any:
-          - resources:
+#           - resources:
-              kinds:
+#               kinds:
-                - Pod
+#                 - Pod
-      mutate:
+#       mutate:
-        patchStrategicMerge:
+#         patchStrategicMerge:
-          spec:
+#           spec:
-            securityContext:
+#             securityContext:
-              +(runAsNonRoot): true
+#               +(runAsNonRoot): true
-              +(runAsUser): 1000
+#               +(runAsUser): 1000
-              +(runAsGroup): 3000
+#               +(runAsGroup): 3000
-              +(fsGroup): 2000
+#               +(fsGroup): 2000
-
+#
---
+# ---
-apiVersion: kyverno.io/v1
+# apiVersion: kyverno.io/v1
-kind: Policy
+# kind: Policy
-metadata:
+# metadata:
-  name: require-run-as-non-root-user
+#   name: require-run-as-non-root-user
-  namespace: memelord-raiko
+#   namespace: memelord-raiko
-spec:
+# spec:
-  validationFailureAction: Enforce
+#   validationFailureAction: Enforce
-  background: false
+#   background: false
-  rules:
+#   rules:
-    - name: run-as-non-root-user
+#     - name: run-as-non-root-user
-      match:
+#       match:
-        any:
+#         any:
-          - resources:
+#           - resources:
-              kinds:
+#               kinds:
-                - Pod
+#                 - Pod
-      validate:
+#       validate:
-        message: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
+#         message: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
-        pattern:
+#         pattern:
-          spec:
+#           spec:
-            "=(securityContext)":
+#             "=(securityContext)":
-              "=(runAsUser)": ">0"
+#               "=(runAsUser)": ">0"
-            "=(ephemeralContainers)":
+#             "=(ephemeralContainers)":
-              - "=(securityContext)":
+#               - "=(securityContext)":
-                  "=(runAsUser)": ">0"
+#                   "=(runAsUser)": ">0"
-            "=(initContainers)":
+#             "=(initContainers)":
-              - "=(securityContext)":
+#               - "=(securityContext)":
-                  "=(runAsUser)": ">0"
+#                   "=(runAsUser)": ">0"
-            containers:
+#             containers:
-              - "=(securityContext)":
+#               - "=(securityContext)":
-                  "=(runAsUser)": ">0"
+#                   "=(runAsUser)": ">0"