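# NOTE(review): as rendered, every line of this file arrived prefixed with `#`
# and with its indentation stripped; the two documents below are the same
# content restored to conventional 2-space YAML. If the policies were
# deliberately commented out in the repository, keep them commented rather
# than applying this reconstruction.
---
# Mutation policy: fills in pod-level securityContext defaults for Pods in
# the memelord-raiko namespace (namespaced `Policy`, not `ClusterPolicy`, so
# it never applies outside that namespace).
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: add-default-securitycontext
  namespace: memelord-raiko
spec:
  rules:
    - name: add-default-securitycontext
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            securityContext:
              # `+(key)` adds the field only when the request does not set
              # it, so an explicit value in the Pod spec always wins. These
              # are pod-level defaults: a container-level securityContext
              # overrides them, so this rule is a safe default, not an
              # enforcement -- the validate policy below is the guard.
              +(runAsNonRoot): true
              +(runAsUser): 1000
              +(runAsGroup): 3000
              +(fsGroup): 2000

---
# Validation policy: rejects Pods in memelord-raiko that set runAsUser to 0
# at the pod level or on any container, init container or ephemeral
# container.
apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: require-run-as-non-root-user
  namespace: memelord-raiko
spec:
  # Enforce: a failing Pod is rejected at admission rather than only reported.
  validationFailureAction: Enforce
  # background: false skips scanning pre-existing Pods; the pattern below uses
  # no request-time variables, so `true` would be accepted by Kyverno if
  # policy reports on already-running Pods are wanted.
  background: false
  rules:
    - name: run-as-non-root-user
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Running as root is not allowed. The fields spec.securityContext.runAsUser,
          spec.containers[*].securityContext.runAsUser,
          spec.initContainers[*].securityContext.runAsUser, and
          spec.ephemeralContainers[*].securityContext.runAsUser must be unset or
          set to a number greater than zero.
        # `=(key)` is a conditional anchor: the check applies only when the
        # key is present. An unset runAsUser therefore passes, so an image
        # whose USER is root is not caught by this rule on its own; keeping
        # root out relies on a pod-level default (e.g. the mutate policy
        # above, which sets runAsNonRoot/runAsUser when absent) or on an
        # explicit runAsNonRoot: true in the workload.
        pattern:
          spec:
            "=(securityContext)":
              "=(runAsUser)": ">0"
            "=(ephemeralContainers)":
              - "=(securityContext)":
                  "=(runAsUser)": ">0"
            "=(initContainers)":
              - "=(securityContext)":
                  "=(runAsUser)": ">0"
            containers:
              - "=(securityContext)":
                  "=(runAsUser)": ">0"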