---
# Kyverno CLI test definition: every policy listed under `policies` is
# applied to every manifest under `resources`, and each entry in `results`
# pins the verdict expected for one (policy, rule, resource) combination.
# The test fails if an observed verdict differs from the one recorded here.
#
# NOTE(review): the test name only reflects the first policy, but the file
# exercises seven policies spanning image tags, ingress, NodePort and pod
# security settings — consider a name that reflects the full scope.
name: disallow_latest_tag

# Policies under test, relative to this file.
policies:
  - ./policies/disallow_latest_tag.yaml
  - ./policies/disallow_no_host_ingress.yaml
  - ./policies/disallow_nodeport.yaml
  - ./policies/disallow_privileged_containers.yaml
  - ./policies/disallow_privileged_escalation.yaml
  - ./policies/require_ro_rootfs.yaml
  - ./policies/require_run_asnonroot.yaml

# Fixture manifests the policies are evaluated against.
resources:
  - ./resources/resource.yaml
  - ./resources/ingress_host.yaml
  - ./resources/ingress_no_host.yaml
  - ./resources/latest_pod_nginx.yaml
  - ./resources/nodeport.yaml
  - ./resources/resource_ro_rootfs.yaml

# Expected verdicts. `resource` is the metadata.name of the fixture object
# and `policy`/`rule` are the metadata.name of the ClusterPolicy and the
# name of its rule — these must match the policy files above exactly.
results:
  # --- Disallow latest tag ---
  # `myapp-pod` is the compliant case for both rules; `nginx-deployment`
  # is expected to be rejected for a missing or `latest` image tag.
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: nginx-deployment
    kind: Deployment
    result: fail
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass

  # --- Disallow ingress with empty host ---
  # One passing and one failing Ingress, so the rule is checked in both
  # directions (rejects the bad object, does not reject the good one).
  - policy: disallow-empty-ingress-host
    rule: disallow-empty-ingress-host
    resource: cafe-ingress
    kind: Ingress
    result: pass
  - policy: disallow-empty-ingress-host
    rule: disallow-empty-ingress-host
    resource: minimal-ingress
    kind: Ingress
    result: fail

  # --- Restrict NodePort service ---
  # NOTE(review): only the rejecting case is covered; a ClusterIP Service
  # with an expected `pass` would confirm the rule does not over-block.
  - policy: restrict-nodeport
    rule: validate-nodeport
    resource: my-service-node
    kind: Service
    result: fail

  # --- Pod security ---
  # `myapp-pod` serves as the non-hardened baseline for these rules, so
  # it is expected to fail each of them.

  # ReadOnly root filesystem: both directions covered via the
  # `myapp-pod-ro-rootfs` fixture.
  - policy: require-ro-rootfs
    rule: validate-readOnlyRootFilesystem
    resource: myapp-pod
    kind: Pod
    result: fail
  - policy: require-ro-rootfs
    rule: validate-readOnlyRootFilesystem
    resource: myapp-pod-ro-rootfs
    kind: Pod
    result: pass

  # Require runAsNonRoot.
  # NOTE(review): no `pass` case for this rule, nor for the two privilege
  # rules below — a rule that rejects everything would still satisfy this
  # file. A compliant Pod fixture with expected `pass` would close that gap.
  - policy: require-run-as-nonroot
    rule: run-as-non-root
    resource: myapp-pod
    kind: Pod
    result: fail

  # Disallow privileged containers.
  - policy: disallow-privileged-containers
    rule: privileged-containers
    resource: myapp-pod
    kind: Pod
    result: fail

  # Disallow privilege escalation.
  # NOTE(review): the policy file is named `disallow_privileged_escalation.yaml`
  # while the policy referenced here is `disallow-privilege-escalation`;
  # confirm the policy's metadata.name matches, otherwise this result is
  # never matched to a policy.
  - policy: disallow-privilege-escalation
    rule: privilege-escalation
    resource: myapp-pod
    kind: Pod
    result: fail