Konformitätstest Openshift LHM
# Build the kustomization in k8s-manifests/ and pipe the rendered manifests to
# `oc apply`. They are applied to whichever cluster and project the current
# `oc` session targets, so confirm the context before running.
oc kustomize k8s-manifests/ | oc apply -f -
# Cases where the recorded `result` matches `expectation`: every resource
# listed here was expected to be refused and the recorded result is
# `Forbidden`.
# Per entry: `podname` names the test resource, `testsrc` links the manifest it
# comes from, `expectation` is the expected outcome, `result` the observed one.
# NOTE(review): `must` / `should` presumably mirror the requirement level of
# the underlying policy (mandatory vs. recommended) - confirm against the
# policy catalogue.
conform:
  must:
    - expectation: Forbidden
      podname: disallow-add-capabilities-bad-1
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-add-capabilities/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-add-capabilities-bad-2
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-add-capabilities/bad-resource.yaml
    - expectation: Forbidden
      podname: host-namespaces-bad
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-host-namespaces/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-host-path-bad
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-host-paths/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-host-ports-bad-1
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-host-ports/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-host-ports-bad-2
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-host-ports/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-privileged-containers-bad
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-priviliged-containers/bad-resource.yaml
  should:
    - expectation: Forbidden
      podname: deny-privilege-escalation-bad
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/deny-privilege-escalation/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-selinux-options-bad-1
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-selinux-options/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-selinux-options-bad-2
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-selinux-options/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-selinux-options-bad-3
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-selinux-options/bad-resource.yaml
    # NOTE(review): only this variant from the require-gid-greater-2000 test
    # file is recorded as Forbidden; bad-1, bad-2, bad-4 and bad-5 from the same
    # file are listed under nonconform.should with result `created`, so this
    # entry alone does not show the policy as enforced.
    - expectation: Forbidden
      podname: require-non-root-groups-bad-3
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-gid-greater-2000/bad-resource.yaml
    # NOTE(review): the sibling case require-uid-greater-than-2000-bad-1 from
    # the same test file is listed under nonconform.should with result
    # `created`; coverage of this policy is partial as well.
    - expectation: Forbidden
      podname: require-uid-greater-than-2000-bad-2
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-uid-greater-than-2000/bad-resource.yaml
    - expectation: Forbidden
      podname: already-taken-user
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-unique-uid-per-workload/bad-resource.yaml
    - expectation: Forbidden
      podname: restrict-sysctls-bad
      result: Forbidden
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/restrict-sysctls/bad-resource.yaml
# Cases where the recorded `result` differs from the expected `Forbidden`.
# `created` means the cluster admitted a manifest that the test suite ships as
# a bad resource, i.e. the expected refusal did not happen for that case.
# `Bad Request` and `Unprocessable Entity` mean the resource was not recorded
# as created, but the status is not `Forbidden` either.
# NOTE(review): those two read like API-level rejections rather than a policy
# denial - confirm from the full error message whether an admission control
# was actually exercised; until then treat these cases as inconclusive.
nonconform:
  # The six `must` entries below are the ones repeated in the page's
  # "Violations" list.
  must:
    - expectation: Forbidden
      podname: disallow-latest-tag-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-latest-tag/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-latest-tag-bad-2
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-latest-tag/bad-resource.yaml
    - expectation: Forbidden
      podname: require-default-proc-mount-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-default-proc-mount/bad-resource.yaml
    - expectation: Forbidden
      podname: require-default-proc-mount-bad-2
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-default-proc-mount/bad-resource.yaml
    # Counted as a violation although the resource was not created: the
    # recorded status is `Bad Request`, not the expected `Forbidden`.
    - expectation: Forbidden
      podname: restrict-external-ips-bad
      result: Bad Request
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/restrict-external-ips/bad-resource.yaml
    - expectation: Forbidden
      podname: restrict-image-registries-bad
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/restrict-image-registries/bad-resource.yaml
  should:
    - expectation: Forbidden
      podname: disallow-default-serviceaccount-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-default-serviceaccount/bad-resource.yaml
    - expectation: Forbidden
      podname: disallow-default-serviceaccount-bad-2
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/disallow-default-serviceaccount/bad-resource.yaml
    - expectation: Forbidden
      podname: always-pullpolicy-bad
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/imagepullpolicy-always/bad-resource.yaml
    # Four of the five require-gid-greater-2000 variants were created; only
    # bad-3 is recorded as Forbidden (see conform.should).
    - expectation: Forbidden
      podname: require-non-root-groups-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-gid-greater-2000/bad-resource.yaml
    - expectation: Forbidden
      podname: require-non-root-groups-bad-2
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-gid-greater-2000/bad-resource.yaml
    - expectation: Forbidden
      podname: require-non-root-groups-bad-4
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-gid-greater-2000/bad-resource.yaml
    - expectation: Forbidden
      podname: require-non-root-groups-bad-5
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-gid-greater-2000/bad-resource.yaml
    # Not created, but recorded as `Unprocessable Entity` instead of
    # `Forbidden`; the same applies to restrict-apparmor-bad at the end of
    # this list.
    - expectation: Forbidden
      podname: require-health-and-liveness-check-bad-1
      result: Unprocessable Entity
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-health-and-liveness-check/bad-resource.yaml
    - expectation: Forbidden
      podname: require-health-and-liveness-check-bad-2
      result: Unprocessable Entity
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-health-and-liveness-check/bad-resource.yaml
    - expectation: Forbidden
      podname: require-limits-and-requests-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-limits-and-requests/bad-resource.yaml
    - expectation: Forbidden
      podname: require-limits-and-requests-bad-2
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-limits-and-requests/bad-resource.yaml
    - expectation: Forbidden
      podname: require-limits-and-requests-bad-3
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-limits-and-requests/bad-resource.yaml
    - expectation: Forbidden
      podname: require-run-as-non-root-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-run-as-non-root/bad-resource.yaml
    - expectation: Forbidden
      podname: require-run-as-non-root-bad-2
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-run-as-non-root/bad-resource.yaml
    - expectation: Forbidden
      podname: require-run-as-non-root-bad-3
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-run-as-non-root/bad-resource.yaml
    # Sibling case require-uid-greater-than-2000-bad-2 from the same test file
    # is recorded as Forbidden (see conform.should).
    - expectation: Forbidden
      podname: require-uid-greater-than-2000-bad-1
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require-uid-greater-than-2000/bad-resource.yaml
    - expectation: Forbidden
      podname: ghost-without-readonly-rootfilesystem
      result: created
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/require_ro_rootfs/bad-resource.yaml
    - expectation: Forbidden
      podname: restrict-apparmor-bad
      result: Unprocessable Entity
      testsrc: https://gitlab.opencode.de/ig-bvc/ig-bvc-poc-2/ig-bvc-poc-ii-ap-4.1-ff-policy-entwicklung/rl-kyverno/-/blob/master/tests/policies/restrict-apparmor/bad-resource.yaml
Violations
- disallow-latest-tag-bad-1
- disallow-latest-tag-bad-2
- require-default-proc-mount-bad-1
- require-default-proc-mount-bad-2
- restrict-external-ips-bad
- restrict-image-registries-bad
Edited by Klaus Mueller