
Update require-default-proc-mount

Based on disallow-proc-mount.

failurePolicy: Fail, a bit of wording, and ephemeralContainers.

@chris @klimpel @schober By the way, do we want to rename the policy to disallow-proc-mount so that it has the same name as Kyverno's own original? There would be a few more candidates for that.

helm template gave me this:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-proc-mount
  annotations:
    policies.kyverno.io/title: Disallow procMount
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The default /proc masks are set up to reduce attack surface and should be required. This policy
      ensures nothing but the default procMount can be specified. Note that in order for users
      to deviate from the `Default` procMount requires setting a feature gate at the API
      server.
  labels:
    app.kubernetes.io/component: kyverno
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kyverno-policies
    app.kubernetes.io/part-of: kyverno-policies
    app.kubernetes.io/version: "3.2.6"
    helm.sh/chart: kyverno-policies-3.2.6
spec:
  validationFailureAction: Audit
  background: true
  failurePolicy: Fail
  rules:
    - name: check-proc-mount
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Changing the proc mount from the default is not allowed. The fields
          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
          set to `Default`.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(procMount): "Default"
            =(initContainers):
              - =(securityContext):
                  =(procMount): "Default"
            containers:
              - =(securityContext):
                  =(procMount): "Default"
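To make the semantics of the rendered `pattern:` block concrete, here is an added Python illustration (not part of this merge request and not Kyverno's engine): a minimal evaluator that implements only the constructs this policy uses, namely required plain keys, `=(key)` conditional anchors that are checked only when the key is present, single-element list patterns applied to every list element, and scalar equality. The Pod specs it runs against are constructed for this example.

```python
# Added example (not Kyverno's engine): a minimal evaluator for the
# `validate.pattern` block of disallow-proc-mount, implementing only what
# that policy needs:
#   - plain keys are required (`containers`)
#   - `=(key)` conditional anchors are checked only when the key exists
#   - a one-element list pattern is applied to every element of the list
#   - scalars must be equal
# All Pod specs below are constructed for this illustration.


def _anchor(key):
    """Split '=(name)' into ('name', True); plain keys return (key, False)."""
    if key.startswith("=(") and key.endswith(")"):
        return key[2:-1], True
    return key, False


def matches(pattern, resource, path="$"):
    """Return (ok, reason); reason names the first offending field."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False, f"{path}: expected a map"
        for raw_key, sub in pattern.items():
            key, conditional = _anchor(raw_key)
            if key not in resource:
                if conditional:
                    continue  # absent optional field: nothing to check
                return False, f"{path}.{key}: required field is missing"
            ok, reason = matches(sub, resource[key], f"{path}.{key}")
            if not ok:
                return False, reason
        return True, ""
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return False, f"{path}: expected a list"
        for i, item in enumerate(resource):
            for sub in pattern:  # each pattern element applies to every item
                ok, reason = matches(sub, item, f"{path}[{i}]")
                if not ok:
                    return False, reason
        return True, ""
    if resource != pattern:
        return False, f"{path}: got {resource!r}, want {pattern!r}"
    return True, ""


# Python rendering of the policy's `pattern:` block shown above.
_CONTAINER_RULE = [{"=(securityContext)": {"=(procMount)": "Default"}}]
PROC_MOUNT_PATTERN = {
    "spec": {
        "=(ephemeralContainers)": _CONTAINER_RULE,
        "=(initContainers)": _CONTAINER_RULE,
        "containers": _CONTAINER_RULE,
    }
}


def evaluate(pod):
    """Apply the disallow-proc-mount pattern to a Pod manifest (dict)."""
    return matches(PROC_MOUNT_PATTERN, pod)


# Constructed sample Pods.
POD_NO_SECURITY_CONTEXT = {"spec": {"containers": [{"name": "app", "image": "img"}]}}
POD_EXPLICIT_DEFAULT = {"spec": {"containers": [
    {"name": "app", "image": "img", "securityContext": {"procMount": "Default"}}]}}
POD_OTHER_SC_FIELDS = {"spec": {"containers": [
    {"name": "app", "image": "img", "securityContext": {"runAsNonRoot": True}}]}}
POD_EPHEMERAL_UNMASKED = {"spec": {
    "containers": [{"name": "app", "image": "img"}],
    "ephemeralContainers": [
        {"name": "debug", "image": "img", "securityContext": {"procMount": "Unmasked"}}]}}
POD_INIT_UNMASKED = {"spec": {
    "containers": [{"name": "app", "image": "img"}],
    "initContainers": [
        {"name": "init", "image": "img", "securityContext": {"procMount": "Unmasked"}}]}}

if __name__ == "__main__":
    samples = [
        ("no securityContext", POD_NO_SECURITY_CONTEXT),
        ("explicit Default", POD_EXPLICIT_DEFAULT),
        ("other securityContext fields", POD_OTHER_SC_FIELDS),
        ("ephemeral container Unmasked", POD_EPHEMERAL_UNMASKED),
        ("init container Unmasked", POD_INIT_UNMASKED),
    ]
    for name, pod in samples:
        ok, reason = evaluate(pod)
        print(f"{name}: {'pass' if ok else 'FAIL ' + reason}")
```

Two things worth keeping in mind when reading the rendered output: Kyverno's own engine is the authoritative evaluator (`kyverno apply <policy.yaml> --resource <pod.yaml>` runs the real thing against a manifest), and with `validationFailureAction: Audit` as rendered above a non-compliant Pod such as the ephemeral-container case is only reported, not rejected, until the action is switched to `Enforce`.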
