From d694674f7c56eaa2e54f95e952f5cf8b10b51951 Mon Sep 17 00:00:00 2001
From: Tim Missal <t.missal@dvz-mv.de>
Date: Mon, 21 Nov 2022 13:14:10 +0000
Subject: [PATCH] =?UTF-8?q?Resolve=20""background"=3Dtrue=20und=20action?=
 =?UTF-8?q?=3Daudit=20=C3=BCberall=20gleich=20setzen"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 policies/disallow-privileged-containers.yaml | 2 +-
 policies/imagepullpolicy-always.yaml | 4 ++--
 policies/require-health-and-liveness-check.yaml | 1 +
 policies/require-limits-and-requests.yaml | 1 +
 policies/require-unique-uid-per-workload.yaml | 6 +++---
 policies/require_ro_rootfs.yaml | 3 ++-
 policies/restrict-external-ips.yaml | 1 +
 policies/restrict-image-registries.yaml | 4 ++--
 8 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/policies/disallow-privileged-containers.yaml b/policies/disallow-privileged-containers.yaml
index be9b8f5..81769ea 100644
--- a/policies/disallow-privileged-containers.yaml
+++ b/policies/disallow-privileged-containers.yaml
@@ -32,4 +32,4 @@ spec:
 =(privileged): "false"
 containers:
 - =(securityContext):
- =(privileged): "false"
\ No newline at end of file
+ =(privileged): "false"
diff --git a/policies/imagepullpolicy-always.yaml b/policies/imagepullpolicy-always.yaml
index d75111d..21e752c 100644
--- a/policies/imagepullpolicy-always.yaml
+++ b/policies/imagepullpolicy-always.yaml
@@ -15,7 +15,7 @@ metadata:
 policies.o4oe.de/category: should
 spec:
 validationFailureAction: audit
- background: false
+ background: true
 rules:
 - name: imagepullpolicy-always
 match:
@@ -29,4 +29,4 @@ spec:
 spec:
 containers:
 - (image): "*:latest | !*:*"
- imagePullPolicy: "Always"
\ No newline at end of file
+ imagePullPolicy: "Always"
diff --git a/policies/require-health-and-liveness-check.yaml b/policies/require-health-and-liveness-check.yaml
index 613099a..efbe1ee 100644
--- a/policies/require-health-and-liveness-check.yaml
+++ b/policies/require-health-and-liveness-check.yaml
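Review bot: In imagepullpolicy-always.yaml the first hunk flips `background: false` to `background: true`, but the second hunk's `(image): "*:latest | !*:*"` / `imagePullPolicy: "Always"` pattern reads as a mutate rule, and as far as I recall Kyverno background scans evaluate validate rules, not an ordinary mutate rule, so the flag is presumably inert here rather than harmonised — confirm the rule type, since the rule body is outside the hunk. If it is a mutate rule, a comment above the key would save the next reader the same question, e.g. `# background scans do not apply to this mutate rule; set to true only for consistency with the other policies`. The `rules:` entry is cut at the hunk boundary.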
@@ -21,6 +21,7 @@ metadata:
 policies.o4oe.de/bsi-protection-requirement: standard
 policies.o4oe.de/category: should
 spec:
+ background: true
 validationFailureAction: audit
 rules:
 - name: validate-livenessProbe-readinessProbe
diff --git a/policies/require-limits-and-requests.yaml b/policies/require-limits-and-requests.yaml
index d89fa0b..7022f09 100644
--- a/policies/require-limits-and-requests.yaml
+++ b/policies/require-limits-and-requests.yaml
@@ -19,6 +19,7 @@ metadata:
 policies.o4oe.de/bsi-protection-requirement: standard
 policies.o4oe.de/category: should
 spec:
+ background: true
 validationFailureAction: audit
 rules:
 - name: validate-resources
diff --git a/policies/require-unique-uid-per-workload.yaml b/policies/require-unique-uid-per-workload.yaml
index 21ea77e..e88cf90 100644
--- a/policies/require-unique-uid-per-workload.yaml
+++ b/policies/require-unique-uid-per-workload.yaml
@@ -18,8 +18,8 @@ metadata:
 labels:
 policies.o4oe.de/category: must
 spec:
- background: false
- validationFailureAction: enforce
+ background: true
+ validationFailureAction: audit
 rules:
 - name: require-unique-uid
 match:
@@ -46,4 +46,4 @@ spec:
 # this checks uids for ALL containers in any pod of the workload
 - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
 operator: In
- value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
\ No newline at end of file
+ value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
diff --git a/policies/require_ro_rootfs.yaml b/policies/require_ro_rootfs.yaml
index fbfefcd..890298e 100644
--- a/policies/require_ro_rootfs.yaml
+++ b/policies/require_ro_rootfs.yaml
@@ -17,6 +17,7 @@ metadata:
 policies.o4oe.de/bsi-protection-requirement: standard
 policies.o4oe.de/category: should
 spec:
+ background: true
 validationFailureAction: audit
 rules:
 - name: validate-readOnlyRootFilesystem
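Review bot: In require-unique-uid-per-workload.yaml the hunk at `spec:` relaxes `validationFailureAction: enforce` to `audit` while the policy keeps `policies.o4oe.de/category: must`, and the same downgrade appears in restrict-image-registries.yaml (category must, bsi-protection-requirement basic). In audit mode a violating workload is admitted and only recorded in the policy report, so after this commit nothing blocks a pod from an unapproved registry or one reusing a UID across workloads, and the "must" label no longer describes what the cluster actually enforces. If audit is a deliberate rollout step, keep the label honest and mark the intent inline, e.g. `validationFailureAction: audit  # TODO: return to enforce once existing workloads report clean`; otherwise these two policies should stay at enforce. Separately, `background: true` on require-unique-uid is only valid if the context that computes uidsAllPodsExceptSameOwnerAsRequestObject (outside the hunk) avoids admission-only variables such as request.userInfo; the `{{ request.object... }}` reference visible in the second hunk is fine for background mode on current Kyverno, but the context definition should be checked before merging.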
@@ -30,4 +31,4 @@ spec:
 spec:
 containers:
 - securityContext:
- readOnlyRootFilesystem: true
\ No newline at end of file
+ readOnlyRootFilesystem: true
diff --git a/policies/restrict-external-ips.yaml b/policies/restrict-external-ips.yaml
index 263c084..4ce4747 100644
--- a/policies/restrict-external-ips.yaml
+++ b/policies/restrict-external-ips.yaml
@@ -16,6 +16,7 @@ metadata:
 This Policy applies to all types of kind "Service", including ClusterIP and LoadBalancer.
 spec:
+ background: true
 validationFailureAction: audit
 rules:
 - name: check-ips
diff --git a/policies/restrict-image-registries.yaml b/policies/restrict-image-registries.yaml
index 44447d2..4e73971 100644
--- a/policies/restrict-image-registries.yaml
+++ b/policies/restrict-image-registries.yaml
@@ -16,8 +16,8 @@ metadata:
 policies.o4oe.de/bsi-protection-requirement: basic
 policies.o4oe.de/category: must
 spec:
- background: false
- validationFailureAction: enforce
+ background: true
+ validationFailureAction: audit
 rules:
 - name: validate-registries
 match:
-- GitLab