Added policy for require-run-as-containeruser for windows pods #1024
base: main
DCO is required here.
Signed-off-by: Anudeep Nalla <anudeep.nalla@nirmata.com>
force-pushed 70f37ba to 4f1f918
Please sign off on your PR.
Signed-off-by: Anudeep Nalla <anudeep.nalla@nirmata.com>
force-pushed da9e751 to 79962a5
@chipzoller, signed off the PR
Signed-off-by: Anudeep Nalla <anudeep.nalla@nirmata.com>
policies.kyverno.io/subject: Pod | ||
kyverno.io/kyverno-version: 1.6.0 | ||
kyverno.io/kubernetes-version: "1.22-1.28" | ||
policies.nirmata.io/remediation-docs: "N/A" |
No proprietary annotations, please.
name: require-run-as-containeruser | ||
annotations: | ||
policies.kyverno.io/title: Require Run As ContainerUser | ||
policies.kyverno.io/category: Pod Security Standards (Restricted) |
This is not in the official restricted profile. Please use a different category, ensuring you also update the Artifact Hub metadata.
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-run-as-containeruser |
I suggest putting "Windows" somewhere in this title so it's clear to users.
metadata: | ||
name: require-run-as-containeruser | ||
annotations: | ||
policies.kyverno.io/title: Require Run As ContainerUser |
Same here with regard to "Windows" in the title.
|
||
|
Eliminate excess new lines.
|
||
|
Excessive new lines.
Description
Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[].securityContext.windowsOptions.runAsUserName, and spec.initContainers[].securityContext.windowsOptions.runAsUserName are either unset or set to ContainerUser.
Checklist
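The check the description above states, re-implemented as an added example (not Kyverno's engine and not the policy file from this PR) so the accept/deny semantics can be run against constructed pod manifests; field names follow the description, the sample pods are constructed here.

```python
"""Illustrative checker for the described policy: windowsOptions.runAsUserName
at pod level, in containers[] and in initContainers[] must be unset or ContainerUser."""

ALLOWED_USER = "ContainerUser"


def _run_as_user_name(security_context):
    """Return windowsOptions.runAsUserName from a securityContext, or None when unset."""
    if not security_context:
        return None
    return (security_context.get("windowsOptions") or {}).get("runAsUserName")


def find_violations(pod):
    """Return the paths whose runAsUserName is set to something other than ContainerUser.

    Unset fields are accepted, exactly as the description says. Defender's caveat:
    an unset value defers to the image's USER directive, so passing this check alone
    does not prove the process actually runs as ContainerUser.
    """
    spec = pod.get("spec", {})
    checks = [("spec.securityContext", spec.get("securityContext"))]
    for field in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(field) or []):
            checks.append((f"spec.{field}[{i}].securityContext", c.get("securityContext")))
    violations = []
    for path, sc in checks:
        user = _run_as_user_name(sc)
        if user is not None and user != ALLOWED_USER:
            violations.append(f"{path}.windowsOptions.runAsUserName={user!r}")
    return violations


# Constructed sample pods (not taken from the PR).
POD_UNSET = {"spec": {"containers": [{"name": "web", "image": "example/web"}]}}
POD_OK = {"spec": {
    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
    "containers": [{"name": "web", "image": "example/web",
                    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}}}]}}
POD_BAD = {"spec": {
    "initContainers": [{"name": "init", "image": "example/init",
                        "securityContext": {"windowsOptions": {"runAsUserName": "ContainerAdministrator"}}}],
    "containers": [{"name": "web", "image": "example/web",
                    "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}}}]}}

if __name__ == "__main__":
    for name, pod in (("unset", POD_UNSET), ("ok", POD_OK), ("bad", POD_BAD)):
        print(name, find_violations(pod) or "compliant")
```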