Merge branch 'master' into wildcard-support-read-only-root-filesystem
apeabody authored Aug 29, 2024
2 parents 7871572 + 3acd611 commit 35f5b72
Showing 7 changed files with 61 additions and 3 deletions.
Expand Up @@ -8,4 +8,4 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
exemptImages: ["nonexistent/*"]
exemptImages: ["safeimages.com/*"]
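Review bot: `exemptImages: ["safeimages.com/*"]` is a trailing-wildcard exemption, so every image beneath that prefix skips the allowPrivilegeEscalation check, and since this is the sample constraint users copy, a YAML comment above the parameter stating that the value is a placeholder and that the match is prefix-wide (e.g. `# placeholder registry; replace with a prefix you actually trust`) would keep it from being applied verbatim.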
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privilege-escalation-disallowed
labels:
app: nginx-privilege-escalation
spec:
containers:
- name: nginx
image: "safeimages.com/nginx"
securityContext:
allowPrivilegeEscalation: true
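Review bot: `metadata.name: nginx-privilege-escalation-disallowed` contradicts what this sample demonstrates, a Pod that is admitted because its image falls under the exempted prefix even though `allowPrivilegeEscalation: true` is set; rename it (e.g. `nginx-privilege-escalation-exempt`) so the suite output reads correctly and it cannot be confused with the disallowed samples the suite already applies.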
Expand Up @@ -23,3 +23,7 @@ tests:
object: samples/psp-allow-privilege-escalation-container/update.yaml
assertions:
- violations: no
- name: exempted-path
object: samples/psp-allow-privilege-escalation-container/example_allowed_exempt.yaml
assertions:
- violations: no
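Review bot: the new `exempted-path` case only asserts the positive side of the exemption; a sibling case with an image that is not under `safeimages.com/` but still contains that string (a constructed example such as `notsafeimages.com/nginx`) asserting `violations: yes` would pin down that the wildcard is anchored at the start of the image reference rather than being a substring match.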
Expand Up @@ -8,4 +8,4 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
exemptImages: ["nonexistent/*"]
exemptImages: ["safeimages.com/*"]
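Review bot: this is the second copy of the same one-line change to the sample constraint; if one copy is generated from the other, regenerate it rather than editing both by hand so the source sample and its derived copy cannot drift, and whichever copy is the source should carry a comment marking `safeimages.com/*` as a placeholder prefix.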
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: nginx-privilege-escalation-disallowed
labels:
app: nginx-privilege-escalation
spec:
containers:
- name: nginx
image: "safeimages.com/nginx"
securityContext:
allowPrivilegeEscalation: true
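Review bot: `metadata.name` here says `disallowed` for a Pod whose whole purpose is to be admitted under the `exemptImages` prefix, which will mislead anyone reading suite output or `kubectl get pods`; use a name that states the outcome (e.g. `nginx-privilege-escalation-exempt`) and apply the same name to the other copy of this sample so both stay consistent.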
Expand Up @@ -23,3 +23,7 @@ tests:
object: samples/psp-allow-privilege-escalation-container/update.yaml
assertions:
- violations: no
- name: exempted-path
object: samples/psp-allow-privilege-escalation-container/example_allowed_exempt.yaml
assertions:
- violations: no
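Review bot: as with its twin in the other suite, this `exempted-path` entry only checks that the exempted image is admitted; add a negative case whose image shares the string but not the prefix (constructed example: `notsafeimages.com/nginx`) with `violations: yes`, so a regression that loosens the wildcard match to a substring match is caught.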
28 changes: 27 additions & 1 deletion website/docs/validation/allow-privilege-escalation.md
Expand Up @@ -173,7 +173,7 @@ spec:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
exemptImages: ["nonexistent/*"]
exemptImages: ["safeimages.com/*"]

```
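Review bot: the constraint block in the doc now shows a wildcard value but nothing in this hunk explains it; add a sentence above the fence stating that an `exemptImages` entry ending in `*` exempts every image beneath that prefix and that `safeimages.com/*` is a placeholder the reader must replace with a registry prefix they trust.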

Expand Down Expand Up @@ -262,6 +262,32 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
```

</details>
<details>
<summary>exempted-path</summary>

```yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-privilege-escalation-disallowed
labels:
app: nginx-privilege-escalation
spec:
containers:
- name: nginx
image: "safeimages.com/nginx"
securityContext:
allowPrivilegeEscalation: true

```

Usage

```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/example_allowed_exempt.yaml
```

</details>
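Review bot: the `exempted-path` details block shows a Pod that is byte-for-byte a violation except for its image, yet neither the summary nor the surrounding text says what the reader should expect; state next to the usage command that this Pod is admitted because `safeimages.com/nginx` matches the constraint's `exemptImages` prefix, and rename `metadata.name` from `nginx-privilege-escalation-disallowed` so the doc example does not call an allowed Pod disallowed.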



0 comments on commit 35f5b72