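{{ if .Values.recommendedPolicies.enabled }}
{{- /*
Cluster-wide Kubewarden policy that rejects privileged containers.
Rendered only when `recommendedPolicies.enabled` is set; all tunables for this
policy live under `.Values.recommendedPolicies.podPrivilegedPolicy`.
*/}}
apiVersion: {{ $.Values.crdVersion }}
kind: ClusterAdmissionPolicy
metadata:
  labels:
    {{- include "kubewarden-defaults.labels" . | nindent 4 }}
    app.kubernetes.io/component: policy
  annotations:
    io.kubewarden.policy.category: PSP
    io.kubewarden.policy.severity: medium
    {{- include "kubewarden-defaults.annotations" . | nindent 4 }}
  {{- /* quoted so an odd-looking value (all digits, boolean-like) still renders as a string */}}
  name: {{ $.Values.recommendedPolicies.podPrivilegedPolicy.name | quote }}
spec:
  {{- /*
  `mode` is taken from the chart-wide default. In Kubewarden, `monitor` only
  records the verdict; requests are refused only in `protect` mode — confirm the
  chart default before relying on this policy for enforcement.
  */}}
  mode: {{ $.Values.recommendedPolicies.defaultPolicyMode | quote }}
  module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }}
{{ include "policy-namespace-selector" . | indent 2 }}
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      # CREATE only: Kubernetes does not allow adding or removing privileged
      # containers in an already running Pod.
      operations: ["CREATE"]
      {{- /*
      NOTE(review): ephemeral containers are added to a running Pod through an
      UPDATE on the `pods/ephemeralcontainers` subresource, which this rule does
      not match; confirm whether the policy module should also see those requests.
      */}}
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["replicationcontrollers"]
      operations: ["CREATE", "UPDATE"]
    - apiGroups: ["apps"]
      apiVersions: ["v1"]
      resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
      operations: ["CREATE", "UPDATE"]
    - apiGroups: ["batch"]
      apiVersions: ["v1"]
      resources: ["jobs", "cronjobs"]
      operations: ["CREATE", "UPDATE"]
  # Validating only: the policy may reject a request but never rewrites it.
  mutating: false
  settings:
    {{- /*
    `replace "|\n" ""` strips the block-scalar indicators that toYaml emits for
    multi-line values — presumably so every setting renders on a single line;
    verify against the policy's settings schema if a value legitimately spans lines.
    */}}
    {{- toYaml .Values.recommendedPolicies.podPrivilegedPolicy.settings | replace "|\n" "" | nindent 4 }}
{{ end }}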