-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathrequire-security-context.yaml
37 lines (37 loc) · 1.15 KB
/
require-security-context.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: require-security-context
annotations:
policies.kyverno.io/title: Require securityContext for each Tekton TaskRun.step
policies.kyverno.io/category: Tekton
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: TaskRun
kyverno.io/kyverno-version: 1.7.2
policies.kyverno.io/minversion: 1.7.0
kyverno.io/kubernetes-version: "1.23"
policies.kyverno.io/description: >-
A securityContext is required for each TaskRun step
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-step
match:
resources:
kinds:
- tekton.dev/v1beta1/TaskRun.status
validate:
message: "A securityContext is required"
pattern:
=(status):
=(taskSpec):
steps:
# TODO: missing securityContext for digest-to-results
- (name): "!digest-to-results"
securityContext:
# TODO: ideally all tasks run as non-root
#runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false