디렉토리 구조 및 각 서비스 추가

dsk-minchulahn
2024-01-03 17:29:11 +09:00
parent 98de2a7627
commit d601d0f259
1632 changed files with 207616 additions and 1 deletions


@@ -0,0 +1,30 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-add-capabilities
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Provides a list of capabilities that are allowed to be added to a container.
spec:
validationFailureAction: enforce
background: true
rules:
- name: capabilities
match:
resources:
kinds:
- Pod
validate:
message: >-
Default set of capabilities are allowed.
pattern:
spec:
containers:
- =(securityContext):
=(capabilities):
=(add): "*"
{{- end }}
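Review bot: The wildcard pattern `=(add): "*"` on the last line of this policy matches any value, so with `validationFailureAction: enforce` the rule never rejects a pod — no capability is actually restricted, despite the description promising "a list of capabilities that are allowed". Shipping an enforce-mode policy that looks like a PSS control but admits everything is worse than no policy, because an auditor reading the cluster will assume capability adds are governed. If a restriction is intended, replace the wildcard with an explicit allow-list (for the baseline profile that is effectively just `NET_BIND_SERVICE`, with everything else denied); if the intent really is "allow all", delete the rule rather than keep a no-op in enforce mode. The pattern also covers only `spec.containers`, so `initContainers` and `ephemeralContainers` would bypass it even once a real list is in place.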


@@ -0,0 +1,32 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-host-namespaces
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should allowed access to host namespaces.
spec:
validationFailureAction: enforce
background: true
rules:
- name: host-namespaces
match:
resources:
kinds:
- Pod
validate:
message: >-
Sharing the host namespaces is allowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be set to true.
pattern:
spec:
=(hostPID): "true"
=(hostIPC): "true"
=(hostNetwork): "true"
{{- end }}
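Review bot: The pattern `=(hostPID): "true"` / `=(hostIPC): "true"` / `=(hostNetwork): "true"` appears to invert the intended control: as I read Kyverno's conditional anchor, `=(field)` means "if the field is present its value must match", so a pod that explicitly hardens itself with `hostPID: false` is rejected while `hostPID: true` (and an absent field) is admitted. In enforce mode that blocks the safe configuration and waves through the dangerous one, which is the opposite of the PSS baseline control this is copied from. The description on the line "Pods should allowed access to host namespaces" and the message "must be set to true" read like a find-and-replace of "not allowed" → "allowed" rather than a deliberate policy; if the baseline check is wanted, the three values should be `"false"`, and if host namespaces really are to be permitted here the rule should simply be removed.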


@@ -0,0 +1,31 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-host-ports
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should be
allowed, or at minimum restricted to a known list.
spec:
validationFailureAction: enforce
background: true
rules:
- name: host-ports
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of host ports is allowed. The fields spec.containers[*].ports[*].hostPort
should contain value in range [1,65535).
pattern:
spec:
containers:
- =(ports):
- =(hostPort): ">0 & <65535"
{{- end }}
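Review bot: The pattern `=(hostPort): ">0 & <65535"` admits every usable host port except 65535 (which is itself a valid port, so the one thing the rule blocks is a legitimate value), meaning in enforce mode this policy restricts nothing while its category annotation claims Pod Security Standards. The description sentence "should be allowed, or at minimum restricted to a known list" has lost its negation; the baseline profile disallows host ports entirely, which in pattern form is `=(hostPort): 0`, or if some ports are genuinely needed, a bounded range such as `=(hostPort): ">=30000 & <=32767"` for a documented set. As written the rule also only inspects `spec.containers`, so `initContainers` and `ephemeralContainers` can still bind host ports regardless of what range is chosen.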


@@ -0,0 +1,30 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-privileged-escalation
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should be allowed.
spec:
validationFailureAction: enforce
background: true
rules:
- name: priviledged-escalation
match:
resources:
kinds:
- Pod
validate:
message: >-
Privilege escalation is allowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation
must be defined or set to `true`.
pattern:
spec:
containers:
- =(securityContext):
=(allowPrivilegeEscalation): "true"
{{- end }}
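Review bot: `=(allowPrivilegeEscalation): "true"` on the last pattern line rejects exactly the containers that set `allowPrivilegeEscalation: false` — the setting the PSS restricted profile requires — while admitting containers that leave it unset or set it to true, so in enforce mode this policy blocks hardened workloads and permits privilege escalation. The message text "must be defined or set to `true`" is also not what the pattern enforces, since the `=()` anchor makes the field optional. If the baseline/restricted check is intended the value should be `"false"` (and the description's "should be allowed" restored to "should not be allowed"); if escalation really is to be permitted in this namespace, drop the rule instead of keeping an inverted one. Minor: the rule name `priviledged-escalation` is misspelled, and `initContainers`/`ephemeralContainers` are not inspected.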


@@ -0,0 +1,30 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-privileged-containers
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Privileged policies only allow the OpenEBS containers to use privileged mode.
spec:
validationFailureAction: enforce
background: true
rules:
- name: priviledged-containers
match:
resources:
kinds:
- Pod
validate:
message: >-
Privileged mode is allowed. The fields spec.containers[*].securityContext.privileged
must be defined or set to true.
pattern:
spec:
containers:
- =(securityContext):
=(privileged): "true"
{{- end }}
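Review bot: The description says only OpenEBS containers may run privileged, but nothing in the rule references OpenEBS — there is no `exclude`, no namespace or name match, and the pattern `=(privileged): "true"` rejects containers that explicitly set `privileged: false` while admitting `privileged: true`, so the enforced behaviour is the inverse of the stated intent. For the stated goal, the pattern should be `=(privileged): "false"` and the OpenEBS workloads carved out through an `exclude` block (by namespace or by label), so that the privileged exception is visible and reviewable in the policy rather than implied by a comment. As with the sibling policies, `initContainers` and `ephemeralContainers` are not covered, and the rule name `priviledged-containers` is misspelled.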


@@ -0,0 +1,31 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-default-proc-mount
annotations:
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-proc-mount
match:
resources:
kinds:
- Pod
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount should be defined or set
to Default
pattern:
spec:
containers:
- =(securityContext):
=(procMount): "Default"
{{- end }}
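Review bot: This is the one policy in the set whose pattern matches its description (`procMount` must be `Default` if set), but it only inspects `spec.containers`, so an init or ephemeral container can set `procMount: Unmasked` and this rule will not see it. Since `background: true` and `enforce` are already set, the cheap fix is to repeat the same conditional pattern for the other two container lists; the `=()` anchors keep it from failing pods that have no init or ephemeral containers. The indentation below is conventional, as the rendered diff has lost the original's.

```yaml
pattern:
  spec:
    containers:
    - =(securityContext):
        =(procMount): "Default"
    =(initContainers):
    - =(securityContext):
        =(procMount): "Default"
    =(ephemeralContainers):
    - =(securityContext):
        =(procMount): "Default"
```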


@@ -0,0 +1,34 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-selinux
annotations:
policies.kyverno.io/title: Allow SELinux
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should be allowed.
spec:
validationFailureAction: enforce
background: true
rules:
- name: seLinux
match:
resources:
kinds:
- Pod
validate:
message: >-
Setting custom SELinux options is allowed. The fields
spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions,
and spec.initContainers[*].securityContext.seLinuxOptions must be empty.
pattern:
spec:
=(securityContext):
=(seLinuxOptions): "on"
containers:
- =(securityContext):
=(seLinuxOptions): "on"
{{- end }}
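Review bot: `=(seLinuxOptions): "on"` compares an object field (`seLinuxOptions` is a map of `user`/`role`/`type`/`level`) against a string pattern, which as far as I can tell from Kyverno's pattern semantics can never match, so any pod that sets SELinux options is rejected — close to the baseline outcome, but by accident, and the title "Allow SELinux" and description "should be allowed" say the opposite of what the message "must be empty" and the effective behaviour do. If disallowing custom options is the goal, say so explicitly in the pattern (the upstream disallow-selinux policy uses the negation anchor, roughly `X(seLinuxOptions): "null"` — verify against the Kyverno version in use) rather than relying on a type mismatch; if only certain types should be permitted, match `=(seLinuxOptions): {=(type): "container_t | container_init_t | container_kvm_t"}` per the baseline profile. The message also claims `spec.initContainers[*].securityContext.seLinuxOptions` is checked, but the pattern contains no `initContainers` entry.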


@@ -0,0 +1,56 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-user-groups
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Containers should allow to run with a root primary or supplementary GID.
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-runasuser
match:
resources:
kinds:
- Pod
validate:
message: >-
Running the user IDs are allowed.
pattern:
spec:
=(securityContext):
=(runAsUser): ">=0"
containers:
- =(securityContext):
=(runAsUser): ">=0"
- name: check-supplementalGroups
match:
resources:
kinds:
- Pod
validate:
message: >-
Adding of supplemental group IDs is allowed.
pattern:
spec:
=(securityContext):
=(supplementalGroups):
- ">=0"
- name: check-fsGroup
match:
resources:
kinds:
- Pod
validate:
message: >-
Changing to root group ID is allowed.
pattern:
spec:
=(securityContext):
=(fsGroup): ">=0"
{{- end }}
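Review bot: Every value in this policy is `">=0"`, which admits UID/GID 0, and the Kubernetes API already rejects negative IDs, so none of the three rules (`check-runasuser`, `check-supplementalGroups`, `check-fsGroup`) can ever fail a pod — in enforce mode the policy is a no-op that still advertises itself as a Pod Security Standards control. Because of the `=()` anchor an unset `runAsUser` also passes, so a pod running as the image's default (often root) is admitted. For the restricted-profile intent implied by the rule names, the comparisons should be `">0"` and the `runAsUser` rule should additionally require `runAsNonRoot: true` at pod or container level so that an unset UID is not silently accepted; the description "should allow to run with a root primary or supplementary GID" should be restored to "must not". As elsewhere in this set, `initContainers` and `ephemeralContainers` are not inspected.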