forked from kubewarden/readonly-root-filesystem-psp-policy
metadata.yml
rules:
- apiGroups: [""]
  apiVersions: ["v1"]
  resources: ["pods"]
  operations: ["CREATE", "UPDATE"]
mutating: false
contextAware: false
executionMode: kubewarden-wapc
annotations:
  io.kubewarden.policy.title: readonly-root-filesystem-psp-policy
  io.kubewarden.policy.description: Enforce that all containers have a read-only root filesystem
  io.kubewarden.policy.author: Flavio Castelli <fcastelli@suse.com>
  io.kubewarden.policy.url: https://github.com/kubewarden/readonly-root-filesystem-psp-policy
  io.kubewarden.policy.source: https://github.com/kubewarden/readonly-root-filesystem-psp-policy
  io.kubewarden.policy.license: Apache-2.0
  io.kubewarden.policy.usage: |
    The policy inspects the `securityContext` of each container defined inside of
    a Pod and ensures all the containers have the `readOnlyRootFilesystem` attribute
    set to `true`.

    The policy checks both `pod.spec.containers` and the init containers.

    Containers that do not have a `securityContext` defined are rejected too.
    That happens because, by default, the root filesystem of a container is
    considered to be writable.

    Ephemeral containers are not checked because, by Kubernetes definition, they
    cannot have a `securityContext`.

    ## Configuration

    The policy doesn't have any configuration.
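The usage text above describes the check in prose. The following is an added, stand-alone Python re-implementation of that logic (it is not the policy's own Rust/waPC code): it walks `spec.initContainers` and `spec.containers`, rejects any container whose `securityContext` is absent or whose `readOnlyRootFilesystem` is not the boolean `true`, and deliberately ignores `spec.ephemeralContainers`. The sample Pods are constructed for the example; the `validate()` wrapper assumes a request shaped like Kubewarden's validation request (`request.object` holding the Pod) and returns an `accepted`/`message`/`code` dictionary mirroring the policy response fields.

```python
"""Re-implementation of the readonly-root-filesystem admission check.

Added example, not the Kubewarden policy's own code. Inputs are
constructed Pod manifests, not objects captured from a cluster.
"""


def offending_containers(pod: dict) -> list:
    """Return "<field>/<name>" for every init or regular container that
    is missing a securityContext or does not set readOnlyRootFilesystem
    to the boolean true. Ephemeral containers are intentionally skipped,
    matching the policy's documented behaviour. A pod-level
    securityContext carries no readOnlyRootFilesystem field, so there is
    no pod-level fallback to consult."""
    spec = pod.get("spec") or {}
    offenders = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            name = container.get("name", "<unnamed>")
            ctx = container.get("securityContext")
            # `is not True` also rejects string values such as "true",
            # which Kubernetes would reject anyway but which a hand-built
            # manifest may contain.
            if ctx is None or ctx.get("readOnlyRootFilesystem") is not True:
                offenders.append(f"{field}/{name}")
    return offenders


def validate(request: dict) -> dict:
    """Evaluate a Kubewarden-style validation request (assumed shape:
    request["request"]["object"] is the Pod) and return a response dict
    with the accepted/message/code fields used by Kubewarden responses."""
    pod = request["request"]["object"]
    bad = offending_containers(pod)
    if bad:
        return {
            "accepted": False,
            "code": 400,
            "message": "containers without readOnlyRootFilesystem=true: "
            + ", ".join(bad),
        }
    return {"accepted": True}


# Constructed sample Pods (hypothetical names and images).
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"readOnlyRootFilesystem": True,
                                 "runAsNonRoot": True}},
        ],
        # No securityContext here: the policy does not inspect ephemeral
        # containers, so this must not cause a rejection.
        "ephemeralContainers": [{"name": "debug", "image": "busybox"}],
    },
}

# Regular container with no securityContext at all: rejected, because the
# root filesystem defaults to writable.
MISSING_CONTEXT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

# Init container explicitly opts out while the main container complies:
# still rejected, since init containers are checked too.
WRITABLE_INIT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "initContainers": [
            {"name": "setup", "image": "busybox",
             "securityContext": {"readOnlyRootFilesystem": False}},
        ],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ],
    },
}


if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD),
                       ("missing-context", MISSING_CONTEXT_POD),
                       ("writable-init", WRITABLE_INIT_POD)):
        print(label, validate({"request": {"object": pod}}))
```

Running the module prints one response per sample: the compliant Pod is accepted even though its ephemeral container has no `securityContext`, the Pod whose container lacks a `securityContext` is rejected, and the Pod whose init container sets `readOnlyRootFilesystem: false` is rejected despite a compliant main container.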