NDEV-17894: correct mutate resource for disallow-previliged containers

nirmata · Feb 6, 2024 · a73c57e · a73c57e
1 parent 5257982
commit a73c57e
Showing 1 changed file with 56 additions and 0 deletions.
diff --git a/...ity/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml b/...ity/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: remediate-disallow-privileged-containers
+  annotations:
+    policies.kyverno.io/title: Remediate Disallow Privileged Containers
+    policies.kyverno.io/category: Pod Security Standards (Baseline)
+    policies.kyverno.io/description: >-
+      This policy remediates the disallow-privileged-containers violation
+spec:
+  background: false
+  rules:
+    - name: remove-privileged-containers
+      match:
+        any:
+          - resources:
+              kinds:
+                - Deployment
+                - StatefulSet
+                - Job
+                - DaemonSet
+      mutate:
+        foreach:
+          - list: request.object.spec.template.spec.containers[]
+            order: Descending
+            preconditions:
+              all:
+              - key: "{{ element.securityContext && element.securityContext.privileged || 'false' }}"
+                operator: Equals
+                value: true
+            patchesJson6902: |-
+              - path: /spec/template/spec/containers/{{elementIndex}}/securityContext/privileged
+                op: replace
+                value: false
+          - list: request.object.spec.template.spec.initContainers[]
+            order: Descending
+            preconditions:
+              all:
+              - key: "{{ element.securityContext && element.securityContext.privileged || 'false'  }}"
+                operator: Equals
+                value: true
+            patchesJson6902: |-
+              - path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext/privileged
+                op: replace
+                value: false
+          - list: request.object.spec.template.spec.ephemeralContainers[]
+            order: Descending
+            preconditions:
+              all:
+              - key: "{{ element.securityContext && element.securityContext.privileged || 'false'  }}"
+                operator: Equals
+                value: true
+            patchesJson6902: |-
+              - path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/privileged
+                op: replace
+                value: false