pod-groups-validation
# ConfigMap read by the pod-groups-validation ClusterPolicy (context entry
# "userGIDMap"). Keys are user namespace names (the policy looks up
# userGIDMap.data."<namespace>"); each value is the JSON array of supplemental
# GIDs that namespace is authorized to request.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: k8-ldap-configmap
  name: user-gids-map
data:
  # ConfigMap data values are strings, hence the quoted JSON array.
  # NOTE(review): the test variables file encodes the same kind of value as
  # quoted strings ('["1000", "1001"]') while this map uses bare integers —
  # confirm the policy's NotIn comparison treats both encodings identically.
  user-tdockendorf: '[5356, 5509]'
# Kyverno ClusterPolicy: for pod CREATE/UPDATE in user-* namespaces, deny the
# request when the pod-level supplementalGroups are not within the GID list
# recorded for that namespace in the user-gids-map ConfigMap.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-groups-validation
  # NOTE(review): ClusterPolicy is cluster-scoped, so metadata.namespace is
  # not meaningful here and may be rejected or dropped on apply — confirm.
  namespace: kyverno
spec:
  # Admission-time evaluation only; existing pods are not re-scanned.
  background: false
  # Violations block the request instead of only being reported.
  validationFailureAction: enforce
  rules:
    - name: pods-user-authorized-for-groups
      match:
        resources:
          kinds:
            - Pod
          # Wildcard: any namespace named user-<something>.
          namespaces:
            - "user-?*"
      # Only CREATE/UPDATE are evaluated; other operations (e.g. the DELETE
      # used by the test-skip-op fixture) skip the rule.
      preconditions:
        - key: "{{ request.operation }}"
          operator: In
          value: ["CREATE","UPDATE"]
      context:
        # Exposes the ConfigMap as the variable userGIDMap (its keys are
        # reached via userGIDMap.data.<key> below).
        - name: userGIDMap
          configMap:
            name: user-gids-map
            namespace: k8-ldap-configmap
      validate:
        message: "{{ request.object.metadata.namespace }} not authorized to use those supplemental groups"
        deny:
          conditions:
            # Deny when the requested supplementalGroups are not in the list
            # stored under the ConfigMap key named after the pod's namespace
            # (nested variable: the inner {{ }} resolves to the namespace).
            # NOTE(review): only spec.securityContext.supplementalGroups is
            # checked. spec.securityContext.fsGroup / runAsGroup and each
            # container's securityContext.runAsGroup also assign a GID to the
            # workload and are not covered — confirm this gap is intended.
            # NOTE(review): no fixture covers a CREATE in a user-* namespace
            # with no supplementalGroups set; how Kyverno handles this key
            # failing to resolve should be confirmed and pinned by a test.
            - key: "{{ request.object.spec.securityContext.supplementalGroups }}"
              operator: NotIn
              value: "{{ userGIDMap.data.\"{{ request.object.metadata.namespace }}\" }}"
# Pod fixtures for the pod-groups-validation Kyverno CLI test. The expected
# outcome of each pod is listed in the test file's results section.
---
# Namespace "test" does not match the policy's user-?* glob -> rule skipped.
apiVersion: v1
kind: Pod
metadata:
  name: test-skip
  namespace: test
spec:
  containers:
    - name: nginx
      image: nginx:1.12
---
# Matching namespace, but variables.yaml sets request.operation to DELETE,
# which does not satisfy the CREATE/UPDATE precondition -> rule skipped.
apiVersion: v1
kind: Pod
metadata:
  name: test-skip-op
  namespace: user-test
  labels:
    account: PZS0001
spec:
  containers:
    - name: nginx
      image: nginx:1.12
---
# GIDs 1000 and 1001 are both in the userGIDMap.data.user-test value given
# in variables.yaml -> pass.
apiVersion: v1
kind: Pod
metadata:
  name: test-pass
  namespace: user-test
spec:
  securityContext:
    supplementalGroups:
      - 1000
      - 1001
  containers:
    - name: nginx
      image: nginx:1.12
---
# GID 1002 is not in the authorized list for user-test -> fail (denied).
apiVersion: v1
kind: Pod
metadata:
  name: test-fail
  namespace: user-test
spec:
  securityContext:
    supplementalGroups:
      - 1002
  containers:
    - name: nginx
      image: nginx:1.12
# Kyverno CLI test definition: applies the policy to the pods in
# resources.yaml, using the request/context values from variables.yaml, and
# asserts the resulting rule status per resource.
---
name: pod-groups-validation
policies:
  # Path is relative to this test file's location.
  - ../../policies/pod-groups-validation.yaml
resources:
  - resources.yaml
variables: variables.yaml
results:
  # Namespace "test" is outside the user-?* match -> skip.
  - policy: pod-groups-validation
    rule: pods-user-authorized-for-groups
    resource: test-skip
    status: skip
  # request.operation is DELETE in variables.yaml -> precondition unmet -> skip.
  - policy: pod-groups-validation
    rule: pods-user-authorized-for-groups
    resource: test-skip-op
    status: skip
  # supplementalGroups 1000/1001 are within the authorized list -> pass.
  - policy: pod-groups-validation
    rule: pods-user-authorized-for-groups
    resource: test-pass
    status: pass
  # supplementalGroups 1002 is not authorized -> fail.
  - policy: pod-groups-validation
    rule: pods-user-authorized-for-groups
    resource: test-fail
    status: fail
# Variable overrides for the Kyverno CLI test: the ConfigMap-derived context
# value per rule, and the admission-request fields per fixture resource.
policies:
  - name: pod-groups-validation
    rules:
      - name: pods-user-authorized-for-groups
        values:
          # Stands in for the live ConfigMap lookup userGIDMap.data."user-test".
          # NOTE(review): GIDs are quoted strings here (and in the per-resource
          # supplementalGroups below), whereas the live ConfigMap uses bare
          # integers ('[5356, 5509]') and the pod specs carry integers. The test
          # therefore only exercises string-to-string comparison — consider
          # matching the real encoding so the int/string behaviour is covered.
          userGIDMap.data.user-test: '["1000", "1001"]'
resources:
  # Non-matching namespace; expected status: skip.
  - name: test-skip
    values:
      request.object.metadata.namespace: test
      request.operation: CREATE
  # DELETE does not satisfy the CREATE/UPDATE precondition; expected: skip.
  - name: test-skip-op
    values:
      request.object.metadata.namespace: user-test
      request.operation: DELETE
  # Both groups authorized for user-test; expected: pass.
  - name: test-pass
    values:
      request.object.metadata.namespace: user-test
      request.object.spec.securityContext.supplementalGroups: '["1000", "1001"]'
      request.operation: CREATE
  # 1002 not authorized for user-test; expected: fail.
  - name: test-fail
    values:
      request.object.metadata.namespace: user-test
      request.object.spec.securityContext.supplementalGroups: '["1002"]'
      request.operation: CREATE