From 2d8b3a44888a847c736e0855e53340fc5199f010 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Fri, 2 Aug 2024 17:56:43 +0530
Subject: [PATCH 1/3] feat: add best practices check-deprecated-apis policy in CEL expressions (#1042)
* copy check-deprecated-apis
Signed-off-by: Chandan-DK
* convert policy
Signed-off-by: Chandan-DK
---------
Signed-off-by: Chandan-DK
Co-authored-by: Mariam Fahmy
Co-authored-by: Chip Zoller
Co-authored-by: shuting
---
 .../.kyverno-test/kyverno-test.yaml | 27 ++++++
 .../.kyverno-test/resource.yaml | 52 ++++++++++
 .../check-deprecated-apis/artifacthub-pkg.yml | 23 +++++
 .../check-deprecated-apis.yaml | 95 +++++++++++++++++++
 4 files changed, 197 insertions(+)
 create mode 100644 best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml
 create mode 100644 best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml
 create mode 100644 best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
 create mode 100644 best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..7b7f6b6b4
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,27 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: check-deprecated-apis
+policies:
+- ../check-deprecated-apis.yaml
+resources:
+- resource.yaml
+results:
+- kind: CronJob
+ policy: check-deprecated-apis
+ resources:
+ - bad-cronjob
+ result: fail
+ rule: validate-v1-25-removals
+- kind: CronJob
+ policy: check-deprecated-apis
+ resources:
+ - good-cronjob
+ result: skip
+ rule: validate-v1-25-removals
+- kind: FlowSchema
+ policy: check-deprecated-apis
+ resources:
+ - bad-flowschema
+ result: fail
+ rule: validate-v1-29-removals
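Review bot: The results block exercises only `validate-v1-25-removals` and `validate-v1-29-removals`; nothing here pins `validate-v1-26-removals` or `validate-v1-27-removals`, so a broken precondition in either of those rules would still pass CI. `bad-flowschema` also matches the v1.26 rule's kind selector, yet no expectation for that rule is declared (presumably `result: skip`, as for `good-cronjob`). Consider adding fixtures for a `flowcontrol.apiserver.k8s.io/v1beta1` FlowSchema, an `autoscaling/v2beta2` HorizontalPodAutoscaler and a `storage.k8s.io/v1beta1` CSIStorageCapacity with matching `result: fail` entries, plus a `result: skip` entry for `bad-flowschema` against `validate-v1-26-removals`.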
diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..c62c18ee1
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml
@@ -0,0 +1,52 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: bad-cronjob
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.28
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: good-cronjob
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.28
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+
+---
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
+kind: FlowSchema
+metadata:
+ name: bad-flowschema
+spec:
+ matchingPrecedence: 1000
+ priorityLevelConfiguration:
+ name: exempt
+
\ No newline at end of file
diff --git a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
new file mode 100644
index 000000000..1c20b08fa
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: check-deprecated-apis-cel
+version: 1.0.0
+displayName: Check deprecated APIs in CEL expressions
+description: >-
+ Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
+ ```
+keywords:
+ - kyverno
+ - Best Practices
+ - CEL Expressions
+readme: |
+ Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Best Practices in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
+ kyverno/subject: "Kubernetes APIs"
+digest: da368de7982e748983a14198e8f8ef46d455023e8938031444f832919fabba6e
+createdAt: "2024-05-31T09:44:23Z"
diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
new file mode 100644
index 000000000..f01488b1e
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
@@ -0,0 +1,95 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-deprecated-apis + annotations: + policies.kyverno.io/title: Check deprecated APIs in CEL expressions + policies.kyverno.io/category: Best Practices in CEL + policies.kyverno.io/subject: Kubernetes APIs + kyverno.io/kyverno-version: 1.12.1 + kyverno.io/kubernetes-version: "1.26-1.27" + policies.kyverno.io/description: >- + Kubernetes APIs are sometimes deprecated and removed after a few releases. + As a best practice, older API versions should be replaced with newer versions. + This policy validates for APIs that are deprecated or scheduled for removal. + Note that checking for some of these resources may require modifying the Kyverno + ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 + so therefore the validate-v1-25-removals rule may not completely work on 1.25+. +spec: + validationFailureAction: Audit + background: true + rules: + - name: validate-v1-25-removals + match: + any: + - resources: + # NOTE: PodSecurityPolicy is completely removed in 1.25. + kinds: + - batch/*/CronJob + - discovery.k8s.io/*/EndpointSlice + - events.k8s.io/*/Event + - policy/*/PodDisruptionBudget + - policy/*/PodSecurityPolicy + - node.k8s.io/*/RuntimeClass + celPreconditions: + - name: "allowed-api-versions" + expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25. 
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + - name: validate-v1-26-removals + match: + any: + - resources: + kinds: + - flowcontrol.apiserver.k8s.io/*/FlowSchema + - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration + - autoscaling/*/HorizontalPodAutoscaler + celPreconditions: + - name: "allowed-api-versions" + expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26. + See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + - name: validate-v1-27-removals + match: + any: + - resources: + kinds: + - storage.k8s.io/*/CSIStorageCapacity + celPreconditions: + - name: "allowed-api-versions" + expression: "object.apiVersion in ['storage.k8s.io/v1beta1']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27. + See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + - name: validate-v1-29-removals + match: + any: + - resources: + kinds: + - flowcontrol.apiserver.k8s.io/*/FlowSchema + - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration + celPreconditions: + - name: "object.apiVersion" + expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']" + validate: + cel: + expressions: + - expression: "false" + messageExpression: >- + object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29. + See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' + From 438bfca7391bec24985d5966b60a4f909a11d4f5 Mon Sep 17 00:00:00 2001 
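Review bot: The precondition in `validate-v1-29-removals` is named `"object.apiVersion"` while the other three rules name theirs `"allowed-api-versions"`; rename it `- name: "allowed-api-versions"` so the four rules read alike and the name describes what the check is rather than which field it reads. The annotation `kyverno.io/kubernetes-version: "1.26-1.27"` also does not cover a rule that reports v1.29 removals, and on a 1.26+ API server the `batch/v1beta1`, `policy/v1beta1` and similar objects the v1.25 rule looks for can no longer be admitted or found by background scans, so that rule will in practice only fire in CLI/offline tests — the description should say so rather than only mentioning PodSecurityPolicy. This hunk begins on the previous line.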
From: Nikhil Maheshwari <36232275+nikhilmaheshwari24@users.noreply.github.com>
Date: Fri, 2 Aug 2024 18:49:04 +0530
Subject: [PATCH 2/3] Add InitContainers and EphermalContainers to Require Limits and Requests (#1103)
* updated require-pod-requests-limits.yaml
Signed-off-by: Nikhil Maheshwari nikhil.m2498@gmail.com
Signed-off-by: Nikhil Maheshwari <36232275+nikhilmaheshwari24@users.noreply.github.com>
* updated require-pod-requests-limits.yaml
Signed-off-by: Nikhil Maheshwari nikhil.m2498@gmail.com
Signed-off-by: Nikhil Maheshwari <36232275+nikhilmaheshwari24@users.noreply.github.com>
* Updated best-practices/require-pod-requests-limits/artifacthub-pkg.yml
Signed-off-by: Nikhil Maheshwari <36232275+nikhilmaheshwari24@users.noreply.github.com>
---------
Signed-off-by: Nikhil Maheshwari nikhil.m2498@gmail.com
Signed-off-by: Nikhil Maheshwari <36232275+nikhilmaheshwari24@users.noreply.github.com>
Co-authored-by: Chip Zoller
---
 .../artifacthub-pkg.yml | 2 +-
 .../require-pod-requests-limits.yaml | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/best-practices/require-pod-requests-limits/artifacthub-pkg.yml b/best-practices/require-pod-requests-limits/artifacthub-pkg.yml
index d5dec6926..c09dc9d67 100644
--- a/best-practices/require-pod-requests-limits/artifacthub-pkg.yml
+++ b/best-practices/require-pod-requests-limits/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices, EKS Best Practices"
 kyverno/subject: "Pod"
-digest: 6fba669ac94197333cb28249ab01deb6461cc6f909645b721fe66bef78d674ec
+digest: bc2fa8b9aed1893274a8bc60abd34fdbe5fbc25d032b7be74214cc1496b77ce1
diff --git a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml
index 652e46f85..b36c4b8de 100644
--- a/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml
+++ b/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml
@@ -16,7 +16,7 @@ metadata:
 This policy validates that all containers have something specified for memory and CPU requests and memory limits.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: validate-resources
@@ -26,10 +26,24 @@ spec:
 kinds:
 - Pod
 validate:
- message: "CPU and memory resource requests and limits are required."
+ message: "CPU and memory resource requests and memory limits are required for containers."
 pattern:
 spec:
 containers:
+ - resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ =(initContainers):
+ - resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ =(ephemeralContainers):
 - resources:
 requests:
 memory: "?*"
From bc1a92befd30a061dcfdf517bde94ad33bd5a3a3 Mon Sep 17 00:00:00 2001
From: Anudeep Nalla <121174814+anuddeeph1@users.noreply.github.com>
Date: Fri, 2 Aug 2024 19:30:02 +0530
Subject: [PATCH 3/3] Added policy for require-run-as-containeruser for windows pods (#1024)
* Added policy for require-run-as-containeruser
Signed-off-by: Anudeep Nalla
* modified digest
Signed-off-by: Anudeep Nalla
* added windows-pod-security directory to test.yaml in workflows
Signed-off-by: Anudeep Nalla
* modified require-run-as-containeruser
Signed-off-by: root
* modified require-run-as-containeruser
Signed-off-by: root
* modified require-run-as-containeruser.yaml
Signed-off-by: Anudeep Nalla
* added windows-security in workflows test.yml
Signed-off-by: anuddeeph1
* added windows-security in test.yml
Signed-off-by: anuddeeph1
* resolving conflict in test.yml
Signed-off-by: anuddeeph1
* added windows-security in test.yml
Signed-off-by: anuddeeph1
* added proper digest in artifacthub-pkg.yml
Signed-off-by: anuddeeph1
* resolving conflict in test.yaml
Signed-off-by: anuddeeph1
* resolving conflict in test.yaml
Signed-off-by: anuddeeph1
* resolving conflict in test.yaml
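Review bot: The new `=(ephemeralContainers):` stanza demands `resources.requests`/`limits` on ephemeral containers, but the Kubernetes API does not allow `resources` to be set on an ephemeral container at all (the field is rejected by API validation; debug containers use the Pod's spare resources), so every Pod that has had `kubectl debug` attached becomes a permanent audit violation that cannot be remediated. Drop the `=(ephemeralContainers):` block, or state in the description that debug containers are deliberately excluded. Separately, ephemeral containers are added via the `pods/ephemeralcontainers` subresource, which a rule matching `Pod` may not observe at admission unless the Kyverno version in use is configured for it — worth confirming before relying on the check. The `pattern` continues past the end of this hunk.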
Signed-off-by: anuddeeph1
* Update .github/workflows/test.yml
Signed-off-by: Chip Zoller
* Update windows-security/require-run-as-containeruser/artifacthub-pkg.yml
Signed-off-by: Chip Zoller
---------
Signed-off-by: Anudeep Nalla
Signed-off-by: root
Signed-off-by: anuddeeph1
Signed-off-by: Anudeep Nalla <121174814+anuddeeph1@users.noreply.github.com>
Signed-off-by: Chip Zoller
Co-authored-by: Anudeep Nalla
Co-authored-by: Chip Zoller
---
 .../chainsaw-step-01-assert-1.yaml | 6 +++
 .../.chainsaw-test/chainsaw-test.yaml | 37 ++++++++++++++++
 .../.chainsaw-test/pod-bad.yaml | 17 ++++++++
 .../.chainsaw-test/pod-good.yaml | 18 ++++++++
 .../.chainsaw-test/podcontroller-bad.yaml | 26 +++++++++++
 .../.chainsaw-test/podcontroller-good.yaml | 27 ++++++++++++
 .../artifacthub-pkg.yml | 23 ++++++++++
 .../require-run-as-containeruser.yaml | 43 +++++++++++++++++++
 8 files changed, 197 insertions(+)
 create mode 100755 windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml
 create mode 100644 windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml
 create mode 100644 windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml
 create mode 100644 windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml
 create mode 100644 windows-security/require-run-as-containeruser/artifacthub-pkg.yml
 create mode 100644 windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..9fb95c569
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-containeruser
+status:
+ ready: true
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..93d87ea58
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-run-as-containeruser
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../require-run-as-containeruser.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-run-as-containeruser
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..bbade42c8
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-bad.yaml
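Review bot: Step-02 never exercises the "unset" path or the container-level fields the policy description claims to cover: both `pod-good.yaml` and `pod-bad.yaml` set `runAsUserName` only under `spec.securityContext`, so a regression in the `containers[*]`/`initContainers[*]` branches of the pattern, or one that started rejecting Pods with no `windowsOptions` at all, would still pass this test. Add a fixture with no `securityContext.windowsOptions` (expected to apply cleanly) and one that sets `runAsUserName: "ContainerAdministrator"` only on a container's own `securityContext` (expected `($error != null): true`). The `expect` check also accepts any error, not specifically a policy denial, so keeping the negative fixtures otherwise identical to the positive ones matters.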
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-windows-pod
+spec:
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/os: windows
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ runAsUserName: "NT AUTHORITY\\Local service"
+ hostNetwork: true
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml
new file mode 100644
index 000000000..75c040c16
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/pod-good.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-windows-pod
+spec:
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/os: windows
+ securityContext:
+ runAsNonRoot: true
+ windowsOptions:
+ hostProcess: false
+ runAsUserName: "ContainerUser"
+ hostNetwork: false
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml
new file mode 100644
index 000000000..97b454eaa
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-bad.yaml
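Review bot: `pod-bad.yaml` differs from `pod-good.yaml` in three fields at once — `hostProcess: true`, `hostNetwork: true` and `runAsUserName: "NT AUTHORITY\\Local service"` — while the policy under test inspects only `runAsUserName`, and the chainsaw check only asserts that some error occurred. Any other admission failure triggered by the HostProcess/hostNetwork combination would therefore satisfy the test without the policy having fired. A tighter negative fixture changes a single field, e.g. `runAsUserName: "ContainerAdministrator"`, and keeps `hostProcess`/`hostNetwork` identical to the good fixture.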
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/os: windows
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ runAsUserName: "NT AUTHORITY\\Local service"
+ hostNetwork: true
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml
new file mode 100644
index 000000000..5d8bbf602
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/.chainsaw-test/podcontroller-good.yaml
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-windows-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: windows-app
+ template:
+ metadata:
+ labels:
+ app: windows-app
+ spec:
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ kubernetes.io/os: windows
+ securityContext:
+ runAsNonRoot: true
+ windowsOptions:
+ hostProcess: false
+ runAsUserName: "ContainerUser"
+ hostNetwork: false
+ containers:
+ - name: windows-container
+ image: mcr.microsoft.com/windows/servercore:ltsc2019
+ command: ["cmd", "/c", "echo", "Hello from Windows Container && timeout", "/t", "300"]
diff --git a/windows-security/require-run-as-containeruser/artifacthub-pkg.yml b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml
new file mode 100644
index 000000000..d11205de7
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: require-run-as-containeruser
+version: 1.0.0
+displayName: Require runAsContainerUser (Windows)
+createdAt: "2024-05-21T09:05:16.000Z"
+description: >-
+ Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[*].securityContext.windowsOptions.runAsUserName, spec.initContainers[*].securityContext.windowsOptions.runAsUserName is either unset or set to ContainerUser.
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
+ ```
+keywords:
+ - kyverno
+ - Windows Security
+readme: |
+ Containers must be required to run as ContainerUser. This policy ensures that the fields spec.securityContext.windowsOptions.runAsUserName, spec.containers[*].securityContext.windowsOptions.runAsUserName, spec.initContainers[*].securityContext.windowsOptions.runAsUserName is either unset or set to ContainerUser.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Windows Security"
+ kyverno/kubernetesVersion: "1.22-1.28"
+ kyverno/subject: "Pod"
+digest: e51c72783f9c92d0ba3337d8e41bb5383b7ce15f583d7e1732ef75d7c1acd811
diff --git a/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
new file mode 100644
index 000000000..547bb2a34
--- /dev/null
+++ b/windows-security/require-run-as-containeruser/require-run-as-containeruser.yaml
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-containeruser
+ annotations:
+ policies.kyverno.io/title: Require Run As ContainerUser (Windows)
+ policies.kyverno.io/category: Windows Security
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kyverno-version: 1.6.0
+ kyverno.io/kubernetes-version: "1.22-1.28"
+ policies.kyverno.io/description: >-
+ Containers must be required to run as ContainerUser. This policy ensures that the fields
+ spec.securityContext.windowsOptions.runAsUserName,
+ spec.containers[*].securityContext.windowsOptions.runAsUserName,
+ spec.initContainers[*].securityContext.windowsOptions.runAsUserName,
+ and is either unset or set to ContainerUser.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: require-run-as-containeruser
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Running the container as ContainerAdministrator,NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE is not allowed.
+ pattern:
+ spec:
+ =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
+ =(initContainers):
+ - =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
+ containers:
+ - =(securityContext):
+ =(windowsOptions):
+ =(runAsUserName): "ContainerUser"
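Review bot: `validationFailureAction: audit` is lowercase here while PATCH 2 of this same series corrects exactly that value to `Audit` in require-pod-requests-limits.yaml; write `validationFailureAction: Audit` so the new policy does not reintroduce the inconsistency. The message lists only ContainerAdministrator and the two NT AUTHORITY service accounts, but `=(runAsUserName): "ContainerUser"` rejects every other value (any local or domain account), so a denied user is told the wrong reason — something like `windowsOptions.runAsUserName, if set, must be ContainerUser; running as any other account is not allowed.` describes what the pattern actually enforces. Ephemeral containers can carry their own `securityContext.windowsOptions.runAsUserName` and are not covered; if they should be constrained, add an `=(ephemeralContainers):` stanza mirroring the `=(initContainers):` one. The description's closing line `and is either unset or set to ContainerUser.` reads as a fragment; `are each either unset or set to ContainerUser.` (dropping the stray `and`) would match the three fields it lists.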