mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-13 04:36:51 +00:00
cbc15ad069
* update runAsPrivileged to test at pod level * update runAsPrivileged to test at pod level * add pod level success/failure tests * add insuecure capabilities pod level testing * update checks to include good/bad security * update checks for good/bad security * remove good security from runAsPrivileged
56 lines
1.5 KiB
YAML
56 lines
1.5 KiB
YAML
successMessage: Container does not have any insecure capabilities
|
|
failureMessage: Container should not have insecure capabilities
|
|
category: Security
|
|
target: Container
|
|
schema:
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
required:
|
|
- securityContext
|
|
properties:
|
|
securityContext:
|
|
type: object
|
|
required:
|
|
- capabilities
|
|
properties:
|
|
capabilities:
|
|
type: object
|
|
required:
|
|
- drop
|
|
properties:
|
|
drop:
|
|
type: array
|
|
oneOf:
|
|
- contains:
|
|
const: ALL
|
|
- allOf:
|
|
- contains:
|
|
const: NET_ADMIN
|
|
- contains:
|
|
const: CHOWN
|
|
- contains:
|
|
const: DAC_OVERRIDE
|
|
- contains:
|
|
const: FSETID
|
|
- contains:
|
|
const: FOWNER
|
|
- contains:
|
|
const: MKNOD
|
|
- contains:
|
|
const: NET_RAW
|
|
- contains:
|
|
const: SETGID
|
|
- contains:
|
|
const: SETUID
|
|
- contains:
|
|
const: SETFCAP
|
|
- contains:
|
|
const: SETPCAP
|
|
- contains:
|
|
const: NET_BIND_SERVICE
|
|
- contains:
|
|
const: SYS_CHROOT
|
|
- contains:
|
|
const: KILL
|
|
- contains:
|
|
const: AUDIT_WRITE |