mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-17 06:36:48 +00:00
08682075c6
* add more mutations * fix tests * add more test cases * Update insecureCapabilities.yaml * Update dangerousCapabilities.yaml * fix tests * fix tests * add pullPolicyNotAlways as default mutation
63 lines
1.8 KiB
YAML
63 lines
1.8 KiB
YAML
successMessage: Container does not have any insecure capabilities
|
|
failureMessage: Container should not have insecure capabilities
|
|
category: Security
|
|
target: Container
|
|
schema:
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
required:
|
|
- securityContext
|
|
properties:
|
|
securityContext:
|
|
type: object
|
|
required:
|
|
- capabilities
|
|
properties:
|
|
capabilities:
|
|
type: object
|
|
required:
|
|
- drop
|
|
properties:
|
|
drop:
|
|
type: array
|
|
oneOf:
|
|
- contains:
|
|
pattern: '^(?i)ALL$'
|
|
- allOf:
|
|
- contains:
|
|
pattern: '^(?i)NET_ADMIN$'
|
|
- contains:
|
|
pattern: '^(?i)CHOWN$'
|
|
- contains:
|
|
pattern: '^(?i)DAC_OVERRIDE$'
|
|
- contains:
|
|
pattern: '^(?i)FSETID$'
|
|
- contains:
|
|
pattern: '^(?i)FOWNER$'
|
|
- contains:
|
|
pattern: '^(?i)MKNOD$'
|
|
- contains:
|
|
pattern: '^(?i)NET_RAW$'
|
|
- contains:
|
|
pattern: '^(?i)SETGID$'
|
|
- contains:
|
|
pattern: '^(?i)SETUID$'
|
|
- contains:
|
|
pattern: '^(?i)SETFCAP$'
|
|
- contains:
|
|
pattern: '^(?i)SETPCAP$'
|
|
- contains:
|
|
pattern: '^(?i)NET_BIND_SERVICE$'
|
|
- contains:
|
|
pattern: '^(?i)SYS_CHROOT$'
|
|
- contains:
|
|
pattern: '^(?i)KILL$'
|
|
- contains:
|
|
pattern: '^(?i)AUDIT_WRITE$'
|
|
mutations:
|
|
- op: remove
|
|
path: /securityContext/capabilities
|
|
- op: add
|
|
path: /securityContext/capabilities
|
|
value: {"drop": ["ALL"]}
|