
YunosukeY/policy-for-pss


Conftest Policy for Pod Security Standards


This repository implements the Kubernetes Pod Security Standards (baseline and restricted levels) as Conftest policy, so manifests can be checked before they are applied.
The same rules are also provided as Gatekeeper policy (a ConstraintTemplate and a Constraint) for enforcement in-cluster.

Usage

For Conftest:

$ conftest test --update https://github.com/YunosukeY/policy-for-pss/raw/1.28/bundle.tar.gz <file-to-test>

For Gatekeeper:

$ kubectl apply -f https://github.com/YunosukeY/policy-for-pss/raw/1.28/k8s/template_PodSecurityStandards.yaml
$ kubectl apply -f https://github.com/YunosukeY/policy-for-pss/raw/1.28/k8s/constraint_PodSecurityStandards.yaml

Features

If you want to allow a violation for a specific resource, set the matching allowXxx label to the string "true" on that resource's own metadata (for a Deployment, on the Deployment rather than the pod template). Each label disables exactly one check, so treat these labels as reviewable exceptions and audit for them.

For baseline level rules:

  • allowHostProcess
  • allowHostNamespace
  • allowPrivileged
  • allowPrivilegedLevelCapabilities
  • allowHostPath
  • allowHostPort
  • allowAllAppArmorProfile
  • allowAllSeLinuxOptions
  • allowUnmaskedProcMount
  • allowPrivilegedLevelSeccompTypes
  • allowAllSysctls

For restricted level rules:

  • allowAllVolumeTypes
  • allowPrivilegeEscalation
  • allowRunAsRoot
  • allowRunAsRootUser
  • allowBaselineLevelSeccompTypes
  • allowBaselineLevelCapabilities

Example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    allowPrivilegeEscalation: "true"
    allowRunAsRoot: "true"
    allowBaselineLevelSeccompTypes: "true"
    allowBaselineLevelCapabilities: "true"
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
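To show how a label-driven exemption of this kind is typically expressed in Rego, here is an illustrative Conftest policy covering two of the restricted-level checks (allowPrivilegeEscalation and allowRunAsRoot). It is an added example written for this page, not the repository's own rules: the rule names, messages and the handling of pod-level versus container-level securityContext are assumptions, and the real policy bundle may differ.

```rego
package main

# Added example, not the policy-for-pss code. Requires OPA/Conftest with rego.v1 support.
import rego.v1

# Pod spec for a bare Pod, or for a workload controller carrying a pod template.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if input.kind != "Pod"

# A label set to the string "true" on the resource's own metadata opts it out of one check.
exempt(label) if input.metadata.labels[label] == "true"

# Regular, init and ephemeral containers are all subject to the checks.
all_containers contains c if some c in pod_spec.containers

all_containers contains c if some c in pod_spec.initContainers

all_containers contains c if some c in pod_spec.ephemeralContainers

# Restricted: every container must explicitly set allowPrivilegeEscalation=false.
deny contains msg if {
	not exempt("allowPrivilegeEscalation")
	some c in all_containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("%s/%s: container %q must set securityContext.allowPrivilegeEscalation=false", [input.kind, input.metadata.name, c.name])
}

# A container-level runAsNonRoot value wins when present; otherwise fall back to the pod level.
runs_as_non_root(c) if c.securityContext.runAsNonRoot == true

runs_as_non_root(c) if {
	object.get(c, ["securityContext", "runAsNonRoot"], null) == null
	pod_spec.securityContext.runAsNonRoot == true
}

# Restricted: every container must run as a non-root user.
deny contains msg if {
	not exempt("allowRunAsRoot")
	some c in all_containers
	not runs_as_non_root(c)
	msg := sprintf("%s/%s: container %q must run with runAsNonRoot=true", [input.kind, input.metadata.name, c.name])
}
```

Saved as policy/pss.rego and run with `conftest test --policy ./policy deployment.yaml`, this policy reports two denials for the nginx Deployment above when its allowXxx labels are removed (the container sets no securityContext at all), and passes it as written because the allowPrivilegeEscalation and allowRunAsRoot labels exempt it. Note that `not exempt(...)` only reads the top-level metadata.labels of the object under test, which is why the labels belong on the Deployment rather than on spec.template.metadata.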