# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
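command:
{{- if .Vars.controller.containerSecurityContext.enabled }}
  # With the container security context enabled, PID 1 must hold no Linux
  # capabilities at all: every capability set the kernel reports for the
  # process (CapInh/CapPrm/CapEff/CapBnd/CapAmb) has to be zero.
  check-no-capabilities:
    exec: cat /proc/1/status
    exit-status: 0
    stdout:
      - "CapInh: 0000000000000000"
      - "CapPrm: 0000000000000000"
      - "CapEff: 0000000000000000"
      - "CapBnd: 0000000000000000"
      - "CapAmb: 0000000000000000"
{{- end }}
{{- $uid := .Vars.controller.containerSecurityContext.runAsUser }}
{{- $gid := .Vars.controller.podSecurityContext.fsGroup }}
  # The UID and GID should always be either the one specified as vars (always a
  # bigger number than the default) or the one randomly defined by OpenShift
  # (larger values). Otherwise, the chart is still using the default value.
  # The GID is taken from the second entry of `id -G`; this assumes the fsGroup
  # shows up as the first supplementary group of the process — TODO confirm.
  # The test is written positively (exit 0 only when BOTH comparisons succeed)
  # so that a malformed comparison — e.g. an empty or non-numeric rendered
  # value — makes the check fail instead of silently passing.
  check-user-info:
    exec: if [ "$(id -u)" -ge "{{ $uid }}" ] && [ "$(id -G | awk '{print $2}')" -ge "{{ $gid }}" ]; then exit 0; else exit 1; fi
    exit-status: 0
{{- if .Vars.controller.automountServiceAccountToken }}
  # Decodes the payload (second dot-separated segment) of the mounted service
  # account JWT and checks that it names this chart's service account. The
  # '====' / fold / sed steps only restore base64 padding; no signature is
  # verified here, so this proves the token is mounted and addressed to the
  # expected account, nothing more.
  check-sa:
    exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
    exit-status: 0
    stdout:
      - /serviceaccount.*name.*{{ .Env.BITNAMI_APP_NAME }}/
{{- end }}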