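---
# Kyverno ClusterPolicy: require a hardened container securityContext on
# OpenTelemetry Collector workloads (Deployment / DaemonSet / StatefulSet).
#
# Scope: the rule only fires when the pod template carries the label
# app.kubernetes.io/name=opentelemetry-collector (see preconditions), and the
# e2ehostmetrics namespace is exempt. Admission is blocked (Enforce), and
# existing objects are not re-scanned (background: false).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: collector-workloads-securitycontext
spec:
  # Enforce: non-compliant workloads are rejected at admission rather than
  # merely reported.
  validationFailureAction: Enforce
  # No background scans of pre-existing resources; admission-time only.
  background: false
  rules:
    - name: require-hardened-securitycontext-on-collector-workloads
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - DaemonSet
                - StatefulSet
      # Exempt all matching resources in this namespace
      exclude:
        resources:
          namespaces:
            - e2ehostmetrics
      preconditions:
        all:
          # Only collector workloads are in scope; a missing label resolves to
          # null, so the Equals check fails and the rule is skipped.
          - key: "{{ request.object.spec.template.metadata.labels.\"app.kubernetes.io/name\" }}"
            operator: Equals
            value: opentelemetry-collector
      validate:
        message: "Collector workloads must run with hardened container securityContext."
        pattern:
          spec:
            template:
              spec:
                # Every init container (when the list is present — the =()
                # equality anchor makes the key optional) must carry the same
                # hardened securityContext as the main containers; otherwise
                # an init container could run privileged / as root before
                # the collector starts.
                =(initContainers):
                  - name: "?*"
                    securityContext:
                      privileged: false
                      readOnlyRootFilesystem: true
                      allowPrivilegeEscalation: false
                      runAsNonRoot: true
                      runAsUser: 10001
                      runAsGroup: 10001
                      seccompProfile:
                        type: RuntimeDefault
                      capabilities:
                        drop:
                          - ALL
                # Every container (any name) must declare the full hardened
                # securityContext; the securityContext key itself is required,
                # so a container that omits it is rejected.
                containers:
                  - name: "?*"
                    securityContext:
                      privileged: false
                      readOnlyRootFilesystem: true
                      allowPrivilegeEscalation: false
                      runAsNonRoot: true
                      runAsUser: 10001
                      runAsGroup: 10001
                      seccompProfile:
                        type: RuntimeDefault
                      capabilities:
                        drop:
                          - ALL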