Adding deny to polices

Signed-off-by: Amit Schendel <[email protected]>

Author: amitschendel

runtime-policies/attach/policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: cluster-policy-attach
+  name: cluster-policy-deny-attach
 spec:
   matchConstraints:
     resourceRules:
@@ -18,8 +18,9 @@ spec:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: cluster-policy-attach-binding
+  name: cluster-policy-deny-attach-binding
 spec:
-  policyName: cluster-policy-attach
+  policyName: cluster-policy-deny-attach
   validationActions:
+  - Deny
   - Audit

runtime-policies/exec/policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: cluster-policy-exec
+  name: cluster-policy-deny-exec
 spec:
   matchConstraints:
     resourceRules:
@@ -18,8 +18,8 @@ spec:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: cluster-policy-exec-binding
+  name: cluster-policy-deny-exec-binding
 spec:
-  policyName: cluster-policy-exec
+  policyName: cluster-policy-deny-exec
   validationActions:
   - Audit

runtime-policies/hostmount/policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: cluster-policy-hostMount
+  name: cluster-policy-deny-hostMount
 spec:
   matchConstraints:
     resourceRules:
@@ -32,8 +32,9 @@ spec:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: cluster-policy-hostMount-binding
+  name: cluster-policy-deny-hostMount-binding
 spec:
-  policyName: cluster-policy-hostMount
+  policyName: cluster-policy-deny-hostMount
   validationActions:
+  - Deny
   - Audit

runtime-policies/insecure-capabilities/policy.yaml

@@ -21,7 +21,7 @@ settings:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: cluster-policy-insecure-capabilities
+  name: cluster-policy-deny-insecure-capabilities
 spec:
   failurePolicy: Fail
   paramKind:
@@ -70,10 +70,11 @@ spec:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: cluster-policy-insecure-capabilities-binding
+  name: cluster-policy-deny-insecure-capabilities-binding
 spec:
-  policyName: cluster-policy-insecure-capabilities
+  policyName: cluster-policy-deny-insecure-capabilities
   paramRef:
     name: basic-policy-configuration
   validationActions:
+  - Deny
   - Audit

runtime-policies/portforward/policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: cluster-policy-portforward
+  name: cluster-policy-deny-portforward
 spec:
   matchConstraints:
     resourceRules:
@@ -18,8 +18,9 @@ spec:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: cluster-policy-portforward-binding
+  name: cluster-policy-deny-portforward-binding
 spec:
-  policyName: cluster-policy-portforward
+  policyName: cluster-policy-deny-portforward
   validationActions:
+  - Deny
   - Audit

runtime-policies/privileged/policy.yaml

@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
-  name: cluster-policy-priviliged-flag
+  name: cluster-policy-deny-priviliged-flag
 spec:
   failurePolicy: Fail
   matchConstraints:
@@ -50,8 +50,9 @@ spec:
 apiVersion: admissionregistration.x-k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
-  name: cluster-policy-privileged-flag-binding
+  name: cluster-policy-deny-privileged-flag-binding
 spec:
-  policyName: cluster-policy-priviliged-flag
+  policyName: cluster-policy-deny-priviliged-flag
   validationActions:
+  - Deny
   - Audit