
Sample Policies


Policy Samples#

Deny a Specific Container Image#

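# Deny creating or updating a Pod that runs the nginx image.
# Defect in the sample: an exact comparison with "nginx" is bypassed by any
# tag or digest ("nginx:1.25", "nginx@sha256:..."), by initContainers, and by
# an UPDATE that swaps the image of an existing Pod (container images are
# mutable on Pods). The match below covers all three.
# NOTE(review): registry-qualified references ("docker.io/library/nginx")
# still do not match; normalise the reference first if that matters here.
match[{"msg": msg}] {
	write_ops := {"CREATE", "UPDATE"}
	write_ops[input.request.operation]
	input.request.kind.kind == "Pod"
	input.request.resource.resource == "pods"
	spec := input.request.object.spec
	# initContainers is optional on a Pod, so default to an empty list
	containers := array.concat(
		object.get(spec, "containers", []),
		object.get(spec, "initContainers", []),
	)
	image := containers[_].image
	# bare name, tagged name, or digest-pinned name
	regex.match("^nginx([:@].*)?$", image)
	msg := "It's not allowed to use the nginx Image!"
}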

Deny Exposing a Specific Container Port#

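# Deny creating or updating a Pod that declares containerPort 80 on any
# container or initContainer.
# Defect in the sample: only spec.containers on CREATE were inspected, so an
# initContainer, or an UPDATE that adds the port later, slipped through.
# NOTE(review): containerPort is informational — a process can listen on
# port 80 without declaring it. Treat this as a lint of the manifest, not as
# proof that nothing serves HTTP; a NetworkPolicy is the enforcing control.
match[{"msg": msg}] {
	write_ops := {"CREATE", "UPDATE"}
	write_ops[input.request.operation]
	input.request.kind.kind == "Pod"
	input.request.resource.resource == "pods"
	spec := input.request.object.spec
	# initContainers is optional on a Pod, so default to an empty list
	containers := array.concat(
		object.get(spec, "containers", []),
		object.get(spec, "initContainers", []),
	)
	containers[_].ports[_].containerPort == 80
	msg := "It's not allowed to use port 80 (HTTP) with a Pod configuration!"
}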

Deny Privileged Pod#

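# Deny creating or updating a Pod with a privileged container.
# Defect in the sample: only spec.containers on CREATE were inspected.
# Privileged initContainers were missed entirely, and so were ephemeral
# containers, which are added to a running Pod through an UPDATE (the
# ephemeralcontainers subresource) rather than a CREATE — kubectl debug is
# the usual path. All three container lists and both operations are covered.
match[{"msg": msg}] {
	write_ops := {"CREATE", "UPDATE"}
	write_ops[input.request.operation]
	input.request.kind.kind == "Pod"
	input.request.resource.resource == "pods"
	spec := input.request.object.spec
	# every container list is optional on the Pod schema; default to empty
	containers := array.concat(
		array.concat(
			object.get(spec, "containers", []),
			object.get(spec, "initContainers", []),
		),
		object.get(spec, "ephemeralContainers", []),
	)
	# the API server validates privileged as a boolean, so compare explicitly
	containers[_].securityContext.privileged == true
	msg := "Privileged pod created"
}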

Deny Namespace Creation#

# Deny every request that creates a Namespace.
# Only the operation and the object kind are inspected; the requesting user
# is not consulted, so this applies to cluster admins as well.
match[{"msg": msg}] {
	req := input.request
	req.kind.kind == "Namespace"
	req.operation == "CREATE"
	msg := "It's not allowed to create new namespace!"
}

"kubectl exec" is not allowed for group1 users#

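# Deny pod exec and attach for members of group1.
# Defect in the sample: it matched every CONNECT request from group1 — exec,
# attach, portforward and proxy, on any resource — while the heading and the
# message promise only "exec". The rule is scoped to the pods resource and to
# the exec and attach subresources; attach is included because it gives the
# same interactive access to a running container. Drop the subResource check
# if the broad CONNECT deny was the intent.
# Group membership comes from userInfo.groups, which the API server fills in
# from the authenticator, so it is not client-controlled.
match[{"msg": msg}] {
	input.request.operation == "CONNECT"
	input.request.resource.resource == "pods"
	interactive := {"exec", "attach"}
	interactive[input.request.subResource]
	input.request.userInfo.groups[_] == "group1"
	msg := "It's not allowed for group1 users to exec into a pod"
}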

Audit all kubectl exec and attach operations (CONNECT on pods)#

# Audit (report, not block) every exec or attach on a pod.
# Both arrive as CONNECT on the pods resource; the subresource tells them
# apart from portforward and proxy, which are deliberately left out.
match[{"msg": msg}] {
	req := input.request
	req.operation == "CONNECT"
	req.resource.resource == "pods"
	audited := {"exec", "attach"}
	audited[req.subResource]
	msg := "Exec or attach to a pod"
}
# True when v names one of the two interactive pod subresources.
# A single set lookup replaces the two partial definitions.
exec_or_attach(v) {
	{"exec", "attach"}[v]
}

Audit all Pods that add Linux Capabilities#

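# Audit (report, not block) any Pod whose containers add Linux capabilities.
# Defects in the sample: a bare reference to capabilities.add is true for an
# empty list too, so `add: []` was reported as if it granted something; and
# only spec.containers on CREATE were inspected, so initContainers and
# ephemeral containers (added via UPDATE) were never audited.
match[{"msg": msg}] {
	write_ops := {"CREATE", "UPDATE"}
	write_ops[input.request.operation]
	input.request.kind.kind == "Pod"
	input.request.resource.resource == "pods"
	spec := input.request.object.spec
	# every container list is optional on the Pod schema; default to empty
	containers := array.concat(
		array.concat(
			object.get(spec, "containers", []),
			object.get(spec, "initContainers", []),
		),
		object.get(spec, "ephemeralContainers", []),
	)
	added := containers[_].securityContext.capabilities.add
	# only report when at least one capability is actually added
	count(added) > 0
	msg := "Pod created with Linux Capabilities"
}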