diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/artifacthub-pkg.yml b/artifacthub/library/general/disallowinteractive/1.0.0/artifacthub-pkg.yml new file mode 100644 index 000000000..ce76a2d24 --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.0 +name: k8sdisallowinteractivetty +displayName: Disallow Interactive TTY Containers +createdAt: "2023-04-27T21:41:24Z" +description: Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. +digest: c462c392ee271922f97e53d084646857dbbc97f496382e9b5c117532ccf3b5bc +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/disallowinteractive +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Disallow Interactive TTY Containers + Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/disallowinteractive/1.0.0/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/kustomization.yaml b/artifacthub/library/general/disallowinteractive/1.0.0/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/constraint.yaml b/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/constraint.yaml new file mode 100644 index 000000000..cf5eac82b --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/constraint.yaml 
@@ -0,0 +1,9 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sDisallowInteractiveTTY +metadata: + name: no-interactive-tty-containers +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_allowed.yaml b/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_allowed.yaml new file mode 100644 index 000000000..bed6b5954 --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_allowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-interactive-tty-allowed + labels: + app: nginx-interactive-tty +spec: + containers: + - name: nginx + image: nginx + stdin: false + tty: false diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_disallowed.yaml b/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_disallowed.yaml new file mode 100644 index 000000000..aa4949323 --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/samples/no-interactive-containers/example_disallowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation +spec: + containers: + - name: nginx + image: nginx + stdin: true + tty: true diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/suite.yaml b/artifacthub/library/general/disallowinteractive/1.0.0/suite.yaml new file mode 100644 index 000000000..ed9acb08f --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/suite.yaml 
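Review bot: The disallowed sample in example_disallowed.yaml is named `nginx-privilege-escalation-disallowed` with label `app: nginx-privilege-escalation`, which reads as a leftover from another policy's sample and does not describe what this case demonstrates, while the allowed sample beside it uses `nginx-interactive-tty-allowed` / `app: nginx-interactive-tty`. Renaming the object to `name: nginx-interactive-tty-disallowed` and the label to `app: nginx-interactive-tty` keeps the pair consistent and avoids a misleading name in the generated docs. The same object is duplicated in library/general/disallowinteractive/samples/no-interactive-containers/example_disallowed.yaml and in website/docs/validation/disallowinteractive.md, so all three copies need the rename.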
@@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: disallowinteractive +tests: +- name: disallow-interactive + template: template.yaml + constraint: samples/no-interactive-containers/constraint.yaml + cases: + - name: example-allowed + object: samples/no-interactive-containers/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/no-interactive-containers/example_disallowed.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/general/disallowinteractive/1.0.0/template.yaml b/artifacthub/library/general/disallowinteractive/1.0.0/template.yaml new file mode 100644 index 000000000..63bc5d179 --- /dev/null +++ b/artifacthub/library/general/disallowinteractive/1.0.0/template.yaml 
@@ -0,0 +1,88 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sdisallowinteractivetty + annotations: + metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. +spec: + crd: + spec: + names: + kind: K8sDisallowInteractiveTTY + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and + `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. 
+ type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sdisallowinteractivetty + + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + c := input_containers[_] + not is_exempt(c) + input_allow_interactive_fields(c) + msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) + } + + input_allow_interactive_fields(c) { + has_field(c, "stdin") + not c.stdin == false + } + input_allow_interactive_fields(c) { + has_field(c, "tty") + not c.tty == false + } + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/library/general/disallowinteractive/kustomization.yaml b/library/general/disallowinteractive/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/library/general/disallowinteractive/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml diff --git a/library/general/disallowinteractive/samples/no-interactive-containers/constraint.yaml b/library/general/disallowinteractive/samples/no-interactive-containers/constraint.yaml new file mode 100644 index 000000000..cf5eac82b --- /dev/null 
+++ b/library/general/disallowinteractive/samples/no-interactive-containers/constraint.yaml @@ -0,0 +1,9 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sDisallowInteractiveTTY +metadata: + name: no-interactive-tty-containers +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/library/general/disallowinteractive/samples/no-interactive-containers/example_allowed.yaml b/library/general/disallowinteractive/samples/no-interactive-containers/example_allowed.yaml new file mode 100644 index 000000000..bed6b5954 --- /dev/null +++ b/library/general/disallowinteractive/samples/no-interactive-containers/example_allowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-interactive-tty-allowed + labels: + app: nginx-interactive-tty +spec: + containers: + - name: nginx + image: nginx + stdin: false + tty: false diff --git a/library/general/disallowinteractive/samples/no-interactive-containers/example_disallowed.yaml b/library/general/disallowinteractive/samples/no-interactive-containers/example_disallowed.yaml new file mode 100644 index 000000000..aa4949323 --- /dev/null +++ b/library/general/disallowinteractive/samples/no-interactive-containers/example_disallowed.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation +spec: + containers: + - name: nginx + image: nginx + stdin: true + tty: true diff --git a/library/general/disallowinteractive/suite.yaml b/library/general/disallowinteractive/suite.yaml new file mode 100644 index 000000000..ed9acb08f --- /dev/null +++ b/library/general/disallowinteractive/suite.yaml 
@@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: disallowinteractive +tests: +- name: disallow-interactive + template: template.yaml + constraint: samples/no-interactive-containers/constraint.yaml + cases: + - name: example-allowed + object: samples/no-interactive-containers/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/no-interactive-containers/example_disallowed.yaml + assertions: + - violations: yes diff --git a/library/general/disallowinteractive/template.yaml b/library/general/disallowinteractive/template.yaml new file mode 100644 index 000000000..63bc5d179 --- /dev/null +++ b/library/general/disallowinteractive/template.yaml 
@@ -0,0 +1,88 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sdisallowinteractivetty + annotations: + metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. +spec: + crd: + spec: + names: + kind: K8sDisallowInteractiveTTY + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and + `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. 
+ type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sdisallowinteractivetty + + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + c := input_containers[_] + not is_exempt(c) + input_allow_interactive_fields(c) + msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) + } + + input_allow_interactive_fields(c) { + has_field(c, "stdin") + not c.stdin == false + } + input_allow_interactive_fields(c) { + has_field(c, "tty") + not c.tty == false + } + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } diff --git a/library/general/kustomization.yaml b/library/general/kustomization.yaml index 12a3a5a7c..5e7cf5c01 100644 --- a/library/general/kustomization.yaml +++ b/library/general/kustomization.yaml @@ -10,9 +10,12 @@ resources: - containerlimits - containerrequests - containerresourceratios -- disallowedrepos +- containerresources - disallowanonymous +- disallowedrepos - disallowedtags +- disallowinteractive +- ephemeralstoragelimit - externalip - horizontalpodautoscaler - httpsonly 
@@ -26,6 +29,4 @@ resources: - uniqueingresshost - uniqueserviceselector - verifydeprecatedapi -- containerresources - storageclass -- ephemeralstoragelimit diff --git a/src/general/disallowinteractive/constraint.tmpl b/src/general/disallowinteractive/constraint.tmpl new file mode 100644 index 000000000..7af7d52c3 --- /dev/null +++ b/src/general/disallowinteractive/constraint.tmpl @@ -0,0 +1,39 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sdisallowinteractivetty + annotations: + metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. +spec: + crd: + spec: + names: + kind: K8sDisallowInteractiveTTY + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and + `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | +{{ file.Read "src/general/disallowinteractive/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/general/disallowinteractive/lib_exempt_container.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} 
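Review bot: The `description` annotation in constraint.tmpl says objects must have `spec.tty` and `spec.stdin` unset or false, but the Rego only reads `tty` and `stdin` on entries of `spec.containers`, `spec.initContainers` and `spec.ephemeralContainers`; the Pod spec itself has no such top-level fields, so the sentence points readers at a path that does not exist. Suggest wording it at the container level, e.g. `Requires that every container has tty and stdin set to false or unset.`, in line with the parameter schema description a few lines below. Since artifacthub-pkg.yml, both generated template.yaml files and the website page carry the same sentence, fixing it in this template and regenerating covers all copies.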
diff --git a/src/general/disallowinteractive/lib_exempt_container.rego b/src/general/disallowinteractive/lib_exempt_container.rego new file mode 100644 index 000000000..c483416be --- /dev/null +++ b/src/general/disallowinteractive/lib_exempt_container.rego @@ -0,0 +1,19 @@ +package lib.exempt_container + +is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) +} + +_matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img +} + +_matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) +} diff --git a/src/general/disallowinteractive/src.rego b/src/general/disallowinteractive/src.rego new file mode 100644 index 000000000..355220695 --- /dev/null +++ b/src/general/disallowinteractive/src.rego @@ -0,0 +1,32 @@ +package k8sdisallowinteractivetty + +import data.lib.exempt_container.is_exempt + +violation[{"msg": msg, "details": {}}] { + c := input_containers[_] + not is_exempt(c) + input_allow_interactive_fields(c) + msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) +} + +input_allow_interactive_fields(c) { + has_field(c, "stdin") + not c.stdin == false +} +input_allow_interactive_fields(c) { + has_field(c, "tty") + not c.tty == false +} +input_containers[c] { + c := input.review.object.spec.containers[_] +} +input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] +} +input_containers[c] { + c := input.review.object.spec.initContainers[_] +} +# has_field returns whether an object has a field +has_field(object, field) = true { + object[field] +} diff --git a/src/general/disallowinteractive/src_test.rego b/src/general/disallowinteractive/src_test.rego new file mode 100644 index 000000000..78af2ca2d --- /dev/null 
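Review bot: The comment on `has_field` in src.rego (`# has_field returns whether an object has a field`) overstates what the rule does: its body is the bare expression `object[field]`, which is undefined not only when the field is absent but also when it is present with the value `false`, so `has_field(c, "stdin")` fails for `stdin: false`. The policy still behaves correctly because `not c.stdin == false` rejects the same case, but the name and comment will mislead the next reader; suggest `# has_field is true only when object has field and its value is not false`. Given that, each `input_allow_interactive_fields` clause reduces to one line, `input_allow_interactive_fields(c) { c.stdin == true }` and `input_allow_interactive_fields(c) { c.tty == true }`, which is equivalent for the boolean values the API server accepts for these fields. Whether the `spec.ephemeralContainers` branch is ever reached at admission presumably depends on the webhook also intercepting the `pods/ephemeralcontainers` subresource, which this change does not touch; a short comment on that branch would save the next reader from assuming it is covered. The Rego embedded in the two template.yaml files and the docs page is generated from this file, so the change belongs here only.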
+++ b/src/general/disallowinteractive/src_test.rego 
@@ -0,0 +1,165 @@ +package k8sdisallowinteractivetty + +test_input_container_not_tty_allowed { + input := { "review": input_review} + results := violation with input as input + count(results) == 0 +} +test_input_container_stdin_not_allowed { + input := { "review": input_review_stdin} + results := violation with input as input + count(results) == 1 +} +test_input_container_tty_not_allowed { + input := { "review": input_review_tty} + results := violation with input as input + count(results) == 1 +} +test_input_one_container_with_exemption { + input := { "review": input_review_stdin, "parameters": {"exemptImages": ["one/*"]}} + results := violation with input as input + count(results) == 0 +} +test_input_container_many_not_stdin_allowed { + input := { "review": input_review_many} + results := violation with input as input + count(results) == 1 +} +test_input_container_many_mixed_stdin_not_allowed { + input := { "review": input_review_many_mixed} + results := violation with input as input + count(results) == 2 +} +test_input_container_many_mixed_stdin_not_allowed_one_exempted { + input := { "review": input_review_many_mixed, "parameters": {"exemptImages": ["one/*"]}} + results := violation with input as input + count(results) == 1 +} +test_input_container_many_mixed_stdin_not_allowed_all_exempted { + input := { "review": input_review_many_mixed, "parameters": {"exemptImages": ["one/*", "two/*", "three/*"]}} + results := violation with input as input + count(results) == 0 +} +test_input_container_many_mixed_stdin_not_allowed_two { + input := { "review": input_review_many_mixed_two} + results := violation with input as input + count(results) == 2 +} + +input_review = { + "object": { + "metadata": { + "name": "nginx" + }, + "spec": { + "containers": input_containers_one + } + } +} + +input_review_stdin = { + "object": { + "metadata": { + "name": "nginx" + }, + "spec": { + "containers": input_containers_one_stdin, + } + } +} + +input_review_tty = { + "object": { + 
"metadata": { + "name": "nginx" + }, + "spec": { + "containers": input_containers_one_tty, + } + } +} + +input_review_many = { + "object": { + "metadata": { + "name": "nginx" + }, + "spec": { + "containers": input_containers_many, + "initContainers": input_containers_one + } + } +} + +input_review_many_mixed = { + "object": { + "metadata": { + "name": "nginx" + }, + "spec": { + "containers": input_containers_many, + "initContainers": input_containers_one_stdin + } + } +} + +input_review_many_mixed_two = { + "object": { + "metadata": { + "name": "nginx" + }, + "spec": { + "containers": input_containers_many_mixed, + "initContainers": input_containers_one_stdin + } + } +} + +input_containers_one = [ +{ + "name": "nginx", + "image": "one/nginx", +}] + +input_containers_one_stdin = [ +{ + "name": "nginx", + "image": "one/nginx", + "stdin": true +}] + +input_containers_one_tty = [ +{ + "name": "nginx", + "image": "one/nginx", + "tty": true +}] + +input_containers_many = [ +{ + "name": "nginx", + "image": "one/nginx", + "stdin": false +}, +{ + "name": "nginx1", + "image": "two/nginx" +}, +{ + "name": "nginx2", + "image": "three/nginx", + "stdin": true + +}] + +input_containers_many_mixed = [ +{ + "name": "nginx", + "image": "one/nginx", + "stdin": false +}, +{ + "name": "nginx1", + "image": "two/nginx", + "tty": true +}] diff --git a/website/docs/validation/disallowinteractive.md b/website/docs/validation/disallowinteractive.md new file mode 100644 index 000000000..4c1f9d1a0 --- /dev/null +++ b/website/docs/validation/disallowinteractive.md 
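Review bot: src_test.rego never exercises the `spec.ephemeralContainers` branch of `input_containers`, nor an exact (non-wildcard) `exemptImages` entry; every exemption test uses a `one/*`-style prefix, so the first `_matches_exemption` clause in lib_exempt_container.rego is untested. Because ephemeral containers are the most likely place an interactive container is added after a Pod exists, a case that puts a `tty: true` container there would pin that branch down, and an exact-match case such as `"exemptImages": ["one/nginx"]` would cover the equality clause. A minimal pair reusing the existing fixtures is below.

```rego
test_input_ephemeral_container_tty_not_allowed {
    input := {"review": input_review_ephemeral}
    results := violation with input as input
    count(results) == 1
}

test_input_one_container_with_exact_exemption {
    input := {"review": input_review_stdin, "parameters": {"exemptImages": ["one/nginx"]}}
    results := violation with input as input
    count(results) == 0
}

# … unchanged: existing input_review_* and input_containers_* fixtures …

input_review_ephemeral = {
    "object": {
        "metadata": {"name": "nginx"},
        "spec": {
            "containers": input_containers_one,
            "ephemeralContainers": input_containers_one_tty
        }
    }
}
```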
@@ -0,0 +1,190 @@ +--- +id: disallowinteractive +title: Disallow Interactive TTY Containers +--- + +# Disallow Interactive TTY Containers + +## Description +Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. + +## Template +```yaml +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sdisallowinteractivetty + annotations: + metadata.gatekeeper.sh/title: "Disallow Interactive TTY Containers" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Requires that objects have the fields `spec.tty` and `spec.stdin` set to false or unset. +spec: + crd: + spec: + names: + kind: K8sDisallowInteractiveTTY + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + description: >- + Controls use of fields related to gaining an interactive session. Corresponds to the `tty` and + `stdin` fields in the Pod `spec.containers`, `spec.ephemeralContainers`, and `spec.initContainers`. + properties: + exemptImages: + description: >- + Any container that uses an image that matches an entry in this list will be excluded + from enforcement. Prefix-matching can be signified with `*`. For example: `my-image-*`. + + It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) + in order to avoid unexpectedly exempting images from an untrusted repository. 
+ type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sdisallowinteractivetty + + import data.lib.exempt_container.is_exempt + + violation[{"msg": msg, "details": {}}] { + c := input_containers[_] + not is_exempt(c) + input_allow_interactive_fields(c) + msg := sprintf("Containers using tty or stdin (%v) are not allowed running image: %v", [c.name, c.image]) + } + + input_allow_interactive_fields(c) { + has_field(c, "stdin") + not c.stdin == false + } + input_allow_interactive_fields(c) { + has_field(c, "tty") + not c.tty == false + } + input_containers[c] { + c := input.review.object.spec.containers[_] + } + input_containers[c] { + c := input.review.object.spec.ephemeralContainers[_] + } + input_containers[c] { + c := input.review.object.spec.initContainers[_] + } + # has_field returns whether an object has a field + has_field(object, field) = true { + object[field] + } + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } + +``` + +### Usage +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowinteractive/template.yaml +``` +## Examples +
+disallow-interactive
+ +
+constraint + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sDisallowInteractiveTTY +metadata: + name: no-interactive-tty-containers +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowinteractive/samples/no-interactive-containers/constraint.yaml +``` + +
+ +
+example-allowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-interactive-tty-allowed + labels: + app: nginx-interactive-tty +spec: + containers: + - name: nginx + image: nginx + stdin: false + tty: false + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowinteractive/samples/no-interactive-containers/example_allowed.yaml +``` + +
+
+example-disallowed + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: nginx-privilege-escalation-disallowed + labels: + app: nginx-privilege-escalation +spec: + containers: + - name: nginx + image: nginx + stdin: true + tty: true + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/disallowinteractive/samples/no-interactive-containers/example_disallowed.yaml +``` + +
+ + +
\ No newline at end of file
diff --git a/website/sidebars.js b/website/sidebars.js
index 0d88e156e..a14f9496c 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -31,6 +31,7 @@ module.exports = {
 'validation/disallowanonymous',
 'validation/disallowedrepos',
 'validation/disallowedtags',
+ 'validation/disallowinteractive',
 'validation/ephemeralstoragelimit',
 'validation/externalip',
 'validation/horizontalpodautoscaler',