generated from kubewarden/go-policy-template
-
Notifications
You must be signed in to change notification settings - Fork 3
/
artifacthub-pkg.yml
86 lines (86 loc) · 2.71 KB
/
artifacthub-pkg.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Kubewarden Artifacthub Package config
#
# Use this config to submit the policy to https://artifacthub.io.
#
# This config can be saved to its default location with:
# kwctl scaffold artifacthub > artifacthub-pkg.yml
version: 0.1.12
name: sysctl-psp
displayName: Sysctl PSP
createdAt: 2023-10-16T07:26:55.16907141Z
description: A Pod Security Policy that controls usage of sysctls in pods
license: Apache-2.0
homeURL: https://github.com/kubewarden/sysctl-psp-policy
containersImages:
- name: policy
image: ghcr.io/kubewarden/policies/sysctl-psp:v0.1.12
keywords:
- sysctl
- psp
- pod
links:
- name: policy
url: https://github.com/kubewarden/sysctl-psp-policy/releases/download/v0.1.12/policy.wasm
- name: source
url: https://github.com/kubewarden/sysctl-psp-policy
install: |
The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
```console
kwctl pull ghcr.io/kubewarden/policies/sysctl-psp:v0.1.12
```
Then, generate the policy manifest and tune it to your liking. For example:
```console
kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/sysctl-psp:v0.1.12
```
maintainers:
- name: Kubewarden developers
email: [email protected]
provider:
name: kubewarden
recommendations:
- url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
annotations:
kubewarden/mutation: 'false'
kubewarden/questions-ui: |
questions:
- default: null
description: >-
This policy validates which sysctls can get set in pods by specifying lists
of sysctls or sysctl patterns to be allowed or forbidden. You can then
modify the securityContext of Pods to make use of the Sysctls as permitted
by this policy.
group: Settings
label: Description
required: false
hide_input: true
type: string
variable: description
- default: []
description: >-
A list of plain sysctl names or sysctl patterns (which end with *) to be
forbidden. You can forbid a combination of safe and unsafe sysctls in the
list. To forbid setting any sysctls, use * on its own.
group: Settings
label: Forbidden sysctls
required: false
type: array[
variable: forbiddenSysctls
- default: []
description: >-
A list of plain sysctl names that can be used in Pods. * cannot be used. Has
precedence over forbiddenSysctls.
group: Settings
label: Allowed unsafe sysctls
required: false
type: array[
variable: allowedUnsafeSysctls
kubewarden/resources: Pod
kubewarden/rules: |
- apiGroups:
- ''
apiVersions:
- v1
resources:
- pods
operations:
- CREATE