-
Notifications
You must be signed in to change notification settings - Fork 4
/
artifacthub-pkg.yml
260 lines (260 loc) · 8.01 KB
/
artifacthub-pkg.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
# Kubewarden Artifacthub Package config
#
# Use this config to submit the policy to https://artifacthub.io.
#
# This config can be saved to its default location with:
# kwctl scaffold artifacthub > artifacthub-pkg.yml
version: 0.6.2
name: user-group-psp
displayName: User Group PSP
createdAt: 2024-07-31T13:55:22.670292486Z
description: Kubewarden Policy that controls containers user and groups
license: Apache-2.0
homeURL: https://github.com/kubewarden/user-group-psp-policy
containersImages:
- name: policy
image: ghcr.io/kubewarden/policies/user-group-psp:v0.6.2
keywords:
- psp
- container
- user
- group
links:
- name: policy
url: https://github.com/kubewarden/user-group-psp-policy/releases/download/v0.6.2/policy.wasm
- name: source
url: https://github.com/kubewarden/user-group-psp-policy
install: |
The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
```console
kwctl pull ghcr.io/kubewarden/policies/user-group-psp:v0.6.2
```
Then, generate the policy manifest and tune it to your liking. For example:
```console
kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/user-group-psp:v0.6.2
```
maintainers:
- name: Kubewarden developers
email: [email protected]
provider:
name: kubewarden
recommendations:
- url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
annotations:
kubewarden/mutation: 'true'
kubewarden/questions-ui: |
questions:
- default: null
description: >-
This policy is a replacement for the Kubernetes Pod Security Policy that
controls containers user and groups.
group: Settings
label: Description
required: false
hide_input: true
type: string
variable: description
- default: {}
description: Controls which user ID the containers are run with.
group: Settings
label: Run as user
hide_input: true
type: map[
variable: run_as_user
subquestions:
- default: ''
tooltip: >-
Defines the strategy used by the policy to enforce users and groups used
in containers.
group: Settings
label: Rule
options:
- MustRunAs
- MustRunAsNonRoot
- RunAsAny
type: enum
variable: run_as_user.rule
- default: false
group: Settings
label: Overwrite
show_if: run_as_user.rule=MustRunAs
title: Overwrite
tooltip: >-
The overwrite attribute can be set only with the MustRunAs rule. This
flag configures the policy to mutate the runAsUser or runAsGroup despite
of the value present in the request - even if the value is a valid one.
The default value of this attribute is false.
type: boolean
variable: run_as_user.overwrite
- default: []
description: >-
Ranges is a list of JSON objects with two attributes: min and max. Each
range object define the user/group ID range used by the rule.
group: Settings
label: Ranges
show_if: run_as_user.rule=MustRunAs||run_as_user.rule=MustRunAsNonRoot
hide_input: true
type: sequence[
variable: run_as_user.ranges
sequence_questions:
- default: 0
group: Settings
label: min
show_if: run_as_user.rule=MustRunAs||run_as_user.rule=MustRunAsNonRoot
tooltip: Minimum UID or GID
type: int
variable: min
- default: 0
group: Settings
label: max
show_if: run_as_user.rule=MustRunAs||run_as_user.rule=MustRunAsNonRoot
tooltip: Maxium UID or GID
type: int
variable: max
- default: {}
description: Controls which primary group ID the containers are run with.
group: Settings
label: Run as group
hide_input: true
type: map[
variable: run_as_group
subquestions:
- default: ''
tooltip: >-
Defines the strategy used by the policy to enforce users and groups used
in containers.
group: Settings
label: Rule
options:
- MustRunAs
- MayRunAs
- RunAsAny
type: enum
variable: run_as_group.rule
- default: false
group: Settings
label: Overwrite
show_if: run_as_group.rule=MustRunAs
type: boolean
variable: run_as_group.overwrite
- default: []
description: >-
Ranges is a list of JSON objects with two attributes: min and max. Each
range object define the user/group ID range used by the rule.
group: Settings
label: Ranges
show_if: run_as_group.rule=MustRunAs||run_as_group.rule=MayRunAs
hide_input: true
type: sequence[
variable: run_as_group.ranges
sequence_questions:
- default: 0
group: Settings
label: min
show_if: run_as_group.rule=MustRunAs||run_as_group.rule=MayRunAs
tooltip: Minimum UID or GID
type: int
variable: min
- default: 0
group: Settings
label: max
show_if: run_as_group.rule=MustRunAs||run_as_group.rule=MayRunAs
tooltip: Maxium UID or GID
type: int
variable: max
- default: {}
description: Controls which group IDs containers add.
group: Settings
label: Supplemental groups
hide_input: true
type: map[
variable: supplemental_groups
subquestions:
- default: ''
tooltip: >-
Defines the strategy used by the policy to enforce users and groups used
in containers.
group: Settings
label: Rule
options:
- MustRunAs
- MayRunAs
- RunAsAny
type: enum
variable: supplemental_groups.rule
- default: false
group: Settings
label: Overwrite
show_if: >-
supplemental_groups.rule=MustRunAs
type: boolean
variable: supplemental_groups.overwrite
- default: []
description: >-
Ranges is a list of JSON objects with two attributes: min and max. Each
range object define the user/group ID range used by the rule.
group: Settings
label: Ranges
show_if: >-
supplemental_groups.rule=MustRunAs||supplemental_groups.rule=MayRunAs
hide_input: true
type: sequence[
variable: supplemental_groups.ranges
sequence_questions:
- default: 0
group: Settings
label: min
show_if: >-
supplemental_groups.rule=MustRunAs||supplemental_groups.rule=MayRunAs
tooltip: Minimum UID or GID
type: int
variable: min
- default: 0
group: Settings
label: max
show_if: >-
supplemental_groups.rule=MustRunAs||supplemental_groups.rule=MayRunAs
tooltip: Maxium UID or GID
type: int
variable: max
kubewarden/resources: Pod
kubewarden/rules: |
- apiGroups:
- ''
apiVersions:
- v1
resources:
- pods
operations:
- CREATE
- apiGroups:
- ''
apiVersions:
- v1
resources:
- replicationcontrollers
operations:
- CREATE
- UPDATE
- apiGroups:
- apps
apiVersions:
- v1
resources:
- deployments
- replicasets
- statefulsets
- daemonsets
operations:
- CREATE
- UPDATE
- apiGroups:
- batch
apiVersions:
- v1
resources:
- jobs
- cronjobs
operations:
- CREATE
- UPDATE