artifacthub-pkg.yml
# Kubewarden Artifacthub Package config
#
# Use this config to submit the policy to https://artifacthub.io.
#
# This config can be saved to its default location with:
# kwctl scaffold artifacthub > artifacthub-pkg.yml
version: 0.1.12
name: selinux-psp
displayName: Selinux PSP
createdAt: 2023-10-16T07:24:37.086889634Z
description: Replacement for the Kubernetes Pod Security Policy that controls the usage of SELinux
license: Apache-2.0
homeURL: https://github.com/kubewarden/selinux-psp-policy
containersImages:
- name: policy
  image: ghcr.io/kubewarden/policies/selinux-psp:v0.1.12
keywords:
- psp
- container
- runtime
- selinux
links:
- name: policy
  url: https://github.com/kubewarden/selinux-psp-policy/releases/download/v0.1.12/policy.wasm
- name: source
  url: https://github.com/kubewarden/selinux-psp-policy
install: |
  The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
  ```console
  kwctl pull ghcr.io/kubewarden/policies/selinux-psp:v0.1.12
  ```
  Then, generate the policy manifest and tune it to your liking. For example:
  ```console
  kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/selinux-psp:v0.1.12
  ```
maintainers:
- name: Kubewarden developers
  email: [email protected]
provider:
  name: kubewarden
recommendations:
- url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
annotations:
  kubewarden/mutation: 'true'
  kubewarden/questions-ui: |
    questions:
    - default: null
      description: >-
        This policy is a replacement for the Kubernetes Pod Security Policy that
        controls the usage of SELinux in the pod security context and on containers,
        init containers and ephemeral containers. This policy will inspect the
        `.spec.securityContext.seLinuxOptions` of the pod if the container has no
        specific `.spec.securityContext.seLinuxOptions`. In other words, the
        `seLinuxOptions` of the container, init container and ephemeral containers
        take precedence over the pod `seLinuxOptions`, if any.
      group: Settings
      label: Description
      required: false
      hide_input: true
      type: string
      variable: description
    - default: MustRunAs
      tooltip: >-
        Defines what seLinuxOptions can be set at the pod level and at the container
        level.
      group: Settings
      label: SE Linux Options
      options:
        - MustRunAs
        - RunAsAny
      required: false
      type: enum
      variable: rule
    - default: ''
      group: Settings
      label: User
      show_if: rule=MustRunAs
      type: string
      variable: user
    - default: ''
      group: Settings
      label: Role
      show_if: rule=MustRunAs
      type: string
      variable: role
    - default: ''
      group: Settings
      label: Type
      show_if: rule=MustRunAs
      type: string
      variable: type
    - default: ''
      group: Settings
      label: Level
      show_if: rule=MustRunAs
      type: string
      variable: level
  kubewarden/resources: Pod
  kubewarden/rules: |
    - apiGroups:
      - ''
      apiVersions:
      - v1
      resources:
      - pods
      operations:
      - CREATE
      - UPDATE