Deny Commands in Exec Probe in CEL expressions
Developers may feel compelled to use simple shell commands as a workaround to creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged by detecting those commands. This policy flags the commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe. Each element of the probe's `command` array is tested with a word-boundary regular expression, so `/bin/ps` and `sh -c "ps aux | grep java"` are caught while `psql` or `pgrep` are not; the match is case-sensitive. Only `livenessProbe.exec` on `spec.containers` is inspected: readiness and startup probes are not checked. With the default `validationFailureAction: Audit`, violations are recorded in policy reports rather than blocked; set it to `Enforce` to reject offending Pods at admission.
Policy Definition
/other-cel/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: deny-commands-in-exec-probe
  annotations:
    policies.kyverno.io/title: Deny Commands in Exec Probe in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Developers may feel compelled to use simple shell commands as a workaround to
      creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged
      via detection of those commands. This policy prevents the use of certain commands
      `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-commands
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      celPreconditions:
        - name: "check-liveness-probes-commands-exist"
          expression: >-
            object.spec.containers.exists(container, size(container.?livenessProbe.?exec.?command.orValue([])) > 0)
      validate:
        cel:
          expressions:
            - expression: >-
                object.spec.containers.all(container,
                  !container.?livenessProbe.?exec.?command.orValue([]).exists(command,
                    command.matches('\\bjcmd\\b') || command.matches('\\bps\\b') || command.matches('\\bls\\b')))
              message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.
```
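To see exactly which manifests the two CEL expressions skip, pass, or flag, here is an added Python re-implementation of the rule's logic (the precondition, the `all()`/`exists()` validation, and the three word-boundary regexes) run over constructed Pod manifests. It is example code written for this page, not code from Kyverno or from the policy itself; the `make_pod` helper, the sample Pod names, and the `example.invalid` image references are assumptions for illustration.

```python
import re

# Denied-command patterns, copied from the policy's CEL expression. CEL's
# matches() uses RE2 syntax, where \b is an ASCII word boundary as in Python.
DENIED_COMMAND_PATTERNS = [
    re.compile(r"\bjcmd\b"),
    re.compile(r"\bps\b"),
    re.compile(r"\bls\b"),
]


def liveness_exec_command(container: dict) -> list:
    """Mirror of container.?livenessProbe.?exec.?command.orValue([])."""
    probe = container.get("livenessProbe") or {}
    exec_action = probe.get("exec") or {}
    return exec_action.get("command") or []


def precondition_met(pod: dict) -> bool:
    """celPreconditions: at least one container has a non-empty liveness exec
    command. When this is false Kyverno does not evaluate the rule at all."""
    return any(len(liveness_exec_command(c)) > 0 for c in pod["spec"]["containers"])


def violating_containers(pod: dict) -> list:
    """Names of containers whose liveness exec command array has an element
    matching a denied command. Empty list means the validate expression is true."""
    names = []
    for container in pod["spec"]["containers"]:
        if any(p.search(arg)
               for arg in liveness_exec_command(container)
               for p in DENIED_COMMAND_PATTERNS):
            names.append(container["name"])
    return names


def evaluate(pod: dict) -> str:
    """Outcome of the rule for one Pod: 'skip', 'pass' or 'fail'."""
    if not precondition_met(pod):
        return "skip"
    return "fail" if violating_containers(pod) else "pass"


def make_pod(name: str, probe_kind, command) -> dict:
    """Constructed single-container Pod manifest (sample data, not a real workload)."""
    container = {"name": "app", "image": "example.invalid/app:1.0"}
    if probe_kind is not None:
        container[probe_kind] = {"exec": {"command": command}}
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name}, "spec": {"containers": [container]}}


# Constructed sample Pods covering the edge cases a reviewer would ask about.
SAMPLE_PODS = {
    "plain-ps":       make_pod("plain-ps", "livenessProbe", ["ps", "aux"]),
    "shell-wrapped":  make_pod("shell-wrapped", "livenessProbe",
                               ["sh", "-c", "ps aux | grep -q java"]),
    "full-path-ls":   make_pod("full-path-ls", "livenessProbe", ["/bin/ls", "/tmp/healthy"]),
    "psql-not-ps":    make_pod("psql-not-ps", "livenessProbe", ["psql", "-c", "select 1"]),
    "pgrep-wrapped":  make_pod("pgrep-wrapped", "livenessProbe", ["sh", "-c", "pgrep -x java"]),
    "cat-healthy":    make_pod("cat-healthy", "livenessProbe", ["cat", "/tmp/healthy"]),
    "readiness-only": make_pod("readiness-only", "readinessProbe", ["ps", "aux"]),
    "no-exec-probe":  make_pod("no-exec-probe", None, None),
    # Two containers: an httpGet probe (no exec) beside a jcmd exec probe.
    "multi-container": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "multi-container"},
        "spec": {"containers": [
            {"name": "web", "image": "example.invalid/web:1.0",
             "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}},
            {"name": "jvm", "image": "example.invalid/jvm:1.0",
             "livenessProbe": {"exec": {"command": ["jcmd", "1", "VM.uptime"]}}},
        ]},
    },
}


if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(f"{name:16s} {evaluate(pod):5s} {violating_containers(pod)}")
```

Two things the table of outcomes makes visible: the precondition turns a Pod with only a readiness exec probe, or no exec probe at all, into a skip rather than a pass, and the deny list is narrow by design, so `pgrep` or `cat` wrapped in `sh -c` still pass. The same constructed manifests can be run against the real policy with the Kyverno CLI's `kyverno apply` command to confirm the admission-time results agree.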