Sample policy to add a volume and volumeMount.
Sample policy to add Pod anti-affinity.
Sample policy to disallow using secrets from environment variables which are visible in resource definitions.
Sample policy to check that liveness and readiness probes are not set to the same values.
Sample policy that sets imagePullPolicy to “Always” when the “latest” tag is used.
Sample policy that injects a sidecar container into Pods that match an annotation.
Sample policy that requires more than one replica for deployments.
Kubernetes automatically mounts service account credentials in each pod. The service account may be assigned roles allowing pods to access API resources. To restrict access, opt out of auto-mounting tokens by setting automountServiceAccountToken to false.
It can be useful to restrict Ingress resources to a set of known ingress classes that are allowed in the cluster. You can customize this policy to allow ingress classes that are configured in the cluster.
Sample policy to restrict use of Service type LoadBalancer.
All processes inside the pod can be made to run with a specific user ID and group ID by setting ‘runAsUser’ and ‘runAsGroup’ respectively. ‘fsGroup’ can be specified to make sure any file created in the volume will have the specified group ID. These options can be used to validate the IDs used for user and group.
Sample policy to spread pods matching a label across nodes.