Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: block-ephemeral-containersannotations:policies.kyverno.io/title: Block Ephemeral Containerspolicies.kyverno.io/category: Otherpolicies.kyverno.io/severity: mediumkyverno.io/kyverno-version: 1.6.0policies.kyverno.io/minversion: 1.6.0kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/subject: Podpolicies.kyverno.io/description: Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may potentially be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.spec:validationFailureAction: Auditbackground: truerules:- name: block-ephemeral-containersmatch:any:- resources:kinds:- Podvalidate:message: Ephemeral (debug) containers are not permitted.pattern:spec:X(ephemeralContainers): "null"
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.