Deny Commands in Exec Probe

Developers may feel compelled to use simple shell commands as a workaround instead of creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged via detection of those commands. This policy prevents the use of the commands `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe. Note that the rule inspects only `livenessProbe.exec.command`, not readiness or startup probes, and that as written it runs with `validationFailureAction: Audit`, so matching Pods are reported in policy reports rather than rejected; set it to `Enforce` to block them.

Policy Definition

/other/b-d/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml

```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: deny-commands-in-exec-probe
  annotations:
    policies.kyverno.io/title: Deny Commands in Exec Probe
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.1.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Developers may feel compelled to use simple shell commands as a workaround to
      creating "proper" liveness or readiness probes for a Pod. Such a practice can be discouraged
      via detection of those commands. This policy prevents the use of certain commands
      `jcmd`, `ps`, or `ls` if found in a Pod's liveness exec probe.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-commands
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
          operator: GreaterThan
          value: 0
        - key: "{{ request.operation }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.
        deny:
          conditions:
            any:
            - key:
              - true
              operator: AnyIn
              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
            - key:
              - true
              operator: AnyIn
              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bps\\b',@) }}"
            - key:
              - true
              operator: AnyIn
              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bls\\b',@) }}"
```
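As an added example (not part of the Kyverno policy library), the following Python mirrors what the rule evaluates: the same projection over `spec.containers[].livenessProbe.exec.command[]`, the same non-empty precondition, and the three word-boundary regexes, applied to constructed Pod manifests. The function and Pod names are assumptions made for the illustration; it is handy for checking what the patterns do and do not match (a shell string containing `ps`, a path ending in `/ls`, `lsof`, a readiness probe) before rolling the policy out.

```python
import re
from typing import Dict, List

# The three word-boundary patterns the policy passes to regex_match().
DENIED = [re.compile(p) for p in (r"\bjcmd\b", r"\bps\b", r"\bls\b")]

def liveness_exec_commands(pod: Dict) -> List[str]:
    """Mirror of the JMESPath projection
    spec.containers[].livenessProbe.exec.command[]: flatten every liveness
    exec argument across all containers (containers without one add nothing)."""
    args: List[str] = []
    for c in pod["spec"].get("containers", []):
        exec_probe = (c.get("livenessProbe") or {}).get("exec") or {}
        args.extend(exec_probe.get("command") or [])
    return args

def denied_matches(pod: Dict) -> List[str]:
    """Arguments whose regex_match result is true, i.e. the ones that
    satisfy the rule's `AnyIn [true]` deny conditions."""
    return [a for a in liveness_exec_commands(pod) if any(p.search(a) for p in DENIED)]

def policy_verdict(pod: Dict) -> str:
    """'skip' when the precondition (at least one liveness exec argument)
    is not met, 'fail' when a deny condition is true, otherwise 'pass'."""
    if not liveness_exec_commands(pod):
        return "skip"
    return "fail" if denied_matches(pod) else "pass"

def make_pod(*containers: Dict) -> Dict:
    """Constructed helper (hypothetical): minimal Pod manifest dict."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
            "spec": {"containers": list(containers)}}

# Constructed sample Pods, not taken from the page.
VIOLATING = make_pod(
    {"name": "app", "image": "app:1",    # `ps` sits inside a single shell string
     "livenessProbe": {"exec": {"command": ["sh", "-c", "ps aux | grep -q myserver"]}}},
    {"name": "side", "image": "side:1",  # '/' is a non-word char, so \bls\b matches
     "livenessProbe": {"exec": {"command": ["/bin/ls", "/tmp/healthy"]}}},
)
ALLOWED = make_pod(
    {"name": "app", "image": "app:1",    # "lsof": no word boundary after "ls"
     "livenessProbe": {"exec": {"command": ["lsof", "-i", ":8080"]}}},
    {"name": "web", "image": "web:1",    # readinessProbe is outside the rule's scope
     "readinessProbe": {"exec": {"command": ["ps", "-C", "nginx"]}}},
)
NO_PROBE = make_pod({"name": "db", "image": "db:1"})
```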