OpenShift Constraints Category
Would the gatekeeper-library repo owners be interested in having a category for OpenShift policies (ie. library/openshift) and accept PRs for it?
@ctrought can you provide some examples of policies that would apply to OpenShift (but not general Kubernetes)?
A few examples
- Require TLS on OpenShift Routes (Different than Ingress)
- Require unique OpenShift Route hostname across namespaces unless permitted
  - Out of the box this is already true, and using hostnames across namespaces is not enabled. But with a custom policy you could allow sharing a hostname across specific namespaces if the namespaces were annotated with the hostname as a flag to allow it
- Require unique SCC UID ranges for all namespaces (by default it's true, but if a user can patch/update a namespace they can overwrite the SCC UID range)
- Disallow imagestreamtags that are scheduled
- Disallow imagestreamtags if the ref image size is greater than X MiB
- Disallow imagestreamtags if the dockerImageMetadata created date is older than X days/months
- Enforce etcd encryption
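As an added illustration of what one of these policies would look like in the library's own format (this is not code from the issue author or from gatekeeper-library), below is a ConstraintTemplate for the second item: Route hostnames must be unique across namespaces unless both namespaces opt in via an annotation. It relies on Gatekeeper's referential data (`data.inventory`), so Routes and Namespaces have to be synced through the Gatekeeper `Config` resource shown at the end. The template/constraint kind `OpenShiftRouteSharedHost`, the annotation key `routes.example.com/shared-host` and the constraint name are assumptions chosen for the example.

```yaml
# Added example; not part of the gatekeeper-library repository.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: openshiftroutesharedhost   # assumed name
spec:
  crd:
    spec:
      names:
        kind: OpenShiftRouteSharedHost   # assumed constraint kind
      validation:
        openAPIV3Schema:
          type: object
          properties:
            annotation:
              type: string
              description: Namespace annotation whose value must equal the shared hostname.
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package openshiftroutesharedhost

        # Deny a Route whose spec.host is already claimed by a Route in another
        # namespace, unless both namespaces carry the opt-in annotation with
        # exactly that hostname as its value.
        violation[{"msg": msg}] {
          route := input.review.object
          host := route.spec.host
          host != ""                       # OpenShift generates a host when none is set; skip those
          other := data.inventory.namespace[other_ns]["route.openshift.io/v1"].Route[other_name]
          other_ns != route.metadata.namespace   # same-namespace reuse is the router's concern, not this policy's
          other.spec.host == host
          not sharing_permitted(route.metadata.namespace, other_ns, host)
          msg := sprintf(
            "Route %v/%v: hostname %q is already claimed by Route %v/%v; both namespaces must carry annotation %v=%q to share it",
            [route.metadata.namespace, route.metadata.name, host, other_ns, other_name, input.parameters.annotation, host],
          )
        }

        sharing_permitted(ns_a, ns_b, host) {
          annotated(ns_a, host)
          annotated(ns_b, host)
        }

        annotated(ns, host) {
          data.inventory.cluster["v1"].Namespace[ns].metadata.annotations[input.parameters.annotation] == host
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: OpenShiftRouteSharedHost
metadata:
  name: route-hostname-unique-unless-annotated   # assumed name
spec:
  match:
    kinds:
      - apiGroups: ["route.openshift.io"]
        kinds: ["Route"]
  parameters:
    annotation: "routes.example.com/shared-host"   # assumed annotation key
---
# Without this sync config data.inventory is empty and the violation rule never fires.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
      - group: "route.openshift.io"
        version: "v1"
        kind: "Route"
      - group: ""
        version: "v1"
        kind: "Namespace"
```

Two caveats a reviewer would raise. Gatekeeper can only deny, so this policy does not by itself "allow" sharing: the router's own namespace-ownership check has to be relaxed first (on OpenShift 4 that is the IngressController's `spec.routeAdmission.namespaceOwnership: InterNamespaceAllowed`), after which this constraint re-imposes uniqueness everywhere except between annotated namespaces. And because the check depends on the synced cache, a Route created in the brief window before the cache catches up can slip through at admission; running Gatekeeper audit with this constraint closes that gap after the fact.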
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
/active
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.