Slide 22
Demo: prohibiting privileged containers
```rego
package admission

# data.k8s.matches is populated by kube-mgmt with [kind, namespace, name, object]
# tuples for every cached cluster resource.
import data.k8s.matches

deny[{
    "id": "deny-privileged",
    "resource": {"kind": "pods", "namespace": namespace, "name": name},
    "resolution": {"message": "privileged container is not allowed"},
}] {
    # Bind namespace, name and the Pod object for each cached Pod.
    matches[["pods", namespace, name, matched_pods]]
    # Deny privileged containers: true when any container sets privileged to a truthy value.
    matched_pods.spec.containers[_].securityContext.privileged
}
```
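As an added example (not part of the slide deck), the following Rego unit tests exercise the policy above by mocking `data.k8s.matches` with constructed Pod fixtures. They also go one step beyond the slide: the third test documents that the rule only inspects `spec.containers`, so a privileged `initContainers` entry is not caught by this policy as written.

```rego
package admission

# Constructed fixtures for the tests; the names and image are placeholders.
privileged_pod := {
    "metadata": {"name": "bad-pod", "namespace": "default"},
    "spec": {"containers": [{
        "name": "app",
        "image": "example.invalid/app:1.0",
        "securityContext": {"privileged": true}
    }]}
}

plain_pod := {
    "metadata": {"name": "good-pod", "namespace": "default"},
    "spec": {"containers": [{
        "name": "app",
        "image": "example.invalid/app:1.0",
        "securityContext": {"privileged": false}
    }]}
}

init_privileged_pod := {
    "metadata": {"name": "init-pod", "namespace": "default"},
    "spec": {
        "initContainers": [{"name": "setup", "securityContext": {"privileged": true}}],
        "containers": [{"name": "app", "image": "example.invalid/app:1.0"}]
    }
}

# A privileged container produces exactly one deny entry with the expected id.
test_privileged_container_is_denied {
    mocked := {["pods", "default", "bad-pod", privileged_pod]}
    result := deny with data.k8s.matches as mocked
    count(result) == 1
    result[_].id == "deny-privileged"
}

# privileged: false (or an absent securityContext) is not denied.
test_unprivileged_container_is_allowed {
    mocked := {["pods", "default", "good-pod", plain_pod]}
    count(deny) == 0 with data.k8s.matches as mocked
}

# Coverage gap: the rule only walks spec.containers, so a privileged
# initContainer passes. Extend the rule body to spec.initContainers to close it.
test_privileged_init_container_is_not_caught {
    mocked := {["pods", "default", "init-pod", init_privileged_pod]}
    count(deny) == 0 with data.k8s.matches as mocked
}
```

Save the policy and these tests in the same directory and run `opa test .` to execute them.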