only warn for some policies
parent
d14fbc6e17
commit
6820c0ae9e
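--- a/[drone-pipeline-config-path]
+++ b/[drone-pipeline-config-path]
@@ -4,7 +4,6 @@ name: conftest
 steps:
 - name: policies
   image: instrumenta/conftest:latest
-  failure: ignore
   commands:
   - conftest test -p ./_test/policies ./
 - name: deprek8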
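Review bot: Dropping `failure: ignore` turns the policies step into a build gate, but that gate runs on the unpinned `instrumenta/conftest:latest` image, so the policy outcome can change between runs with no change to this repository; now that the step can fail the build, pin the image to a version tag or digest. Note also that conftest reports `warn` results without a non-zero exit unless `--fail-on-warn` is passed, so the rules this commit downgrades to `warn` will not block the pipeline — if that is the intent, a comment on the step such as `# deny rules fail the build; warn rules are report-only` would make it explicit to the next reader.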
@ -1,12 +1,12 @@
package main
package main
deny[msg] {
warn[msg] {
input.kind = "Deployment"
input.kind = "Deployment"
not input.spec.template.spec.securityContext.runAsNonRoot = true
not input.spec.template.spec.securityContext.runAsNonRoot = true
msg = "Containers must not run as root"
msg = "Containers must not run as root"
}
}
deny[msg] {
warn[msg] {
input.kind = "Deployment"
input.kind = "Deployment"
not input.spec.selector.matchLabels.app
not input.spec.selector.matchLabels.app
msg = "Containers must provide app label for pod selectors"
msg = "Containers must provide app label for pod selectors"
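Review bot: Changing the `runAsNonRoot` rule to `warn[msg]` removes the only enforced control against root containers in this policy file, and because the CI step no longer ignores failures this is now the difference between a blocked and a passing build for a Deployment that runs as root; the reason should be recorded in the file, e.g. `# warn only: existing Deployments do not yet set runAsNonRoot; revisit before promoting to deny` above the first rule, or keep that rule as `deny` and downgrade only the label rule. The check reads only the pod-level `spec.template.spec.securityContext`, so a Deployment that sets `runAsNonRoot: true` per container is still reported, which may be the reason it generated noise. Both rules also match only `input.kind = "Deployment"`, so other workload kinds are not checked at all.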