Drop All Capabilities in CEL expressions
Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that every container (including init and ephemeral containers) explicitly specifies the `drop: ["ALL"]` entry. Note that this policy also illustrates how to match drop entries regardless of letter case (`all` is accepted as well as `ALL`), although this may not strictly conform to the Pod Security Standards.
Policy Definition
/best-practices-cel/require-drop-all/require-drop-all.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-all-capabilities
  annotations:
    policies.kyverno.io/title: Drop All Capabilities in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/minversion: 1.11.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. All
      capabilities should be dropped from a Pod, with only those required added back.
      This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
      ability. Note that this policy also illustrates how to cover drop entries in any
      case although this may not strictly conform to the Pod Security Standards.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: require-drop-all
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          variables:
            - name: allContainers
              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
          expressions:
            - expression: >-
                variables.allContainers.all(container,
                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() == 'ALL'))
              message: "Containers must drop `ALL` capabilities."
```
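To see which Pods the rule above accepts and rejects without a cluster, the following added example (not part of the Kyverno policy library) mirrors the policy's CEL expression in plain Python: the `allContainers` union, the optional chain to `drop`, and the case-insensitive `ALL` match. The Pod manifests are constructed samples given as already-parsed dicts.

```python
"""Added example (not Kyverno's own code): the require-drop-all CEL check
mirrored in plain Python so its pass/fail behaviour can be exercised offline.
The Pod manifests below are constructed samples, given as parsed dicts."""
from typing import Any, Dict, List

Pod = Dict[str, Any]


def all_containers(pod: Pod) -> List[Dict[str, Any]]:
    """Mirror of the `allContainers` variable: containers plus the optional
    initContainers and ephemeralContainers lists (absent lists count as [])."""
    spec = pod.get("spec") or {}
    return (list(spec.get("containers") or [])
            + list(spec.get("initContainers") or [])
            + list(spec.get("ephemeralContainers") or []))


def drops_all(container: Dict[str, Any]) -> bool:
    """Mirror of the per-container predicate: walk the optional chain
    securityContext.capabilities.drop (default []) and look for an entry that
    equals 'ALL' after upper-casing, so 'all' and 'All' are accepted too."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return any(str(cap).upper() == "ALL" for cap in caps.get("drop") or [])


def violating_containers(pod: Pod) -> List[str]:
    """Names of containers that fail the rule; an empty list means the Pod passes."""
    return [c.get("name", "<unnamed>") for c in all_containers(pod) if not drops_all(c)]


# Constructed sample Pods (only the fields the rule inspects are included).
COMPLIANT_POD: Pod = {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}

# Passes this policy because of upperAscii(), even though the literal is not 'ALL'.
LOWERCASE_POD: Pod = {"spec": {"containers": [
    {"name": "app", "securityContext": {"capabilities": {"drop": ["all"]}}}]}}

# The main container is fine, but the sidecar drops only NET_RAW and the init
# container never sets a drop list; both are reported because of the all() quantifier.
PARTIAL_POD: Pod = {"spec": {
    "containers": [
        {"name": "app", "securityContext": {"capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}],
    "initContainers": [{"name": "init-setup", "image": "example/init:1.0"}]}}

if __name__ == "__main__":
    for label, pod in [("compliant", COMPLIANT_POD), ("lowercase", LOWERCASE_POD),
                       ("partial", PARTIAL_POD)]:
        bad = violating_containers(pod)
        print(f"{label}: {'pass' if not bad else 'fail (' + ', '.join(bad) + ')'}")
```

Because `validationFailureAction` is `Audit`, a real cluster would only report the `partial` Pod's violation rather than reject it; switch to `Enforce` to block admission.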