Drop CAP_NET_RAW in CEL expressions
Capabilities permit privileged actions without giving full root access. The CAP_NET_RAW capability, enabled by default, allows processes in a container to forge packets and bind to any interface, potentially leading to MitM attacks. This policy ensures that all containers explicitly drop the CAP_NET_RAW capability. Note that this policy also illustrates how to match drop entries regardless of letter case (for example `net_raw` as well as `NET_RAW`), although this may not strictly conform to the Pod Security Standards.
Policy Definition
/best-practices-cel/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-cap-net-raw
  annotations:
    policies.kyverno.io/title: Drop CAP_NET_RAW in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. The
      CAP_NET_RAW capability, enabled by default, allows processes in a container to
      forge packets and bind to any interface potentially leading to MitM attacks.
      This policy ensures that all containers explicitly drop the CAP_NET_RAW
      ability. Note that this policy also illustrates how to cover drop entries in any
      case although this may not strictly conform to the Pod Security Standards.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: require-drop-cap-net-raw
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            - name: mustDropCapabilities
              expression: "['CAP_NET_RAW','NET_RAW']"
            - name: allContainers
              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
          expressions:
            - expression: >-
                variables.allContainers.all(container,
                container.?securityContext.?capabilities.?drop.orValue([]).exists(capability, capability.upperAscii() in variables.mustDropCapabilities))
              message: >-
                Containers must drop the `CAP_NET_RAW` capability.
```
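To see exactly which Pods the CEL expression above admits, here is an added Python re-implementation of the rule's logic (not Kyverno's code, and no substitute for running the policy with Kyverno itself); the Pod manifests and image references are constructed samples. It also shows one consequence of the expression as written: because only the two literal names are matched, a container that drops `ALL` is still reported as non-compliant.

```python
"""Offline mirror of the drop-cap-net-raw CEL rule (added example, not Kyverno's code)."""

MUST_DROP = {"CAP_NET_RAW", "NET_RAW"}  # variables.mustDropCapabilities


def all_containers(pod: dict) -> list:
    """Mirror variables.allContainers: containers + optional init/ephemeral lists."""
    spec = pod["spec"]
    return (spec["containers"]
            + spec.get("initContainers", [])       # object.spec.?initContainers.orValue([])
            + spec.get("ephemeralContainers", []))  # object.spec.?ephemeralContainers.orValue([])


def drops_net_raw(container: dict) -> bool:
    """Mirror container.?securityContext.?capabilities.?drop.orValue([]).exists(...)."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    drop = caps.get("drop") or []
    # upperAscii() makes the comparison case-insensitive; 'ALL' is not in the set
    return any(cap.upper() in MUST_DROP for cap in drop)


def evaluate(pod: dict) -> list:
    """Return names of containers that violate the rule; an empty list means admitted."""
    return [c["name"] for c in all_containers(pod) if not drops_net_raw(c)]


def ctr(name: str, drop=None) -> dict:
    """Build a constructed sample container, optionally with a capabilities.drop list."""
    c = {"name": name, "image": "registry.example/app:1"}  # constructed image ref
    if drop is not None:
        c["securityContext"] = {"capabilities": {"drop": drop}}
    return c


def pod(*containers, init=None, ephemeral=None) -> dict:
    spec = {"containers": list(containers)}
    if init:
        spec["initContainers"] = init
    if ephemeral:
        spec["ephemeralContainers"] = ephemeral
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sample"}, "spec": spec}


SAMPLES = {
    "compliant": pod(ctr("app", ["NET_RAW"])),
    "lowercase": pod(ctr("app", ["net_raw"])),                       # admitted via upperAscii
    "no-security-context": pod(ctr("app")),                          # flagged
    "init-missing-drop": pod(ctr("app", ["CAP_NET_RAW"]), init=[ctr("init")]),  # flags 'init'
    "drop-all": pod(ctr("app", ["ALL"])),                            # flagged: literal match only
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        bad = evaluate(sample)
        print(f"{label:22} {'admitted' if not bad else 'violations: ' + ', '.join(bad)}")
```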