Drop All Capabilities

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that every container (including init and ephemeral containers) explicitly specifies `drop: ["ALL"]`. Note that this policy also illustrates how to match drop entries regardless of letter case (for example `all` as well as `ALL`), although accepting lower-case entries may not strictly conform to the Pod Security Standards.

Policy Definition

/best-practices/require-drop-all/require-drop-all.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-all-capabilities
  annotations:
    policies.kyverno.io/title: Drop All Capabilities
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. All
      capabilities should be dropped from a Pod, with only those required added back.
      This policy ensures that all containers explicitly specify the `drop: ["ALL"]`
      ability. Note that this policy also illustrates how to cover drop entries in any
      case although this may not strictly conform to the Pod Security Standards.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: require-drop-all
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Containers must drop `ALL` capabilities.
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: ALL
                  operator: AnyNotIn
                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
```
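To see what the `foreach` and `deny` block above accept and reject, here is an added Python re-implementation of the rule's logic (not part of the policy or of Kyverno), run over two constructed Pod manifests; the Pod contents and the `violations` function name are assumptions made for this example.

```python
from typing import Any

# The three lists the policy's foreach walks, in the same order.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def dropped_caps(container: dict[str, Any]) -> list[str]:
    """Mirror `element.securityContext.capabilities.drop[].to_upper(@) || []`.
    A missing securityContext, capabilities or drop field yields an empty list,
    which the deny condition then treats as 'ALL not present'."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    drop = caps.get("drop") or []
    return [str(c).upper() for c in drop]


def violations(pod: dict[str, Any]) -> list[str]:
    """Return '<list>/<name>' for every container that does not drop ALL.
    This is the deny condition `ALL AnyNotIn <uppercased drop list>` applied
    per element; the `add` list is irrelevant to this rule."""
    spec = pod.get("spec") or {}
    failing = []
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            if "ALL" not in dropped_caps(container):
                failing.append(f"{list_name}/{container.get('name', '<unnamed>')}")
    return failing


# Constructed sample Pods (not taken from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"capabilities": {"drop": ["all"]}}}],
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"capabilities": {"drop": ["ALL"],
                                                             "add": ["NET_BIND_SERVICE"]}}}],
    },
}
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {"containers": [
        {"name": "no-securitycontext", "image": "nginx"},
        {"name": "partial-drop", "image": "nginx",
         "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
    ]},
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], violations(pod) or "OK")
```

Note that the lower-case `drop: ["all"]` on the init container passes only because of the `to_upper(@)` in the policy; without it, `AnyNotIn` would flag that container too.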