Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers (including init and ephemeral containers) explicitly specify `drop: ["ALL"]`. Note that this policy also illustrates how to match `drop` entries regardless of letter case (for example `all` as well as `ALL`) by upper-casing them before comparison, although this may not strictly conform to the Pod Security Standards.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-all-capabilities
  annotations:
    policies.kyverno.io/title: Drop All Capabilities
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: "Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify the `drop: [\"ALL\"]` ability. Note that this policy also illustrates how to cover drop entries in any case although this may not strictly conform to the Pod Security Standards."
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: require-drop-all
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
    validate:
      message: Containers must drop `ALL` capabilities.
      foreach:
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        deny:
          conditions:
            all:
            - key: ALL
              operator: AnyNotIn
              value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
```
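As an added example (not part of this policy or of Kyverno itself), the same check re-implemented in Python so a Pod manifest can be audited offline before it reaches the admission controller. It walks the same three container lists, upper-cases the `drop` entries, and treats a missing `securityContext` as an empty drop list, exactly as the `|| []` fallback does; the sample Pods and helper names are constructed for illustration.

```python
"""Offline re-implementation of the require-drop-all rule (added example, not
Kyverno code). Assumes the Pod is a plain dict, i.e. already-parsed YAML/JSON."""
from typing import Any, Dict, List

# Same order as the policy's foreach list expression.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def iter_containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Mirror spec.[ephemeralContainers, initContainers, containers][]."""
    spec = pod.get("spec") or {}
    return [c for key in CONTAINER_LISTS for c in (spec.get(key) or [])]


def drops_all(container: Dict[str, Any]) -> bool:
    """True when the upper-cased drop list contains ALL; a missing
    securityContext/capabilities/drop is treated as an empty list."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = [str(c).upper() for c in (caps.get("drop") or [])]
    return "ALL" in drop


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Names of containers that would be denied; an empty list means compliant."""
    return [c.get("name", "<unnamed>") for c in iter_containers(pod) if not drops_all(c)]


# Constructed sample manifests for demonstration.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"capabilities": {"drop": ["all"]}}}],  # lower case accepted
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"capabilities": {"drop": ["ALL"],
                                                             "add": ["NET_BIND_SERVICE"]}}}],
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "ephemeralContainers": [{"name": "debug", "image": "busybox"}],  # no securityContext
        "containers": [
            {"name": "no-sc", "image": "nginx"},
            {"name": "partial", "image": "nginx",
             "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},  # drops some, not ALL
        ],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], "violations:", audit_pod(pod))
```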