Drop All Capabilities

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a pod, with only those required added back.

Policy Definition

/best-practices/require_drop_all.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: drop-all-capabilities
  annotations:
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access. All 
      capabilities should be dropped from a pod, with only those required added back.
spec:
  validationFailureAction: audit
  rules:
  - name: check-containers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "All capabilities should be dropped with only those required added back."
      pattern:
        spec:
          containers:
          - securityContext:
              capabilities:
                drop: ["ALL"]
  - name: check-init-containers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "All capabilities should be dropped with only those required added back."
      pattern:
        spec:
          initContainers:
          - securityContext:
              capabilities:
                drop: ["ALL"]
Last modified January 2, 2021: fix titles (9a0d72f)