Service Mesh Disallow Capabilities
This policy is a variation of the disallow-capabilities policy that is a part of the Pod Security Standards (Baseline) category. It enforces the same control but with provisions for common service mesh initContainers from Istio and Linkerd which need the additional capabilities, NET_ADMIN and NET_RAW. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.
Policy Definition
/istio/service-mesh-disallow-capabilities/service-mesh-disallow-capabilities.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: service-mesh-disallow-capabilities
  annotations:
    policies.kyverno.io/title: Service Mesh Disallow Capabilities
    policies.kyverno.io/category: Istio, Linkerd, Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.12.3
    kyverno.io/kubernetes-version: "1.28"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy is a variation of the disallow-capabilities policy that is a part of the
      Pod Security Standards (Baseline) category. It enforces the same control but with
      provisions for common service mesh initContainers from Istio and Linkerd which need
      the additional capabilities, NET_ADMIN and NET_RAW. For more information and context,
      see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: adding-capabilities-istio-linkerd
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
      context:
        - name: capabilities
          variable:
            value: ["AUDIT_WRITE","CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","MKNOD","NET_BIND_SERVICE","SETFCAP","SETGID","SETPCAP","SETUID","SYS_CHROOT"]
      validate:
        message: >-
          Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
          FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)
          are disallowed. Service mesh initContainers may additionally add NET_ADMIN and NET_RAW.
        foreach:
          - list: request.object.spec.initContainers[]
            preconditions:
              all:
                - key: "{{ element.image }}"
                  operator: AnyIn
                  value:
                    - "*/istio/proxyv2*"
                    - "*/linkerd/proxy-init*"
                - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
                  operator: AnyNotIn
                  value:
                    - NET_ADMIN
                    - NET_RAW
                    - "{{ capabilities }}"
            deny:
              conditions:
                all:
                  - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
                    operator: AnyNotIn
                    value: "{{ capabilities }}"
                    message: The service mesh initContainer {{ element.name }} is attempting to add forbidden capabilities.
          - list: request.object.spec.initContainers[]
            preconditions:
              all:
                - key: "{{ element.image }}"
                  operator: AnyNotIn
                  value:
                    - "*/istio/proxyv2*"
                    - "*/linkerd/proxy-init*"
            deny:
              conditions:
                all:
                  - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
                    operator: AnyNotIn
                    value: "{{ capabilities }}"
                    message: The initContainer {{ element.name }} is attempting to add forbidden capabilities.
          - list: request.object.spec.[ephemeralContainers, containers][]
            deny:
              conditions:
                all:
                  - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
                    operator: AnyNotIn
                    value: "{{ capabilities }}"
                    message: The container {{ element.name }} is attempting to add forbidden capabilities.
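To make the three foreach branches above concrete, the following is an added Python model of the policy's decision logic (it is not Kyverno code and does not run the policy engine). It applies the same allowed list, the same NET_ADMIN/NET_RAW exception for initContainers whose image matches the Istio or Linkerd patterns, and the same unconditional check for regular and ephemeral containers, then runs it over constructed Pod manifests. `fnmatchcase` stands in for Kyverno's wildcard matching; the sample image names and Pod specs are assumptions for illustration.

```python
# Added example (not Kyverno's code): a Python model of the decision logic in the
# service-mesh-disallow-capabilities policy, run against constructed Pod manifests.
from fnmatch import fnmatchcase

# Allowed list copied from the policy's `capabilities` context variable.
ALLOWED_CAPABILITIES = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})
# Extra capabilities the policy permits only for recognised service mesh initContainers.
MESH_INIT_EXTRA = frozenset({"NET_ADMIN", "NET_RAW"})
# Image patterns from the policy's AnyIn precondition; fnmatchcase approximates Kyverno's wildcard match.
MESH_INIT_IMAGE_PATTERNS = ("*/istio/proxyv2*", "*/linkerd/proxy-init*")


def is_mesh_init_image(image: str) -> bool:
    """True when the image matches one of the policy's service mesh init image patterns."""
    return any(fnmatchcase(image, pattern) for pattern in MESH_INIT_IMAGE_PATTERNS)


def added_capabilities(container: dict) -> frozenset:
    """Mirror `element.securityContext.capabilities.add[] || []`: missing fields mean nothing added."""
    security_context = container.get("securityContext") or {}
    capabilities = security_context.get("capabilities") or {}
    return frozenset(capabilities.get("add") or [])


def evaluate_pod(pod: dict) -> list:
    """Return the deny messages the policy would produce; an empty list means the Pod passes."""
    spec = pod.get("spec") or {}
    violations = []
    # foreach over initContainers: mesh images get the extended allow list, all others the base list.
    for c in spec.get("initContainers") or []:
        mesh = is_mesh_init_image(c.get("image", ""))
        allowed = ALLOWED_CAPABILITIES | (MESH_INIT_EXTRA if mesh else frozenset())
        forbidden = added_capabilities(c) - allowed
        if forbidden:
            label = "service mesh initContainer" if mesh else "initContainer"
            violations.append(
                f"The {label} {c['name']} is attempting to add forbidden capabilities: {sorted(forbidden)}")
    # foreach over ephemeralContainers and containers: no mesh exception applies here.
    for c in (spec.get("ephemeralContainers") or []) + (spec.get("containers") or []):
        forbidden = added_capabilities(c) - ALLOWED_CAPABILITIES
        if forbidden:
            violations.append(
                f"The container {c['name']} is attempting to add forbidden capabilities: {sorted(forbidden)}")
    return violations


def make_container(name: str, image: str, add=()) -> dict:
    """Build a minimal container spec with the given added capabilities (constructed sample data)."""
    return {"name": name, "image": image, "securityContext": {"capabilities": {"add": list(add)}}}


def make_pod(name: str, containers, init_containers=()) -> dict:
    """Build a minimal Pod manifest (constructed sample data)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"initContainers": list(init_containers), "containers": list(containers)}}


# Constructed sample Pods; image names and tags are assumptions, not taken from the page.
APP = make_container("app", "registry.example/app:1.0")
SAMPLE_PODS = {
    # Istio-style injection: NET_ADMIN and NET_RAW on the proxyv2 initContainer are tolerated.
    "istio-injected": make_pod("istio-injected", [APP],
        [make_container("istio-init", "docker.io/istio/proxyv2:1.20.0", ["NET_ADMIN", "NET_RAW"])]),
    # Linkerd init image asking for SYS_ADMIN on top: the mesh exception does not cover it.
    "linkerd-too-much": make_pod("linkerd-too-much", [APP],
        [make_container("linkerd-init", "cr.l5d.io/linkerd/proxy-init:v2.2.1",
                        ["NET_ADMIN", "NET_RAW", "SYS_ADMIN"])]),
    # A non-mesh initContainer gets only the base list, so NET_RAW is denied.
    "plain-init-net-raw": make_pod("plain-init-net-raw", [APP],
        [make_container("setup", "docker.io/library/busybox:1.36", ["NET_RAW"])]),
    # A regular container never gets the mesh exception.
    "app-net-admin": make_pod("app-net-admin",
        [make_container("app", "registry.example/app:1.0", ["NET_ADMIN"])]),
    # CHOWN is on the baseline allow list, so this passes.
    "app-chown": make_pod("app-chown",
        [make_container("app", "registry.example/app:1.0", ["CHOWN"])]),
}

if __name__ == "__main__":
    for pod_name, pod in SAMPLE_PODS.items():
        result = evaluate_pod(pod)
        print(f"{pod_name}: {'fail' if result else 'pass'}")
        for message in result:
            print("  " + message)
```

Running the script prints pass for `istio-injected` and `app-chown` and fail with the corresponding message for the other three. One difference from the real policy is worth keeping in mind when reading the output: the model reports every offending container, whereas Kyverno reports the first deny condition that matches in each foreach branch, and with `validationFailureAction: Audit` the real policy only records the violation rather than rejecting the Pod.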