This policy is a variation of the disallow-capabilities policy that is a part of the Pod Security Standards (Baseline) category. It enforces the same control but with provisions for common service mesh initContainers from Istio and Linkerd which need the additional capabilities, NET_ADMIN and NET_RAW. For more information and context, see the Kyverno blog post at https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: service-mesh-disallow-capabilities
  annotations:
    policies.kyverno.io/title: Service Mesh Disallow Capabilities
    policies.kyverno.io/category: Istio, Linkerd, Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.12.3
    kyverno.io/kubernetes-version: "1.28"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy is a variation of the disallow-capabilities policy that is a part of the
      Pod Security Standards (Baseline) category. It enforces the same control but with
      provisions for common service mesh initContainers from Istio and Linkerd which need
      the additional capabilities, NET_ADMIN and NET_RAW. For more information and context,
      see the Kyverno blog post at
      https://kyverno.io/blog/2024/02/04/securing-services-meshes-easier-with-kyverno/.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: adding-capabilities-istio-linkerd
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: NotEquals
        value: DELETE
    context:
    - name: capabilities
      variable:
        value:
        - AUDIT_WRITE
        - CHOWN
        - DAC_OVERRIDE
        - FOWNER
        - FSETID
        - KILL
        - MKNOD
        - NET_BIND_SERVICE
        - SETFCAP
        - SETGID
        - SETPCAP
        - SETUID
        - SYS_CHROOT
    validate:
      message: >-
        Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE,
        FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID,
        SYS_CHROOT) are disallowed. Service mesh initContainers may additionally add
        NET_ADMIN and NET_RAW.
      foreach:
      # Recognised service mesh initContainers: tolerate NET_ADMIN and NET_RAW on top of the base list.
      - list: request.object.spec.initContainers[]
        preconditions:
          all:
          - key: "{{ element.image }}"
            operator: AnyIn
            value:
            - "*/istio/proxyv2*"
            - "*/linkerd/proxy-init*"
          - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
            operator: AnyNotIn
            value:
            - NET_ADMIN
            - NET_RAW
            - "{{ capabilities }}"
        deny:
          conditions:
            all:
            - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
              operator: AnyNotIn
              value: "{{ capabilities }}"
              message: The service mesh initContainer {{ element.name }} is attempting to add forbidden capabilities.
      # Every other initContainer is held to the base list only.
      - list: request.object.spec.initContainers[]
        preconditions:
          all:
          - key: "{{ element.image }}"
            operator: AnyNotIn
            value:
            - "*/istio/proxyv2*"
            - "*/linkerd/proxy-init*"
        deny:
          conditions:
            all:
            - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
              operator: AnyNotIn
              value: "{{ capabilities }}"
              message: The initContainer {{ element.name }} is attempting to add forbidden capabilities.
      # Regular and ephemeral containers never get the mesh exception.
      - list: request.object.spec.[ephemeralContainers, containers][]
        deny:
          conditions:
            all:
            - key: "{{ element.securityContext.capabilities.add[] || `[]` }}"
              operator: AnyNotIn
              value: "{{ capabilities }}"
              message: The container {{ element.name }} is attempting to add forbidden capabilities.
```
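To make the policy's decision logic concrete, here is an added Python model (not Kyverno's engine and not part of the policy) that evaluates Pod specs the way the three foreach blocks do; the Pod dicts and image names are constructed samples, and fnmatchcase stands in for Kyverno's wildcard matching.

```python
"""Model of the service-mesh-disallow-capabilities decision logic (added illustration,
not Kyverno's engine). Pods are plain dicts shaped like the Kubernetes Pod spec."""
from fnmatch import fnmatchcase

# Allowed list from the policy's `capabilities` context variable.
BASELINE_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Extra capabilities tolerated only for recognised service mesh initContainers.
MESH_EXTRA_CAPS = {"NET_ADMIN", "NET_RAW"}
# Image patterns from the policy's preconditions; fnmatchcase approximates Kyverno's AnyIn wildcards.
MESH_INIT_IMAGES = ("*/istio/proxyv2*", "*/linkerd/proxy-init*")


def added_caps(container):
    """Mirror `element.securityContext.capabilities.add[] || `[]`` (missing fields read as empty)."""
    sc = container.get("securityContext") or {}
    return set((sc.get("capabilities") or {}).get("add") or [])


def is_mesh_init(container):
    """True when the image matches one of the service mesh init image patterns."""
    return any(fnmatchcase(container.get("image", ""), p) for p in MESH_INIT_IMAGES)


def evaluate(pod):
    """Return the deny messages the policy would raise; an empty list means the Pod passes."""
    spec = pod["spec"]
    violations = []
    # foreach 1 and 2: initContainers, with the mesh exception only for recognised images.
    for c in spec.get("initContainers", []):
        mesh = is_mesh_init(c)
        allowed = BASELINE_CAPS | MESH_EXTRA_CAPS if mesh else BASELINE_CAPS
        if added_caps(c) - allowed:
            kind = "service mesh initContainer" if mesh else "initContainer"
            violations.append(f"The {kind} {c['name']} is attempting to add forbidden capabilities.")
    # foreach 3: ephemeral and regular containers are held to the base list only.
    for c in spec.get("ephemeralContainers", []) + spec.get("containers", []):
        if added_caps(c) - BASELINE_CAPS:
            violations.append(f"The container {c['name']} is attempting to add forbidden capabilities.")
    return violations


def pod_with(name, image, caps, init=False):
    """Build a minimal single-container Pod dict (constructed sample data, not from a cluster)."""
    container = {"name": name, "image": image,
                 "securityContext": {"capabilities": {"add": caps}}}
    return {"spec": {("initContainers" if init else "containers"): [container]}}
```

Because the patterns start with `*/`, an image referenced without a registry or namespace prefix before `istio/` or `linkerd/` does not qualify for the exception and is treated as an ordinary initContainer.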