Block Ephemeral Containers in CEL expressions

Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This may be used to gain access to unauthorized information executing inside one or more containers in that Pod. This policy blocks the use of ephemeral containers.

Policy Definition

/other-cel/block-ephemeral-containers/block-ephemeral-containers.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-ephemeral-containers
  annotations:
    policies.kyverno.io/title: Block Ephemeral Containers in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the
      `kubectl debug` functionality and attach a temporary container to an existing Pod.
      This may potentially be used to gain access to unauthorized information executing inside
      one or more containers in that Pod. This policy blocks the use of ephemeral containers.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: block-ephemeral-containers
    match:
      any:
      - resources:
          kinds:
            - Pod
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: "!has(object.spec.ephemeralContainers)"
            message: "Ephemeral (debug) containers are not permitted."
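To see what the rule's single CEL expression decides, the following added Python example (not part of the policy or of Kyverno) approximates `has(object.spec.ephemeralContainers)` over an unstructured Pod and runs it against a constructed plain Pod and the same Pod after a `kubectl debug`-style request has appended an ephemeral container. The `cel_has`, `validate_pod` and `add_debug_container` names and the sample Pod are assumptions made for this illustration.

```python
"""Simulate the policy rule `!has(object.spec.ephemeralContainers)`.

Kyverno evaluates the expression against the unstructured Pod object, so
`has()` on the final key is a map-key presence test.  Sample Pods below
are constructed for this example and are not from the policy page.
"""
import copy

MESSAGE = "Ephemeral (debug) containers are not permitted."


def cel_has(obj, path):
    """Approximate CEL `has()` on an unstructured map.  In real CEL a
    missing intermediate key (e.g. no `spec`) is an evaluation error;
    here it is simply treated as absent, since a Pod always has `spec`."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return False
        cur = cur[key]
    return True


def validate_pod(pod):
    """Return (allowed, message) exactly as the validate rule would."""
    if cel_has(pod, "spec.ephemeralContainers"):
        return False, MESSAGE
    return True, ""


def add_debug_container(pod, target="app", image="busybox"):
    """Return a copy of the Pod with the ephemeral container that a
    `kubectl debug --target=<container>` request adds to spec."""
    debugged = copy.deepcopy(pod)
    debugged["spec"].setdefault("ephemeralContainers", []).append({
        "name": "debugger",
        "image": image,
        "targetContainerName": target,
    })
    return debugged


# Constructed sample Pod (hypothetical, not from the page).
PLAIN_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

if __name__ == "__main__":
    for label, pod in (("plain", PLAIN_POD),
                       ("debugged", add_debug_container(PLAIN_POD))):
        allowed, msg = validate_pod(pod)
        print(f"{label}: {'pass' if allowed else 'fail'} {msg}")
```

With `validationFailureAction: Audit`, as in the policy above, a failing Pod would be reported rather than rejected; switching to `Enforce` makes the admission request fail with the message.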