Disallow Privilege Escalation in CEL
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
Policy Definition
/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation
  annotations:
    policies.kyverno.io/title: Disallow Privilege Escalation in CEL
    policies.kyverno.io/category: Pod Security Standards (Restricted) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
      This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: privilege-escalation
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          variables:
            - name: allContainers
              expression: >-
                object.spec.containers +
                object.spec.?initContainers.orValue([]) +
                object.spec.?ephemeralContainers.orValue([])
          expressions:
            - expression: >-
                variables.allContainers.all(container,
                container.?securityContext.allowPrivilegeEscalation.orValue(true) == false)
              message: >-
                Privilege escalation is disallowed.
                All containers must set the securityContext.allowPrivilegeEscalation field to `false`.
```
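The two details of the CEL rule that most often surprise people are that a container with no `securityContext.allowPrivilegeEscalation` at all is treated as `true` (that is what `orValue(true)` does, matching the Kubernetes default) and so fails the check, and that init and ephemeral containers are included in `allContainers`, so a `kubectl debug` ephemeral container without the field is also a violation. The following is an added example, not code from the Kyverno policy library: a small plain-Python model of the rule, with constructed Pod manifests, so you can see exactly which containers the policy would report. It is a model of the expression's logic, not a CEL evaluator; the function names (`violating_containers`, `evaluate_policy`) and the sample Pods are assumptions of this example. Note also that the policy above ships with `validationFailureAction: Audit`, so in a cluster it only reports the containers this model flags; switching to `Enforce` is what makes the admission request fail.

```python
"""Plain-Python model of the disallow-privilege-escalation CEL rule.

Added example, not part of the Kyverno policy library. It mirrors the
CEL expression's two key behaviours:
  * allContainers = containers + initContainers + ephemeralContainers
  * a missing allowPrivilegeEscalation counts as true (orValue(true)),
    so only an explicit `false` satisfies the rule.
"""
from typing import Any

POLICY_MESSAGE = (
    "Privilege escalation is disallowed. All containers must set the "
    "securityContext.allowPrivilegeEscalation field to `false`."
)


def all_containers(pod: dict[str, Any]) -> list[dict[str, Any]]:
    """Same union as the CEL `allContainers` variable (absent lists -> [])."""
    spec = pod.get("spec", {})
    return (
        list(spec.get("containers", []))
        + list(spec.get("initContainers", []))
        + list(spec.get("ephemeralContainers", []))
    )


def allows_privilege_escalation(container: dict[str, Any]) -> bool:
    """Mirror of `container.?securityContext.allowPrivilegeEscalation.orValue(true)`."""
    security_context = container.get("securityContext") or {}
    return security_context.get("allowPrivilegeEscalation", True)


def violating_containers(pod: dict[str, Any]) -> list[str]:
    """Names of containers for which the CEL `all(...)` predicate is false."""
    return [
        c.get("name", "<unnamed>")
        for c in all_containers(pod)
        if allows_privilege_escalation(c)  # true or missing -> violation
    ]


def evaluate_policy(pod: dict[str, Any]) -> tuple[bool, str]:
    """Return (passed, message) the way the validate rule would report it."""
    bad = violating_containers(pod)
    if not bad:
        return True, ""
    return False, f"{POLICY_MESSAGE} Offending containers: {', '.join(bad)}"


# Constructed sample manifests (not from the page).
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "good"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example/app",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
        "initContainers": [
            {"name": "init", "image": "example/init",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "bad"},
    "spec": {
        "containers": [
            # No securityContext at all: defaults to true, so it fails.
            {"name": "web", "image": "example/web"},
            # Explicit false: this one is fine.
            {"name": "sidecar", "image": "example/sidecar",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
        "initContainers": [
            # Explicit true: fails.
            {"name": "init", "image": "example/init",
             "securityContext": {"allowPrivilegeEscalation": True}},
        ],
        "ephemeralContainers": [
            # securityContext present but field missing: still true, fails.
            {"name": "debug", "image": "example/debug", "securityContext": {}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        passed, message = evaluate_policy(pod)
        print(pod["metadata"]["name"], "PASS" if passed else "FAIL", message)
```

Running it reports `good PASS` and `bad FAIL` naming `web`, `init` and `debug`; `sidecar` is the only container in the second Pod that would satisfy the rule, which is why the CEL predicate uses `all(...)` rather than `exists(...)`.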