All Policies

Disallow Privileged Containers

Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.

Policy Definition

/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-privileged-containers
 5  annotations:
 6    policies.kyverno.io/title: Disallow Privileged Containers
 7    policies.kyverno.io/category: Pod Security Standards (Baseline)
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod
10    kyverno.io/kyverno-version: 1.6.0
11    kyverno.io/kubernetes-version: "1.22-1.23"
12    policies.kyverno.io/description: >-
13      Privileged mode disables most security mechanisms and must not be allowed. This policy
14      ensures Pods do not call for privileged mode.      
15spec:
16  validationFailureAction: audit
17  background: true
18  rules:
19    - name: privileged-containers
20      match:
21        any:
22        - resources:
23            kinds:
24              - Pod
25      validate:
26        message: >-
27          Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
28          and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.          
29        pattern:
30          spec:
31            =(ephemeralContainers):
32              - =(securityContext):
33                  =(privileged): "false"
34            =(initContainers):
35              - =(securityContext):
36                  =(privileged): "false"
37            containers:
38              - =(securityContext):
39                  =(privileged): "false"
Create policy issue