Disallow Privileged Containers
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
Policy Definition
/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    policies.kyverno.io/title: Disallow Privileged Containers
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Privileged mode disables most security mechanisms and must not be allowed. This policy
      ensures Pods do not call for privileged mode.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged,
          spec.initContainers[*].securityContext.privileged, and spec.ephemeralContainers[*].securityContext.privileged must be unset or set to `false`.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```
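The pattern above relies on Kyverno's conditional anchor `=(field)`: a field wrapped this way is only checked when it exists, so a container with no `securityContext`, or one whose `securityContext` has no `privileged` key, satisfies the rule, while `privileged: true` in any of the three container lists fails it. The following Python is an added example, not Kyverno's own code or part of this policy page: it reproduces that evaluation logic on two constructed Pod manifests so the anchor semantics can be checked offline. With `validationFailureAction: Audit` as shown, Kyverno would report these violations rather than block the Pod.

```python
# Added example: mirrors the disallow-privileged-containers pattern in plain Python.
# Kyverno's "=(field)" anchor means "check this only if present"; this function
# applies that rule to containers, initContainers and ephemeralContainers.
from typing import Any, Dict, List

CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def privileged_violations(pod: Dict[str, Any]) -> List[str]:
    """Return the path of every container that requests privileged mode.

    An empty list means the Pod would pass the policy's validate rule.
    """
    spec = pod.get("spec", {})
    violations: List[str] = []
    for list_name in CONTAINER_LISTS:
        # A missing list is fine: the pattern only anchors on lists that exist.
        for idx, container in enumerate(spec.get(list_name) or []):
            sc = container.get("securityContext")
            if not isinstance(sc, dict):
                continue  # =(securityContext) absent: nothing to check
            if "privileged" not in sc:
                continue  # =(privileged) absent: nothing to check
            # The pattern value "false" only matches an explicit boolean false.
            if sc["privileged"] is not False:
                violations.append(f"spec.{list_name}[{idx}].securityContext.privileged")
    return violations


def is_allowed(pod: Dict[str, Any]) -> bool:
    return not privileged_violations(pod)


# Constructed sample Pods (not taken from the page).
POD_OK = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
          "spec": {"containers": [{"name": "app", "image": "nginx"},
                                  {"name": "side", "securityContext": {"runAsNonRoot": True}}],
                   "initContainers": [{"name": "init", "securityContext": {"privileged": False}}]}}

POD_BAD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
           "spec": {"containers": [{"name": "app", "securityContext": {"privileged": True}}],
                    "ephemeralContainers": [{"name": "debug", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for pod in (POD_OK, POD_BAD):
        print(pod["metadata"]["name"], privileged_violations(pod) or "allowed")
```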