Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: disallow-privileged-containersannotations:policies.kyverno.io/title: Disallow Privileged Containerspolicies.kyverno.io/category: Pod Security Standards (Baseline)policies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podkyverno.io/kyverno-version: 1.6.0kyverno.io/kubernetes-version: 1.22-1.23policies.kyverno.io/description: Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.spec:validationFailureAction: Auditbackground: truerules:- name: privileged-containersmatch:any:- resources:kinds:- Podvalidate:message: Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged, spec.initContainers[*].securityContext.privileged, and spec.ephemeralContainers[*].securityContext.privileged must be unset or set to `false`.pattern:spec:"=(ephemeralContainers)":- "=(securityContext)":"=(privileged)": "false""=(initContainers)":- "=(securityContext)":"=(privileged)": "false"containers:- "=(securityContext)":"=(privileged)": "false"
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.