Disallow SELinux
SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined.
Policy Definition
/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  annotations:
    policies.kyverno.io/title: Disallow SELinux
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed. This policy
      ensures that the `seLinuxOptions` field is undefined.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: selinux-type
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Setting the SELinux type is restricted. The fields
          spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
          spec.initContainers[*].securityContext.seLinuxOptions.type, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
          must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
        pattern:
          spec:
            # =() is a conditional anchor: the check applies only if the field is present
            =(securityContext):
              =(seLinuxOptions):
                =(type): "container_t | container_init_t | container_kvm_t"
            =(ephemeralContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    =(type): "container_t | container_init_t | container_kvm_t"
            =(initContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    =(type): "container_t | container_init_t | container_kvm_t"
            containers:
              - =(securityContext):
                  =(seLinuxOptions):
                    =(type): "container_t | container_init_t | container_kvm_t"
    - name: selinux-user-role
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Setting the SELinux user or role is forbidden. The fields
          spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
          spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
          spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
          spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
          must be unset.
        pattern:
          spec:
            # X() is a negation anchor: the field must not be present at all
            =(securityContext):
              =(seLinuxOptions):
                X(user): "null"
                X(role): "null"
            =(ephemeralContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    X(user): "null"
                    X(role): "null"
            =(initContainers):
              - =(securityContext):
                  =(seLinuxOptions):
                    X(user): "null"
                    X(role): "null"
            containers:
              - =(securityContext):
                  =(seLinuxOptions):
                    X(user): "null"
                    X(role): "null"
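The two rules above rely on Kyverno's `=()` conditional anchor (check the value only if the field is present) and `X()` negation anchor (the field must be absent). To make those semantics concrete, the following added example (not part of the Kyverno policy library, and not how Kyverno itself evaluates patterns) re-implements the same checks in plain Python over constructed Pod manifests, so the effect of each rule can be reproduced offline without a cluster. The sample Pods, the `custom_t` type value and the function names are all assumptions made for this illustration.

```python
"""Offline re-implementation of the disallow-selinux rules for sample Pod specs.

Assumed helper, not Kyverno code: it walks every securityContext in a Pod the
way the policy's pattern does (pod level, containers, initContainers,
ephemeralContainers) and reports the same two classes of violation.
"""

# Allowed values from the selinux-type rule's "a | b | c" pattern.
ALLOWED_SELINUX_TYPES = {"container_t", "container_init_t", "container_kvm_t"}


def _selinux_options(spec):
    """Yield (json path, seLinuxOptions) for each securityContext that sets seLinuxOptions.

    Mirrors the =() anchors: a missing securityContext or seLinuxOptions is
    simply skipped rather than treated as a violation.
    """
    pod_sc = spec.get("securityContext") or {}
    if "seLinuxOptions" in pod_sc:
        yield "spec.securityContext.seLinuxOptions", pod_sc["seLinuxOptions"] or {}
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for idx, container in enumerate(spec.get(field) or []):
            sc = container.get("securityContext") or {}
            if "seLinuxOptions" in sc:
                yield f"spec.{field}[{idx}].securityContext.seLinuxOptions", sc["seLinuxOptions"] or {}


def check_selinux_type(pod):
    """Rule selinux-type: 'type', if set, must be one of the allowed values."""
    violations = []
    for path, opts in _selinux_options(pod.get("spec") or {}):
        if "type" in opts and opts["type"] not in ALLOWED_SELINUX_TYPES:
            violations.append(f"{path}.type={opts['type']!r}")
    return violations


def check_selinux_user_role(pod):
    """Rule selinux-user-role: 'user' and 'role' must not be present (X() anchor)."""
    violations = []
    for path, opts in _selinux_options(pod.get("spec") or {}):
        for key in ("user", "role"):
            if key in opts:
                violations.append(f"{path}.{key}")
    return violations


def validate(pod):
    """Return {rule name: [violations]}; an empty list for both rules means the Pod passes."""
    return {
        "selinux-type": check_selinux_type(pod),
        "selinux-user-role": check_selinux_user_role(pod),
    }


# Constructed sample manifests (not from the page).
POD_OK = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1.0",
         "securityContext": {"seLinuxOptions": {"type": "container_t"}}},
        {"name": "sidecar", "image": "example/sidecar:1.0"},  # no seLinuxOptions: fine
    ]},
}

POD_BAD_TYPE = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad-type"},
    "spec": {"initContainers": [
        {"name": "init", "image": "example/init:1.0",
         "securityContext": {"seLinuxOptions": {"type": "custom_t"}}},  # custom_t: constructed disallowed value
    ], "containers": [{"name": "app", "image": "example/app:1.0"}]},
}

POD_BAD_USER_ROLE = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad-user-role"},
    "spec": {
        "securityContext": {"seLinuxOptions": {"user": "system_u"}},
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"seLinuxOptions": {"type": "container_t", "role": "system_r"}}},
        ],
    },
}


if __name__ == "__main__":
    for pod in (POD_OK, POD_BAD_TYPE, POD_BAD_USER_ROLE):
        print(pod["metadata"]["name"], validate(pod))
```

Note that the policy ships with `validationFailureAction: audit`, so in a cluster a Pod like `POD_BAD_TYPE` is admitted and only reported in a PolicyReport; switch to `enforce` to have the admission request rejected. The script above is the same distinction in miniature: it reports violations, and whether to block on them is the caller's decision.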