
Disallow SELinux

SELinux options can be used to escalate privileges and should not be allowed. This policy restricts `seLinuxOptions.type` at the pod and container level to the values permitted by the Pod Security Standards Baseline profile (`container_t`, `container_init_t`, `container_kvm_t`) and forbids setting `seLinuxOptions.user` or `seLinuxOptions.role` anywhere in the pod spec. Note that the policy ships with `validationFailureAction: audit`, so violations are only reported, not blocked, until it is switched to `enforce`.

Policy Definition

/pod-security/baseline/disallow-selinux/disallow-selinux.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-selinux
 5  annotations:
 6    policies.kyverno.io/title: Disallow SELinux
 7    policies.kyverno.io/category: Pod Security Standards (Baseline)
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod
10    kyverno.io/kyverno-version: 1.6.0
11    kyverno.io/kubernetes-version: "1.22-1.23"
12    policies.kyverno.io/description: >-
13      SELinux options can be used to escalate privileges and should not be allowed. This policy
14      ensures that the `seLinuxOptions` field is undefined.      
15spec:
16  validationFailureAction: audit
17  background: true
18  rules:
19    - name: selinux-type
20      match:
21        any:
22        - resources:
23            kinds:
24              - Pod
25      validate:
26        message: >-
27          Setting the SELinux type is restricted. The fields
28          spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
29          , spec.initContainers[*].securityContext.seLinuxOptions, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
30          must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).          
31        pattern:
32          spec:
33            =(securityContext):
34              =(seLinuxOptions):
35                =(type): "container_t | container_init_t | container_kvm_t"
36            =(ephemeralContainers):
37              - =(securityContext):
38                  =(seLinuxOptions):
39                    =(type): "container_t | container_init_t | container_kvm_t"
40            =(initContainers):
41              - =(securityContext):
42                  =(seLinuxOptions):
43                    =(type): "container_t | container_init_t | container_kvm_t"
44            containers:
45              - =(securityContext):
46                  =(seLinuxOptions):
47                    =(type): "container_t | container_init_t | container_kvm_t"
48    - name: selinux-user-role
49      match:
50        any:
51        - resources:
52            kinds:
53              - Pod
54      validate:
55        message: >-
56          Setting the SELinux user or role is forbidden. The fields
57          spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,
58          spec.containers[*].securityContext.seLinuxOptions.user, spec.containers[*].securityContext.seLinuxOptions.role,
59          spec.initContainers[*].securityContext.seLinuxOptions.user, spec.initContainers[*].securityContext.seLinuxOptions.role,
60          spec.ephemeralContainers[*].securityContext.seLinuxOptions.user, and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
61          must be unset.          
62        pattern:
63          spec:
64            =(securityContext):
65              =(seLinuxOptions):
66                X(user): "null"
67                X(role): "null"
68            =(ephemeralContainers):
69              - =(securityContext):
70                  =(seLinuxOptions):
71                    X(user): "null"
72                    X(role): "null"
73            =(initContainers):
74              - =(securityContext):
75                  =(seLinuxOptions):
76                    X(user): "null"
77                    X(role): "null"
78            containers:
79              - =(securityContext):
80                  =(seLinuxOptions):
81                    X(user): "null"
82                    X(role): "null"