Minimally restrictive policy to prevent known privilege escalations.

To apply the Baseline/Default policies install Kyverno and run the following kustomize command:

kustomize build | kubectl apply -f -

This command installs policies with validateFailureAction: enforce and hence will block resources that violate policies. Alternatively, you can clone the Git repo to install the policies.

Disallow Add Capabilities

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed.

Disallow Host Namespaces

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces.

Disallow Host Path

HostPath volumes let pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed.

Disallow Host Ports

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list.

Disallow Privileged Containers

Privileged mode disables most security mechanisms and must not be allowed.

Require Default Proc Mount

The default /proc masks are set up to reduce attack surface and should be required.

Disallow SELinux

SELinux options can be used to escalate privileges and should not be allowed.

Restrict AppArmor

On supported hosts, the ‘runtime/default’ AppArmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to an allowed set of profiles.

Restrict Sysctls

Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed “safe” subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node.

Last modified January 22, 2021: add kustomize links and details (154604d)