Disallow Add Capabilities

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed.

Policy Definition

/pod-security/default/disallow-adding-capabilities.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-add-capabilities
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Default)
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access.
      Adding capabilities beyond the default set must not be allowed.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: capabilities
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Adding of additional capabilities beyond the default set is not allowed.
        The fields spec.containers[*].securityContext.capabilities.add and
        spec.initContainers[*].securityContext.capabilities.add must be empty.
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(capabilities):
                X(add): null
          =(initContainers):
          - =(securityContext):
              =(capabilities):
                X(add): null
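To show what the pattern above accepts and rejects, here is an added Python check (not Kyverno's engine and not code from this page) that evaluates the same rule over two constructed Pod manifests. It follows the pattern's anchor semantics: `=(...)` makes a level conditional on the key being present, and `X(add): null` requires the `add` key to be absent; the manifests and names are constructed for the example.

```python
# Added example: evaluates the disallow-add-capabilities rule in plain Python.
# Mirrors the Kyverno pattern: =() anchors only descend when the key exists,
# X(add): null means the `add` key must not be present at all.
from typing import Any, Dict, List, Optional


def _added_caps(container: Dict[str, Any]) -> Optional[List[str]]:
    """Return the capabilities.add value if the key is present, else None."""
    sec = container.get("securityContext")   # =(securityContext): skip if absent
    if not isinstance(sec, dict):
        return None
    caps = sec.get("capabilities")           # =(capabilities): skip if absent
    if not isinstance(caps, dict):
        return None
    if "add" not in caps:                    # X(add): null -> key must be absent
        return None
    return list(caps["add"] or [])           # present (even if empty) is a violation


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one violation string per container that adds capabilities."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    # containers has no anchor (always required on a Pod); =(initContainers)
    # means an absent list is simply nothing to check.
    for field in ("containers", "initContainers"):
        for c in spec.get(field, []):
            added = _added_caps(c)
            if added is not None:
                violations.append(f"{field}/{c.get('name', '?')}: capabilities.add={added}")
    return violations


# Constructed sample manifests (not taken from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {"containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"capabilities": {"drop": ["ALL"]}}}]},
}
VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "busybox",
                            "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
        "containers": [{"name": "app", "image": "nginx",
                        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"], "drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "pass")
```

As written the policy sets validationFailureAction: audit, so a Pod like VIOLATING_POD is reported rather than rejected at admission; change it to enforce to block such Pods.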

Last modified January 2, 2021: fix titles (9a0d72f)