Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false` on every container, init container and ephemeral container in a Pod. The pattern matches only an explicit `false`: a container that omits the field also fails, which is the intended behaviour because Kubernetes leaves privilege escalation allowed when the field is unset. Init containers and ephemeral containers are covered through the `=()` conditional anchor, so they are checked whenever present (ephemeral containers are how `kubectl debug` attaches to a running Pod, and would otherwise be an easy way around the rule). As published, `validationFailureAction` is `Audit`, so violations are reported in policy reports but not blocked; set it to `Enforce` to reject non-compliant Pods at admission.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation
  annotations:
    policies.kyverno.io/title: Disallow Privilege Escalation
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Privilege escalation, such as via set-user-ID or set-group-ID file mode,
      should not be allowed. This policy ensures the `allowPrivilegeEscalation`
      field is set to `false`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: privilege-escalation
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Privilege escalation is disallowed. The fields
          spec.containers[*].securityContext.allowPrivilegeEscalation,
          spec.initContainers[*].securityContext.allowPrivilegeEscalation,
          and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
          must be set to `false`.
        pattern:
          spec:
            "=(ephemeralContainers)":
              - securityContext:
                  allowPrivilegeEscalation: "false"
            "=(initContainers)":
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
```
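To see what the pattern above accepts and rejects without a cluster, the following is an added, stand-alone re-implementation of its three checks in Python. It is not Kyverno's pattern engine and is not part of the policy: it reproduces the semantics that matter here (an omitted field is a violation, `containers` is always checked, `initContainers` and `ephemeralContainers` are checked only when present, mirroring the `=()` anchor) and runs them over four constructed Pod manifests. The `harden_pod` helper, the sample Pods and their names are assumptions made for the example; it shows the remediation a mutate rule would apply, which this validate policy does not do.

```python
"""Offline check mirroring the disallow-privilege-escalation pattern.

Added example, not Kyverno code. It evaluates a Pod (as a dict parsed from a
manifest) the way the pattern above does, so the effect of the `=()` anchor
and of an omitted allowPrivilegeEscalation field can be seen without a cluster.
"""
from __future__ import annotations

import copy
from typing import Any

CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
# In the pattern, initContainers and ephemeralContainers sit under the `=()`
# conditional anchor: they are checked only when present. `containers` has no
# anchor, so it is always required (every Pod has at least one container).
CONDITIONAL = {"initContainers", "ephemeralContainers"}


def check_pod(pod: dict[str, Any]) -> list[str]:
    """Return one violation message per offending container; [] if compliant."""
    spec = pod.get("spec") or {}
    violations: list[str] = []
    for list_name in CONTAINER_LISTS:
        items = spec.get(list_name)
        if items is None:
            if list_name not in CONDITIONAL:
                violations.append(f"spec.{list_name} is missing")
            continue
        for idx, container in enumerate(items):
            sc = container.get("securityContext") or {}
            value = sc.get("allowPrivilegeEscalation")
            # The pattern needs an explicit false. An omitted field fails too:
            # Kubernetes leaves privilege escalation allowed when it is unset.
            if value is not False:
                shown = "omitted" if value is None else repr(value)
                violations.append(
                    f"spec.{list_name}[{idx}].securityContext."
                    f"allowPrivilegeEscalation must be false (is {shown})"
                )
    return violations


def harden_pod(pod: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the Pod with allowPrivilegeEscalation: false everywhere.

    Hypothetical remediation helper (what a mutate rule would do); the validate
    policy above only reports or rejects.
    """
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            sc = container.get("securityContext") or {}
            sc["allowPrivilegeEscalation"] = False
            container["securityContext"] = sc
    return hardened


# --- constructed sample manifests (not from the page) -----------------------
def _container(name: str, ape: bool | None = None) -> dict[str, Any]:
    c: dict[str, Any] = {"name": name, "image": "busybox:1.36"}
    if ape is not None:
        c["securityContext"] = {"allowPrivilegeEscalation": ape}
    return c


def _pod(name: str, **lists: list[dict[str, Any]]) -> dict[str, Any]:
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name}, "spec": dict(lists)}


SAMPLE_PODS: dict[str, dict[str, Any]] = {
    # explicit false on every container, no ephemeral containers: passes
    "compliant": _pod("compliant", containers=[_container("app", False)],
                      initContainers=[_container("init", False)]),
    # field left out entirely: fails, escalation is allowed by default
    "field-omitted": _pod("field-omitted", containers=[_container("app")]),
    # main container fine, init container explicitly true: fails
    "init-true": _pod("init-true", containers=[_container("app", False)],
                      initContainers=[_container("init", True)]),
    # debug (ephemeral) container with escalation: fails because the
    # =(ephemeralContainers) anchor checks the list once it exists
    "ephemeral-true": _pod("ephemeral-true", containers=[_container("app", False)],
                           ephemeralContainers=[_container("debugger", True)]),
}


def evaluate_all() -> dict[str, list[str]]:
    """Run check_pod over every sample; maps Pod name to its violations."""
    return {name: check_pod(pod) for name, pod in SAMPLE_PODS.items()}


if __name__ == "__main__":
    for name, violations in evaluate_all().items():
        print(f"{name}: {'PASS' if not violations else 'FAIL'}")
        for v in violations:
            print("  -", v)
```

Running the script prints PASS for `compliant` and one FAIL line per violation for the other three. A real manifest can be fed in by loading it with `yaml.safe_load` and passing the resulting dict to `check_pod`; the Kyverno CLI (`kyverno apply`) is the authoritative way to test the actual policy against resources.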
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer deployed in AWS support transport encryption at the load balancer when it is enabled via an annotation. This policy requires that every Service of type LoadBalancer carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with a non-empty value (the ARN of the certificate the load balancer should present). The policy checks only that the annotation is present with some value; it does not verify that the ARN refers to a valid certificate or that the listener ports are configured for TLS.
This policy prevents updates to the project field after an Application is created.