Disallow Privilege Escalation

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`.

Policy Definition

/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation
  annotations:
    policies.kyverno.io/title: Disallow Privilege Escalation
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
      This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: privilege-escalation
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Privilege escalation is disallowed. The fields
          spec.containers[*].securityContext.allowPrivilegeEscalation,
          spec.initContainers[*].securityContext.allowPrivilegeEscalation,
          and spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation
          must be set to `false`.
        pattern:
          spec:
            =(ephemeralContainers):
            - securityContext:
                allowPrivilegeEscalation: "false"
            =(initContainers):
            - securityContext:
                allowPrivilegeEscalation: "false"
            containers:
            - securityContext:
                allowPrivilegeEscalation: "false"
```
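The pattern above has two details that are easy to misread: the `=(initContainers)` and `=(ephemeralContainers)` anchors make those lists optional (the rule only inspects them when the Pod has them), while `containers` carries no anchor and is always checked, and `allowPrivilegeEscalation: "false"` requires the field to be present and equal to `false`, so a container with no `securityContext` at all also fails. The following Python script is an added example, not Kyverno's own evaluation code: it re-implements just this rule's logic over two constructed Pod manifests (one compliant, one with a `true` value and a missing field) so the behaviour can be checked offline without a cluster. The helper names and sample Pods are assumptions made for the example.

```python
"""Offline re-implementation of the disallow-privilege-escalation pattern.

Constructed example (not Kyverno code): mirrors how the validate pattern
treats optional container lists (=(...) anchors) versus the required
containers list, and how a missing field counts as a violation.
"""

# =(...) anchors in the policy: only inspected when the list is present.
OPTIONAL_CONTAINER_LISTS = ("initContainers", "ephemeralContainers")
# No anchor in the policy: the list must exist and every entry must comply.
REQUIRED_CONTAINER_LISTS = ("containers",)


def _container_violations(path, containers):
    """Return one violation string per non-compliant container in a list."""
    violations = []
    for idx, container in enumerate(containers):
        name = container.get("name", "<unnamed>")
        security_context = container.get("securityContext") or {}
        field = f"{path}[{idx}].securityContext.allowPrivilegeEscalation"
        if "allowPrivilegeEscalation" not in security_context:
            # Pattern "false" demands the key exist; absence is a violation.
            violations.append(f"{field} ({name}) is not set; must be false")
        elif security_context["allowPrivilegeEscalation"] is not False:
            value = security_context["allowPrivilegeEscalation"]
            violations.append(f"{field} ({name}) is {value!r}; must be false")
    return violations


def validate_pod(pod):
    """Evaluate the policy rule against a Pod manifest given as a dict.

    Returns a list of violation messages; an empty list means the Pod passes.
    """
    spec = pod.get("spec", {})
    violations = []
    for key in REQUIRED_CONTAINER_LISTS:
        if key not in spec:
            violations.append(f"spec.{key} is missing")
            continue
        violations += _container_violations(f"spec.{key}", spec[key])
    for key in OPTIONAL_CONTAINER_LISTS:
        if key in spec:  # anchored list: skipped entirely when absent
            violations += _container_violations(f"spec.{key}", spec[key])
    return violations


# Constructed sample manifests (not from the page).
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "good-pod"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
        # no ephemeralContainers: the =(ephemeralContainers) anchor skips it
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "bad-pod"},
    "spec": {
        "containers": [
            {"name": "escalates", "image": "nginx",
             "securityContext": {"allowPrivilegeEscalation": True}},
            {"name": "unset", "image": "nginx"},  # no securityContext at all
        ],
    },
}


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        result = validate_pod(pod)
        status = "pass" if not result else "fail"
        print(f"{pod['metadata']['name']}: {status}")
        for violation in result:
            print(f"  - {violation}")
```

Because the policy sets `validationFailureAction: audit`, Kyverno records violations like the two reported for `bad-pod` in policy reports rather than rejecting the Pod at admission; changing that field to `enforce` makes the same rule block the request.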