Restricted Pod Security Standards with Container-Level Control Exemption
The restricted profile of the Pod Security Standards, which includes the baseline profile, is a collection of the most common configurations that can be applied to secure Pods. Beginning with Kyverno 1.8, an entire profile may be assigned to the cluster through a single rule. In some cases, specific exemptions must be made on a per-control basis. This policy configures the restricted profile through the latest version of the Pod Security Standards cluster-wide while exempting `nginx` and `redis` container images from the Capabilities control check.
Policy Definition
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: podsecurity-subrule-restricted-capabilities
  annotations:
    policies.kyverno.io/title: Restricted Pod Security Standards with Container-Level Control Exemption
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.8.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The restricted profile of the Pod Security Standards, which is inclusive of
      the baseline profile, is a collection of all the most common configurations
      that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
      may be assigned to the cluster through a single rule. In some cases, specific exemptions
      must be made on a per-control basis. This policy configures the
      restricted profile through the latest version of the Pod Security Standards cluster wide while
      exempting `nginx` and `redis` container images from the Capabilities control check.
spec:
  background: true
  validationFailureAction: Enforce
  rules:
  - name: restricted-exempt-capabilities
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      podSecurity:
        level: restricted
        version: latest
        exclude:
        - controlName: Capabilities
          images:
          - ghcr.io/kyverno/test-nginx*
          - redis*
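As an added illustration, not part of the policy page or the Kyverno project's own test resources: two constructed Pod manifests that exercise the exemption above. Both satisfy every other restricted-profile requirement (`allowPrivilegeEscalation: false`, `runAsNonRoot: true`, a `RuntimeDefault` seccomp profile) but neither drops `ALL` capabilities, and both add `NET_ADMIN`, which the restricted Capabilities control forbids. The first Pod's `redis:7` image is assumed to match the policy's `redis*` pattern, so the Capabilities control is skipped for that container and the Pod is expected to be admitted; the second uses `busybox:1.36`, a constructed image matching neither pattern, so the control applies and the Pod is expected to be rejected. The image names, and the assumption that Kyverno matches the patterns against the image string as written in the manifest, are this example's assumptions.

```yaml
# Added example (not from the policy page): constructed Pods to check the exemption.
# Pod 1: the image is assumed to match "redis*", so the Capabilities control is
# skipped for this container; every other restricted control is still satisfied,
# so the Pod is expected to pass the restricted-exempt-capabilities rule.
apiVersion: v1
kind: Pod
metadata:
  name: redis-exempt-caps
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: redis
    image: redis:7            # assumed to match the policy's "redis*" pattern
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN           # forbidden by restricted, but exempted for this image
---
# Pod 2: identical securityContext but a constructed image that matches neither
# exemption pattern, so the Capabilities control applies; the missing
# "drop: [ALL]" and the added NET_ADMIN are expected to get the Pod rejected.
apiVersion: v1
kind: Pod
metadata:
  name: busybox-not-exempt
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: busybox:1.36       # constructed non-exempt image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        add:
        - NET_ADMIN
```

With the policy saved as `policy.yaml` and the two Pods as `pods.yaml`, the Kyverno CLI's `kyverno apply policy.yaml --resource pods.yaml` evaluates the rule offline and reports a pass for `redis-exempt-caps` and a fail for `busybox-not-exempt` if the exemption behaves as described. Note that the exemption removes only the Capabilities control for matching containers: the redis Pod would still be rejected if, for example, `allowPrivilegeEscalation` were left unset.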