Restrict Adding Capabilities in CEL expressions
Adding Linux capabilities lets a container in a Pod request privileges beyond the default set it is provisioned with. Many capabilities grant system-level control and should be prevented. Pod Security Policies (PSP) allowed a list of "good" capabilities to be added. This policy checks ephemeralContainers, initContainers, and containers to ensure the only capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN. Two practical points: the expression compares capability names as exact strings, and Kubernetes manifests conventionally list capabilities without the CAP_ prefix (for example `CHOWN`), so a container adding `CHOWN` is reported while one adding `CAP_CHOWN` passes, even though both name the same Linux capability; align the allowedCapabilities list with the spelling used in your manifests. The policy also ships with validationFailureAction set to Audit, so violations are only recorded in policy reports; set it to Enforce to deny the admission request.
Policy Definition
/psp-migration-cel/restrict-adding-capabilities/restrict-adding-capabilities.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psp-restrict-adding-capabilities
  annotations:
    policies.kyverno.io/title: Restrict Adding Capabilities in CEL expressions
    policies.kyverno.io/category: PSP Migration in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities is a way for containers in a Pod to request higher levels
      of ability than those with which they may be provisioned. Many capabilities
      allow system-level control and should be prevented. Pod Security Policies (PSP)
      allowed a list of "good" capabilities to be added. This policy checks
      ephemeralContainers, initContainers, and containers to ensure the only
      capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: allowed-capabilities
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          variables:
            - name: allContainers
              expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
            - name: allowedCapabilities
              expression: "['NET_BIND_SERVICE', 'CAP_CHOWN']"
          expressions:
            - expression: >-
                variables.allContainers.all(container,
                container.?securityContext.?capabilities.?add.orValue([]).all(capability, capability in variables.allowedCapabilities))
              message: >-
                Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed.
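To see exactly what the CEL expression above accepts and rejects without a cluster, here is an added example (not code from the Kyverno policies repository) that re-implements the same check in plain Python and runs it over constructed Pod objects. The helper names (all_containers, added_capabilities, violations, make_pod, container) and the sample Pods are this example's own; the allow-list and the optional-field handling mirror the policy's variables and `?`/orValue([]) usage one to one.

```python
"""Plain-Python mirror of the policy's CEL check (added example, not Kyverno code).

CEL being mirrored:
  allContainers = object.spec.containers
                  + object.spec.?initContainers.orValue([])
                  + object.spec.?ephemeralContainers.orValue([])
  allContainers.all(c,
      c.?securityContext.?capabilities.?add.orValue([])
       .all(cap, cap in allowedCapabilities))
"""

# Exactly the list from the policy's `allowedCapabilities` variable.
ALLOWED_CAPABILITIES = ["NET_BIND_SERVICE", "CAP_CHOWN"]


def all_containers(pod):
    """Mirror of the `allContainers` variable.

    `containers` is required on a Pod; the `?`/orValue([]) in CEL make the
    optional init and ephemeral lists default to empty rather than erroring.
    """
    spec = pod.get("spec", {})
    return (spec.get("containers", [])
            + (spec.get("initContainers") or [])
            + (spec.get("ephemeralContainers") or []))


def added_capabilities(container_obj):
    """Mirror of container.?securityContext.?capabilities.?add.orValue([])."""
    security_context = container_obj.get("securityContext") or {}
    capabilities = security_context.get("capabilities") or {}
    return capabilities.get("add") or []


def violations(pod, allowed=ALLOWED_CAPABILITIES):
    """(container name, capability) for every added capability not in the allow-list.

    An empty result means the policy expression evaluates to true (pass).
    The comparison is an exact string match, as `cap in allowed` is in CEL.
    """
    return [(c.get("name", "<unnamed>"), cap)
            for c in all_containers(pod)
            for cap in added_capabilities(c)
            if cap not in allowed]


def policy_passes(pod):
    return not violations(pod)


# --- constructed sample input (hypothetical Pods, not from any real cluster) ---

def container(name, add=None):
    c = {"name": name, "image": "busybox"}
    if add is not None:
        c["securityContext"] = {"capabilities": {"add": add}}
    return c


def make_pod(name, containers, init=None, ephemeral=None):
    spec = {"containers": containers}
    if init is not None:
        spec["initContainers"] = init
    if ephemeral is not None:
        spec["ephemeralContainers"] = ephemeral
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name}, "spec": spec}


GOOD_POD = make_pod("good", [container("web", add=["NET_BIND_SERVICE"])],
                    init=[container("setup")])          # no securityContext at all
BAD_INIT_POD = make_pod("bad-init", [container("web")],
                        init=[container("setup", add=["SYS_ADMIN"])])
BAD_EPHEMERAL_POD = make_pod("bad-debug", [container("web")],
                             ephemeral=[container("debug", add=["SYS_PTRACE"])])
# Kubernetes manifests usually omit the CAP_ prefix; the policy's exact string
# match therefore rejects "CHOWN" although it allows "CAP_CHOWN".
PREFIX_MISMATCH_POD = make_pod("chown", [container("web", add=["CHOWN"])])

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_INIT_POD, BAD_EPHEMERAL_POD, PREFIX_MISMATCH_POD):
        name = pod["metadata"]["name"]
        found = violations(pod)
        print(f"{name}: {'pass' if not found else 'fail ' + str(found)}")
```

The init and ephemeral cases are the ones a PSP-era policy most often missed; the prefix case is the reason to check the spelling in your own manifests before switching the policy to Enforce.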