Add Capabilities
In the earlier Pod Security Policy controller, it was possible to configure a policy to add capabilities to containers within a Pod. This made it easier to assign some basic defaults rather than blocking Pods, or simply to provide capabilities for certain workloads when they were not specified. This policy mutates Pods to add the capabilities SETFCAP and SETUID so long as they are not listed as dropped capabilities first.

The rule runs only for admission requests whose operation is CREATE or UPDATE. The precondition {{request.operation || 'BACKGROUND'}} substitutes the value BACKGROUND when request.operation is unset, as it is during background scans, and BACKGROUND is not in the allowed list, so those scans skip the rule. For each container the rule checks the literal capability name against the container's capabilities.drop list and appends the capability to capabilities.add only when it is not dropped.

Two points to check before relying on it. First, because the check is by literal name, a container with drop: [ALL] still receives SETFCAP and SETUID, and since the container runtime applies the ALL drop before individual adds, those two capabilities are then effectively granted to a container that had dropped everything. Second, elementIndex is the position within the list the foreach iterates; the flattened list of ephemeral, init and regular containers does not line up with /spec/containers/N once a Pod declares initContainers or ephemeralContainers, so the JSON patch then lands on the wrong container or fails. Test the policy with kyverno apply against a Pod that has an initContainer, and give each container list its own patch path if init or ephemeral containers must be covered.
Policy Definition
/psp-migration/add-capabilities/add-capabilities.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-capabilities
  annotations:
    policies.kyverno.io/title: Add Capabilities
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    kyverno.io/kubernetes-version: "1.24"
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      In the earlier Pod Security Policy controller, it was possible to configure a policy
      to add capabilities to containers within a Pod. This made it easier to assign some basic defaults
      rather than blocking Pods or to simply provide capabilities for certain workloads if not specified.
      This policy mutates Pods to add the capabilities SETFCAP and SETUID so long as they are not listed
      as dropped capabilities first.
spec:
  rules:
  - name: add-setfcap-setuid
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    mutate:
      foreach:
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        preconditions:
          all:
          - key: SETUID
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETUID
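The following is an added example and not a file from the Kyverno policies repository: a variant of the same rule with one foreach entry per container list, so that elementIndex indexes the same list that the JSON patch path addresses and the patch never lands on a neighbouring container. The policy name and title are chosen here for illustration. The `|| `[]`` defaults on the initContainers and ephemeralContainers lists are an assumption made so that a Pod without those fields iterates an empty list rather than a null; verify the result with kyverno apply against a Pod that declares an initContainer before deploying it.

```yaml
# Added example: add-setfcap-setuid reworked with one foreach entry per
# container list. Not the file shipped in the Kyverno policies repository.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-capabilities-per-list        # illustrative name, not the repository's
  annotations:
    policies.kyverno.io/title: Add Capabilities (per container list)
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  rules:
  - name: add-setfcap-setuid
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      # Only admission CREATE/UPDATE; background scans resolve to BACKGROUND and skip.
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    mutate:
      foreach:
      # Regular containers. Same precondition as the original policy: skip a
      # container that lists the capability by name in capabilities.drop.
      # Note that drop: [ALL] does not match and the capability is still added.
      - list: request.object.spec.containers
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      - list: request.object.spec.containers
        preconditions:
          all:
          - key: SETUID
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETUID
      # Init containers. The `|| `[]`` default (assumption, see lead-in) turns a
      # missing initContainers field into an empty list, so nothing is iterated.
      - list: "request.object.spec.initContainers || `[]`"
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/initContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      - list: "request.object.spec.initContainers || `[]`"
        preconditions:
          all:
          - key: SETUID
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/initContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETUID
      # Ephemeral containers (kubectl debug), same shape with their own path.
      - list: "request.object.spec.ephemeralContainers || `[]`"
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      - list: "request.object.spec.ephemeralContainers || `[]`"
        preconditions:
          all:
          - key: SETUID
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/ephemeralContainers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETUID
```

To check the behaviour offline, save a Pod manifest with one initContainer that declares drop: [ALL] and one regular container that declares drop: [SETFCAP], then run kyverno apply add-capabilities-per-list.yaml --resource pod.yaml: the init container should gain both SETFCAP and SETUID in capabilities.add, and the regular container only SETUID. The init container result is the point to weigh before adopting either policy, since drop: [ALL] is applied before the individual adds and the two capabilities are therefore granted to it.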