In the earlier Pod Security Policy controller, it was possible to configure a policy to add capabilities to containers within a Pod. This made it easier to assign some basic defaults rather than blocking Pods or to simply provide capabilities for certain workloads if not specified. This policy mutates Pods to add the capabilities SETFCAP and SETUID so long as they are not listed as dropped capabilities first.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-capabilities
  annotations:
    policies.kyverno.io/title: Add Capabilities
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    kyverno.io/kubernetes-version: "1.24"
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      In the earlier Pod Security Policy controller, it was possible to configure a policy
      to add capabilities to containers within a Pod. This made it easier to assign some
      basic defaults rather than blocking Pods or to simply provide capabilities for certain
      workloads if not specified. This policy mutates Pods to add the capabilities SETFCAP
      and SETUID so long as they are not listed as dropped capabilities first.
spec:
  rules:
  - name: add-setfcap-setuid
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    mutate:
      foreach:
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        preconditions:
          all:
          - key: SETFCAP
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETFCAP
      - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
        preconditions:
          all:
          - key: SETUID
            operator: AnyNotIn
            value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"
        patchesJson6902: |-
          - path: /spec/containers/{{elementIndex}}/securityContext/capabilities/add/-
            op: add
            value: SETUID
```
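To see what this rule does to a concrete Pod before admitting it, the following added example (not Kyverno code, nor part of the policy above) emulates the mutation offline: it walks the same three container lists, applies the "not in `drop`" precondition per capability, and produces the RFC 6902 `add` operations, then applies them. The sample Pod is constructed, and the example addresses each container by its own list name and index, which is an assumption of the example rather than the policy's path template.

```python
"""Offline emulation of the add-capabilities mutation (added example, not Kyverno code)."""
import copy
# Container lists the policy's foreach iterates over, in the policy's order.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")
DEFAULT_CAPS = ("SETFCAP", "SETUID")

def dropped_caps(container):
    """Mirror the policy's `element.securityContext.capabilities.drop[] || []`."""
    sc = container.get("securityContext") or {}
    return (sc.get("capabilities") or {}).get("drop") or []

def build_patches(pod, caps=DEFAULT_CAPS):
    """RFC 6902 ops the rule would emit: one `add` per (capability, container),
    skipped when the capability is in that container's `drop` list (AnyNotIn).
    Assumption of this example: ops are addressed by each container's own list
    name and index, not the single /spec/containers/{{elementIndex}} path."""
    ops = []
    for cap in caps:  # the policy has one foreach block per capability
        for list_name in CONTAINER_LISTS:
            for idx, c in enumerate(pod["spec"].get(list_name) or []):
                if cap in dropped_caps(c):
                    continue  # dropped first wins, exactly as the precondition says
                ops.append({"op": "add", "value": cap,
                            "path": f"/spec/{list_name}/{idx}/securityContext/capabilities/add/-"})
    return ops

def apply_patches(pod, ops):
    """Apply the `add/-` ops to a deep copy of `pod`, creating securityContext
    and capabilities when absent (a strict RFC 6902 applier would reject that)."""
    out = copy.deepcopy(pod)
    for op in ops:
        _, spec, list_name, idx, *_ = op["path"].split("/")
        c = out[spec][list_name][int(idx)]
        caps = c.setdefault("securityContext", {}).setdefault("capabilities", {})
        caps.setdefault("add", []).append(op["value"])
    return out

# Constructed sample Pod: 'app' drops SETUID, the others drop nothing.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"capabilities": {"drop": ["SETUID"]}}},
            {"name": "sidecar", "image": "envoy"},
        ],
    },
}
```

Running `apply_patches(SAMPLE_POD, build_patches(SAMPLE_POD))` leaves `app` with only SETFCAP added, while `init` and `sidecar` receive both capabilities.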
The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.
A read-only root file system helps to enforce an immutable infrastructure strategy; the container only needs to write on the mounted volume that persists the state. An immutable root filesystem can also prevent malicious binaries from writing to the host system. This policy validates that containers define a securityContext with `readOnlyRootFilesystem: true`.