Restrict Adding Capabilities

Adding capabilities lets a container in a Pod request privileges beyond those it is provisioned with by default. Many capabilities grant system-level control and should be prevented. Pod Security Policies (PSP) supported an allow list of "good" capabilities that could be added. This policy checks ephemeralContainers, initContainers, and containers and denies any Pod whose containers add a capability other than NET_BIND_SERVICE or CAP_CHOWN; a container that adds no capabilities at all passes.

Two points to check before deploying it. First, the allow list is matched as literal strings, and Kubernetes itself (for example the Pod Security Standards) spells capability names without the CAP_ prefix, so a container that adds CHOWN is reported while one that adds CAP_CHOWN is not; list the spelling your manifests actually use. Second, the policy ships with validationFailureAction set to Audit, which only records violations in policy reports; set it to Enforce to reject the Pod at admission.

Policy Definition

/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: psp-restrict-adding-capabilities
  annotations:
    policies.kyverno.io/title: Restrict Adding Capabilities
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities is a way for containers in a Pod to request higher levels
      of ability than those with which they may be provisioned. Many capabilities
      allow system-level control and should be prevented. Pod Security Policies (PSP)
      allowed a list of "good" capabilities to be added. This policy checks
      ephemeralContainers, initContainers, and containers to ensure the only
      capabilities that can be added are either NET_BIND_SERVICE or CAP_CHOWN.
spec:
  # Audit only records violations in policy reports; use Enforce to reject the Pod.
  validationFailureAction: Audit
  # Also scan Pods that already exist, not only admission requests.
  background: true
  rules:
    - name: allowed-capabilities
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        # Skip DELETE requests; background scans carry no request.operation.
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed.
        foreach:
          # One flattened list covering every container type in the Pod.
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                # A container with no capabilities.add evaluates to '' and is allowed.
                - key: "{{ element.securityContext.capabilities.add[] || '' }}"
                  operator: AnyNotIn
                  value:
                  - NET_BIND_SERVICE
                  - CAP_CHOWN
                  - ''
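To see how the rule behaves against realistic manifests without a cluster, the following is a small Python model of its foreach/deny logic. It is an added example, not code from the Kyverno policy library: the Pod manifests, the image name, and the helper names (make_pod, with_caps, added_capabilities, violations, is_allowed) are constructed here for illustration. It reproduces the three behaviours worth knowing about: containers that add nothing pass, ephemeral and init containers are checked alongside regular ones, and the unprefixed CHOWN spelling is reported because the match is a literal string comparison.

```python
"""Offline reference model of the capability check in psp-restrict-adding-capabilities.

Added example, not code from the Kyverno policy library: it re-implements the
rule's foreach/deny logic in plain Python so its behaviour can be explored against
constructed Pod specs without a cluster. The authoritative check remains
`kyverno apply restrict-adding-capabilities.yaml --resource pod.yaml`.
"""
from typing import Any, Dict, List

# The allow list exactly as the policy writes it; the comparison is a literal string match.
ALLOWED_CAPS = {"NET_BIND_SERVICE", "CAP_CHOWN", ""}

# The three container lists the policy flattens into one foreach list.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def added_capabilities(container: Dict[str, Any]) -> List[str]:
    """Mirror `element.securityContext.capabilities.add[] || ''`.

    A missing securityContext, capabilities or add (or an empty add list) yields
    the empty string, which the policy lists as allowed, so containers that add
    nothing pass.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = caps.get("add") or []
    return list(added) if added else [""]


def violations(pod: Dict[str, Any]) -> List[str]:
    """One message per container that adds a capability outside ALLOWED_CAPS.

    Mirrors the AnyNotIn condition: the container is denied if any element of
    its add list is not in the allow list.
    """
    spec = pod.get("spec") or {}
    found: List[str] = []
    for list_name in CONTAINER_LISTS:
        for container in spec.get(list_name) or []:
            bad = sorted(c for c in added_capabilities(container) if c not in ALLOWED_CAPS)
            if bad:
                name = container.get("name", "<unnamed>")
                found.append(f"{list_name}/{name} adds disallowed capabilities {bad}")
    return found


def is_allowed(pod: Dict[str, Any]) -> bool:
    """True when the policy would not deny the Pod."""
    return not violations(pod)


def make_pod(name: str, **lists: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Build a minimal Pod manifest from container lists (constructed sample data)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": dict(lists)}


def with_caps(name: str, *caps: str) -> Dict[str, Any]:
    """Constructed container that adds the given capabilities (none -> no securityContext)."""
    c: Dict[str, Any] = {"name": name, "image": "registry.example/app:1.0"}
    if caps:
        c["securityContext"] = {"capabilities": {"add": list(caps)}}
    return c


# Constructed sample Pods (not from the page).
GOOD_POD = make_pod("goodpod01",
                    containers=[with_caps("web", "NET_BIND_SERVICE"), with_caps("sidecar")])
BAD_POD = make_pod("badpod01",
                   initContainers=[with_caps("init", "SYS_ADMIN")],
                   containers=[with_caps("web")])
# Ephemeral containers (kubectl debug) are covered by the same flattened list.
DEBUG_POD = make_pod("debugpod01",
                     containers=[with_caps("web")],
                     ephemeralContainers=[with_caps("debugger", "SYS_PTRACE")])
# Edge case: the unprefixed spelling used by the Pod Security Standards is not in the
# allow list, so this Pod is reported even though CHOWN was meant to be permitted.
CHOWN_POD = make_pod("chownpod01", containers=[with_caps("app", "CHOWN")])

if __name__ == "__main__":
    for p in (GOOD_POD, BAD_POD, DEBUG_POD, CHOWN_POD):
        verdict = violations(p)
        print(p["metadata"]["name"], "pass" if not verdict else verdict)
```

Running the module prints a verdict per sample Pod; the same manifests, written out as YAML, can be fed to `kyverno apply` with the policy file above to confirm the model against the real engine.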