gwg313 baa0216960
add kyverno policies
Signed-off-by: gwg313 <gwg313@pm.me>
2026-05-28 20:09:06 -04:00


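---
# Kyverno ClusterPolicy: block privilege escalation in every Pod.
#
# Implements the Pod Security Standards "restricted" control for
# allowPrivilegeEscalation: every container, initContainer and
# ephemeralContainer must set securityContext.allowPrivilegeEscalation to
# false *explicitly*. An absent field is not safe: the kubelet only sets
# no_new_privs on the container process when the field is explicitly false,
# so "unset" means escalation is allowed.
#
# Why a pattern instead of the earlier foreach/deny rule: that rule defaulted
# an absent field with `|| `false``, which mapped "field not set" to
# "compliant" and waved through any container that simply omitted
# securityContext. A literal "false" in a pattern requires the field to be
# present AND false, and avoids the JMESPath null/`||` trap entirely (note
# that `|| `true`` would not have worked either, since JMESPath treats an
# explicit false as falsy and would replace it with true).
#
# The `=()` anchors make initContainers and ephemeralContainers optional:
# they are validated only when the list is present. Kyverno auto-generates
# equivalent rules for Pod controllers (Deployment, StatefulSet, DaemonSet,
# Job, CronJob) from this Pod rule.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-no-privilege-escalation
spec:
  # Enforce rejects the admission request on violation; Audit would only
  # record it in a PolicyReport.
  validationFailureAction: Enforce
  # Also scan existing resources so pre-existing violations surface in
  # PolicyReports, not just new admissions.
  background: true
  rules:
    - name: require-no-privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
      # NOTE(review): no `exclude` is set, so kube-system and other platform
      # namespaces are enforced too -- confirm their Pods already set
      # allowPrivilegeEscalation: false before rolling this out, or add an
      # explicit exclude for them.
      validate:
        message: "allowPrivilegeEscalation must be false."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"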