mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 01:16:55 +00:00
kyverno/samples/DisallowNewCapabilities.md
# Disallow new capabilities
Linux allows defining fine-grained permissions using capabilities. With Kubernetes, a container's `securityContext` can add capabilities that escalate the level of kernel access available to the container and allow other potentially dangerous behaviors. This policy enforces that containers cannot add new capabilities. Other policies can be used to set default capabilities.
## Policy YAML
[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-new-capabilities
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
spec:
  validationFailureAction: audit
  rules:
  - name: validate-add-capabilities
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "New capabilities cannot be added"
      pattern:
        spec:
          containers:
          - name: "*"
            =(securityContext):
              =(capabilities):
                X(add): null
````
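To make the pattern's anchor semantics concrete, the following added example (not part of the Kyverno sample and not Kyverno's own engine) re-implements, for this one rule, what the `=()` conditional anchors and the `X(add): null` negation anchor check, and runs it over three constructed pod manifests. The function names and the sample manifests are assumptions made for the example.

```python
"""Offline illustration of the disallow-new-capabilities pattern.

Hand-written re-implementation of the anchor semantics used by this
single policy (added example; not Kyverno's engine):
  =(securityContext)  conditional anchor: evaluated only if the key exists
  =(capabilities)     conditional anchor one level deeper
  X(add): null        negation anchor: the key `add` must not be present
Only `spec.containers` is checked, exactly like the pattern above;
`initContainers` are not covered by this rule.
"""
from typing import Any


def container_adds_capabilities(container: dict[str, Any]) -> bool:
    """True when the container sets securityContext.capabilities.add.

    A missing securityContext or capabilities block is fine (conditional
    anchors do not fire). An `add` key of any value, including an empty
    list, matches the negation anchor and therefore violates the rule.
    """
    sc = container.get("securityContext")
    if not isinstance(sc, dict):
        return False
    caps = sc.get("capabilities")
    if not isinstance(caps, dict):
        return False
    return "add" in caps


def validate_pod(pod: dict[str, Any]) -> list[str]:
    """Return names of containers violating the rule (empty list = pass)."""
    spec = pod.get("spec", {})
    return [
        c.get("name", "<unnamed>")
        for c in spec.get("containers", [])
        if container_adds_capabilities(c)
    ]


# Constructed sample manifests (hypothetical, not from the Kyverno repo).
POD_PLAIN = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "plain"},
    "spec": {"containers": [{"name": "app", "image": "nginx"}]},
}

# Dropping capabilities is allowed: only `add` is forbidden.
POD_DROP_ONLY = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "drop-only"},
    "spec": {"containers": [{
        "name": "app", "image": "nginx",
        "securityContext": {"capabilities": {"drop": ["ALL"]}},
    }]},
}

# One compliant container and one that adds a capability.
POD_ADDS_CAP = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "adds-cap"},
    "spec": {"containers": [
        {"name": "sidecar", "image": "busybox"},
        {"name": "app", "image": "nginx",
         "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
    ]},
}

if __name__ == "__main__":
    for pod in (POD_PLAIN, POD_DROP_ONLY, POD_ADDS_CAP):
        bad = validate_pod(pod)
        verdict = "fail: " + ", ".join(bad) if bad else "pass"
        print(f"{pod['metadata']['name']}: {verdict}")
```

Two details of the YAML matter when deploying it: `validationFailureAction: audit` only records violations in policy reports, so switch it to `enforce` to have the admission request rejected, and the `pod-policies.kyverno.io/autogen-controllers: none` annotation turns off Kyverno's automatic generation of matching rules for workload controllers, so as written the rule is evaluated against `Pod` resources only.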