add drop all policy

2025-03-13 19:28:55 +00:00 · 2020-12-01 10:37:46 -05:00 · 2020-12-01 10:37:46 -05:00 · 42b101d8b3
commit 42b101d8b3
parent b0177625c7
3 changed files with 83 additions and 0 deletions
--- a/samples/README.md
+++ b/samples/README.md
@ -44,6 +44,7 @@ These policies provide additional best practices and are worthy of close conside
 1. [Ensure Pod `livenessProbe` and `readinessProbe` are different](EnsurePodProbesDifferent.md)
 1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md)
 1. [Add default labels](AddDefaultLabels.md)
+1. [Require all Pods drop all capabilities](RequirePodsDropAll.md)

 ## Miscellaneous Policies

--- a/samples/RequirePodsDropAll.md
+++ b/samples/RequirePodsDropAll.md
@ -0,0 +1,49 @@
+# Require Pods Drop All Capabilities
+
+Containers may optionally ask for specific Linux capabilities without requiring root on the node. As a security best practice, containers should only specify exactly which capabilities they need. This starts with dropping all capabilities and only selectively adding ones back.
+
+This example policy requires that all containers drop all capabilities.
+
+## More information
+
+* [Set Capabilities for a Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container)
+
+## Policy YAML
+
+[require_drop_all.yaml](more/require_drop_all.yaml)
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: drop-all-capabilities
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: drop-all-containers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Drop all must be defined for every container in the Pod."
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              capabilities:
+                drop: ["ALL"]
+  - name: drop-all-initcontainers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Drop all must be defined for every container in the Pod."
+      pattern:
+        spec:
+          initContainers:
+          - securityContext:
+              capabilities:
+                drop: ["ALL"]
+```
--- a/samples/more/require_drop_all.yaml
+++ b/samples/more/require_drop_all.yaml
@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: drop-all-capabilities
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: drop-all-containers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Drop all must be defined for every container in the Pod."
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              capabilities:
+                drop: ["ALL"]
+  - name: drop-all-initcontainers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Drop all must be defined for every container in the Pod."
+      pattern:
+        spec:
+          initContainers:
+          - securityContext:
+              capabilities:
+                drop: ["ALL"]