add YAML and description

2025-03-31 03:45:17 +00:00 · 2019-10-31 18:40:54 -07:00 · 2019-10-31 18:40:54 -07:00 · eebfab87e5
commit eebfab87e5
parent bf196be7a2
2 changed files with 69 additions and 0 deletions
--- a/samples/DisallowNewCapabilities.md
+++ b/samples/DisallowNewCapabilities.md
@ -0,0 +1,38 @@
+# Disallow new capabilities
+
+Linux allows defining fine-grained permissions using
+capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+level of kernel access and allow other potentially dangerous behaviors. This policy 
+enforces that pods cannot add new capabilities. Other policies can be used to set 
+default capabilities. 
+
+## Policy YAML
+
+[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-new-capabilities
+spec:
+  rules:
+  - name: deny-new-capabilities
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Capabilities cannot be added"
+      anyPattern:
+      - spec:
+          securityContext:
+            capabilities:
+              X(add): null    
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              (capabilities):
+                X(add): null
+````
--- a/samples/best_practices/disallow_new_capabilities.yaml
+++ b/samples/best_practices/disallow_new_capabilities.yaml
@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-new-capabilities
+  annotations:
+    policies.kyverno.io/category: Security Context
+    policies.kyverno.io/description: Linux allows defining fine-grained permissions using
+      capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+      level of kernel access and allow other potentially dangerous behaviors. This policy 
+      enforces that pods cannot add new capabilities. Other policies can be used to set 
+      default capabilities. 
+spec:
+  rules:
+  - name: deny-new-capabilities
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Capabilities cannot be added"
+      anyPattern:
+      - spec:
+          securityContext:
+            capabilities:
+              X(add): null    
+      - spec:
+          containers:
+          - name: "*"
+            securityContext:
+              (capabilities):
+                X(add): null