From eebfab87e5d3df74da485a382f982090786d85da Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Thu, 31 Oct 2019 18:40:54 -0700
Subject: [PATCH] add YAML and description
---
 samples/DisallowNewCapabilities.md | 38 +++++++++++++++++++
 .../disallow_new_capabilities.yaml | 31 +++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 samples/DisallowNewCapabilities.md
 create mode 100644 samples/best_practices/disallow_new_capabilities.yaml
diff --git a/samples/DisallowNewCapabilities.md b/samples/DisallowNewCapabilities.md
new file mode 100644
index 0000000000..a6aa3be642
--- /dev/null
+++ b/samples/DisallowNewCapabilities.md
@@ -0,0 +1,38 @@
+# Disallow new capabilities
+
+Linux allows defining fine-grained permissions using
+capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+level of kernel access and allow other potentially dangerous behaviors. This policy
+enforces that pods cannot add new capabilities. Other policies can be used to set
+default capabilities.
+
+## Policy YAML
+
+[disallow_new_capabilities.yaml](best_practices/disallow_new_capabilities.yaml)
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-new-capabilities
+spec:
+ rules:
+ - name: deny-new-capabilities
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Capabilities cannot be added"
+ anyPattern:
+ - spec:
+ securityContext:
+ capabilities:
+ X(add): null
+ - spec:
+ containers:
+ - name: "*"
+ securityContext:
+ (capabilities):
+ X(add): null
+````
diff --git a/samples/best_practices/disallow_new_capabilities.yaml b/samples/best_practices/disallow_new_capabilities.yaml
new file mode 100644
index 0000000000..d197ca4ac7
--- /dev/null
+++ b/samples/best_practices/disallow_new_capabilities.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-new-capabilities
+ annotations:
+ policies.kyverno.io/category: Security Context
+ policies.kyverno.io/description: Linux allows defining fine-grained permissions using
+ capabilities. With Kubernetes, it is possible to add capabilities that escalate the
+ level of kernel access and allow other potentially dangerous behaviors. This policy
+ enforces that pods cannot add new capabilities. Other policies can be used to set
+ default capabilities.
+spec:
+ rules:
+ - name: deny-new-capabilities
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Capabilities cannot be added"
+ anyPattern:
+ - spec:
+ securityContext:
+ capabilities:
+ X(add): null
+ - spec:
+ containers:
+ - name: "*"
+ securityContext:
+ (capabilities):
+ X(add): null
\ No newline at end of file
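Review bot: The second `anyPattern` entry only walks `spec.containers`, so a Pod that adds capabilities under `spec.initContainers[*].securityContext.capabilities.add` is not caught by this rule even though init containers run with the same kernel access as app containers. The first entry keys on `spec.securityContext.capabilities`, a field that does not exist on the Pod-level security context (capabilities are container-scoped), so it can never match and only the container pattern does any work; since `anyPattern` passes when either entry matches, adding a separate init-container pattern would not close the gap, because a Pod with clean containers would still pass through the container entry. `securityContext` in the container pattern is also not wrapped in a conditional anchor the way `(capabilities)` is, so a container that omits `securityContext` entirely may fail the pattern and be denied; that depends on the anchor semantics of the kyverno.io/v1alpha1 engine and is worth confirming with a test Pod. A single pattern that covers both container lists with the conditional-anchor style already used in the hunk would address both points, and the `\ No newline at end of file` marker is a minor nit to fix while here.
```yaml
      validate:
        message: "Capabilities cannot be added"
        anyPattern:
          - spec:
              containers:
                - name: "*"
                  (securityContext):
                    (capabilities):
                      X(add): null
              (initContainers):
                - name: "*"
                  (securityContext):
                    (capabilities):
                      X(add): null
```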