---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Privileged containers are defined as any container
      where the container uid 0 is mapped to the host’s uid 0. A process within a
      privileged container can get unrestricted host access. With `securityContext.allowPrivilegeEscalation`
      enabled, a process can gain privileges from its parent.
  name: disallow-privileged
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-privileged
    validate:
      message: Privileged mode is not allowed. Set privileged to false
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(privileged): false
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-allowPrivilegeEscalation
    validate:
      message: Privileged mode is not allowed. Set allowPrivilegeEscalation to false
      pattern:
        spec:
          containers:
          - securityContext:
              allowPrivilegeEscalation: false
  validationFailureAction: Audit