apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: disallow-privilege-escalation status: autogen: rules: - celPreconditions: - expression: has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod == 'true' name: Only for prod match: any: - resources: kinds: - DaemonSet - Deployment - Job - ReplicaSet - ReplicationController - StatefulSet operations: - CREATE - UPDATE resources: {} name: autogen-privilege-escalation skipBackgroundRequests: true validate: allowExistingViolations: true cel: expressions: - expression: object.spec.template.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false) message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`. failureAction: Enforce - celPreconditions: - expression: has(object.spec.jobTemplate.spec.template.metadata.labels) && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true' name: Only for prod match: any: - resources: kinds: - CronJob operations: - CREATE - UPDATE resources: {} name: autogen-cronjob-privilege-escalation skipBackgroundRequests: true validate: allowExistingViolations: true cel: expressions: - expression: object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false) message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`. failureAction: Enforce