apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation
spec:
  rules:
    - name: privilege-escalation
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
              - CREATE
              - UPDATE
      celPreconditions:
        - name: "Only for prod"  
          expression: "has(object.metadata.labels) && has(object.metadata.labels.prod) && object.metadata.labels.prod == 'true'"
      validate:
        failureAction: Enforce
        cel:
          expressions:
            - expression: >- 
                object.spec.containers.all(container, has(container.securityContext) &&
                has(container.securityContext.allowPrivilegeEscalation) &&
                container.securityContext.allowPrivilegeEscalation == false)
              message: >-
                Privilege escalation is disallowed. The field
                spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.