apiVersion: kyverno.io/v2alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-privilege-escalation
status:
  autogen:
    rules:
    - matchConditions:
      - expression: has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
          && object.spec.template.metadata.labels.prod == 'true'
        name: check-prod-label
      matchConstraints:
        resourceRules:
        - apiGroups:
          - apps
          apiVersions:
          - v1
          operations:
          - CREATE
          - UPDATE
          resources:
          - deployments
          - statefulsets
      validations:
      - expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
          && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
          == false)
        message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
          must be set to `false`.