# Kyverno ValidatingPolicy "disallow-privilege-escalation".
# Only the `status.autogen` block is present here: these are the rules Kyverno
# derives from the policy's own spec rule (not shown) so that the Pod-level
# allowPrivilegeEscalation check also applies to Pod controllers.
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-privilege-escalation
status:
  autogen:
    rules:
      # Rule derived for apps/v1 workloads.
      # The matchCondition reads: "not one of the listed kinds" OR "the pod
      # template carries the label prod: 'true'".  A Deployment whose template
      # has no prod label therefore fails the condition and is not validated.
      # NOTE(review): the condition names Deployment/ReplicaSet/StatefulSet/
      # DaemonSet, but resourceRules below only match `deployments`; presumably
      # the autogen configuration was limited to deployments — verify.
      # NOTE(review): Kubernetes objects expose `kind` (lower-case); `object.Kind`
      # may not resolve in CEL at admission time — confirm this is what autogen
      # actually emits.
      - matchConditions:
          - expression: "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod == 'true'"
            name: autogen-check-prod-label
        matchConstraints:
          resourceRules:
            - apiGroups:
                - apps
              apiVersions:
                - v1
              operations:
                - CREATE
                - UPDATE
              resources:
                - deployments
        validations:
          # Every entry in the pod template's `containers` must set
          # securityContext.allowPrivilegeEscalation explicitly to false.
          # Only `containers` is inspected; initContainers and
          # ephemeralContainers are not covered by this expression.
          # The message still refers to the Pod-level path
          # (spec.containers[*]) — presumably copied from the source rule.
          - expression: object.spec.template.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false)
            message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
      # Rule derived for batch/v1 CronJobs; same label gate, applied to the
      # job template's pod template.
      - matchConditions:
          - expression: "!(object.Kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels) && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true'"
            name: autogen-cronjobs-check-prod-label
        matchConstraints:
          resourceRules:
            - apiGroups:
                - batch
              apiVersions:
                - v1
              operations:
                - CREATE
                - UPDATE
              resources:
                - cronjobs
        validations:
          # NOTE(review): this path contains `spec.template.spec.template.spec`.
          # The matchCondition above locates the CronJob pod template at
          # spec.jobTemplate.spec.template, so the containers list would be at
          # spec.jobTemplate.spec.template.spec.containers.  It looks as if the
          # CronJob rewrite was applied on top of the Deployment-rewritten
          # expression rather than the original; if so, `.all(...)` never sees
          # the real containers and the check is ineffective for CronJobs —
          # confirm against the autogen implementation before relying on it.
          - expression: object.spec.jobTemplate.spec.template.spec.template.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation == false)
            message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.