kyverno/test/conformance/chainsaw/autogen/cel-preconditions/check-autogen.yaml


---
# Expected `status.autogen` content for the chainsaw autogen/cel-preconditions
# conformance test. Judging by the path and the top-level `status:` key, this
# file is the assertion: after the disallow-privilege-escalation ClusterPolicy
# is admitted, Kyverno's autogen should have derived the two rules below from
# the (not shown) Pod-level rule. Every value here is expected generator
# output, so it must match what Kyverno emits exactly -- do not "fix" the
# expressions or messages in this file without changing the generator too.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privilege-escalation
status:
  autogen:
    rules:
      # Rule 1: Pod controllers whose pod template sits at spec.template.
      - name: autogen-privilege-escalation
        # Gate: the rule runs only when the pod template carries the label
        # prod="true" (label values are strings, hence the CEL string literal).
        # Templates without that label are not evaluated at all -- the policy
        # deliberately leaves non-prod workloads unchecked.
        celPreconditions:
          - name: Only for prod
            expression: >-
              has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
              && object.spec.template.metadata.labels.prod == 'true'
        match:
          any:
            - resources:
                kinds:
                  - DaemonSet
                  - Deployment
                  - Job
                  - ReplicaSet
                  - ReplicationController
                  - StatefulSet
                # Admission operations only; DELETE and CONNECT are not matched.
                operations:
                  - CREATE
                  - UPDATE
          # Empty flat (legacy) resource selector that appears next to `any`
          # in the serialised status; presumably emitted by the generator.
          resources: {}
        # Admission-time only: the generated rule is not applied by background
        # scans, so existing violating workloads are not reported by it.
        skipBackgroundRequests: true
        validate:
          # NOTE(review): with allowExistingViolations an UPDATE to an object that
          # already violated the rule is let through -- confirm that is the
          # intended posture for a privilege-escalation control.
          allowExistingViolations: true
          failureAction: Enforce
          cel:
            expressions:
              # The expression inspects `containers` only; initContainers and
              # ephemeralContainers are not referenced, so they are not covered.
              - expression: >-
                  object.spec.template.spec.containers.all(container, has(container.securityContext)
                  && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
                  == false)
                # The message still names the Pod-level path spec.containers[*]
                # although this rule checks spec.template.spec.containers[*];
                # this is how the generated rule reads and is asserted as such.
                message: >-
                  Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
                  must be set to `false`.

      # Rule 2: CronJob, whose pod template sits at spec.jobTemplate.spec.template.
      - name: autogen-cronjob-privilege-escalation
        # Same prod="true" label gate as rule 1, rebased on the CronJob template path.
        celPreconditions:
          - name: Only for prod
            expression: >-
              has(object.spec.jobTemplate.spec.template.metadata.labels) &&
              has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod
              == 'true'
        match:
          any:
            - resources:
                kinds:
                  - CronJob
                operations:
                  - CREATE
                  - UPDATE
          resources: {}
        # Admission-time only, as in rule 1.
        skipBackgroundRequests: true
        validate:
          # NOTE(review): same existing-violation caveat as rule 1.
          allowExistingViolations: true
          failureAction: Enforce
          cel:
            expressions:
              # Again only `containers` is checked, not initContainers/ephemeralContainers.
              - expression: >-
                  object.spec.jobTemplate.spec.template.spec.containers.all(container,
                  has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
                  && container.securityContext.allowPrivilegeEscalation == false)
                # Pod-level path in the message, as in rule 1.
                message: >-
                  Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
                  must be set to `false`.