Disallow Add Capabilities
Linux capabilities grant individual privileged operations (for example CAP_NET_ADMIN or CAP_SYS_TIME) without granting full root. Adding capabilities beyond the container runtime's default set must not be allowed. This policy ensures that Pods cannot add capabilities through securityContext.capabilities.add on their containers or init containers. As defined below the policy runs with validationFailureAction: audit, so violations are reported in the PolicyReport but not blocked; set it to enforce to reject non-compliant Pods at admission. Note also that the pattern matches spec.containers and spec.initContainers only, so capabilities added on spec.ephemeralContainers are not caught by this rule.
Policy Definition
/pod-security/baseline/disallow-adding-capabilities/disallow-adding-capabilities.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-add-capabilities
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access.
      Adding capabilities beyond the default set must not be allowed. This policy
      ensures users cannot add any additional capabilities to a Pod.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: capabilities
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Adding of additional capabilities beyond the default set is not allowed.
        The fields spec.containers[*].securityContext.capabilities.add and
        spec.initContainers[*].securityContext.capabilities.add must be empty.
      pattern:
        spec:
          containers:
          - =(securityContext):
              =(capabilities):
                X(add): "null"
          =(initContainers):
          - =(securityContext):
              =(capabilities):
                X(add): "null"
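To see what the pattern above accepts and rejects without a cluster, the following added example (not part of the Kyverno policy library, and not Kyverno's own engine) mirrors the rule's logic in plain Python: the `=(securityContext)` and `=(capabilities)` conditional anchors only descend when those maps exist, and the `X(add)` negation anchor fails whenever the `add` key is present at all. The Pod manifests are constructed sample input; the optional `container_fields` parameter is an assumption of this script used to show that the policy as written ignores `spec.ephemeralContainers`.

```python
"""Offline mirror of the disallow-add-capabilities check.

Added illustration, not Kyverno's engine or the policy library's code: it
walks the same fields the policy pattern covers (spec.containers[*] and
spec.initContainers[*]) and reports any securityContext.capabilities.add
key it finds. The Pod manifests below are constructed sample input.
"""
import json

# Fields the policy pattern inspects. ephemeralContainers is deliberately
# absent, because the policy as written does not match it; pass an extended
# tuple (assumed parameter of this script) to see what a broader pattern catches.
POLICY_CONTAINER_FIELDS = ("containers", "initContainers")


def find_added_capabilities(pod, container_fields=POLICY_CONTAINER_FIELDS):
    """Return [(json_path, [caps]), ...] for each container that sets capabilities.add.

    Mirrors the pattern's anchors: =(securityContext) and =(capabilities) only
    descend when those maps exist, and X(add) fails whenever the 'add' key is
    present at all, so 'add: []' is still a finding. An empty result means the
    Pod would pass the rule.
    """
    findings = []
    spec = pod.get("spec") or {}
    for field in container_fields:
        for index, container in enumerate(spec.get(field) or []):
            security_context = container.get("securityContext") or {}
            capabilities = security_context.get("capabilities") or {}
            if "add" in capabilities:
                path = f"spec.{field}[{index}].securityContext.capabilities.add"
                findings.append((path, list(capabilities["add"] or [])))
    return findings


def evaluate(pod, container_fields=POLICY_CONTAINER_FIELDS):
    """Return (passed, message) in the spirit of the policy's validate.message."""
    findings = find_added_capabilities(pod, container_fields)
    if not findings:
        return True, "pass: no container adds capabilities"
    detail = "; ".join(f"{path}={caps}" for path, caps in findings)
    return False, ("fail: adding of additional capabilities beyond the default "
                   f"set is not allowed ({detail})")


# Constructed sample manifests in the JSON form the API server receives.
COMPLIANT_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "drops-all"},
  "spec": {"containers": [{"name": "app", "image": "nginx",
    "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}
}""")

VIOLATING_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "adds-net-admin"},
  "spec": {
    "initContainers": [{"name": "setup", "image": "busybox",
      "securityContext": {"capabilities": {"add": ["SYS_TIME"]}}}],
    "containers": [{"name": "app", "image": "nginx",
      "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}
}""")

# Passes the policy as written even though it adds a capability, because the
# pattern never looks at spec.ephemeralContainers.
EPHEMERAL_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-target"},
  "spec": {
    "containers": [{"name": "app", "image": "nginx"}],
    "ephemeralContainers": [{"name": "debugger", "image": "busybox",
      "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}}]}
}""")

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD, EPHEMERAL_POD):
        print(pod["metadata"]["name"], evaluate(pod)[1])
    # Same ephemeral Pod, checked with ephemeralContainers included.
    print("debug-target (extended)",
          evaluate(EPHEMERAL_POD, POLICY_CONTAINER_FIELDS + ("ephemeralContainers",))[1])
```

Running the script shows `drops-all` passing, `adds-net-admin` failing on both the init container and the main container, and `debug-target` passing under the policy's fields but failing once `ephemeralContainers` is included. Against a real cluster the equivalent check is `kyverno apply disallow-adding-capabilities.yaml --resource pod.yaml`; the script only reproduces the pattern's decision, not Kyverno's reporting or mutation behaviour.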