Disallow Add Capabilities

Linux capabilities permit privileged actions without granting full root access. Adding capabilities beyond the container runtime's default set must not be allowed. This policy ensures that no container in a Pod can request additional capabilities: the pattern checks spec.containers[*] and, when present, spec.initContainers[*] and fails if securityContext.capabilities.add is set on any of them. Note that the definition below ships with validationFailureAction set to audit, so violations are only reported while the Pod is still admitted; change it to enforce to reject offending Pods.

Policy Definition

/pod-security/baseline/disallow-adding-capabilities/disallow-adding-capabilities.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-add-capabilities
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Capabilities permit privileged actions without giving full root access.
      Adding capabilities beyond the default set must not be allowed. This policy
      ensures users cannot add any additional capabilities to a Pod.
spec:
  # audit only reports violations; use enforce to reject the Pod at admission
  validationFailureAction: audit
  background: true
  rules:
    - name: capabilities
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Adding of additional capabilities beyond the default set is not allowed.
          The fields spec.containers[*].securityContext.capabilities.add and
          spec.initContainers[*].securityContext.capabilities.add must be empty.
        pattern:
          spec:
            containers:
              # =(field): evaluate the nested pattern only when the field is present
              - =(securityContext):
                  =(capabilities):
                    # X(field): the field must not be present; "null" is a placeholder value
                    X(add): "null"
            =(initContainers):
              - =(securityContext):
                  =(capabilities):
                    X(add): "null"
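To see exactly what the pattern above does and does not catch, here is an added Python emulation of its logic, written for this page and not part of the Kyverno project or its CLI. It mirrors the anchor semantics (=() skips the nested check when the field is absent, X() fails as soon as the key is present) and the audit/enforce distinction, and runs it over a few constructed Pod manifests, including one that adds a capability on an ephemeralContainer, a list the policy pattern does not inspect. Pod names, images and the helper `_pod` are assumptions for illustration.

```python
from typing import Any, Dict, List, Tuple

# The container lists the policy pattern inspects. spec.ephemeralContainers is
# not among them; pass an extended tuple to see the difference.
POLICY_CHECKED_LISTS: Tuple[str, ...] = ("containers", "initContainers")


def find_added_capabilities(pod: Dict[str, Any],
                            lists: Tuple[str, ...] = POLICY_CHECKED_LISTS) -> List[str]:
    """Mirror the validate pattern: =(securityContext) and =(capabilities) only
    descend when the field exists; X(add) fails as soon as the 'add' key is
    present, whatever its value. Returns one message per offending container."""
    violations: List[str] = []
    spec = pod.get("spec") or {}
    for list_name in lists:
        for idx, container in enumerate(spec.get(list_name) or []):
            sc = container.get("securityContext")
            if not isinstance(sc, dict):          # =(securityContext) absent: skip
                continue
            caps = sc.get("capabilities")
            if not isinstance(caps, dict):        # =(capabilities) absent: skip
                continue
            if "add" in caps:                     # X(add): key must not exist
                name = container.get("name", "?")
                violations.append(
                    f"spec.{list_name}[{idx}] ({name}): capabilities.add={caps['add']!r}")
    return violations


def admit(pod: Dict[str, Any], validation_failure_action: str = "audit") -> Dict[str, Any]:
    """audit: report violations but admit the Pod. enforce: reject on any violation."""
    violations = find_added_capabilities(pod)
    allowed = not violations or validation_failure_action.lower() == "audit"
    return {"allowed": allowed, "violations": violations}


# Constructed sample Pods (assumed for this example, not taken from the page).
def _pod(name: str, containers=None, init_containers=None, ephemeral=None) -> Dict[str, Any]:
    spec: Dict[str, Any] = {"containers": containers or [{"name": "app", "image": "nginx"}]}
    if init_containers:
        spec["initContainers"] = init_containers
    if ephemeral:
        spec["ephemeralContainers"] = ephemeral
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


POD_CLEAN = _pod("clean", [{"name": "app", "image": "nginx",
                            "securityContext": {"capabilities": {"drop": ["ALL"]}}}])
POD_ADDS_NET_ADMIN = _pod("net-admin", [{"name": "app", "image": "nginx",
                                         "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}])
POD_INIT_ADDS = _pod("init-adds", init_containers=[
    {"name": "setup", "image": "busybox",
     "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}])
POD_EPHEMERAL_ADDS = _pod("debug", ephemeral=[
    {"name": "dbg", "image": "busybox",
     "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}}])


if __name__ == "__main__":
    for pod in (POD_CLEAN, POD_ADDS_NET_ADMIN, POD_INIT_ADDS, POD_EPHEMERAL_ADDS):
        for action in ("audit", "enforce"):
            result = admit(pod, action)
            print(f"{pod['metadata']['name']:<10} {action:<7} allowed={result['allowed']} "
                  f"violations={result['violations']}")
    # The ephemeral-container case is only caught when that list is checked too.
    print(find_added_capabilities(POD_EPHEMERAL_ADDS,
                                  POLICY_CHECKED_LISTS + ("ephemeralContainers",)))
```

The last call is the practitioner's caveat: a Pod that adds SYS_PTRACE on an ephemeral container (for instance via `kubectl debug`) passes the pattern as written, because only containers and initContainers are listed; extending the pattern with an `=(ephemeralContainers)` block mirroring the initContainers one closes that gap.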