Disallow Privileged Containers
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.
Policy Definition
/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Privileged mode disables most security mechanisms and must not be allowed. This policy
      ensures Pods do not call for privileged mode.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: priviledged-containers
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
          and spec.initContainers[*].securityContext.privileged must not be set to true.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
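To make the pattern's semantics concrete, the following is an added example (not code from the Kyverno project) that re-implements the rule's check in Python: the `=(field)` conditional anchors mean a container that omits `securityContext` or `privileged` passes, while `privileged: true` anywhere in `containers` or `initContainers` is reported with its field path, and the `validationFailureAction` setting decides whether that report blocks admission. The sample Pods are constructed for the demonstration.

```python
# Added example, not part of the Kyverno policy repository. It mirrors the
# pattern above: `=(key)` anchors validate a field only when it is present.

def find_privileged_violations(pod: dict) -> list[str]:
    """Return field paths set to privileged: true, as the policy message names them."""
    violations = []
    spec = pod.get("spec", {})
    # initContainers is optional (conditional anchor); containers always exists in a Pod.
    for list_name in ("initContainers", "containers"):
        for idx, container in enumerate(spec.get(list_name) or []):
            sc = container.get("securityContext")
            if not sc:  # absent securityContext: the anchored sub-pattern is skipped
                continue
            if sc.get("privileged") is True:  # absent or false is allowed
                violations.append(f"spec.{list_name}[{idx}].securityContext.privileged")
    return violations


def evaluate(pod: dict, failure_action: str = "audit") -> dict:
    """Mirror validationFailureAction: 'audit' only records, 'enforce' rejects."""
    violations = find_privileged_violations(pod)
    allowed = not violations or failure_action == "audit"
    return {"allowed": allowed, "violations": violations}


# Constructed sample Pods for the demonstration.
POD_OK = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
          "spec": {"containers": [{"name": "app", "image": "nginx",
                                   "securityContext": {"runAsNonRoot": True}}]}}
POD_BAD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
           "spec": {"initContainers": [{"name": "init", "image": "busybox",
                                        "securityContext": {"privileged": True}}],
                    "containers": [{"name": "app", "image": "nginx"}]}}

if __name__ == "__main__":
    for pod in (POD_OK, POD_BAD):
        print(pod["metadata"]["name"], evaluate(pod, "enforce"))
```

With the policy as published (`validationFailureAction: audit`) the bad Pod is admitted but reported; switching to `enforce` rejects it.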