Disallow Privileged Containers

Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode.

Policy Definition

/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-privileged-containers
 5  annotations:
 6    policies.kyverno.io/category: Pod Security Standards (Baseline)
 7    policies.kyverno.io/severity: medium
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/description: >-
10      Privileged mode disables most security mechanisms and must not be allowed. This policy
11      ensures Pods do not call for privileged mode.      
12spec:
13  validationFailureAction: audit
14  background: true
15  rules:
16    - name: priviledged-containers
17      match:
18        resources:
19          kinds:
20            - Pod
21      validate:
22        message: >-
23          Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
24          and spec.initContainers[*].securityContext.privileged must not be set to true.          
25        pattern:
26          spec:
27            =(initContainers):
28              - =(securityContext):
29                  =(privileged): "false"
30            containers:
31              - =(securityContext):
32                  =(privileged): "false"
33

Create policy issue