Disallow SELinux

SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined.

Policy Definition

/pod-security/baseline/disallow-selinux/disallow-selinux.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  annotations:
    policies.kyverno.io/title: Disallow SELinux
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed. This policy
      ensures that the `seLinuxOptions` field is undefined.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: seLinux
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Setting custom SELinux options is disallowed. The fields
          spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions,
          and spec.initContainers[*].securityContext.seLinuxOptions must be empty.
        pattern:
          spec:
            =(securityContext):
              X(seLinuxOptions): "null"
            =(initContainers):
              - =(securityContext):
                  X(seLinuxOptions): "null"
            containers:
              - =(securityContext):
                  X(seLinuxOptions): "null"
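The pattern above uses two Kyverno anchors: `=(securityContext)` is a conditional anchor, so the nested check only runs when that block is present, and `X(seLinuxOptions): "null"` is a negation anchor, so the field must not exist at all. The checker below is an added example, not part of the Kyverno policy library, that applies the same three checks to a Pod manifest held as a plain dict and reports each location where the rule would fail; the two sample manifests are constructed for illustration.

```python
# Added example (not from the Kyverno policies repo): apply the disallow-selinux
# rule to a Pod manifest given as a dict and return the offending field paths.
# Assumption: the input is a Pod object, not a Deployment or other controller.

def find_selinux_options(pod):
    """Return the paths under spec where seLinuxOptions is set.

    Mirrors the policy pattern:
      =(securityContext)        -> only inspected when securityContext exists
      X(seLinuxOptions): "null" -> the key must be absent, whatever its value
    Pod-level securityContext, every initContainer, and every container are
    checked. An empty list means the Pod passes the policy.
    """
    spec = pod.get("spec", {})
    violations = []

    # spec.securityContext.seLinuxOptions (conditional anchor on securityContext)
    if "seLinuxOptions" in spec.get("securityContext", {}):
        violations.append("spec.securityContext.seLinuxOptions")

    # initContainers is optional in the pattern; containers is required in a Pod
    # spec, so a missing containers list is treated here as nothing to inspect.
    for field in ("initContainers", "containers"):
        for i, ctr in enumerate(spec.get(field, [])):
            if "seLinuxOptions" in ctr.get("securityContext", {}):
                violations.append(f"spec.{field}[{i}].securityContext.seLinuxOptions")
    return violations


# Constructed sample manifests (not taken from the page or any real cluster).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False}}],
    },
}

VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "initContainers": [{"name": "init", "image": "example/init:1.0",
                            "securityContext": {"seLinuxOptions": {"level": "s0:c1,c2"}}}],
        "containers": [{"name": "app", "image": "example/app:1.0",
                        "securityContext": {"seLinuxOptions": {"user": "system_u"}}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD):
        print(pod["metadata"]["name"], find_selinux_options(pod) or "passes")
```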