Disallow SELinux
SELinux options let a Pod request a custom SELinux user, role, type or level for its processes. A permissive type, or any label the container would not otherwise receive, weakens the mandatory access control confinement the node relies on and can be used to escalate privileges, so custom options should not be allowed. This policy, part of the Pod Security Standards Baseline profile, ensures that the `seLinuxOptions` field is undefined at the Pod level and on every container and init container. As published it uses `validationFailureAction: audit`, so violations are only recorded in policy reports; set it to `enforce` to reject non-compliant Pods. Two caveats: the pattern does not list `spec.ephemeralContainers`, which the Baseline standard also restricts, and requiring the field to be absent is stricter than the standard, which permits a small set of container types.
Policy Definition
/pod-security/baseline/disallow-selinux/disallow-selinux.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  annotations:
    policies.kyverno.io/title: Disallow SELinux
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed. This policy
      ensures that the `seLinuxOptions` field is undefined.
spec:
  # audit: report violations only; change to enforce to block admission
  validationFailureAction: audit
  # also evaluate Pods that already exist in the cluster
  background: true
  rules:
  - name: seLinux
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Setting custom SELinux options is disallowed. The fields
        spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions,
        and spec.initContainers[*].securityContext.seLinuxOptions must be empty.
      pattern:
        spec:
          # =(key): conditional anchor, checked only when the key is present
          =(securityContext):
            # X(key): negation anchor, the key must not exist at all
            X(seLinuxOptions): "null"
          =(initContainers):
          - =(securityContext):
              X(seLinuxOptions): "null"
          containers:
          - =(securityContext):
              X(seLinuxOptions): "null"
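To make the anchor semantics concrete, here is a small Python re-implementation of the check this policy encodes, run over constructed Pod manifests. It is an added example, not code from the Kyverno policy library or the Kyverno project, and it models the admission outcome under `audit` versus `enforce`. The manifests, the `spc_t` example type and the optional `ephemeralContainers` walk (which the published pattern does not perform) are assumptions made for the illustration.

```python
"""Added example: re-implement the disallow-selinux check outside Kyverno.

The policy's X() anchor tests for the *presence* of seLinuxOptions, so an
empty map ({}) is a violation just as a populated one is. The paths reported
match the three the policy message names, plus spec.ephemeralContainers[*]
when include_ephemeral=True (an extension the published pattern lacks).
"""
import json

# Constructed sample manifests (not from the page).
COMPLIANT_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
 "spec": {
   "securityContext": {"runAsNonRoot": true},
   "initContainers": [{"name": "init", "image": "busybox",
                       "securityContext": {"readOnlyRootFilesystem": true}}],
   "containers": [{"name": "app", "image": "nginx"}]}}
""")

# Pod-level level override, a container asking for spc_t (the unconfined
# "super privileged container" type), and a sidecar with an empty map.
VIOLATING_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "custom-selinux"},
 "spec": {
   "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}},
   "containers": [
     {"name": "app", "image": "nginx",
      "securityContext": {"seLinuxOptions": {"type": "spc_t"}}},
     {"name": "sidecar", "image": "envoy",
      "securityContext": {"seLinuxOptions": {}}}]}}
""")

# A debug container carrying seLinuxOptions; invisible to the published pattern.
EPHEMERAL_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debugged"},
 "spec": {
   "containers": [{"name": "app", "image": "nginx"}],
   "ephemeralContainers": [{"name": "debugger", "image": "busybox",
      "securityContext": {"seLinuxOptions": {"type": "spc_t"}}}]}}
""")


def selinux_violations(pod, include_ephemeral=False):
    """Return the path of every seLinuxOptions key present on the Pod."""
    spec = pod.get("spec") or {}
    found = []
    # spec.securityContext is optional (the =() anchor); check only if present.
    if "seLinuxOptions" in (spec.get("securityContext") or {}):
        found.append("spec.securityContext.seLinuxOptions")
    lists = ["initContainers", "containers"]
    if include_ephemeral:  # assumption: extend beyond the published pattern
        lists.append("ephemeralContainers")
    for key in lists:
        for i, container in enumerate(spec.get(key) or []):
            if "seLinuxOptions" in (container.get("securityContext") or {}):
                found.append(f"spec.{key}[{i}].securityContext.seLinuxOptions")
    return found


def admission_decision(pod, failure_action="audit", include_ephemeral=False):
    """Model validationFailureAction: audit admits and reports, enforce rejects.

    Returns (admitted, violations).
    """
    violations = selinux_violations(pod, include_ephemeral)
    if not violations:
        return True, violations
    return failure_action.lower() == "audit", violations


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD, EPHEMERAL_POD):
        for action in ("audit", "enforce"):
            admitted, paths = admission_decision(pod, action, include_ephemeral=True)
            print(pod["metadata"]["name"], action, "admitted" if admitted else "rejected", paths)
```

The empty-map sidecar is the case worth remembering: Kubernetes persists `seLinuxOptions: {}` as a present field, so it trips the X() anchor even though it sets no label.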