Deny Privilege Escalation

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` fields are either undefined or set to `false`.

Policy Definition

/pod-security/restricted/deny-privilege-escalation/deny-privilege-escalation.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-privilege-escalation
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
      This policy ensures the `allowPrivilegeEscalation` fields are either undefined
      or set to `false`.
spec:
  background: true
  validationFailureAction: audit
  rules:
  - name: deny-privilege-escalation
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Privilege escalation is disallowed. The fields
        spec.containers[*].securityContext.allowPrivilegeEscalation, and
        spec.initContainers[*].securityContext.allowPrivilegeEscalation must
        be undefined or set to `false`.
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(allowPrivilegeEscalation): "false"
          containers:
          - =(securityContext):
              =(allowPrivilegeEscalation): "false"
27        be undefined or set to `false`.        
28      pattern:
29        spec:
30          =(initContainers):
31          - =(securityContext):
32              =(allowPrivilegeEscalation): "false"
33          containers:
34          - =(securityContext):
35              =(allowPrivilegeEscalation): "false"
36