Deny Privilege Escalation
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` fields are either undefined or set to `false`.
Policy Definition
/pod-security/restricted/deny-privilege-escalation/deny-privilege-escalation.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-privilege-escalation
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
      This policy ensures the `allowPrivilegeEscalation` fields are either undefined
      or set to `false`.
spec:
  background: true
  validationFailureAction: audit
  rules:
  - name: deny-privilege-escalation
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Privilege escalation is disallowed. The fields
        spec.containers[*].securityContext.allowPrivilegeEscalation, and
        spec.initContainers[*].securityContext.allowPrivilegeEscalation must
        be undefined or set to `false`.
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(allowPrivilegeEscalation): "false"
          containers:
          - =(securityContext):
              =(allowPrivilegeEscalation): "false"
```
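To make the pattern's conditional-anchor semantics concrete, the following added example (not Kyverno's code) reimplements this rule in Python and runs it over three constructed Pod manifests: one with the field explicitly `false`, one that omits the field, and one initContainer that sets it to `true`. The `=()` anchor means a nested pattern is only evaluated when the key exists, so the omitted-field pod passes the audit.

```python
"""Minimal re-implementation of the deny-privilege-escalation pattern.

Added example, not part of Kyverno. Pod manifests below are constructed
for the demonstration. Semantics mirrored from the policy pattern:
  - spec.containers is required (no anchor); spec.initContainers is optional.
  - securityContext and allowPrivilegeEscalation carry =() conditional anchors:
    evaluated only when present; when present the value must be false.
"""
from typing import Dict, List, Tuple

CONTAINER_LISTS = ("initContainers", "containers")


def find_violations(pod: Dict) -> List[str]:
    """Return dotted paths of every allowPrivilegeEscalation that is not false."""
    violations = []
    spec = pod.get("spec", {})
    for list_name in CONTAINER_LISTS:
        containers = spec.get(list_name)
        if containers is None:
            if list_name == "containers":  # unanchored key: must be present
                violations.append("spec.containers (missing)")
            continue  # =(initContainers) anchor: absent list is fine
        for idx, container in enumerate(containers):
            sc = container.get("securityContext")
            if sc is None or "allowPrivilegeEscalation" not in sc:
                continue  # anchors not triggered: undefined field is allowed
            if sc["allowPrivilegeEscalation"] is not False:
                violations.append(
                    f"spec.{list_name}[{idx}].securityContext.allowPrivilegeEscalation")
    return violations


def validate(pod: Dict) -> Tuple[bool, str]:
    """Return (passed, message) in the spirit of the policy's validate.message."""
    found = find_violations(pod)
    if not found:
        return True, "pass"
    return False, "Privilege escalation is disallowed: " + ", ".join(found)


def _pod(containers, init_containers=None) -> Dict:
    spec = {"containers": containers}
    if init_containers is not None:
        spec["initContainers"] = init_containers
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": spec}


# Constructed sample manifests.
COMPLIANT = _pod([{"name": "app", "image": "app:1",
                   "securityContext": {"allowPrivilegeEscalation": False}}])
UNSET = _pod([{"name": "app", "image": "app:1"}])  # passes: field undefined
ESCALATING = _pod([{"name": "app", "image": "app:1"}],
                  init_containers=[{"name": "init", "image": "init:1",
                                    "securityContext": {"allowPrivilegeEscalation": True}}])
```

Note that the unset case passes this audit even though the kubelet does not set `no_new_privs` when the field is absent, so a container that omits it can still escalate; requiring the field to be present and `false` is the stricter choice. Kyverno's quoted `"false"` in the pattern matches the boolean value in the manifest; the Python version compares against the boolean directly.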