Disallow SELinux in CEL expressions
Custom SELinux options let a workload request a domain, user or role that is not confined the way ordinary containers are, which is a privilege-escalation path on SELinux-enforcing nodes. The Pod Security Standards Baseline profile therefore restricts them, and this policy implements that restriction with CEL expressions: `seLinuxOptions.type` must be unset or one of `container_t`, `container_init_t` or `container_kvm_t`, and `seLinuxOptions.user` and `seLinuxOptions.role` must be unset. The checks run against the pod-level `securityContext` and against every container, init container and ephemeral container, each location independently; `seLinuxOptions.level` is not restricted. As shipped the policy uses `validationFailureAction: Audit`, so violations are only reported; set it to `Enforce` to have the admission webhook reject the pod.
Policy Definition
/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  annotations:
    policies.kyverno.io/title: Disallow SELinux in CEL expressions
    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and are restricted by the
      Pod Security Standards Baseline profile. This policy ensures that
      `seLinuxOptions.type` is unset or one of container_t, container_init_t or
      container_kvm_t, and that `seLinuxOptions.user` and `seLinuxOptions.role`
      are unset, at the pod level and on every container, initContainer and
      ephemeralContainer.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: selinux-type
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seLinuxOptions) ||
                !has(object.spec.securityContext.seLinuxOptions.type) ||
                object.spec.securityContext.seLinuxOptions.type == 'container_t' ||
                object.spec.securityContext.seLinuxOptions.type == 'container_init_t' ||
                object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t'
              message: >-
                Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).

            - expression: >-
                object.spec.containers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                container.securityContext.seLinuxOptions.type == 'container_t' ||
                container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                container.securityContext.seLinuxOptions.type == 'container_kvm_t')
              message: >-
                Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).

            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                container.securityContext.seLinuxOptions.type == 'container_t' ||
                container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                container.securityContext.seLinuxOptions.type == 'container_kvm_t')
              message: >-
                Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).

            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                container.securityContext.seLinuxOptions.type == 'container_t' ||
                container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                container.securityContext.seLinuxOptions.type == 'container_kvm_t')
              message: >-
                Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
    - name: selinux-user-role
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seLinuxOptions) ||
                (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset.

            - expression: >-
                object.spec.containers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset.

            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset.

            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset.
```
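The eight CEL expressions above are repetitive, which makes it easy to misread what they collectively admit. The following Python is an added example, not Kyverno or CEL code from the policy above: it mirrors the two rules (`selinux-type` and `selinux-user-role`) over every `securityContext` the policy inspects so a manifest can be screened offline before it reaches admission. The pod manifests in `SAMPLE_PODS` and the helper `_pod` are constructed for illustration; the SELinux type and identity values they use (`spc_t`, `unconfined_t`, `system_u`, `system_r`, `sysadm_r`) are real labels chosen only to trigger each rule.

```python
"""Offline screen mirroring the disallow-selinux policy's two CEL rules.
Added example, not Kyverno code; SAMPLE_PODS are constructed inputs."""

# Only these seLinuxOptions.type values pass rule selinux-type. The policy
# never restricts `level`; `user` and `role` must be absent everywhere.
ALLOWED_TYPES = ("container_t", "container_init_t", "container_kvm_t")


def _selinux_options(security_context):
    """Return seLinuxOptions as a dict. A missing securityContext or a missing
    seLinuxOptions block counts as empty, mirroring the !has(...) short-circuits."""
    if not security_context:
        return {}
    return security_context.get("seLinuxOptions") or {}


def check_type(opts, path):
    """Rule selinux-type: type must be unset or in the allow list."""
    selinux_type = opts.get("type")
    if selinux_type is None or selinux_type in ALLOWED_TYPES:
        return None
    return (f"{path}.type must be unset or one of "
            f"{', '.join(ALLOWED_TYPES)} (got {selinux_type!r})")


def check_user_role(opts, path):
    """Rule selinux-user-role: neither user nor role may be set."""
    present = [field for field in ("user", "role") if field in opts]
    if not present:
        return None
    return f"{path}.{' and '.join(present)} must be unset"


def validate_pod(pod):
    """Evaluate every securityContext the policy inspects (pod level, then all
    containers, initContainers and ephemeralContainers, each independently) and
    return the violation messages; an empty list means the pod is admitted."""
    spec = pod.get("spec") or {}
    targets = [(spec.get("securityContext"), "spec.securityContext.seLinuxOptions")]
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for index, container in enumerate(spec.get(field) or []):
            targets.append((container.get("securityContext"),
                            f"spec.{field}[{index}].securityContext.seLinuxOptions"))
    violations = []
    for security_context, path in targets:
        opts = _selinux_options(security_context)
        for check in (check_type, check_user_role):
            message = check(opts, path)
            if message:
                violations.append(message)
    return violations


def _pod(name, pod_ctx=None, containers=None, init=None, ephemeral=None):
    """Build a minimal Pod dict (constructed test input, not a real workload)."""
    spec = {"containers": containers or [{"name": "app", "image": "busybox"}]}
    if pod_ctx is not None:
        spec["securityContext"] = pod_ctx
    if init:
        spec["initContainers"] = init
    if ephemeral:
        spec["ephemeralContainers"] = ephemeral
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name}, "spec": spec}


SAMPLE_PODS = {
    # No seLinuxOptions anywhere: both rules pass.
    "plain": _pod("plain"),
    # Allowed type at pod level plus an MCS level on the container: still admitted.
    "allowed": _pod("allowed",
                    pod_ctx={"seLinuxOptions": {"type": "container_init_t"}},
                    containers=[{"name": "app", "image": "busybox",
                                 "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}}}]),
    # spc_t (the privileged-container domain) is not in the allow list.
    "privileged-type": _pod("privileged-type",
                            containers=[{"name": "app", "image": "busybox",
                                         "securityContext": {"seLinuxOptions": {"type": "spc_t"}}}]),
    # An allowed type does not excuse user/role on the same options block.
    "user-role": _pod("user-role",
                      pod_ctx={"seLinuxOptions": {"type": "container_t",
                                                  "user": "system_u", "role": "system_r"}}),
    # initContainers and ephemeralContainers are inspected as well.
    "init-and-debug": _pod("init-and-debug",
                           init=[{"name": "setup", "image": "busybox",
                                  "securityContext": {"seLinuxOptions": {"type": "unconfined_t"}}}],
                           ephemeral=[{"name": "debug", "image": "busybox",
                                       "securityContext": {"seLinuxOptions": {"role": "sysadm_r"}}}]),
}


def screen(pods=SAMPLE_PODS):
    """Return {pod name: violation messages} for each pod in `pods`."""
    return {name: validate_pod(pod) for name, pod in pods.items()}


if __name__ == "__main__":
    for name, problems in screen().items():
        print(f"{name}: {'admitted' if not problems else 'DENIED'}")
        for problem in problems:
            print(f"  - {problem}")
```

Two behaviours worth noting are visible in the output: the `allowed` pod passes even though it sets `level`, because no rule looks at that field, and `user-role` is denied despite choosing an allowed `type`, because the two rules are independent and both must pass. To exercise the real policy rather than this mirror, feed the same manifests to the Kyverno CLI with `kyverno apply disallow-selinux.yaml --resource pod.yaml`, which reports pass/fail per rule without a cluster.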