Disallow SELinux in CEL expressions
SELinux options can be used to escalate privileges and should not be allowed. This policy is the CEL form of the Pod Security Standards baseline control for SELinux: `seLinuxOptions.type` must be unset or one of `container_t`, `container_init_t` or `container_kvm_t`, and `seLinuxOptions.user` and `seLinuxOptions.role` must be unset. The checks are applied to the pod-level `spec.securityContext` and to every entry in `spec.containers`, `spec.initContainers` and `spec.ephemeralContainers`; the `level` field is not restricted. As shipped, `validationFailureAction` is `Audit`, so non-compliant Pods are reported but still admitted; change it to `Enforce` to reject them. The rule matches `Pod`, and Kyverno's autogen extends it to the pod templates of workload controllers such as Deployments.
Policy Definition
/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  annotations:
    policies.kyverno.io/title: Disallow SELinux in CEL expressions
    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed. This policy
      ensures that `seLinuxOptions.type` is unset or one of container_t, container_init_t or
      container_kvm_t, and that `seLinuxOptions.user` and `seLinuxOptions.role` are unset, for the
      pod and for all containers, init containers and ephemeral containers.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: selinux-type
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          expressions:
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seLinuxOptions) ||
                !has(object.spec.securityContext.seLinuxOptions.type) ||
                object.spec.securityContext.seLinuxOptions.type == 'container_t' ||
                object.spec.securityContext.seLinuxOptions.type == 'container_init_t' ||
                object.spec.securityContext.seLinuxOptions.type == 'container_kvm_t'
              message: >-
                Setting the SELinux type is restricted. The field spec.securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).

            - expression: >-
                object.spec.containers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                container.securityContext.seLinuxOptions.type == 'container_t' ||
                container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                container.securityContext.seLinuxOptions.type == 'container_kvm_t')
              message: >-
                Setting the SELinux type is restricted. The field spec.containers[*].securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).

            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                container.securityContext.seLinuxOptions.type == 'container_t' ||
                container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                container.securityContext.seLinuxOptions.type == 'container_kvm_t')
              message: >-
                Setting the SELinux type is restricted. The field spec.initContainers[*].securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).

            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                container.securityContext.seLinuxOptions.type == 'container_t' ||
                container.securityContext.seLinuxOptions.type == 'container_init_t' ||
                container.securityContext.seLinuxOptions.type == 'container_kvm_t')
              message: >-
                Setting the SELinux type is restricted. The field spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
                must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
    - name: selinux-user-role
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        cel:
          expressions:
            - expression: >-
                !has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seLinuxOptions) ||
                (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.securityContext.seLinuxOptions.user and spec.securityContext.seLinuxOptions.role must be unset.

            - expression: >-
                object.spec.containers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.containers[*].securityContext.seLinuxOptions.user and spec.containers[*].securityContext.seLinuxOptions.role must be unset.

            - expression: >-
                !has(object.spec.initContainers) ||
                object.spec.initContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.initContainers[*].securityContext.seLinuxOptions.user and spec.initContainers[*].securityContext.seLinuxOptions.role must be unset.

            - expression: >-
                !has(object.spec.ephemeralContainers) ||
                object.spec.ephemeralContainers.all(container, !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields
                spec.ephemeralContainers[*].securityContext.seLinuxOptions.user and spec.ephemeralContainers[*].securityContext.seLinuxOptions.role must be unset.
```
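The two rules above, re-expressed in plain Python as an added example (this is not Kyverno's code and not the CEL engine): the `!has(...)` guards become "treat a missing securityContext or seLinuxOptions as empty", and the `all()` macros become a loop over each container list, so a Pod manifest can be checked offline and the offending path reported before the policy is switched to Enforce. The sample Pods, their names and images are constructed for this example.

```python
"""Offline emulation of the selinux-type and selinux-user-role rules.

Added example, not Kyverno's code: it mirrors the policy's CEL predicates in
plain Python so the outcome for a given Pod manifest can be checked before
the policy is deployed. The sample Pods below are constructed for this
example and do not come from the page.
"""
from typing import Any, Dict, List, Optional

# seLinuxOptions.type values the Pod Security Standards baseline allows.
ALLOWED_TYPES = {"container_t", "container_init_t", "container_kvm_t"}


def _selinux_options(ctx: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """seLinuxOptions from a securityContext, or {} when either is absent
    (the equivalent of the !has(...) guards in the CEL expressions)."""
    return (ctx or {}).get("seLinuxOptions") or {}


def _scopes(pod: Dict[str, Any]):
    """Yield (json path, securityContext) for every place the policy looks:
    the pod itself, then containers, initContainers and ephemeralContainers."""
    spec = pod.get("spec") or {}
    yield "spec.securityContext", spec.get("securityContext")
    for field in ("containers", "initContainers", "ephemeralContainers"):
        # A missing or empty list yields nothing, matching all() over an empty list.
        for i, container in enumerate(spec.get(field) or []):
            yield f"spec.{field}[{i}].securityContext", container.get("securityContext")


def check_selinux_type(pod: Dict[str, Any]) -> List[str]:
    """Rule selinux-type: type must be unset or one of ALLOWED_TYPES.
    Returns the offending paths (empty list means the rule passes)."""
    violations = []
    for path, ctx in _scopes(pod):
        opts = _selinux_options(ctx)
        if "type" in opts and opts["type"] not in ALLOWED_TYPES:
            violations.append(f"{path}.seLinuxOptions.type={opts['type']!r}")
    return violations


def check_selinux_user_role(pod: Dict[str, Any]) -> List[str]:
    """Rule selinux-user-role: user and role must both be unset."""
    violations = []
    for path, ctx in _scopes(pod):
        opts = _selinux_options(ctx)
        for key in ("user", "role"):
            if key in opts:
                violations.append(f"{path}.seLinuxOptions.{key}={opts[key]!r}")
    return violations


def evaluate(pod: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each failing rule name to its violations; {} means the Pod is admitted."""
    findings = {
        "selinux-type": check_selinux_type(pod),
        "selinux-user-role": check_selinux_user_role(pod),
    }
    return {rule: paths for rule, paths in findings.items() if paths}


def _pod(name: str, **spec: Any) -> Dict[str, Any]:
    """Build a minimal Pod manifest dict from keyword spec fields (constructed data)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed sample Pods covering the paths the policy inspects.
SAMPLE_PODS = {
    # Allowed type at pod level; only the unrestricted 'level' field on the container.
    "compliant": _pod(
        "ok",
        securityContext={"seLinuxOptions": {"type": "container_t"}},
        containers=[{"name": "app", "image": "nginx",
                     "securityContext": {"seLinuxOptions": {"level": "s0:c123,c456"}}}],
    ),
    # spc_t (the super privileged container type) on an init container.
    "privileged-init-type": _pod(
        "init-spc",
        containers=[{"name": "app", "image": "nginx"}],
        initContainers=[{"name": "setup", "image": "busybox",
                         "securityContext": {"seLinuxOptions": {"type": "spc_t"}}}],
    ),
    # user and role set on an ephemeral (debug) container.
    "debug-user-role": _pod(
        "debug",
        containers=[{"name": "app", "image": "nginx"}],
        ephemeralContainers=[{"name": "dbg", "image": "busybox",
                              "securityContext": {"seLinuxOptions": {"user": "system_u",
                                                                     "role": "system_r"}}}],
    ),
}


if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(name, evaluate(pod) or "admitted")
```

The compliant Pod passes even though it sets `level`, which the policy does not inspect; the other two fail on exactly one rule each, with the path in the message pointing at the init or ephemeral container. For the authoritative result use the Kyverno CLI (`kyverno apply disallow-selinux.yaml --resource pod.yaml`), which evaluates the real CEL expressions; the emulation is only for reasoning about what the rules cover.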