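apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sazurecontainernoprivilegeescalation
spec:
  crd:
    spec:
      names:
        kind: K8sAzureContainerNoPrivilegeEscalation
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sazurecontainernoprivilegeescalation

        # Deny any container in the reviewed Pod spec that does not explicitly
        # set securityContext.allowPrivilegeEscalation to false.
        # An absent field is a violation on purpose: only an explicit `false`
        # proves the escalation path (setuid binaries, file capabilities) was
        # closed; an unset field is not treated as false by this policy.
        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          input_allow_privilege_escalation(c)
          msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
        }

        # Case 1: the container carries no securityContext at all.
        input_allow_privilege_escalation(c) {
          not has_field(c, "securityContext")
        }

        # Case 2: securityContext exists but allowPrivilegeEscalation is either
        # unset or not `false`. When the field is unset the comparison is
        # undefined, and `not` of an undefined expression is true, so this
        # rule also fires for a securityContext that omits the field.
        input_allow_privilege_escalation(c) {
          not c.securityContext.allowPrivilegeEscalation == false
        }

        # Every container list a Pod spec can carry. Ephemeral containers are
        # included so that containers injected after creation (e.g. via the
        # pods/ephemeralcontainers subresource) cannot bypass the check;
        # NOTE(review): this relies on the admission webhook also forwarding
        # that subresource to Gatekeeper -- confirm in the cluster's config.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.ephemeralContainers[_]
        }

        # has_field returns whether an object has a field
        has_field(object, field) = true {
          object[field]
        }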