built-in-references/Kubernetes/container-no-privilege-escalation/template.yaml (33 lines of code) (raw):

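# Gatekeeper ConstraintTemplate: report every container in a Pod that does not
# explicitly set securityContext.allowPrivilegeEscalation to false. Kubernetes
# leaves privilege escalation enabled when the field is unset, so "missing" is
# treated the same as "true" here.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sazurecontainernoprivilegeescalation
spec:
  crd:
    spec:
      names:
        kind: K8sAzureContainerNoPrivilegeEscalation
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sazurecontainernoprivilegeescalation

        # One violation per offending container; "details" is intentionally empty.
        violation[{"msg": msg, "details": {}}] {
          c := input_containers[_]
          input_allow_privilege_escalation(c)
          msg := sprintf("Privilege escalation container is not allowed: %v", [c.name])
        }

        # No securityContext at all: allowPrivilegeEscalation keeps its default
        # (enabled), so the container is flagged.
        input_allow_privilege_escalation(c) {
          not has_field(c, "securityContext")
        }

        # securityContext exists but allowPrivilegeEscalation is not an explicit
        # false. If the field is absent the comparison is undefined and `not`
        # makes the rule true, so only an explicit `false` passes.
        input_allow_privilege_escalation(c) {
          not c.securityContext.allowPrivilegeEscalation == false
        }

        # Regular, init and ephemeral containers are all evaluated; ephemeral
        # containers carry their own securityContext and were previously
        # uncovered, which left a way to run an escalating container in a
        # compliant Pod.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }

        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        input_containers[c] {
          c := input.review.object.spec.ephemeralContainers[_]
        }

        # has_field returns whether an object has a field. Note the lookup is
        # only true for a defined, non-false value; that is sufficient here
        # because securityContext is always an object when present.
        has_field(object, field) = true {
          object[field]
        }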