Disallow SELinux in CEL expressions
SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined.
Policy Definition
/pod-security-cel/baseline/disallow-selinux/disallow-selinux.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-selinux
  annotations:
    policies.kyverno.io/title: Disallow SELinux in CEL expressions
    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed. This policy
      ensures that the `seLinuxOptions` field is undefined.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: selinux-type
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            - name: allContainerTypes
              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
            - name: seLinuxTypes
              expression: "['container_t', 'container_init_t', 'container_kvm_t']"
          expressions:
            - expression: >-
                (!has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seLinuxOptions) ||
                !has(object.spec.securityContext.seLinuxOptions.type) ||
                variables.seLinuxTypes.exists(type, type == object.spec.securityContext.seLinuxOptions.type)) &&
                variables.allContainerTypes.all(container,
                !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                !has(container.securityContext.seLinuxOptions.type) ||
                variables.seLinuxTypes.exists(type, type == container.securityContext.seLinuxOptions.type))
              message: >-
                Setting the SELinux type is restricted. The field securityContext.seLinuxOptions.type must either be unset or set to one of the allowed values (container_t, container_init_t, or container_kvm_t).
    - name: selinux-user-role
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            - name: allContainerTypes
              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
          expressions:
            - expression: >-
                (!has(object.spec.securityContext) ||
                !has(object.spec.securityContext.seLinuxOptions) ||
                (!has(object.spec.securityContext.seLinuxOptions.user) && !has(object.spec.securityContext.seLinuxOptions.role))) &&
                variables.allContainerTypes.all(container,
                !has(container.securityContext) ||
                !has(container.securityContext.seLinuxOptions) ||
                (!has(container.securityContext.seLinuxOptions.user) && !has(container.securityContext.seLinuxOptions.role)))
              message: >-
                Setting the SELinux user or role is forbidden. The fields seLinuxOptions.user and seLinuxOptions.role must be unset.
```
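The two CEL rules above are easy to misread: the first rule restricts `seLinuxOptions.type` to an allow-list rather than forbidding it, the second forbids `user` and `role` outright, and both walk the pod-level `securityContext` plus every regular, init and ephemeral container. The following Python is an added example, not code from the Kyverno policy library, that mirrors that logic so a manifest can be checked locally (for instance in CI) before it reaches the admission controller. The Pod specs, image names and the non-allow-listed type `custom_app_t` are constructed for illustration.

```python
# Added example: a Python mirror of the `selinux-type` and `selinux-user-role` CEL rules.
# Not part of the Kyverno policy page; sample Pods below are constructed, not from the page.
from typing import Any, Dict, List

# Mirrors the policy's `seLinuxTypes` CEL variable.
ALLOWED_SELINUX_TYPES = frozenset({"container_t", "container_init_t", "container_kvm_t"})


def all_containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Mirror of the `allContainerTypes` CEL variable: regular + init + ephemeral containers.
    Ephemeral containers matter because they can be added to a running Pod on UPDATE."""
    return (
        spec.get("containers", [])
        + spec.get("initContainers", [])
        + spec.get("ephemeralContainers", [])
    )


def selinux_options(holder: Dict[str, Any]) -> Dict[str, Any]:
    """securityContext.seLinuxOptions of a pod spec or a container; {} when absent
    (the equivalent of the CEL `has(...)` guards evaluating to false)."""
    return (holder.get("securityContext") or {}).get("seLinuxOptions") or {}


def selinux_type_ok(spec: Dict[str, Any]) -> bool:
    """Rule `selinux-type`: at pod level and in every container, seLinuxOptions.type is
    either unset or one of the allowed values."""
    return all(
        selinux_options(h).get("type") in (None, *ALLOWED_SELINUX_TYPES)
        for h in [spec, *all_containers(spec)]
    )


def selinux_user_role_ok(spec: Dict[str, Any]) -> bool:
    """Rule `selinux-user-role`: seLinuxOptions.user and seLinuxOptions.role are unset
    at pod level and in every container."""
    return not any(
        "user" in selinux_options(h) or "role" in selinux_options(h)
        for h in [spec, *all_containers(spec)]
    )


def validate_pod(pod: Dict[str, Any]) -> List[str]:
    """Names of the rules a Pod violates; an empty list means the policy would admit it."""
    spec = pod.get("spec", {})
    failed = []
    if not selinux_type_ok(spec):
        failed.append("selinux-type")
    if not selinux_user_role_ok(spec):
        failed.append("selinux-user-role")
    return failed


# Constructed sample Pods (hypothetical names and images).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "securityContext": {"seLinuxOptions": {"type": "container_t"}},
        "containers": [{"name": "app", "image": "example.invalid/app:1"}],
    },
}

# Allowed type at pod level, but an ephemeral container sets a type outside the allow-list.
BAD_TYPE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad-type"},
    "spec": {
        "securityContext": {"seLinuxOptions": {"type": "container_t"}},
        "containers": [{"name": "app", "image": "example.invalid/app:1"}],
        "ephemeralContainers": [{
            "name": "debugger", "image": "example.invalid/debug:1",
            # "custom_app_t" is a constructed value that is simply not on the allow-list.
            "securityContext": {"seLinuxOptions": {"type": "custom_app_t"}},
        }],
    },
}

# Types are allowed everywhere, but an init container sets a role, which rule 2 forbids.
BAD_USER_ROLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad-role"},
    "spec": {
        "containers": [{"name": "app", "image": "example.invalid/app:1"}],
        "initContainers": [{
            "name": "init", "image": "example.invalid/init:1",
            "securityContext": {"seLinuxOptions": {"type": "container_init_t", "role": "system_r"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, BAD_TYPE_POD, BAD_USER_ROLE_POD):
        print(pod["metadata"]["name"], "->", validate_pod(pod) or "admitted")
```

Note that a Pod with no `securityContext` at all passes both rules, exactly as the `!has(...)` short-circuits in the CEL intend; the check only fires on values that are actually set.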
74