fix disallow-privilege-escalation policy (#1179)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
kyverno · Oct 7, 2024 · 7a219c1 · 7a219c1
1 parent 4a99f35
commit 7a219c1
Show file tree

Hide file tree

Showing 3 changed files with 2 additions and 10 deletions.
diff --git a/...curity-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml b/...curity-cel/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
@@ -15,9 +15,6 @@ spec:
       containers:
       - name: container01
         image: ghcr.io/kyverno/test-busybox:1.35
-        securityContext:
-          runAsNonRoot: true
-          allowPrivilegeEscalation: true
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -56,8 +53,6 @@ spec:
       containers:
       - name: container01
         image: ghcr.io/kyverno/test-busybox:1.35
-        securityContext:
-          allowPrivilegeEscalation: true
       - name: container02
         image: ghcr.io/kyverno/test-busybox:1.35
         securityContext:
@@ -151,9 +146,6 @@ spec:
           containers:
           - name: container01
             image: ghcr.io/kyverno/test-busybox:1.35
-            securityContext:
-              runAsNonRoot: true
-              allowPrivilegeEscalation: true
 ---
 apiVersion: batch/v1
 kind: CronJob

diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml b/pod-security-cel/restricted/disallow-privilege-escalation/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
   kyverno/category: "Pod Security Standards (Restricted)"
   kyverno/kubernetesVersion: "1.26-1.27"
   kyverno/subject: "Pod"
-digest: 3d361694af595b4070d5ad6ef8e65f893069209a29b7b23d026ea685393e96b5
+digest: 7dcc7fc94c8c26c855804a9872be536cf327a3d4f2305ecea176eb04d2964491
 createdAt: "2024-08-30T09:04:49Z"
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/disallow-privilege-escalation.yaml
@@ -37,7 +37,7 @@ spec:
           expressions:
             - expression: >- 
                 variables.allContainers.all(container, 
-                container.?securityContext.?allowPrivilegeEscalation.orValue(false) == false)
+                container.?securityContext.allowPrivilegeEscalation.orValue(true) == false)
               message: >-
                 Privilege escalation is disallowed. 
                 All containers must set the securityContext.allowPrivilegeEscalation field to `false`.