apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-drop-all-capabilities
  annotations:
    policies.kyverno.io/title: "Обязательный drop ALL capabilities"
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Каждый контейнер должен явно сбросить все capabilities через
      securityContext.capabilities.drop: [ALL]. Это часть профиля
      Restricted согласно Pod Security Standards.
spec:
  # Enforce: non-compliant Pods are rejected at admission time.
  validationFailureAction: Enforce
  # background: true also reports existing Pods that violate the rule.
  background: true
  rules:
    - name: require-drop-all
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
      validate:
        message: >-
          Контейнер '{{ element.name }}' не сбрасывает все capabilities.
          Добавьте в securityContext: capabilities: drop: - ALL
        foreach:
          # The Restricted profile applies to every container type, so the
          # rule iterates over ephemeral, init and regular containers alike
          # (the original list covered only spec.containers).
          - list: "request.object.spec.[ephemeralContainers, initContainers, containers][]"
            deny:
              conditions:
                all:
                  # Fails when "ALL" is absent from the container's drop list;
                  # a missing securityContext/capabilities/drop defaults to [].
                  - key: "ALL"
                    operator: NotIn
                    value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"