apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-drop-all-capabilities
  annotations:
    policies.kyverno.io/title: "Обязательный drop ALL capabilities"
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Каждый контейнер должен явно сбросить все capabilities через
      securityContext.capabilities.drop: [ALL]. Это часть профиля Restricted
      согласно Pod Security Standards.
spec:
  # Enforce: non-compliant Pods are rejected at admission instead of only being reported.
  validationFailureAction: Enforce
  # Also scan already-existing Pods in the background and report violations.
  background: true
  rules:
    - name: require-drop-all
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
      validate:
        # The validate-level message is evaluated per foreach element, so
        # {{ element.name }} names the offending container.
        message: >-
          Контейнер '{{ element.name }}' не сбрасывает все capabilities.
          Добавьте securityContext.capabilities.drop: [ALL].
        foreach:
          # Check every container type in one pass. JMESPath merge() only merges
          # objects and fails on lists, so the three container lists are combined
          # with a multi-select list and the flatten operator [] instead.
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                  # Deny when "ALL" is absent from the container's drop list;
                  # a missing drop list is treated as empty and therefore denied.
                  - key: "ALL"
                    operator: NotIn
                    value: "{{ element.securityContext.capabilities.drop[] || `[]` }}"