feat(policies): added `add-default-capability-drop` policy
General MR
Summary
This MR adds a custom ClusterPolicy that replaces every (initC|ephemeralC|c)ontainers[].securityContext.capabilities.drop array with a new array containing only ALL, unless the ALL element is already present in the array.
The only default package incompatible with this configuration out of the box is Neuvector: specifically its scanner deployment, which relies on CAP_CHOWN even though it does not explicitly add the capability.
As part of this MR's incorporation with Big Bang umbrella, I plan to except the neuvector scanner from this ClusterPolicy as a path forward, but am open to other resolutions if the Security & Compliance team suggests them.
I added several test manifests to show how this policy performs in practice.
Test Evidence
A test evidence MR exists in BB umbrella. The only failing test is a gitlab runner cypress test. This test is also failing in the overnight pipeline and is not related to this MR.
Manual Testing
Use big bang umbrella's test-values.yaml with this overlay:
kyvernoPolicies:
  git:
    branch: 150-add-default-capability-drop
    tag: null
  values:
    policies:
      add-default-capability-drop:
        exclude:
          any:
            - resources:
                namespaces:
                  - neuvector
                names:
                  - neuvector-scanner-pod*
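To make the mutation in the Summary and the exclusion in the overlay above concrete, here is an added Python oracle (not the policy's own Kyverno YAML and not part of this MR) that applies the same transformation to a Pod manifest: each of the three container lists has its capabilities.drop replaced with ["ALL"] unless ALL is already there, and a Pod matching the exclude block is left untouched. It assumes that a container with no securityContext or no drop array counts as "ALL not present" and receives the default, and the is_excluded helper approximates Kyverno's any/resources matching (namespace list plus wildcard names); the sample Pod is constructed for the example.

```python
"""Reference oracle for the add-default-capability-drop mutation (added example).

Handy for checking the post-mutation state of test manifests: run a Pod
through apply_policy() and diff it against what the cluster produced.
"""
import copy
import fnmatch

# The three Pod spec lists the policy walks.
CONTAINER_LISTS = ("initContainers", "ephemeralContainers", "containers")

# Exclusion mirroring the values overlay above: any/resources with a
# namespace list and wildcard names (approximation of Kyverno semantics).
NEUVECTOR_EXCLUDE = {
    "any": [
        {"resources": {"namespaces": ["neuvector"],
                       "names": ["neuvector-scanner-pod*"]}}
    ]
}


def mutate_container(container):
    """Return (copy, changed): drop forced to ["ALL"] unless ALL is present.

    Assumption: a missing securityContext/capabilities/drop is treated as an
    empty array, so the container receives the default drop list.
    """
    c = copy.deepcopy(container)
    sc = c.setdefault("securityContext", {})
    caps = sc.setdefault("capabilities", {})
    if "ALL" in (caps.get("drop") or []):
        return c, False          # already compliant, leave array as-is
    caps["drop"] = ["ALL"]       # replace the whole array, keep `add` intact
    return c, True


def mutate_pod(pod):
    """Apply the mutation to every container list; returns (new_pod, n_changed)."""
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    changed = 0
    for key in CONTAINER_LISTS:
        if key not in spec:
            continue
        mutated = []
        for ctr in spec[key]:
            new_ctr, did_change = mutate_container(ctr)
            changed += int(did_change)
            mutated.append(new_ctr)
        spec[key] = mutated
    return out, changed


def is_excluded(pod, exclude):
    """True if any resources block matches both namespace and (wildcard) name."""
    meta = pod.get("metadata", {})
    ns = meta.get("namespace", "default")
    name = meta.get("name", "")
    for entry in exclude.get("any", []):
        res = entry.get("resources", {})
        ns_ok = not res.get("namespaces") or ns in res["namespaces"]
        names = res.get("names")
        name_ok = not names or any(fnmatch.fnmatchcase(name, p) for p in names)
        if ns_ok and name_ok:
            return True
    return False


def apply_policy(pod, exclude=NEUVECTOR_EXCLUDE):
    """Full policy behaviour: skip excluded Pods, mutate everything else."""
    if is_excluded(pod, exclude):
        return copy.deepcopy(pod), 0
    return mutate_pod(pod)


# Constructed sample Pod: one non-compliant init container, one compliant
# container that also adds a capability, one container with no securityContext.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "apps"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"capabilities": {"drop": ["ALL"],
                                                  "add": ["NET_BIND_SERVICE"]}}},
            {"name": "sidecar", "image": "envoy"}],
    },
}

if __name__ == "__main__":
    result, n = apply_policy(SAMPLE_POD)
    print(f"{n} container(s) mutated")
    for key in CONTAINER_LISTS:
        for ctr in result["spec"].get(key, []):
            print(key, ctr["name"], ctr["securityContext"]["capabilities"])
```

Running it on the sample reports two mutated containers (init and sidecar); the app container keeps both its existing drop: [ALL] and its add list, which is the "ALL already present" branch the policy is careful not to clobber.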
Linked Issue
Upgrade Notices
N/A