apiVersion: kyverno.io/v1 kind: Policy metadata: name: allow-privileged-containers annotations: policies.kyverno.io/category: Pod Security Standards policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Privileged policies only allow the hce containers to use privileged mode. spec: validationFailureAction: audit background: true rules: - name: priviledged-containers match: resources: kinds: - Pod selector: matchLabels: # applicable for experiments which usage container runtime apis app.kubernetes.io/runtime-api-usage: "true" validate: message: >- It should be run in privileged mode. It can be defined at spec.containers[*].securityContext.privileged. pattern: spec: containers: - =(securityContext): =(privileged): true