Disallow procMount

The default /proc masks are set up to reduce attack surface and should be required. This policy ensures that nothing but the default procMount can be specified. Note that deviating from the `Default` procMount also requires enabling a feature gate at the API server, so this policy is a second layer of defense rather than the only control.

Policy Definition

/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-proc-mount
  annotations:
    policies.kyverno.io/title: Disallow procMount
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The default /proc masks are set up to reduce attack surface and should be required. This policy
      ensures nothing but the default procMount can be specified. Note that in order for users
      to deviate from the `Default` procMount requires setting a feature gate at the API
      server.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: check-proc-mount
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Changing the proc mount from the default is not allowed. The fields
          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
          set to `Default`.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(procMount): "Default"
            =(initContainers):
              - =(securityContext):
                  =(procMount): "Default"
            containers:
              - =(securityContext):
                  =(procMount): "Default"
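To see how the `=(key)` conditional anchors in the pattern above behave, here is an added example (not Kyverno's own code) that re-implements the anchor semantics as a small offline evaluator and runs the policy's pattern against constructed Pod specs. It assumes Kyverno's documented behaviour: an anchored key is only checked when the resource has it, an unanchored key must exist, and a one-element list pattern is applied to every element of the resource list.

```python
"""Offline evaluation of the disallow-proc-mount validate.pattern (added example)."""
import re

ANCHOR = re.compile(r"^=\((.+)\)$")  # matches Kyverno conditional anchors like "=(procMount)"

# The validate.pattern from the policy above, written as a Python structure.
PATTERN = {
    "spec": {
        "=(ephemeralContainers)": [{"=(securityContext)": {"=(procMount)": "Default"}}],
        "=(initContainers)": [{"=(securityContext)": {"=(procMount)": "Default"}}],
        "containers": [{"=(securityContext)": {"=(procMount)": "Default"}}],
    }
}


def matches(resource, pattern) -> bool:
    """True when `resource` satisfies `pattern` under the assumed anchor semantics."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            anchored = ANCHOR.match(key)
            real = anchored.group(1) if anchored else key
            if real not in resource:
                if anchored:
                    continue  # conditional anchor: field absent, nothing to check
                return False  # unanchored key (containers) is required
            if not matches(resource[real], sub):
                return False
        return True
    if isinstance(pattern, list):
        if not isinstance(resource, list) or not pattern:
            return False
        return all(matches(item, pattern[0]) for item in resource)  # each element must match
    return resource == pattern  # scalar leaf: exact equality


def pod_allowed(pod: dict) -> bool:
    """Would this Pod pass the check-proc-mount rule?"""
    return matches(pod, PATTERN)


# Constructed sample Pods (not taken from the page).
OK_POD = {"spec": {"containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}]}}
BAD_POD = {"spec": {"initContainers": [{"name": "init", "securityContext": {"procMount": "Unmasked"}}],
                    "containers": [{"name": "app"}]}}

if __name__ == "__main__":
    print("OK_POD allowed:", pod_allowed(OK_POD))    # True: procMount unset
    print("BAD_POD allowed:", pod_allowed(BAD_POD))  # False: initContainer uses Unmasked
```

A securityContext without procMount passes because both anchors are conditional; only an explicit non-Default value in any of the three container lists is rejected.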