diff --git a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
index 45be727bd..3133e2a27 100644
--- a/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
+++ b/best-practices/require-drop-cap-net-raw/.chainsaw-test/good-pod.yaml
@@ -22,4 +22,20 @@ spec:
 securityContext:
 capabilities:
 drop:
- - CAP_NET_RAW
\ No newline at end of file
+ - CAP_NET_RAW
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: drop-netraw-good
+spec:
+ containers:
+ - args:
+ - sleep
+ - infinity
+ image: ghcr.io/kyverno/test-busybox:1.35
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - NET_RAW
diff --git a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
index 3057417f0..f3ee429f1 100644
--- a/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
+++ b/best-practices/require-drop-cap-net-raw/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices"
 kyverno/subject: "Pod"
-digest: 97e963f073e6324fa514015bc8fd8564b93fb7da6f8564fcf8a8fefc4c9da784
+digest: 357011bf6ef0268a0ca1b248e0c7a59fc42e7f2017d02838c85711c329130676
diff --git a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
index 68e92d525..c6615b546 100644
--- a/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
+++ b/best-practices/require-drop-cap-net-raw/require-drop-cap-net-raw.yaml
@@ -40,4 +40,7 @@ spec:
 all:
 - key: CAP_NET_RAW
 operator: AnyNotIn
- value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
\ No newline at end of file
+ value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+ - key: NET_RAW
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
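Review bot: With both entries under `all:`, a container whose drop list is `["ALL"]` is still denied, because neither `CAP_NET_RAW` nor `NET_RAW` appears literally in the uppercased list even though dropping ALL removes NET_RAW as well; if requiring the explicit name is intended, a comment above `all:` saying so would stop the next reader from "fixing" it, otherwise a third condition `- key: ALL` / `operator: AnyNotIn` with the same `value:` line would accept that stricter posture. The `value:` JMESPath expression is now repeated verbatim three times, which invites drift; if the targeted Kyverno version supports a list key with `AllNotIn` (`key: ["CAP_NET_RAW", "NET_RAW"]`), one condition would express the same deny. The enclosing block, presumably the deny `conditions:` of the foreach, starts outside the hunk, so the `all:` semantics are inferred from the visible lines.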