kyverno/samples/DisallowHostPIDIPC.md

# Disallow `hostPID` and `hostIPC`

Sharing the host's PID namespace allows an application pod to gain visibility of processes on the host, potentially exposing sensitive information. Sharing the host's IPC namespace also allows the container process to communicate with processes on the host. 

To avoid pod container from having visibility to host process space, validate that `hostPID` and `hostIPC` are set to `false`.

## Policy YAML 

[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml)

````yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-host-pid-ipc
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
      on the host, potentially exposing process information. Sharing the host's IPC namespace allows 
      the container process to communicate with processes on the host. To avoid pod container from 
      having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
spec:
  validationFailureAction: enforce
  rules:
  - name: validate-host-pid-ipc
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
          =(hostPID): "false"
          =(hostIPC): "false"
````
reorganize samples 2019-10-23 21:06:03 +00:00			# Disallow `hostPID` and `hostIPC`

update descriptions... 2019-10-23 22:36:37 +00:00			`Sharing the host's PID namespace allows an application pod to gain visibility of processes on the host, potentially exposing sensitive information. Sharing the host's IPC namespace also allows the container process to communicate with processes on the host.`
reorganize samples 2019-10-23 21:06:03 +00:00
update descriptions... 2019-10-23 22:36:37 +00:00			To avoid pod container from having visibility to host process space, validate that `hostPID` and `hostIPC` are set to `false`.
reorganize samples 2019-10-23 21:06:03 +00:00
			`## Policy YAML`

			`[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml)`

			````yaml
			`apiVersion: kyverno.io/v1alpha1`
			`kind: ClusterPolicy`
			`metadata:`
update policy YAML 2019-11-08 03:20:51 +00:00			`name: validate-host-pid-ipc`
			`annotations:`
			`policies.kyverno.io/category: Security`
			`policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process`
			`on the host, potentially exposing process information. Sharing the host's IPC namespace allows`
			`the container process to communicate with processes on the host. To avoid pod container from`
			`having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.`
reorganize samples 2019-10-23 21:06:03 +00:00			`spec:`
update policy YAML 2019-11-08 03:20:51 +00:00			`validationFailureAction: enforce`
reorganize samples 2019-10-23 21:06:03 +00:00			`rules:`
update policy YAML 2019-11-08 03:20:51 +00:00			`- name: validate-host-pid-ipc`
reorganize samples 2019-10-23 21:06:03 +00:00			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
update policy YAML 2019-11-08 03:20:51 +00:00			`message: "Use of host PID and IPC namespaces is not allowed"`
reorganize samples 2019-10-23 21:06:03 +00:00			`pattern:`
			`spec:`
update policy YAML 2019-11-08 03:20:51 +00:00			`=(hostPID): "false"`
			`=(hostIPC): "false"`
reorganize samples 2019-10-23 21:06:03 +00:00			````