kyverno/samples/DisallowDockerSockMount.md

# Disallow Docker socket bind mount

The Docker socket bind mount allows access to the 
Docker daemon on the node. This access can be used for privilege escalation and 
to manage containers outside of Kubernetes, and hence should not be allowed.  

## Policy YAML 

[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml) 

````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-docker-sock-mount
spec:
  rules:
  - name: validate-docker-sock-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of the Docker Unix socket is not allowed"
      pattern:
        spec:
          =(volumes):
            =(hostPath):
              path: "!/var/run/docker.sock"
````
add policy and test case 2019-11-01 13:31:08 -07:00			`# Disallow Docker socket bind mount`

			`The Docker socket bind mount allows access to the`
			`Docker daemon on the node. This access can be used for privilege escalation and`
			`to manage containers outside of Kubernetes, and hence should not be allowed.`

			`## Policy YAML`

			`[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml)`

			````yaml
update api in samples/ 2019-11-13 13:56:20 -08:00			`apiVersion: kyverno.io/v1`
add policy and test case 2019-11-01 13:31:08 -07:00			`kind: ClusterPolicy`
			`metadata:`
			`name: disallow-docker-sock-mount`
			`spec:`
			`rules:`
			`- name: validate-docker-sock-mount`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Use of the Docker Unix socket is not allowed"`
			`pattern:`
			`spec:`
update README.md and markdown 2019-11-01 15:23:42 -07:00			`=(volumes):`
			`=(hostPath):`
add policy and test case 2019-11-01 13:31:08 -07:00			`path: "!/var/run/docker.sock"`
			````