mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 09:56:55 +00:00
24 lines
613 B
YAML
24 lines
613 B
YAML
|
apiVersion: kyverno.io/v2beta1
|
||
|
|
kind: ClusterPolicy
|
||
|
|
metadata:
|
||
|
|
name: disallow-host-namespaces
|
||
|
|
spec:
|
||
|
|
validationFailureAction: Enforce
|
||
|
|
background: false
|
||
|
|
rules:
|
||
|
|
- name: host-namespaces
|
||
|
|
match:
|
||
|
|
any:
|
||
|
|
- resources:
|
||
|
|
kinds:
|
||
|
|
- Pod
|
||
|
|
validate:
|
||
|
|
message: >-
|
||
|
|
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
||
|
|
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
||
|
|
pattern:
|
||
|
|
spec:
|
||
|
|
=(hostPID): "false"
|
||
|
|
=(hostIPC): "false"
|
||
|
|
=(hostNetwork): "false"
|