kyverno/samples/DisallowHostFS.md

# Disallow use of host filesystem

The volume of type `hostpath` allows pods to use host directories and volume mounted to a host path. This binds pods to a specific host, and data persisted in the volume is coupled to the life of the node. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).

## Policy YAML 

[disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml) 

````yaml
apiVersion: "kyverno.io/v1alpha1"
kind: "ClusterPolicy"
metadata: 
  name: "deny-use-of-host-fs"
spec: 
  rules: 
  - name: "deny-use-of-host-fs"
    match: 
      resources: 
        kinds: 
        - "Pod"
    validate: 
      message: "Host path is not allowed"
      pattern: 
        spec: 
          volumes: 
          - X(hostPath): null
````
reorganize samples 2019-10-23 14:06:03 -07:00			`# Disallow use of host filesystem`

update descriptions... 2019-10-23 15:36:37 -07:00			The volume of type `hostpath` allows pods to use host directories and volume mounted to a host path. This binds pods to a specific host, and data persisted in the volume is coupled to the life of the node. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
reorganize samples 2019-10-23 14:06:03 -07:00
			`## Policy YAML`

			`[disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml)`

			````yaml
			`apiVersion: "kyverno.io/v1alpha1"`
			`kind: "ClusterPolicy"`
			`metadata:`
			`name: "deny-use-of-host-fs"`
			`spec:`
			`rules:`
			`- name: "deny-use-of-host-fs"`
			`match:`
			`resources:`
			`kinds:`
			`- "Pod"`
			`validate:`
			`message: "Host path is not allowed"`
			`pattern:`
			`spec:`
			`volumes:`
			`- X(hostPath): null`
			````