# Disallow Docker socket bind mount
Bind-mounting the Docker socket (`/var/run/docker.sock`) into a Pod gives the container full control of the Docker daemon on the node, which is equivalent to root on that node: it can start privileged containers, mount the host filesystem, and create or kill containers that Kubernetes knows nothing about. This mount should therefore not be allowed. Note that the policy below is shipped with `validationFailureAction: audit`, which only records violations; change it to `enforce` to have the admission webhook reject the Pod.
## Policy YAML
[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml)
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-docker-sock-mount
spec:
  validationFailureAction: audit
  rules:
  - name: validate-docker-sock-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of the Docker Unix socket is not allowed"
      pattern:
        spec:
          # =(...) is a conditional anchor: the check only applies when the
          # key exists, so Pods with no volumes or no hostPath still pass.
          =(volumes):
          - =(hostPath):
              # "!" negates the value: any hostPath path other than the
              # Docker socket is accepted.
              path: "!/var/run/docker.sock"
````