2023-09-18 00:24:26 +02:00
|
|
|
---
|
2019-11-13 13:56:20 -08:00
|
|
|
apiVersion: kyverno.io/v1
|
2019-10-08 21:58:05 -07:00
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
2019-10-11 18:57:16 -07:00
|
|
|
annotations:
|
2019-11-11 18:21:16 -08:00
|
|
|
policies.kyverno.io/category: Workload Isolation
|
2023-09-18 00:24:26 +02:00
|
|
|
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility
|
|
|
|
|
of process on the host, potentially exposing process information. Sharing the
|
|
|
|
|
host's IPC namespace allows the container process to communicate with processes
|
|
|
|
|
on the host. To avoid pod container from having visibility to host process space,
|
|
|
|
|
validate that 'hostPID' and 'hostIPC' are set to 'false'.
|
|
|
|
|
name: disallow-host-pid-ipc
|
2019-10-08 21:58:05 -07:00
|
|
|
spec:
|
2023-09-18 00:24:26 +02:00
|
|
|
admission: true
|
|
|
|
|
background: true
|
2019-10-08 21:58:05 -07:00
|
|
|
rules:
|
2023-09-18 00:24:26 +02:00
|
|
|
- match:
|
|
|
|
|
any:
|
|
|
|
|
- resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Pod
|
|
|
|
|
name: validate-hostPID-hostIPC
|
2019-10-08 21:58:05 -07:00
|
|
|
validate:
|
2023-09-18 00:24:26 +02:00
|
|
|
message: Use of host PID and IPC namespaces is not allowed
|
2019-10-08 21:58:05 -07:00
|
|
|
pattern:
|
|
|
|
|
spec:
|
2019-11-07 19:03:09 -08:00
|
|
|
=(hostIPC): "false"
|
2023-09-18 00:24:26 +02:00
|
|
|
=(hostPID): "false"
|
|
|
|
|
validationFailureAction: Audit
|
