kyverno/test/best_practices/disallow_host_pid_ipc.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-pid-ipc
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
      on the host, potentially exposing process information. Sharing the host's IPC namespace allows 
      the container process to communicate with processes on the host. To avoid pod container from 
      having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
spec:
  validationFailureAction: audit
  rules:
  - name: validate-hostPID-hostIPC
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
          =(hostPID): "false"
          =(hostIPC): "false"
update api in samples/ 2019-11-13 13:56:20 -08:00			`apiVersion: kyverno.io/v1`
add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00			`kind: ClusterPolicy`
			`metadata:`
update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00			`name: disallow-host-pid-ipc`
Provide descriptions for policies 2019-10-11 18:57:16 -07:00			`annotations:`
update categories and links 2019-11-11 18:21:16 -08:00			`policies.kyverno.io/category: Workload Isolation`
update description format 2019-10-14 16:33:19 -07:00			`policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process`
			`on the host, potentially exposing process information. Sharing the host's IPC namespace allows`
			`the container process to communicate with processes on the host. To avoid pod container from`
			`having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.`
add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00			`spec:`
update test scenario and change rule to audit mode 2019-11-07 19:28:48 -08:00			`validationFailureAction: audit`
add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00			`rules:`
update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00			`- name: validate-hostPID-hostIPC`
add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
fix policy 2019-11-07 19:03:09 -08:00			`message: "Use of host PID and IPC namespaces is not allowed"`
add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00			`pattern:`
			`spec:`
fix policy 2019-11-07 19:03:09 -08:00			`=(hostPID): "false"`
			`=(hostIPC): "false"`