kyverno/test/policy/deny/policy.yaml

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: path-canonicalize
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: disallow-mount-containerd-sock
    match:
      resources:
        kinds:
        - Pod
    validate:
      foreach:
      - list: "request.object.spec.volumes[]"
        deny:
          conditions:
            any:
            - key: "{{ path_canonicalize(element.hostPath.path) }}"
              operator: Equals
              value: "/var/run/containerd/containerd.sock"
            - key: "{{ path_canonicalize(element.hostPath.path) }}"
              operator: Equals
              value: "/run/containerd/containerd.sock"
            - key: "{{ path_canonicalize(element.hostPath.path) }}"
              operator: Equals
              value: "\\var\\run\\containerd\\containerd.sock"
Support mutation of variables in validate.deny (#2947) * Support mutation of variables in validate.deny * remove comment * fix e2e test 2022-01-18 16:23:30 +05:30			`---`
			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: path-canonicalize`
			`spec:`
			`validationFailureAction: enforce`
			`background: false`
			`rules:`
			`- name: disallow-mount-containerd-sock`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`foreach:`
			`- list: "request.object.spec.volumes[]"`
			`deny:`
			`conditions:`
			`any:`
			`- key: "{{ path_canonicalize(element.hostPath.path) }}"`
			`operator: Equals`
			`value: "/var/run/containerd/containerd.sock"`
			`- key: "{{ path_canonicalize(element.hostPath.path) }}"`
			`operator: Equals`
			`value: "/run/containerd/containerd.sock"`
			`- key: "{{ path_canonicalize(element.hostPath.path) }}"`
			`operator: Equals`
			`value: "\\var\\run\\containerd\\containerd.sock"`