add policy and test case

pkg/testrunner/testrunner_test.go

@@ -115,7 +115,10 @@ func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
 func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
 }
-
 func Test_validate_disallow_new_capabilities(t *testing.T) {
 	testScenario(t, "/test/scenarios/samples/best_practices/scenario_validate_disallow_new_capabilities.yaml")
 }
+
+func Test_validate_disallow_docker_sock_mount(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
+}

samples/DisallowDockerSockMount.md

@@ -0,0 +1,35 @@
+# Disallow Docker socket bind mount
+
+The Docker socket bind mount allows access to the 
+Docker daemon on the node. This access can be used for privilege escalation and 
+to manage containers outside of Kubernetes, and hence should not be allowed.  
+
+## Policy YAML 
+
+[disallow_docker_sock_mount.yaml](best_practices/disallow_docker_sock_mount.yaml) 
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-docker-sock-mount
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: The Docker socket bind mount allows access to the 
+      Docker daemon on the node. This access can be used for privilege escalation and 
+      to manage containers outside of Kubernetes, and hence should not be allowed.  
+spec:
+  rules:
+  - name: validate-docker-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the Docker Unix socket is not allowed"
+      pattern:
+        spec:
+          (volume):
+            (hostPath):
+              path: "!/var/run/docker.sock"
+````

samples/best_practices/disallow_docker_sock_mount.yaml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: disallow-docker-sock-mount
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: The Docker socket bind mount allows access to the 
+      Docker daemon on the node. This access can be used for privilege escalation and 
+      to manage containers outside of Kubernetes, and hence should not be allowed.  
+spec:
+  rules:
+  - name: validate-docker-sock-mount
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Use of the Docker Unix socket is not allowed"
+      pattern:
+        spec:
+          =(volumes):
+            =(hostPath):
+              path: "!/var/run/docker.sock"

test/resources/disallow_docker_sock_mount.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-docker-sock-mount
+spec:
+  containers:
+   - name: myshell
+     image: "ubuntu:18.04"
+     command:
+       - /bin/sleep
+       - "300"
+  volumes:
+  - name: dockersock
+    hostPath:
+      path: /var/run/docker.sock

test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_docker_sock_mount.yaml
+  resource: test/resources/disallow_docker_sock_mount.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: disallow-docker-sock-mount
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: pod-with-docker-sock-mount
+      rules:
+        - name: validate-docker-sock-mount
+          type: Validation
+          message: Validation rule 'validate-docker-sock-mount' failed at '/spec/volumes/' for resource Pod//pod-with-docker-sock-mount. Use of the Docker Unix socket is not allowed
+          success: false