update policy

2025-03-31 03:45:17 +00:00 · 2019-10-30 12:59:51 -07:00 · 2019-10-30 12:59:51 -07:00 · 3783ae0495
commit 3783ae0495
parent 1dfccf99d4
1 changed files with 7 additions and 3 deletions
--- a/samples/best_practices/disallow_host_filesystem.yaml
+++ b/samples/best_practices/disallow_host_filesystem.yaml
@ -4,9 +4,13 @@ metadata:
  name: "deny-use-of-host-fs"
  annotations:
    policies.kyverno.io/category: Data Protection
-    policies.kyverno.io/description: The volume of type 'hostpath' binds pods to a specific host, 
-      and data persisted in the volume is dependent on the life of the node. In a shared cluster, 
-      it is recommeded that applications are independent of hosts.
+    policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind 
+    mounts (i.e. directories and volumes mounted to a host path) in containers. Using host 
+    resources can be used to access shared data or escalate priviliges. Also, this couples pods 
+    to a specific host and data persisted in the `hostPath` volume is coupled to the life of the 
+    node leading to potential pod scheduling failures. It is highly recommeded that applications 
+    are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+
 spec: 
  rules: 
  - name: "deny-use-of-host-fs"