add 'deny-use-of-host-fs'

pkg/testrunner/testrunner_test.go

@@ -139,3 +139,11 @@ func Test_require_pod_requests_limits(t *testing.T) {
 func Test_require_probes(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_probes.yaml")
 }
+
+func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml")
+}
+
+func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml")
+}

samples/README.md

@@ -33,6 +33,13 @@ Namespaces are a way to divide cluster resources between multiple users. When mu
 ***Policy YAML***: [disallow_default_namespace.yaml](best_practices/disallow_default_namespace.yaml) 
 
 
+## Disallow use of host filesystem
+
+Using the volume of type hostpath can easily lose data when a node crashes. Disable use of hostpath prevent data loss. 
+
+***Policy YAML***: [disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml) 
+
+
 ## Disallow `hostNetwork` and `hostPort`
 
 Using `hostPort` and `hostNetwork` limits the number of nodes the pod can be scheduled on, as the pod is bound to the host thats its mapped to.

samples/best_practices/disallow_host_filesystem.yaml

@@ -0,0 +1,17 @@
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata: 
+  name: "deny-use-of-host-fs"
+spec: 
+  rules: 
+  - name: "deny-use-of-host-fs"
+    match: 
+      resources: 
+        kinds: 
+        - "Pod"
+    validate: 
+      message: "Host path is not allowed"
+      pattern: 
+        spec: 
+          volumes: 
+          - X(hostPath): null

test/manifest/disallow_host_filesystem.yaml

@@ -0,0 +1,18 @@
+apiVersion: "v1"
+kind: "Pod"
+metadata: 
+  name: "image-with-hostpath"
+  labels: 
+    app.type: "prod"
+    namespace: "my-namespace"
+spec: 
+  containers: 
+  - name: "image-with-hostpath"
+    image: "docker.io/nautiker/curl"
+    volumeMounts: 
+    - name: "var-lib-etcd"
+      mountPath: "/var/lib"
+  volumes: 
+  - name: "var-lib-etcd"
+    hostPath: 
+      path: "/var/lib"

test/manifest/disallow_host_filesystem_pass.yaml

@@ -0,0 +1,17 @@
+apiVersion: "v1"
+kind: "Pod"
+metadata: 
+  name: "image-with-hostpath"
+  labels: 
+    app.type: "prod"
+    namespace: "my-namespace"
+spec: 
+  containers: 
+  - name: "image-with-hostpath"
+    image: "docker.io/nautiker/curl"
+    volumeMounts: 
+    - name: "var-lib-etcd"
+      mountPath: "/var/lib"
+  volumes: 
+  - name: "var-lib-etcd"
+    emptyDir: {}

test/scenarios/test/scenario_validate_disallow_host_filesystem.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_host_filesystem.yaml
+  resource: test/manifest/disallow_host_filesystem.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: deny-use-of-host-fs
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: image-with-hostpath
+      rules:
+        - name: deny-use-of-host-fs
+          type: Validation
+          message: Validation rule 'deny-use-of-host-fs' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed
+          success: false

test/scenarios/test/scenario_validate_disallow_host_filesystem_pass.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/disallow_host_filesystem.yaml
+  resource: test/manifest/disallow_host_filesystem_pass.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: deny-use-of-host-fs
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: image-with-hostpath
+      rules:
+        - name: deny-use-of-host-fs
+          type: Validation
+          message: Validation rule 'deny-use-of-host-fs' succesfully validated
+          success: true