fix policy

2025-03-28 18:38:40 +00:00 · 2019-11-07 19:03:09 -08:00 · 2019-11-07 19:03:09 -08:00 · 43e76e1237
commit 43e76e1237
parent fa7d4a8868
1 changed files with 6 additions and 5 deletions
--- a/samples/best_practices/disallow_hostpid_hostipc.yaml
+++ b/samples/best_practices/disallow_hostpid_hostipc.yaml
@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-hostpid-hostipc
+  name: validate-host-pid-ipc
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
@ -9,15 +9,16 @@ metadata:
      the container process to communicate with processes on the host. To avoid pod container from 
      having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
+  validationFailureAction: enforce
  rules:
-  - name: validate-hostpid-hostipc
+  - name: validate-host-pid-ipc
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Disallow use of host's pid namespace and host's ipc namespace"
+      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
-          (hostPID): "!true"
-          hostIPC: false
+          =(hostPID): "false"
+          =(hostIPC): "false"