Merge pull request #459 from nirmata/450_fix_host_pid_ipc_policy

fix policy
2025-03-06 07:57:07 +00:00 · 2019-11-08 10:25:26 -08:00 · 2019-11-08 10:25:26 -08:00 · 913803a285
commit 913803a285
parent fa7d4a8868 ab2e671df5
3 changed files with 20 additions and 13 deletions
--- a/samples/DisallowHostPIDIPC.md
+++ b/samples/DisallowHostPIDIPC.md
@ -12,18 +12,25 @@ To avoid pod container from having visibility to host process space, validate th
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-hostpid-hostipc
+  name: validate-host-pid-ipc
+  annotations:
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
+      on the host, potentially exposing process information. Sharing the host's IPC namespace allows 
+      the container process to communicate with processes on the host. To avoid pod container from 
+      having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
+  validationFailureAction: enforce
  rules:
-  - name: validate-hostpid-hostipc
+  - name: validate-host-pid-ipc
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Disallow use of host's pid namespace and host's ipc namespace"
+      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
-          (hostPID): "!true"
-          hostIPC: false
+          =(hostPID): "false"
+          =(hostIPC): "false"
 ````
--- a/samples/best_practices/disallow_hostpid_hostipc.yaml
+++ b/samples/best_practices/disallow_hostpid_hostipc.yaml
@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: validate-hostpid-hostipc
+  name: validate-host-pid-ipc
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process 
@ -9,15 +9,16 @@ metadata:
      the container process to communicate with processes on the host. To avoid pod container from 
      having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
 spec:
+  validationFailureAction: audit
  rules:
-  - name: validate-hostpid-hostipc
+  - name: validate-host-pid-ipc
    match:
      resources:
        kinds:
        - Pod
    validate:
-      message: "Disallow use of host's pid namespace and host's ipc namespace"
+      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
-          (hostPID): "!true"
-          hostIPC: false
+          =(hostPID): "false"
+          =(hostIPC): "false"
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_hostpid_hostipc.yaml
@ -5,14 +5,13 @@ input:
 expected:
  validation:
    policyresponse:
-      policy: validate-hostpid-hostipc
+      policy: validate-host-pid-ipc
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: "nginx-with-hostpid"
      rules:
-        - name: validate-hostpid-hostipc
+        - name: validate-host-pid-ipc
          type: Validation
-          message: "Validation error: Disallow use of host's pid namespace and host's ipc namespace\nValidation rule 'validate-hostpid-hostipc' failed at path '/spec/hostIPC/'."
          success: false