update DisallowBindMounts

2025-03-31 03:45:17 +00:00 · 2019-11-09 16:33:19 -08:00 · 2019-11-09 16:33:19 -08:00 · fd1a26db29
commit fd1a26db29
parent fae8ac0325
5 changed files with 21 additions and 19 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -104,12 +104,12 @@ func Test_require_probes(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_probes.yaml")
 }

-func Test_validate_disallow_host_filesystem_fail(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml")
+func Test_validate_disallow_bind_mounts_fail(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml")
 }

-func Test_validate_disallow_host_filesystem_pass(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml")
+func Test_validate_disallow_bind_mounts_pass(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml")
 }

 func Test_validate_disallow_new_capabilities(t *testing.T) {
--- a/samples/DisallowBindMounts.md
+++ b/samples/DisallowBindMounts.md
@ -4,22 +4,26 @@ The volume of type `hostPath` allows pods to use host bind mounts (i.e. director

 ## Policy YAML 

-[disallow_host_filesystem.yaml](best_practices/disallow_host_filesystem.yaml) 
+[disallow_bind_mounts.yaml](best_practices/disallow_bind_mounts.yaml) 

 ````yaml
 apiVersion: "kyverno.io/v1alpha1"
 kind: "ClusterPolicy"
 metadata: 
-  name: "deny-use-of-host-fs"
+  name: "disallow-bind-mounts"
+  annotations:
+    policies.kyverno.io/category: Data Protection
+    policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the `hostPath` volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
+
 spec: 
  rules: 
-  - name: "deny-use-of-host-fs"
+  - name: "validate-hostPath"
    match: 
      resources: 
        kinds: 
        - "Pod"
    validate: 
-      message: "Host path is not allowed"
+      message: "Host path volumes are not allowed"
      pattern: 
        spec: 
          volumes: 
--- a/samples/best_practices/disallow_host_filesystem.yaml
+++ b/samples/best_practices/disallow_host_filesystem.yaml
@ -1,7 +1,7 @@
 apiVersion: "kyverno.io/v1alpha1"
 kind: "ClusterPolicy"
 metadata: 
-  name: "deny-use-of-host-fs"
+  name: "disallow-bind-mounts"
  annotations:
    policies.kyverno.io/category: Data Protection
    policies.kyverno.io/description: The volume of type `hostPath` allows pods to use host bind 
@ -13,13 +13,13 @@ metadata:

 spec: 
  rules: 
-  - name: "deny-use-of-host-fs"
+  - name: "validate-hostPath"
    match: 
      resources: 
        kinds: 
        - "Pod"
    validate: 
-      message: "Host path is not allowed"
+      message: "Host path volumes are not allowed"
      pattern: 
        spec: 
          volumes: 
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem.yaml
@ -1,18 +1,17 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/disallow_host_filesystem.yaml
+  policy: samples/best_practices/disallow_bind_mounts.yaml
  resource: test/resources/disallow_host_filesystem.yaml
 expected:
  validation:
    policyresponse:
-      policy: deny-use-of-host-fs
+      policy: disallow-bind-mounts
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: image-with-hostpath
      rules:
-        - name: deny-use-of-host-fs
+        - name: validate-hostPath
          type: Validation
-          message: "Validation error: Host path is not allowed\nValidation rule 'deny-use-of-host-fs' failed at path '/spec/volumes/0/hostPath/'."
          success: false
--- a/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_disallow_host_filesystem_pass.yaml
@ -1,18 +1,17 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/disallow_host_filesystem.yaml
+  policy: samples/best_practices/disallow_bind_mounts.yaml
  resource: test/resources/disallow_host_filesystem_pass.yaml
 expected:
  validation:
    policyresponse:
-      policy: deny-use-of-host-fs
+      policy: disallow-bind-mounts
      resource:
        kind: Pod
        apiVersion: v1
        namespace: ''
        name: image-with-hostpath
      rules:
-        - name: deny-use-of-host-fs
+        - name: validate-hostPath
          type: Validation
-          message: Validation rule 'deny-use-of-host-fs' succeeded.
          success: true