---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: path-canonicalize
spec:
  admission: true
  background: false
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: disallow-mount-containerd-sock
    validate:
      foreach:
      - deny:
          conditions:
            any:
            - key: '{{ path_canonicalize(element.hostPath.path) }}'
              operator: Equals
              value: /var/run/containerd/containerd.sock
            - key: '{{ path_canonicalize(element.hostPath.path) }}'
              operator: Equals
              value: /run/containerd/containerd.sock
            - key: '{{ path_canonicalize(element.hostPath.path) }}'
              operator: Equals
              value: \var\run\containerd\containerd.sock
        list: request.object.spec.volumes[]
  validationFailureAction: Enforce