---
# Kyverno ClusterPolicy: reports Pods that opt into the host PID or IPC
# namespace. hostNetwork is not covered by this policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-pid-ipc
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: >-
      Sharing the host's PID namespace allows visibility
      of process on the host, potentially exposing process information. Sharing the
      host's IPC namespace allows the container process to communicate with processes
      on the host. To avoid pod container from having visibility to host process space,
      validate that 'hostPID' and 'hostIPC' are set to 'false'.
spec:
  # Evaluate at admission time and also in background scans of existing Pods.
  admission: true
  background: true
  # Audit: a violating Pod is still admitted and only shows up in the policy
  # report. Use Enforce to reject such Pods at admission.
  validationFailureAction: Audit
  rules:
    - name: validate-hostPID-hostIPC
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Use of host PID and IPC namespaces is not allowed
        pattern:
          spec:
            # =(field) is a conditional anchor: the value is compared only when
            # the field is present; an absent field passes, matching the
            # Kubernetes default of false for both.
            =(hostPID): "false"
            =(hostIPC): "false"