1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
kyverno/samples/DisallowHostPIDIPC.md
2019-10-23 15:36:37 -07:00

912 B

Disallow hostPID and hostIPC

Sharing the host's PID namespace allows an application pod to gain visibility of processes on the host, potentially exposing sensitive information. Sharing the host's IPC namespace also allows the container process to communicate with processes on the host.

To avoid pod container from having visibility to host process space, validate that hostPID and hostIPC are set to false.

Policy YAML

disallow_hostpid_hostipc.yaml

apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-hostpid-hostipc
spec:
  rules:
  - name: validate-hostpid-hostipc
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Disallow use of host's pid namespace and host's ipc namespace"
      pattern:
        spec:
          (hostPID): "!true"
          hostIPC: false