mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/samples/RestrictNodePort.md
2019-11-11 18:21:16 -08:00


# Restrict use of NodePort services

A Kubernetes service of type NodePort uses a host port (on every node in the cluster) to receive traffic from any source.

Kubernetes Network Policies cannot be used to control traffic to host ports.

Although NodePort services can be useful, their use should be limited to services with additional upstream security checks.

## Policy YAML

restrict_node_port.yaml

```yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: restrict-node-port
spec:
  rules:
  - name: validate-node-port
    match:
      resources:
        kinds:
        - Service
    validate:
      message: "Service of type NodePort is not allowed"
      pattern:
        spec:
          type: "!NodePort"
```
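To see which manifests the rule above admits and which it rejects without a cluster, here is an added example that is not part of the Kyverno repository: a small Python re-implementation of the subset of Kyverno's `validate.pattern` semantics this policy relies on (nested mappings, exact string match, and the `!` negation prefix), run over constructed Service manifests. The function names (`pattern_matches`, `validate_service`) and the sample manifests are assumptions made for this example, not Kyverno's engine or API.

```python
# Illustrative re-implementation of the pattern check used by
# restrict_node_port.yaml. It is NOT Kyverno's engine: it supports only the
# constructs this policy needs (nested mappings, exact scalars, "!" negation).
from typing import Any, Tuple

# Hypothetical names mirroring the policy's validate block.
POLICY_PATTERN = {"spec": {"type": "!NodePort"}}
POLICY_MESSAGE = "Service of type NodePort is not allowed"


def pattern_matches(resource: Any, pattern: Any) -> bool:
    """Return True when `resource` satisfies `pattern`.

    Simplified Kyverno semantics:
    - every key of a mapping in the pattern must exist in the resource and
      its value must match recursively; a missing key fails the check;
    - a string starting with "!" matches when the resource value differs
      from the remainder of the string;
    - any other scalar must equal the resource value.
    """
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub_pattern in pattern.items():
            if key not in resource:
                return False
            if not pattern_matches(resource[key], sub_pattern):
                return False
        return True
    if isinstance(pattern, str) and pattern.startswith("!"):
        return str(resource) != pattern[1:]
    return resource == pattern


def validate_service(resource: dict) -> Tuple[bool, str]:
    """Admission decision for one manifest: (allowed, message).

    The rule's `match` clause only selects kind: Service, so any other kind
    is allowed untouched, exactly as the policy would ignore it.
    """
    if resource.get("kind") != "Service":
        return True, ""
    if pattern_matches(resource, POLICY_PATTERN):
        return True, ""
    return False, POLICY_MESSAGE


# Constructed sample manifests, shaped as the API server hands them to an
# admission webhook (spec.type is already defaulted, so it is always present).
NODEPORT_SVC = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "web-nodeport"},
    "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]},
}
CLUSTERIP_SVC = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "web-internal"},
    "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
}
LOADBALANCER_SVC = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "web-public"},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
}
DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"replicas": 1},
}

if __name__ == "__main__":
    for manifest in (NODEPORT_SVC, CLUSTERIP_SVC, LOADBALANCER_SVC, DEPLOYMENT):
        allowed, message = validate_service(manifest)
        verdict = "allowed" if allowed else f"denied: {message}"
        print(f"{manifest['kind']}/{manifest['metadata']['name']}: {verdict}")
```

Note that the pattern inspects only `spec.type`, so a `LoadBalancer` Service passes this policy even though many cloud providers still allocate node ports behind a load balancer by default; if that exposure matters in your environment, it needs a separate rule.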