mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
kyverno/samples/DisallowDockerSockMount.md
2019-11-01 15:23:42 -07:00

# Disallow Docker socket bind mount

The Docker socket bind mount allows access to the Docker daemon on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed.

## Policy YAML

`disallow_docker_sock_mount.yaml`

```yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: disallow-docker-sock-mount
  annotations:
    policies.kyverno.io/category: Security
    policies.kyverno.io/description: The Docker socket bind mount allows access to the
      Docker daemon on the node. This access can be used for privilege escalation and
      to manage containers outside of Kubernetes, and hence should not be allowed.
spec:
  rules:
  - name: validate-docker-sock-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of the Docker Unix socket is not allowed"
      pattern:
        spec:
          # =() is a conditional anchor: the element is validated only when it
          # exists, so Pods without volumes (or without hostPath volumes) pass.
          =(volumes):
          # spec.volumes is a list, so the pattern is a list as well; its single
          # map element is applied to every volume.
          - =(hostPath):
              # "!" negates the match: a hostPath whose path is the Docker
              # socket fails validation.
              path: "!/var/run/docker.sock"
```
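To see what the rule accepts and rejects, here is an added example (not Kyverno's engine or the project's own code) that models the pattern's semantics, the `=()` conditional anchors and the `!` negation, over constructed Pod manifests so the outcome can be checked offline:

```python
"""Offline model of the disallow-docker-sock-mount rule.
Constructed example, not Kyverno's own engine: it mirrors the semantics of the
sample pattern (=() conditional anchors and the "!" negation) so the effect of
the policy on a Pod manifest can be checked without a cluster."""
from typing import Any, Dict, List, Optional

DOCKER_SOCK = "/var/run/docker.sock"
MESSAGE = "Use of the Docker Unix socket is not allowed"


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return violation messages; an empty list means the Pod passes.

    =(volumes):   evaluated only when spec.volumes exists
    =(hostPath):  evaluated only for volumes that define hostPath
    path: "!...": fails when the path equals the Docker socket
    """
    violations: List[str] = []
    volumes = pod.get("spec", {}).get("volumes") or []   # conditional anchor
    for idx, vol in enumerate(volumes):
        host_path = vol.get("hostPath")
        if host_path is None:  # conditional anchor: non-hostPath volumes are skipped
            continue
        if host_path.get("path") == DOCKER_SOCK:
            violations.append(f"spec.volumes[{idx}] ({vol.get('name')}): {MESSAGE}")
    return violations


def make_pod(volumes: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Build a minimal Pod manifest (constructed sample input)."""
    spec: Dict[str, Any] = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
    if volumes is not None:
        spec["volumes"] = volumes
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sample"}, "spec": spec}


# Constructed Pods covering each branch of the pattern.
POD_NO_VOLUMES = make_pod()
POD_EMPTYDIR = make_pod([{"name": "scratch", "emptyDir": {}}])
POD_HOSTPATH_OK = make_pod([{"name": "logs", "hostPath": {"path": "/var/log"}}])
POD_DOCKER_SOCK = make_pod([
    {"name": "scratch", "emptyDir": {}},
    {"name": "docker", "hostPath": {"path": DOCKER_SOCK, "type": "Socket"}},
])

if __name__ == "__main__":
    for name, pod in [("no-volumes", POD_NO_VOLUMES), ("emptydir", POD_EMPTYDIR),
                      ("hostpath-ok", POD_HOSTPATH_OK), ("docker-sock", POD_DOCKER_SOCK)]:
        print(name, check_pod(pod) or "pass")
```

Like the pattern, the model compares the literal path string, so only hostPath volumes whose path is exactly `/var/run/docker.sock` are flagged.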