mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
kyverno/samples/DisallowHostPIDIPC.md
2019-10-23 14:45:27 -07:00


Disallow hostPID and hostIPC

Sharing the host's PID namespace gives a container visibility of the processes on the host, potentially exposing process information.

Sharing the host's IPC namespace allows the container's processes to communicate with processes on the host. To prevent a pod's containers from gaining visibility into the host's process space, validate that hostPID and hostIPC are set to false.

Policy YAML

disallow_hostpid_hostipc.yaml

```yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: validate-hostpid-hostipc
spec:
  rules:
  - name: validate-hostpid-hostipc
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Disallow use of host's pid namespace and host's ipc namespace"
      pattern:
        spec:
          # Equality anchor =(): when the field is present it must equal "false".
          # Pods that leave the field unset (the Kubernetes default, false) pass.
          # A conditional anchor (hostPID): "!true" would instead skip the rule
          # whenever hostPID is true, which is the opposite of the intent.
          =(hostPID): "false"
          =(hostIPC): "false"
```
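To see what the anchor styles actually admit, here is a toy evaluator added for this page (not Kyverno's own code) covering a plain key, the equality anchor `=()` and the conditional anchor `()`, run over constructed pod specs; it goes beyond the policy above by comparing both anchored forms side by side, and the pod names and the skip-on-missing-key behaviour of the conditional anchor are assumptions.

```python
# Added example, not Kyverno's code: toy evaluator for the anchors in this policy.
# Assumption: a conditional anchor on a missing key means the rule does not apply.
ALLOW, DENY = "allow", "deny"

def _leaf_matches(expected, actual):
    # Kyverno compares as strings; a leading '!' in the pattern negates the test
    def norm(v): return str(v).lower() if isinstance(v, bool) else str(v)
    expected = norm(expected)
    if expected.startswith("!"):
        return norm(actual) != expected[1:]
    return norm(actual) == expected

def evaluate(pattern, resource):
    """ALLOW or DENY for one pattern map against one resource map.
    'key': must exist and match; '=(key)': checked only if present;
    '(key)': the rest of this map applies only if the condition matches."""
    for key, expected in pattern.items():
        if key.startswith("(") and key.endswith(")"):
            real = key[1:-1]
            if real not in resource or not _leaf_matches(expected, resource[real]):
                return ALLOW  # condition not met: the rule does not apply
    for key, expected in pattern.items():
        if key.startswith("("):
            continue
        real = key[2:-1] if key.startswith("=(") else key
        if real not in resource:
            if key.startswith("=("):
                continue  # optional field left unset
            return DENY  # required field missing
        if isinstance(expected, dict):
            if evaluate(expected, resource[real]) == DENY:
                return DENY
        elif not _leaf_matches(expected, resource[real]):
            return DENY
    return ALLOW

# constructed pod specs: cluster default, one per host namespace, explicit opt-out
PODS = {
    "default": {"spec": {"containers": [{"name": "app"}]}},
    "host_pid": {"spec": {"hostPID": True, "containers": [{"name": "app"}]}},
    "host_ipc": {"spec": {"hostIPC": True, "containers": [{"name": "app"}]}},
    "explicit_false": {"spec": {"hostPID": False, "hostIPC": False}},
}
EQUALITY_PATTERN = {"spec": {"=(hostPID)": "false", "=(hostIPC)": "false"}}
CONDITIONAL_PATTERN = {"spec": {"(hostPID)": "!true", "hostIPC": False}}

def verdicts(pattern):
    # map each constructed pod to the policy verdict under the given pattern
    return {name: evaluate(pattern, pod) for name, pod in PODS.items()}
```

Under the equality-anchor pattern the two host-namespace pods are denied and the others pass, while the conditional-anchor pattern never denies any of them, because a true hostPID simply fails the condition and the rule is skipped.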