mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
Restrict service type NodePort
A Kubernetes service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy
resource cannot be used to control traffic to host ports. Although NodePort
services can be useful, their use must be limited to services with additional upstream security checks.
Policy YAML
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: disallow-node-port
spec:
  rules:
  - name: disallow-node-port
    match:
      resources:
        kinds:
        - Service
    validate:
      message: "Disallow service of type NodePort"
      pattern:
        spec:
          type: "!NodePort"
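To make the pattern semantics concrete, here is an added example (not Kyverno's own code) that re-implements just the subset of pattern matching this policy relies on, nested maps plus the leading "!" negation, and runs it over constructed Service manifests; the function names and sample manifests are this example's own.

```python
"""Minimal evaluator for the disallow-node-port validate pattern.

Added example, not Kyverno's engine: it covers only the pattern features the
page's policy uses (nested maps and the "!" negation operator). Helper names
and sample manifests are constructed for this example.
"""

# The pattern from the page's ClusterPolicy, as a Python dict.
DISALLOW_NODE_PORT_PATTERN = {"spec": {"type": "!NodePort"}}
MESSAGE = "Disallow service of type NodePort"


def match_scalar(pattern: str, value) -> bool:
    """Scalar match: a leading '!' negates an exact string comparison."""
    if pattern.startswith("!"):
        return str(value) != pattern[1:]
    return str(value) == pattern


def match_pattern(pattern, resource) -> bool:
    """Recursively check that `resource` satisfies `pattern`.

    A key present in the pattern but absent from the resource fails closed
    here. For this policy that case does not arise at admission time: the API
    server defaults spec.type to ClusterIP before webhooks see the object.
    """
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        return all(key in resource and match_pattern(sub, resource[key])
                   for key, sub in pattern.items())
    return match_scalar(str(pattern), resource)


def validate_service(service: dict) -> tuple:
    """Return (allowed, message) for one manifest, mirroring the rule's match block."""
    if service.get("kind") != "Service":
        return True, "not a Service; rule does not match"
    if match_pattern(DISALLOW_NODE_PORT_PATTERN, service):
        return True, "ok"
    return False, MESSAGE


# Constructed sample manifests, already defaulted as the API server would.
SAMPLE_SERVICES = [
    {"kind": "Service", "metadata": {"name": "web"}, "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"kind": "Service", "metadata": {"name": "debug"}, "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}},
    {"kind": "Service", "metadata": {"name": "lb"}, "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        allowed, msg = validate_service(svc)
        print(f"{svc['metadata']['name']}: {'allowed' if allowed else 'denied'} ({msg})")
```

Running it denies only the "debug" Service, the one whose spec.type is NodePort, while ClusterIP and LoadBalancer Services pass.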