mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 00:17:13 +00:00
Code Activity
kyverno/samples/DisallowHostFS.md
Jim Bugwadia 733633637e update descriptions...
2019-10-23 15:36:37 -07:00

827 B
Raw Blame History

Disallow use of host filesystem

The volume of type hostpath allows pods to use host directories and volume mounted to a host path. This binds pods to a specific host, and data persisted in the volume is coupled to the life of the node. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).

Policy YAML

disallow_host_filesystem.yaml

apiVersion: "kyverno.io/v1alpha1"
kind: "ClusterPolicy"
metadata: 
  name: "deny-use-of-host-fs"
spec: 
  rules: 
  - name: "deny-use-of-host-fs"
    match: 
      resources: 
        kinds: 
        - "Pod"
    validate: 
      message: "Host path is not allowed"
      pattern: 
        spec: 
          volumes: 
          - X(hostPath): null