mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
kyverno/test/best_practices/disallow_bind_mounts.yaml
Charles-Edouard Brétéché 7562bea6db
chore: apply policy fixes (#8427)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-09-17 22:24:26 +00:00


---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: The volume of type `hostPath` allows pods to
      use host bind mounts (i.e. directories and volumes mounted to a host path) in
      containers. Using host resources can be used to access shared data or escalate
      privileges. Also, this couples pods to a specific host and data persisted in
      the `hostPath` volume is coupled to the life of the node leading to potential
      pod scheduling failures. It is highly recommended that applications are designed
      to be decoupled from the underlying infrastructure (in this case, nodes).
  name: disallow-bind-mounts
spec:
  admission: true
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-hostPath
    validate:
      message: Host path volumes are not allowed
      pattern:
        spec:
          =(volumes):
          - X(hostPath): "null"
  validationFailureAction: Audit
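To make the anchor syntax concrete, the following is an added example (not code from the Kyverno repository) that re-implements what the `validate-hostPath` pattern checks against plain Pod manifests: the `=(volumes)` conditional anchor means the rule only applies when `spec.volumes` exists, and the `X(hostPath)` negation anchor means no volume entry may carry a `hostPath` key. The sample Pods, the function names and the emulated Audit/Enforce decision are all constructed here for illustration and are not part of the policy file.

```python
"""Added example: a minimal emulation of the disallow-bind-mounts pattern.

Assumed Kyverno pattern semantics (documented anchors, restated here):
  =(volumes)           conditional anchor: apply only if `spec.volumes` exists
  - X(hostPath): ...   negation anchor: no list entry may contain `hostPath`
"""

from typing import Any

# The message from the policy file's validate.message field.
POLICY_MESSAGE = "Host path volumes are not allowed"


def hostpath_volumes(pod: dict[str, Any]) -> list[str]:
    """Return names of entries in `spec.volumes` that declare `hostPath`.

    No `volumes` list means nothing to check (the =() anchor does not fire);
    any entry carrying a `hostPath` key violates the X() anchor.
    """
    volumes = pod.get("spec", {}).get("volumes")
    if not volumes:
        return []
    return [
        v.get("name", "<unnamed>")
        for v in volumes
        if isinstance(v, dict) and "hostPath" in v
    ]


def evaluate(pod: dict[str, Any], failure_action: str = "Audit") -> dict[str, Any]:
    """Emulate the admission outcome for one Pod.

    With validationFailureAction: Audit (the setting in this policy file) a
    violation is reported but the Pod is still admitted; with Enforce it is
    rejected. `failure_action` is a constructed parameter for this example.
    """
    offenders = hostpath_volumes(pod)
    passed = not offenders
    return {
        "rule": "validate-hostPath",
        "passed": passed,
        "message": "" if passed else f"{POLICY_MESSAGE}: {', '.join(offenders)}",
        "admitted": passed or failure_action == "Audit",
    }


# Constructed sample Pods (not taken from the page).
POD_WITH_HOSTPATH = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "log-reader"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox"}],
        "volumes": [
            {"name": "scratch", "emptyDir": {}},
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
        ],
    },
}

POD_WITH_EMPTYDIR = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "worker"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox"}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}

POD_WITHOUT_VOLUMES = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "plain"},
    "spec": {"containers": [{"name": "app", "image": "busybox"}]},
}


if __name__ == "__main__":
    for pod in (POD_WITH_HOSTPATH, POD_WITH_EMPTYDIR, POD_WITHOUT_VOLUMES):
        for action in ("Audit", "Enforce"):
            print(pod["metadata"]["name"], action, evaluate(pod, action))
```

Running the script shows the practical consequence of `validationFailureAction: Audit`: the `log-reader` Pod with a `/var/log` bind mount fails the rule but is still admitted, and only switching the action to Enforce turns the finding into a rejection. Pods with no `volumes` list, or only `emptyDir` volumes, pass under both modes.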