mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
29 lines
930 B
YAML
29 lines
930 B
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
annotations:
|
|
policies.kyverno.io/category: Workload Isolation
|
|
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility
|
|
of process on the host, potentially exposing process information. Sharing the
|
|
host's IPC namespace allows the container process to communicate with processes
|
|
on the host. To avoid pod container from having visibility to host process space,
|
|
validate that 'hostPID' and 'hostIPC' are set to 'false'.
|
|
name: disallow-host-pid-ipc
|
|
spec:
|
|
admission: true
|
|
background: true
|
|
rules:
|
|
- match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
name: validate-hostPID-hostIPC
|
|
validate:
|
|
message: Use of host PID and IPC namespaces is not allowed
|
|
pattern:
|
|
spec:
|
|
=(hostIPC): "false"
|
|
=(hostPID): "false"
|
|
validationFailureAction: Audit
|