mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
1,020 B
1,020 B
Disallow use of bind mounts (hostPath
volumes)
The volume of type hostPath
allows pods to use host bind mounts (i.e. directories and volumes mounted to a host path) in containers. Using host resources can be used to access shared data or escalate priviliges. Also, this couples pods to a specific host and data persisted in the hostPath
volume is coupled to the life of the node leading to potential pod scheduling failures. It is highly recommeded that applications are designed to be decoupled from the underlying infrstructure (in this case, nodes).
Policy YAML
apiVersion: "kyverno.io/v1alpha1"
kind: "ClusterPolicy"
metadata:
name: "disallow-bind-mounts"
spec:
rules:
- name: "validate-hostPath"
match:
resources:
kinds:
- "Pod"
validate:
message: "Host path volumes are not allowed"
pattern:
spec:
volumes:
- X(hostPath): null