mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
# Disallow `hostPID` and `hostIPC`
|
|
|
|
Sharing the host's PID namespace allows an application pod to gain visibility of processes on the host, potentially exposing sensitive information. Sharing the host's IPC namespace also allows the container process to communicate with processes on the host.
|
|
|
|
To avoid pod container from having visibility to host process space, validate that `hostPID` and `hostIPC` are set to `false`.
|
|
|
|
## Policy YAML
|
|
|
|
[disallow_hostpid_hostipc.yaml](best_practices/disallow_hostpid_hostipc.yaml)
|
|
|
|
````yaml
|
|
apiVersion: kyverno.io/v1alpha1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: validate-host-pid-ipc
|
|
annotations:
|
|
policies.kyverno.io/category: Security
|
|
policies.kyverno.io/description: Sharing the host's PID namespace allows visibility of process
|
|
on the host, potentially exposing process information. Sharing the host's IPC namespace allows
|
|
the container process to communicate with processes on the host. To avoid pod container from
|
|
having visibility to host process space, validate that 'hostPID' and 'hostIPC' are set to 'false'.
|
|
spec:
|
|
validationFailureAction: enforce
|
|
rules:
|
|
- name: validate-host-pid-ipc
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: "Use of host PID and IPC namespaces is not allowed"
|
|
pattern:
|
|
spec:
|
|
=(hostPID): "false"
|
|
=(hostIPC): "false"
|
|
````
|