mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/samples/DisallowHostPIDIPC.md
Chip Zoller 16dc96b898 manifest fixes; typos; linting
2020-11-11 13:07:01 -05:00

930 B
Raw Blame History

Disallow hostPID and hostIPC

Sharing the host's PID namespace allows an application pod to gain visibility of processes on the host, potentially exposing sensitive information. Sharing the host's IPC namespace also allows the container process to communicate with processes on the host.

To avoid the pod container from having visibility to the host process space, validate that hostPID and hostIPC are set to false.

Policy YAML

disallow_host_pid_ipc.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-pid-ipc
spec:
  validationFailureAction: audit
  rules:
  - name: validate-hostPID-hostIPC
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of host PID and IPC namespaces is not allowed"
      pattern:
        spec:
          =(hostPID): "false"
          =(hostIPC): "false"