Update disallow-host-path
Based on disallow-host-path.
Not much seems to have changed here. `policies.kyverno.io/subject` is now `Pod,Volume` instead of just `Pod`, `failurePolicy` is set, and the `message` was adjusted slightly. `helm template` gave me this:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
  annotations:
    policies.kyverno.io/title: Disallow hostPath
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod,Volume
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      HostPath volumes let Pods use host directories and volumes in containers.
      Using host resources can be used to access shared data or escalate privileges
      and should not be allowed. This policy ensures no hostPath volumes are in use.
  labels:
    app.kubernetes.io/component: kyverno
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: kyverno-policies
    app.kubernetes.io/part-of: kyverno-policies
    app.kubernetes.io/version: "3.2.6"
    helm.sh/chart: kyverno-policies-3.2.6
spec:
  validationFailureAction: Audit
  background: true
  failurePolicy: Fail
  rules:
    - name: host-path
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
        pattern:
          spec:
            =(volumes):
              - X(hostPath): "null"
```
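As an added illustration (not part of the PR or of Kyverno itself), the following is a minimal emulation of how the `validate.pattern` above treats a Pod spec: the `=(volumes)` conditional anchor only applies when `volumes` is present, and the `X(hostPath)` negation anchor rejects any volume entry that carries a `hostPath` key. The sample Pods are constructed; the real Kyverno engine handles far more than this single rule.

```python
import re
from typing import Any, Optional

# The pattern from the rendered policy, written as a Python structure.
PATTERN = {"spec": {"=(volumes)": [{"X(hostPath)": "null"}]}}
MESSAGE = ("HostPath volumes are forbidden. The field "
           "spec.volumes[*].hostPath must be unset.")
ANCHOR = re.compile(r"^(=|X)\((.+)\)$")  # =(key) conditional, X(key) negation


def matches(pattern: Any, resource: Any) -> bool:
    """True when `resource` satisfies `pattern` (simplified Kyverno semantics)."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            m = ANCHOR.match(key)
            if m:
                kind, name = m.groups()
                if kind == "X":            # negation anchor: key must be absent
                    if name in resource:
                        return False
                    continue
                if name not in resource:   # conditional anchor: absent -> not applicable
                    continue
                key = name
            elif key not in resource:      # plain key must exist
                return False
            if not matches(sub, resource[key]):
                return False
        return True
    if isinstance(pattern, list):
        # A one-element list pattern must hold for every element of the resource list.
        return isinstance(resource, list) and all(matches(pattern[0], i) for i in resource)
    return pattern == resource


def validate_pod(pod: dict) -> Optional[str]:
    """Return the policy's failure message, or None when the Pod passes."""
    return None if matches(PATTERN, pod) else MESSAGE


# Constructed sample Pods (hypothetical, for demonstration only).
_base = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}}
_ctr = [{"name": "app", "image": "busybox"}]
HOSTPATH_POD = {**_base, "spec": {"containers": _ctr,
                "volumes": [{"name": "h", "hostPath": {"path": "/etc"}}]}}
EMPTYDIR_POD = {**_base, "spec": {"containers": _ctr,
                "volumes": [{"name": "tmp", "emptyDir": {}}]}}
NO_VOLUMES_POD = {**_base, "spec": {"containers": _ctr}}
MIXED_POD = {**_base, "spec": {"containers": _ctr, "volumes": [
             {"name": "tmp", "emptyDir": {}},
             {"name": "h", "hostPath": {"path": "/var/run"}}]}}
```

Note that with `validationFailureAction: Audit` the real policy only records these violations in PolicyReports; switching to `Enforce` is what would actually block the admission request.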