Update disallow-host-ports
Based on disallow-host-ports.
Hier gibt es wieder ein paar mehr Änderungen. Abgesehen davon dass failurePolicy: Fail gesetzt wurde (wie bei !103 und !104 (merged)) hat sich der Name auf host-ports-none geändert. Außerdem sind ephemeralContainers dazu gekommen und in der Spec wird =(hostPort) statt X(hostPort) benutzt.
helm template hat bei mir das ergeben:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-ports
annotations:
policies.kyverno.io/title: Disallow hostPorts
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is unset or set to `0`.
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: release-name
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-policies
app.kubernetes.io/part-of: kyverno-policies
app.kubernetes.io/version: "3.2.6"
helm.sh/chart: kyverno-policies-3.2.6
spec:
validationFailureAction: Audit
background: true
failurePolicy: Fail
rules:
- name: host-ports-none
match:
any:
- resources:
kinds:
- Pod
validate:
message: >-
Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
, spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
must either be unset or set to `0`.
pattern:
spec:
=(ephemeralContainers):
- =(ports):
- =(hostPort): 0
=(initContainers):
- =(ports):
- =(hostPort): 0
containers:
- =(ports):
- =(hostPort): 0