Disallow NodePort
A Kubernetes Service of type NodePort opens the same port on every node in the cluster and accepts traffic to it from any source that can reach a node. A NetworkPolicy selects pods, not nodes, so it cannot restrict who may connect to the node port itself; and with the default `externalTrafficPolicy: Cluster` the client address is replaced by the node's address before the packet reaches the pod, so a pod-level policy keyed on source IP cannot tell external clients apart either. NodePort Services can still be useful, but their use should be limited to Services that sit behind additional upstream controls (a firewall, load balancer, or gateway that does its own filtering). This policy validates that Services do not use the `NodePort` type. As published it runs with `validationFailureAction: audit`, which only reports violations; set it to `enforce` to reject such Services at admission. Note also that a Service of type `LoadBalancer` allocates node ports as well unless `spec.allocateLoadBalancerNodePorts` is set to `false`; this policy checks only `spec.type` and does not cover that case.
Policy Definition
/best-practices/restrict-node-port/restrict-node-port.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-nodeport
  annotations:
    policies.kyverno.io/title: Disallow NodePort
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    policies.kyverno.io/description: >-
      A Kubernetes Service of type NodePort uses a host port to receive traffic from
      any source. A NetworkPolicy cannot be used to control traffic to host ports.
      Although NodePort Services can be useful, their use must be limited to Services
      with additional upstream security checks. This policy validates that any new Services
      do not use the `NodePort` type.
spec:
  # audit only reports violations; change to enforce to reject the Service at admission
  validationFailureAction: audit
  # background: true also reports Services that already exist in the cluster
  background: true
  rules:
    - name: validate-nodeport
      match:
        any:
          - resources:
              kinds:
                - Service
      validate:
        message: "Services of type NodePort are not allowed."
        pattern:
          spec:
            # =(type) is a conditional anchor: the check applies only when spec.type is
            # present, and "!NodePort" rejects that value. A Service with no explicit
            # type defaults to ClusterIP and therefore passes.
            =(type): "!NodePort"
```
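To see what the rule does and does not catch before switching it to `enforce`, the following Kyverno CLI test is an added example and not part of the Kyverno policies repository; the Service names, the file names and the `kyverno test .` layout are assumptions. It exercises four constructed Services: one with no explicit type (defaults to ClusterIP, so the `=(type)` anchor never fires), an explicit ClusterIP, a NodePort, and a LoadBalancer. The LoadBalancer case is expected to pass because the policy matches only on `spec.type`, even though a LoadBalancer Service still allocates node ports by default unless `spec.allocateLoadBalancerNodePorts: false` is set.

```yaml
# kyverno-test.yaml (added example; place it in a directory together with
# restrict-node-port.yaml and the resource.yaml below, then run: kyverno test .)
name: restrict-nodeport
policies:
  - restrict-node-port.yaml
resources:
  - resource.yaml
results:
  - policy: restrict-nodeport
    rule: validate-nodeport
    resource: svc-default-type    # no spec.type: defaults to ClusterIP, anchor skipped
    kind: Service
    result: pass
  - policy: restrict-nodeport
    rule: validate-nodeport
    resource: svc-clusterip
    kind: Service
    result: pass
  - policy: restrict-nodeport
    rule: validate-nodeport
    resource: svc-nodeport        # the case the policy is written for
    kind: Service
    result: fail
  - policy: restrict-nodeport
    rule: validate-nodeport
    resource: svc-loadbalancer    # passes: allocates node ports but spec.type != NodePort
    kind: Service
    result: pass
---
# resource.yaml (constructed sample Services for the test above)
apiVersion: v1
kind: Service
metadata:
  name: svc-default-type
spec:
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: svc-clusterip
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: svc-nodeport
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30080
---
apiVersion: v1
kind: Service
metadata:
  name: svc-loadbalancer
spec:
  type: LoadBalancer
  # omitted here on purpose: without allocateLoadBalancerNodePorts: false this Service
  # also gets a node port, yet the policy reports it as passing
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
```

If the LoadBalancer gap matters in your cluster, a second rule that requires `spec.allocateLoadBalancerNodePorts: false` whenever `spec.type` is `LoadBalancer` closes it; that rule is not part of the published policy.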