Block Ephemeral Containers

Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the `kubectl debug` functionality and attach a temporary container to an existing Pod. This can potentially be used to gain unauthorized access to information inside one or more of the containers running in that Pod. This policy blocks the use of ephemeral containers.

Policy Definition

/other/block-ephemeral-containers/block-ephemeral-containers.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-ephemeral-containers
  annotations:
    policies.kyverno.io/title: Block Ephemeral Containers
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Ephemeral containers, enabled by default in Kubernetes 1.23, allow users to use the
      `kubectl debug` functionality and attach a temporary container to an existing Pod.
      This may potentially be used to gain access to unauthorized information executing inside
      one or more containers in that Pod. This policy blocks the use of ephemeral containers.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: block-ephemeral-containers
    match:
      any:
      - resources:
          kinds:
            - Pod
    validate:
      message: "Ephemeral (debug) containers are not permitted."
      pattern:
        spec:
          X(ephemeralContainers): "null"
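To show what the `X(ephemeralContainers): "null"` pattern above actually decides, here is an added example (not Kyverno's code and not part of the policy repository) that evaluates the subset of Kyverno's `validate.pattern` syntax this policy uses, nested maps, scalar wildcards and the `X()` negation anchor, against constructed Pod manifests; the sample Pods and the `matches_pattern`/`validate` helpers are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase

# Pattern and message copied from the policy on this page.
POLICY_PATTERN = {"spec": {"X(ephemeralContainers)": "null"}}
MESSAGE = "Ephemeral (debug) containers are not permitted."

# X(key) is Kyverno's negation anchor: the key must not be present.
NEGATION_ANCHOR = re.compile(r"^X\((.+)\)$")


def matches_pattern(resource, pattern):
    """True when `resource` satisfies `pattern` (subset of Kyverno semantics)."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for key, sub in pattern.items():
            anchored = NEGATION_ANCHOR.match(key)
            if anchored:
                # The anchored key must be absent; its mere presence (even as
                # an empty list) violates the pattern, whatever the value.
                if anchored.group(1) in resource:
                    return False
                continue
            # A plain pattern key that the resource lacks is a failure.
            if key not in resource or not matches_pattern(resource[key], sub):
                return False
        return True
    # Scalars: compare as strings with Kyverno-style wildcards (* and ?).
    return fnmatchcase(str(resource), str(pattern))


def validate(pod):
    """Return (allowed, message) for one Pod manifest under this policy."""
    if matches_pattern(pod, POLICY_PATTERN):
        return True, ""
    return False, MESSAGE


# Constructed sample manifests (hypothetical, not from the page).
PLAIN_POD = {"kind": "Pod", "metadata": {"name": "web"},
             "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}}
DEBUGGED_POD = {"kind": "Pod", "metadata": {"name": "web"},
                "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}],
                         "ephemeralContainers": [{"name": "debugger", "image": "busybox"}]}}
EMPTY_LIST_POD = {"kind": "Pod", "metadata": {"name": "web"},
                  "spec": {"containers": [], "ephemeralContainers": []}}

if __name__ == "__main__":
    for pod in (PLAIN_POD, DEBUGGED_POD, EMPTY_LIST_POD):
        print(pod["metadata"]["name"], validate(pod))
```

Note that the policy as shipped sets `validationFailureAction: audit`, so Kyverno only records violations in policy reports; changing it to `enforce` is what makes the admission request be rejected.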