Disallow Host Namespaces
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`.
Policy Definition
/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-namespaces
  annotations:
    policies.kyverno.io/title: Disallow Host Namespaces
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: host-namespaces
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
        pattern:
          spec:
            =(hostPID): "false"
            =(hostIPC): "false"
            =(hostNetwork): "false"
```
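The `=(field)` conditional anchor in the pattern above means "if the field is present it must equal the given value; if it is absent the rule passes", which is why a Pod that never mentions `hostPID` is accepted while one that sets it to `true` is reported. The following stand-alone evaluator is an added example, not part of the Kyverno policy library; it reproduces that anchor semantics in plain Python over constructed sample Pod manifests so the policy's behaviour can be seen without a cluster. The function names and the sample Pods are assumptions made for this illustration.

```python
# Added example: a toy evaluator mirroring the Kyverno pattern
#   spec:
#     =(hostPID): "false"
#     =(hostIPC): "false"
#     =(hostNetwork): "false"
# This is NOT Kyverno; it only models the `=(field)` anchor: a field that is
# present must be False, a field that is absent is accepted.
# All Pod manifests below are constructed sample inputs, not from the page.

HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def check_host_namespaces(pod: dict) -> list[str]:
    """Return the spec fields that violate the disallow-host-namespaces rule.

    A field violates when it is present in spec and its value is not the
    boolean False. Absent fields pass, like the `=(...)` conditional anchor.
    A string "false" in a real Pod spec would be rejected by the API server's
    schema validation; here it is treated as a violation, which is the
    conservative choice.
    """
    spec = pod.get("spec", {})
    violations = []
    for field in HOST_NAMESPACE_FIELDS:
        if field in spec and spec[field] is not False:
            violations.append(f"spec.{field}")
    return violations


def evaluate(pod: dict) -> str:
    """Produce a pass/fail verdict echoing the policy's validate.message."""
    bad = check_host_namespaces(pod)
    if not bad:
        return "pass"
    return ("fail: Sharing the host namespaces is disallowed; "
            "offending fields: " + ", ".join(bad))


# Constructed sample Pods (hypothetical, for illustration only).
_CONTAINERS = [{"name": "app", "image": "nginx"}]

POD_UNSET = {"apiVersion": "v1", "kind": "Pod",
             "metadata": {"name": "fields-unset"},
             "spec": {"containers": _CONTAINERS}}

POD_EXPLICIT_FALSE = {"apiVersion": "v1", "kind": "Pod",
                      "metadata": {"name": "fields-false"},
                      "spec": {"hostPID": False, "hostIPC": False,
                               "hostNetwork": False,
                               "containers": _CONTAINERS}}

POD_HOST_PID = {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": "shares-host-pid-and-net"},
                "spec": {"hostPID": True, "hostNetwork": True,
                         "containers": _CONTAINERS}}

if __name__ == "__main__":
    for pod in (POD_UNSET, POD_EXPLICIT_FALSE, POD_HOST_PID):
        print(pod["metadata"]["name"], "->", evaluate(pod))
```

Running the block reports `pass` for the first two Pods and a failure naming `spec.hostPID` and `spec.hostNetwork` for the third. In the policy as shipped, `validationFailureAction: audit` means such a failure is only recorded in a policy report; switching it to `enforce` makes the admission request be rejected instead.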