All Policies

Disallow Host Namespaces

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`.

Policy Definition

/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-host-namespaces
 5  annotations:
 6    policies.kyverno.io/title: Disallow Host Namespaces
 7    policies.kyverno.io/category: Pod Security Standards (Baseline)
 8    policies.kyverno.io/severity: medium
 9    kyverno.io/kyverno-version: 1.6.0
10    kyverno.io/kubernetes-version: "1.22-1.23"
11    policies.kyverno.io/subject: Pod
12    policies.kyverno.io/description: >-
13      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
14      network namespace) allow access to shared information and can be used to elevate
15      privileges. Pods should not be allowed access to host namespaces. This policy ensures
16      fields which make use of these host namespaces are unset or set to `false`.      
17spec:
18  validationFailureAction: audit
19  background: true
20  rules:
21    - name: host-namespaces
22      match:
23        any:
24        - resources:
25            kinds:
26              - Pod
27      validate:
28        message: >-
29          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
30          spec.hostIPC, and spec.hostPID must be unset or set to `false`.          
31        pattern:
32          spec:
33            =(hostPID): "false"
34            =(hostIPC): "false"
35            =(hostNetwork): "false"