All Policies

Disallow Host Namespaces

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`.

Policy Definition

/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-host-namespaces
 5  annotations:
 6    policies.kyverno.io/category: Pod Security Standards (Baseline)
 7    policies.kyverno.io/severity: medium
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/description: >-
10      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
11      network namespace) allow access to shared information and can be used to elevate
12      privileges. Pods should not be allowed access to host namespaces. This policy ensures
13      fields which make use of these host namespaces are set to `false`.      
14spec:
15  validationFailureAction: audit
16  background: true
17  rules:
18    - name: host-namespaces
19      match:
20        resources:
21          kinds:
22            - Pod
23      validate:
24        message: >-
25          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
26          spec.hostIPC, and spec.hostPID must not be set to true.          
27        pattern:
28          spec:
29            =(hostPID): "false"
30            =(hostIPC): "false"
31            =(hostNetwork): "false"
32
Create policy issue