All Policies
Disallow Host Namespaces
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`.
Policy Definition
/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: disallow-host-namespaces
5 annotations:
6 policies.kyverno.io/category: Pod Security Standards (Baseline)
7 policies.kyverno.io/severity: medium
8 policies.kyverno.io/subject: Pod
9 policies.kyverno.io/description: >-
10 Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
11 network namespace) allow access to shared information and can be used to elevate
12 privileges. Pods should not be allowed access to host namespaces. This policy ensures
13 fields which make use of these host namespaces are set to `false`.
14spec:
15 validationFailureAction: audit
16 background: true
17 rules:
18 - name: host-namespaces
19 match:
20 resources:
21 kinds:
22 - Pod
23 validate:
24 message: >-
25 Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
26 spec.hostIPC, and spec.hostPID must not be set to true.
27 pattern:
28 spec:
29 =(hostPID): "false"
30 =(hostIPC): "false"
31 =(hostNetwork): "false"
32