Disallow Host Path

HostPath volumes let Pods mount host directories and devices into containers. Host resources can be used to read shared data or to escalate privileges, so such access should not be allowed. This policy ensures that no hostPath volumes are in use.

Policy Definition

/pod-security/baseline/disallow-host-path/disallow-host-path.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      HostPath volumes let Pods use host directories and volumes in containers.
      Using host resources can be used to access shared data or escalate privileges
      and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: host-path
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          HostPath volumes are forbidden. The fields spec.volumes[*].hostPath must not be set.
        pattern:
          spec:
            # Conditional anchor: the check runs only when spec.volumes is present.
            =(volumes):
              # Negation anchor: every volume must NOT carry a hostPath key.
              - X(hostPath): "null"
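To make the pattern's anchors concrete, the following is an added example (not code from the Kyverno project or this policy page) that models in plain Python what the host-path rule evaluates: the `=(volumes)` conditional anchor skips Pods that define no volumes, and the one-element list pattern with `X(hostPath): "null"` rejects a Pod as soon as any volume contains a hostPath key. The helper functions, the sample Pod manifests and their names are constructed for this example; the manifests are written as already-parsed dicts so no YAML library is needed.

```python
# Added example (not part of the Kyverno policy page): a plain-Python model of what the
# disallow-host-path rule's pattern enforces, so its anchors can be checked offline.
#
#   spec:
#     =(volumes):              # conditional anchor: evaluated only if spec.volumes exists
#       - X(hostPath): "null"  # negation anchor: each volume must NOT have a hostPath key
#
# Kyverno applies a one-element list pattern to every element of the resource's list,
# so a Pod violates the rule as soon as any volume carries a hostPath key. Pods that
# define no volumes pass, because the conditional anchor skips the check entirely.
# Helper names and sample manifests below are constructed for this example.

MESSAGE = "HostPath volumes are forbidden. The fields spec.volumes[*].hostPath must not be set."


def host_path_volumes(pod: dict) -> list:
    """Return the names of volumes in `pod` that set hostPath (empty list = compliant).

    Mirrors the pattern: if spec.volumes is present, no element may contain a hostPath
    key. Only key presence matters, exactly like the `X(hostPath): "null"` anchor.
    """
    volumes = pod.get("spec", {}).get("volumes")
    if volumes is None:  # =(volumes): field absent, so the rule does not apply
        return []
    return [v.get("name", "<unnamed>") for v in volumes if "hostPath" in v]


def validate(pod: dict) -> dict:
    """Evaluate one Pod the way the policy's validate rule would and return a report."""
    offending = host_path_volumes(pod)
    return {
        "resource": pod.get("metadata", {}).get("name", "<unnamed>"),
        "result": "fail" if offending else "pass",
        "volumes": offending,
        "message": MESSAGE if offending else "",
    }


# Constructed sample Pods (already parsed from YAML into dicts).
POD_HOSTPATH = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mounts-host-logs"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox",
                        "volumeMounts": [{"name": "varlog", "mountPath": "/host/var/log"}]}],
        "volumes": [
            {"name": "cfg", "configMap": {"name": "app-config"}},
            {"name": "varlog", "hostPath": {"path": "/var/log", "type": "Directory"}},
        ],
    },
}

POD_EMPTYDIR = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "scratch-only"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox"}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}

POD_NO_VOLUMES = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "no-volumes"},
    "spec": {"containers": [{"name": "app", "image": "busybox"}]},
}


def run_samples() -> dict:
    """Validate every sample Pod and return {pod name: pass/fail}."""
    return {r["resource"]: r["result"]
            for r in (validate(p) for p in (POD_HOSTPATH, POD_EMPTYDIR, POD_NO_VOLUMES))}


if __name__ == "__main__":
    for pod in (POD_HOSTPATH, POD_EMPTYDIR, POD_NO_VOLUMES):
        report = validate(pod)
        print(f"{report['resource']:<18} {report['result']:<5} {report['volumes']} {report['message']}")
```

Running the script reports `mounts-host-logs` as a failure (its `varlog` volume sets hostPath) and the other two Pods as passing. Note that the policy above is shipped with `validationFailureAction: audit`, so in a cluster a failing Pod is still admitted and only recorded in the policy report; switching the action to `enforce` makes the admission request itself be rejected with the message shown.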