All Policies
Disallow Host Path
HostPath volumes let Pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use.
Policy Definition
/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: disallow-host-path
5 annotations:
6 policies.kyverno.io/category: Pod Security Standards (Baseline)
7 policies.kyverno.io/severity: medium
8 policies.kyverno.io/subject: Pod
9 policies.kyverno.io/description: >-
10 HostPath volumes let Pods use host directories and volumes in containers.
11 Using host resources can be used to access shared data or escalate privileges
12 and should not be allowed. This policy ensures no hostPath volumes are in use.
13spec:
14 validationFailureAction: audit
15 background: true
16 rules:
17 - name: host-path
18 match:
19 resources:
20 kinds:
21 - Pod
22 validate:
23 message: >-
24 HostPath volumes are forbidden. The fields spec.volumes[*].hostPath must not be set.
25 pattern:
26 spec:
27 =(volumes):
28 - X(hostPath): "null"
29