Disallow Host Ports

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` fields are empty.

Policy Definition

/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-host-ports
 5  annotations:
 6    policies.kyverno.io/category: Pod Security Standards (Baseline)
 7    policies.kyverno.io/severity: medium
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/description: >-
10      Access to host ports allows potential snooping of network traffic and should not be
11      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
12      fields are empty.      
13spec:
14  validationFailureAction: audit
15  background: true
16  rules:
17    - name: host-ports
18      match:
19        resources:
20          kinds:
21            - Pod
22      validate:
23        message: >-
24          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
25          and spec.initContainers[*].ports[*].hostPort must be empty.          
26        pattern:
27          spec:
28            =(initContainers):
29              - =(ports):
30                  - X(hostPort): 0
31            containers:
32              - =(ports):
33                  - X(hostPort): 0
34

Create policy issue