All Policies
Disallow Host Ports
Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` fields are empty.
Policy Definition
/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: disallow-host-ports
5 annotations:
6 policies.kyverno.io/category: Pod Security Standards (Baseline)
7 policies.kyverno.io/severity: medium
8 policies.kyverno.io/subject: Pod
9 policies.kyverno.io/description: >-
10 Access to host ports allows potential snooping of network traffic and should not be
11 allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
12 fields are empty.
13spec:
14 validationFailureAction: audit
15 background: true
16 rules:
17 - name: host-ports
18 match:
19 resources:
20 kinds:
21 - Pod
22 validate:
23 message: >-
24 Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
25 and spec.initContainers[*].ports[*].hostPort must be empty.
26 pattern:
27 spec:
28 =(initContainers):
29 - =(ports):
30 - X(hostPort): 0
31 containers:
32 - =(ports):
33 - X(hostPort): 0
34