Require Default Proc Mount
The default /proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procMount can be specified.
Policy Definition
/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-default-proc-mount
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The default /proc masks are set up to reduce attack surface and should be required. This policy
      ensures nothing but the default procMount can be specified.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: check-proc-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Changing the proc mount from the default is not allowed. The fields
        spec.containers[*].securityContext.procMount and
        spec.initContainers[*].securityContext.procMount must not be changed
        from `Default`.
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(procMount): "Default"
          containers:
          - =(securityContext):
              =(procMount): "Default"
```
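The pattern above relies on two Kyverno matching features: the conditional anchor `=(key)`, which only constrains a field when the resource actually sets it, and a one-element pattern list, which every element of the resource list must satisfy. The following is an added example, not code from this page or from the Kyverno project: a small model of those two semantics run against constructed Pod specs, so you can see which Pods the rule accepts (no `securityContext`, or `procMount: Default`) and which it flags (`Unmasked` on any container or init container, including a second container in the list). Real evaluation is done by the Kyverno admission controller or `kyverno apply`; the helper names here are assumptions of the example.

```python
# Added example: a minimal model of the Kyverno pattern semantics used by
# require-default-proc-mount (conditional anchors, one-element list patterns),
# evaluated against constructed Pod specs. Not Kyverno's own code.

PATTERN = {
    "spec": {
        "=(initContainers)": [
            {"=(securityContext)": {"=(procMount)": "Default"}}
        ],
        "containers": [
            {"=(securityContext)": {"=(procMount)": "Default"}}
        ],
    }
}

MESSAGE = (
    "Changing the proc mount from the default is not allowed. The fields "
    "spec.containers[*].securityContext.procMount and "
    "spec.initContainers[*].securityContext.procMount must not be changed "
    "from `Default`."
)


def _strip_anchor(key):
    """Split '=(name)' into ('name', True); a plain key returns (key, False).

    A conditional anchor means the sub-pattern applies only if the key is
    present in the resource. A plain key must be present AND match.
    """
    if key.startswith("=(") and key.endswith(")"):
        return key[2:-1], True
    return key, False


def matches(pattern, resource):
    """Subset match of `resource` against `pattern`, Kyverno-style."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return False
        for raw_key, sub_pattern in pattern.items():
            key, conditional = _strip_anchor(raw_key)
            if key not in resource:
                if conditional:
                    continue          # anchor not triggered, nothing to check
                return False          # required key absent
            if not matches(sub_pattern, resource[key]):
                return False
        return True
    if isinstance(pattern, list):
        # A one-element pattern list constrains every element of the
        # resource list (the only list form this policy uses).
        if not isinstance(resource, list):
            return False
        return all(matches(pattern[0], item) for item in resource)
    return pattern == resource        # scalar: exact value match


def evaluate(pod):
    """Return None if the Pod passes the rule, otherwise the rule's message."""
    return None if matches(PATTERN, pod) else MESSAGE


def _pod(containers, init_containers=None):
    """Build a minimal Pod manifest (hypothetical helper for the samples)."""
    spec = {"containers": containers}
    if init_containers is not None:
        spec["initContainers"] = init_containers
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo"}, "spec": spec}


# Constructed sample Pods (not taken from the page).
SAMPLE_PODS = {
    # securityContext omitted: the conditional anchor never fires -> pass
    "no-securitycontext": _pod([{"name": "app", "image": "nginx"}]),
    # procMount explicitly Default -> pass
    "explicit-default": _pod([{"name": "app", "image": "nginx",
                               "securityContext": {"procMount": "Default"}}]),
    # Unmasked on a regular container -> violation
    "unmasked-container": _pod([{"name": "app", "image": "nginx",
                                 "securityContext": {"procMount": "Unmasked"}}]),
    # containers fine, but an init container sets Unmasked -> violation
    "unmasked-init": _pod(
        [{"name": "app", "image": "nginx"}],
        init_containers=[{"name": "init", "image": "busybox",
                          "securityContext": {"procMount": "Unmasked"}}]),
    # only the second of two containers is Unmasked: every element is checked
    "second-container-unmasked": _pod([
        {"name": "app", "image": "nginx",
         "securityContext": {"runAsNonRoot": True}},
        {"name": "sidecar", "image": "busybox",
         "securityContext": {"procMount": "Unmasked"}}]),
}


if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(f"{name}: {'pass' if evaluate(pod) is None else 'FAIL'}")
```

Two practical notes. As published, the policy uses `validationFailureAction: audit`, so a Pod with `procMount: Unmasked` is admitted and only recorded in a PolicyReport; change it to `enforce` to have the API server reject the Pod. Also, because `containers` is a plain key rather than an anchored one, a `spec` without `containers` fails the pattern, which is harmless for Pods (the API server rejects them anyway) but worth knowing if you reuse the pattern elsewhere.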