Require Default Proc Mount

The default /proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procMount can be specified.

Policy Definition

/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-default-proc-mount
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The default /proc masks are set up to reduce attack surface and should be required. This policy
      ensures nothing but the default procMount can be specified.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: check-proc-mount
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: >-
          Changing the proc mount from the default is not allowed. The fields
          spec.containers[*].securityContext.procMount and
          spec.initContainers[*].securityContext.procMount must not be changed
          from `Default`.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(procMount): "Default"
            containers:
              - =(securityContext):
                  =(procMount): "Default"
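As an added example that is not part of the policy page or of Kyverno itself, the Python below re-implements what the pattern above enforces for the two fields the rule names: the `=()` conditional anchors make `initContainers`, `securityContext` and `procMount` optional, so a container that omits them passes, while any `procMount` that is present must equal `Default`. It runs the check over two constructed Pod manifests, one compliant and one whose init container requests `Unmasked`.

```python
"""Reference check for the require-default-proc-mount pattern semantics.

Mirrors the Kyverno pattern: every element of spec.containers and of the
optional spec.initContainers list is inspected; a missing securityContext
or a missing procMount key is compliant (conditional anchor does not fire),
and a procMount that is set must be exactly "Default".
"""


def violating_proc_mounts(pod: dict) -> list[str]:
    """Return the location of every procMount that is not 'Default'."""
    spec = pod.get("spec", {})
    violations = []
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(spec.get(field) or []):
            security_context = container.get("securityContext")
            if not security_context or "procMount" not in security_context:
                continue  # key absent: the =() anchor makes it optional
            value = security_context["procMount"]
            if value != "Default":
                violations.append(
                    f"spec.{field}[{idx}].securityContext.procMount={value!r}"
                )
    return violations


def is_compliant(pod: dict) -> bool:
    """True when the Pod would pass the check-proc-mount rule."""
    return not violating_proc_mounts(pod)


# Constructed sample manifests (hypothetical, not taken from the page).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"runAsNonRoot": True}},  # no procMount key
        ],
        "containers": [
            {"name": "app", "image": "nginx"},  # no securityContext at all
            {"name": "sidecar", "image": "busybox",
             "securityContext": {"procMount": "Default"}},
        ],
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "busybox",
             "securityContext": {"procMount": "Unmasked"}},
        ],
        "containers": [{"name": "app", "image": "nginx"}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        name = pod["metadata"]["name"]
        print(name, "pass" if is_compliant(pod) else violating_proc_mounts(pod))
```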