From 5c6a77c47cac6deaec4190d9bf12f6e86315a591 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 13 Oct 2025 11:29:39 -0500
Subject: [PATCH] policy: Add policy to prevent host network usage
The `policy` Kustomize project defines various cluster-wide security policies. Initially, this includes a Validating Admission Policy that prevents pods from using the host's network namespace.
---
 policy/README.md | 30 ++++++++++++++++++++++
 policy/disallow-hostnetwork.yaml | 43 ++++++++++++++++++++++++++++++++
 policy/kustomization.yaml | 5 ++++
 3 files changed, 78 insertions(+)
 create mode 100644 policy/README.md
 create mode 100644 policy/disallow-hostnetwork.yaml
 create mode 100644 policy/kustomization.yaml
diff --git a/policy/README.md b/policy/README.md
new file mode 100644
index 0000000..ea02f41
--- /dev/null
+++ b/policy/README.md
@@ -0,0 +1,30 @@
+# Cluster Policies
+
+## Validating Admission Policy
+
+To enable (prior to Kubernetes v1.30):
+
+1. Add the following to `apiServer.extraArgs` in the `ClusterConfiguration` key
+ of the `kubeadm-config` ConfigMap:
+
+ ```yaml
+ feature-gates: ValidatingAdmissionPolicy=true
+ runtime-config: admissionregistration.k8s.io/v1beta1=true
+ ```
+2. Redeploy the API servers using `kubeadm`:
+
+ ```sh
+ doas kubeadm upgrade apply v1.29.15 --yes
+ ```
+
+
+### disallow-hostnetwork
+
+This policy prevents pods from running in the host's network namespace. This is
+especially important because most nodes are connected to the storage network
+VLAN, so allowing pods to use the host network namespace would give them access
+to the iSCSI LUNs and NFS shares on the NAS.
+
+If a trusted pod needs to run in the host's network namespace, its Kubernetes
+namespace can be listed in the exclusion list of the
+`disallow-hostnetwork-binding` policy binding resource.
diff --git a/policy/disallow-hostnetwork.yaml b/policy/disallow-hostnetwork.yaml
new file mode 100644
index 0000000..370ce35
--- /dev/null
+++ b/policy/disallow-hostnetwork.yaml
@@ -0,0 +1,43 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: disallow-hostnetwork
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ''
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - pods
+ validations:
+ - expression: >-
+ !has(object.spec.hostNetwork) || !object.spec.hostNetwork
+ message: >-
+ Pods must not use hostNetwork: true
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: disallow-hostnetwork-binding
+spec:
+ policyName: disallow-hostnetwork
+ validationActions:
+ - Deny
+ matchResources:
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - calico-system
+ - democratic-csi
+ - keepalived
+ - kube-system
+ - music-assistant
+ - tigera-operator
diff --git a/policy/kustomization.yaml b/policy/kustomization.yaml
new file mode 100644
index 0000000..5972cf7
--- /dev/null
+++ b/policy/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- disallow-hostnetwork.yaml
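Review bot: The `values` list under the `disallow-hostnetwork-binding` namespaceSelector mixes infrastructure namespaces with an application namespace (`music-assistant`), and nothing in the hunk records why each entry needs host networking; every excluded namespace regains exactly the storage-VLAN exposure the README describes, so any principal that can create pods there sidesteps the policy. A one-line comment above each value, e.g. `# hostNetwork required for: <reason> — TODO confirm`, would keep the list reviewable as it grows and make each exclusion easy to revisit. The policy matches only `pods` in the core group, so a Deployment or DaemonSet with `hostNetwork: true` is admitted and only fails later when its controller creates pods; if earlier feedback matters, a follow-up could add `apps`/`batch` resource rules with a template-spec expression, though that is optional. Both objects pin `admissionregistration.k8s.io/v1beta1`, which the README ties to the pre-1.30 feature gate; once the cluster moves past that version the `v1` API is the one to target, so a short comment at the top of the file pointing at the README enablement step would help the next maintainer.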