---
# Admission guardrail: reject Pods that ask to share the node's network
# namespace (spec.hostNetwork: true).
# Scope note: only hostNetwork is checked here. Other host-level fields
# (hostPID, hostIPC, container hostPort) are not covered by this policy.
# NOTE(review): this manifest uses the v1beta1 API. ValidatingAdmissionPolicy
# is GA as admissionregistration.k8s.io/v1 from Kubernetes 1.30; confirm the
# cluster version before changing apiVersion.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: disallow-hostnetwork
spec:
  # failurePolicy is not set, so the API default applies (Fail: an expression
  # evaluation error rejects the request rather than letting it through).
  matchConstraints:
    resourceRules:
      # Only core-group Pods are matched. Deployments, Jobs and other
      # controllers are admitted as-is; the Pods they create are rejected
      # here, so the denial surfaces in the controller's events.
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # CEL: passes when hostNetwork is absent or explicitly false. The has()
    # guard avoids a field-access error on Pods that omit the field.
    - expression: '!has(object.spec.hostNetwork) || !object.spec.hostNetwork'
      message: 'Pods must not use hostNetwork: true'
---
# Binds the policy cluster-wide, except for the namespaces listed below.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: disallow-hostnetwork-binding
spec:
  policyName: disallow-hostnetwork
  # Deny only: violating requests are rejected. No Warn or Audit action is
  # configured, so nothing extra is recorded beyond the rejection itself.
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchExpressions:
        # kubernetes.io/metadata.name is set by the API server to the
        # namespace's own name, so this selects namespaces by name.
        # Every entry is a full exemption: any principal allowed to create
        # Pods in one of these namespaces can still request hostNetwork.
        # Keep the list minimal and restrict pod-creation RBAC in each.
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - calico-system
            - democratic-csi
            - keepalived
            - kube-system
            - music-assistant
            - tigera-operator