Dustin C. Hatch 5c6a77c47c policy: Add policy to prevent host network usage
The `policy` Kustomize project defines various cluster-wide security
policies.  Initially, this includes a Validating Admission Policy that
prevents pods from using the host's network namespace.
2025-10-13 13:36:38 -05:00

Cluster Policies

Validating Admission Policy

To enable (prior to Kubernetes v1.30):

  1. Add the following to apiServer.extraArgs in the ClusterConfiguration key of the kubeadm-config ConfigMap:

    feature-gates: ValidatingAdmissionPolicy=true
    runtime-config: admissionregistration.k8s.io/v1beta1=true

  2. Redeploy the API servers using kubeadm:

    doas kubeadm upgrade apply v1.29.15 --yes

disallow-hostnetwork

This policy prevents pods from running in the host's network namespace. This is especially important because most nodes are connected to the storage network VLAN, so allowing pods to use the host network namespace would give them access to the iSCSI LUNs and NFS shares on the NAS.

If a trusted pod needs to run in the host's network namespace, its Kubernetes namespace can be listed in the exclusion list of the disallow-hostnetwork-binding policy binding resource.
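The following is an added illustration of how such a policy and binding can be expressed; it is not the project's own manifest. It uses the v1beta1 API enabled by the steps above (on Kubernetes v1.30 or later use admissionregistration.k8s.io/v1), and the excluded namespace `kube-system` is an assumed placeholder.

```yaml
# Example ValidatingAdmissionPolicy denying hostNetwork pods (illustrative, not the project's manifest).
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: disallow-hostnetwork
spec:
  failurePolicy: Fail          # reject the request if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # hostNetwork is omitted when false, so treat an absent field as allowed.
    - expression: "!has(object.spec.hostNetwork) || object.spec.hostNetwork == false"
      message: "Pods may not run in the host network namespace"
      reason: Forbidden
---
# The binding applies the policy cluster-wide except in namespaces listed under NotIn.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: disallow-hostnetwork-binding
spec:
  policyName: disallow-hostnetwork
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]   # assumed exclusion; add trusted namespaces here
```

To verify the policy is active, a server-side dry run of a pod manifest with `spec.hostNetwork: true` in a non-excluded namespace (`kubectl apply --dry-run=server -f pod.yaml`) should be rejected with the message above.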