The `policy` Kustomize project defines various cluster-wide security policies. Initially, this includes a Validating Admission Policy that prevents pods from using the host's network namespace.
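# Cluster-wide admission policy: reject pods that request the host network
# namespace (spec.hostNetwork: true). The policy (first document) only
# defines the rule; the binding (second document) is what enforces it.
#
# NOTE(review): ValidatingAdmissionPolicy is served as
# admissionregistration.k8s.io/v1 from Kubernetes 1.30 (GA); v1beta1 is only
# served by older releases and is dropped by newer ones. Pin apiVersion to
# what the target cluster actually serves, or the policy silently never loads.
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: disallow-hostnetwork
spec:
  # Fail closed: if the expression cannot be evaluated (e.g. CEL error or
  # budget exhaustion) the request is denied rather than admitted. Fail is the
  # API default; it is spelled out so a future edit cannot weaken the control
  # unnoticed.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups:
          - ''  # core API group (v1 pods)
        apiVersions:
          - v1
        # hostNetwork is immutable on an existing pod, so UPDATE is a cheap
        # belt-and-braces check; CREATE is where the control matters.
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
  validations:
    # Allow when the field is absent (defaults to false) or explicitly false;
    # anything else is a request for the host network namespace.
    - expression: >-
        !has(object.spec.hostNetwork) || !object.spec.hostNetwork
      message: >-
        Pods must not use hostNetwork: true
---
# Binding: applies the policy above to every namespace except the listed ones.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: disallow-hostnetwork-binding
spec:
  policyName: disallow-hostnetwork
  # Deny only. Adding `Audit` next to `Deny` would additionally record the
  # failed validation as an annotation on the request's audit event, which
  # helps when reviewing or tuning the exemption list below.
  validationActions:
    - Deny
  matchResources:
    # Exemptions. Pods in these namespaces may still use the host network, so
    # permission to create pods there is equivalent to host-network access;
    # keep RBAC on these namespaces correspondingly tight and drop an entry as
    # soon as the component no longer needs it.
    # kubernetes.io/metadata.name is set by the API server on every namespace,
    # so the selector cannot be dodged by removing the label.
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - calico-system
            - democratic-csi
            - keepalived
            - kube-system
            - music-assistant
            - tigera-operator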