Disallow Host Namespaces

Description

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces.

Restricted Fields

  • spec.hostNetwork
  • spec.hostPID
  • spec.hostIPC

Allowed Values

  • Undefined/nil
  • false

Kyverno Policy

Refer to the Nirmata curated policies - disallow-host-namespaces.yaml

Configuration Settings

The configuration below states that if the deployed resource sets any of hostPID, hostIPC, or hostNetwork in its spec field, the only acceptable value is false for the resource to be conformant with this security control. If those fields are not present to begin with, the resource is conformant by default.

=(hostPID): "false"
=(hostIPC): "false"
=(hostNetwork): "false"

Resource Example

Below is a Deployment resource example where all three fields (hostPID, hostIPC, and hostNetwork) are set to false. If only one or two of them are present, each one that is present must still be set to false.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      hostPID: false
      hostIPC: false
      hostNetwork: false
      containers:
      - name: container01
        image: dummyimagename
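
The conformance rule from Configuration Settings, written as a standalone check (an added example, not part of the Nirmata policy or of Kyverno). It goes beyond the Deployment shown above by also locating the pod spec in Pods, CronJobs, and other workload kinds. The function names, the kind-to-path table, and the sample manifests other than gooddeployment are assumptions constructed for illustration.

```python
# Added example: the "unset/nil or false" rule applied to parsed manifests.
RESTRICTED = ("hostNetwork", "hostPID", "hostIPC")

# Location of the pod spec per workload kind (assumed set of kinds to cover).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
for _kind in ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"):
    POD_SPEC_PATHS[_kind] = ("spec", "template", "spec")


def pod_spec(manifest):
    """Return the manifest's pod spec as a dict, or None if the kind has none."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) or {}
    return node


def violations(manifest):
    """Restricted fields set to anything other than unset/nil or boolean false."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    return [f for f in RESTRICTED
            if spec.get(f) is not None and spec.get(f) is not False]


# Constructed samples, as they would look after YAML parsing.
GOOD = {"kind": "Deployment", "metadata": {"name": "gooddeployment"},
        "spec": {"template": {"spec": {
            "hostPID": False, "hostIPC": False, "hostNetwork": False,
            "containers": [{"name": "container01", "image": "dummyimagename"}]}}}}
UNSET = {"kind": "Pod", "metadata": {"name": "unsetpod"},
         "spec": {"hostIPC": None,
                  "containers": [{"name": "container01", "image": "dummyimagename"}]}}
BAD = {"kind": "CronJob", "metadata": {"name": "badcronjob"},
       "spec": {"jobTemplate": {"spec": {"template": {"spec": {
           "hostNetwork": True, "hostPID": False,
           "containers": [{"name": "container01", "image": "dummyimagename"}]}}}}}}

if __name__ == "__main__":
    for m in (GOOD, UNSET, BAD):
        found = violations(m)
        verdict = "violates: " + ", ".join(found) if found else "conformant"
        print(f'{m["metadata"]["name"]}: {verdict}')
```

Any value other than an absent field, nil, or boolean false is reported, so a quoted "true" is flagged as well.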