Disallow Host Path

Description

HostPath volumes mount directories or files from the node's filesystem into a Pod's containers. A Pod that can mount arbitrary host paths can read or modify data belonging to other workloads or to the node itself (for example the container runtime socket or the root filesystem) and use that access to escalate to control of the node, so hostPath volumes should not be allowed.

Restricted Fields

  • spec.volumes[*].hostPath

Allowed Values

  • Undefined/nil

Kyverno Policy

Refer to the Nirmata curated policies - disallow-host-path.yaml

References

Configuration Settings

The configuration below states that hostPath volumes are forbidden: the field spec.volumes[*].hostPath must be unset for a resource to conform to this security control. The =() conditional anchor makes the rule apply only when a volumes list is present, and the X() negation anchor on hostPath requires that the key not exist in any entry of that list. A resource that does not define spec.volumes at all conforms by default.

=(volumes):
  - X(hostPath): "null"

Resource Example

Below is a Deployment resource example: the volumes field is present, but its only entry is an emptyDir volume with no hostPath key, so the resource conforms. If a hostPath key is present, it must be set to null.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment02
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        volumeMounts:
          - name: temp
            mountPath: /scratch
      volumes:
      - name: temp
        emptyDir: {}
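The following script is an added example, not part of this page or of the Nirmata curated policies. It reproduces the semantics of the pattern above (no volumes list is fine, a hostPath key that is absent or null is fine, any other hostPath value is a violation) as an offline check that can run in CI before manifests reach a cluster. It also walks into the Pod template of the common Pod controllers, the way Kyverno's auto-generated rules for controllers reach spec.template.spec. The manifests embedded in it are constructed for illustration: a conformant Deployment shaped like the one above and a deliberately non-conformant Pod that mounts the container runtime socket and the host root.

```python
"""Offline check mirroring the Kyverno pattern `=(volumes): - X(hostPath): "null"`.

Added example; this is not the Nirmata disallow-host-path policy itself.
The manifests at the bottom are constructed for illustration.
"""
from __future__ import annotations

from typing import Any

# Where the Pod spec lives for each supported kind. Kyverno auto-generates
# controller rules from a Pod rule; this table does the equivalent by hand.
# (Assumed list; extend it for CRDs that embed a Pod template.)
_POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest: dict[str, Any]) -> dict[str, Any] | None:
    """Return the embedded Pod spec, or None if the kind is not covered."""
    path = _POD_SPEC_PATHS.get(manifest.get("kind", ""))
    if path is None:
        return None
    node: Any = manifest
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def host_path_violations(manifest: dict[str, Any]) -> list[str]:
    """List violating volumes as 'volume-name: host-path' strings.

    Pattern semantics:
      * no `volumes` key at all          -> conformant (=() conditional anchor)
      * `hostPath` absent or set to null -> conformant (X() anchor with "null")
      * `hostPath` present with a value  -> violation
    """
    spec = pod_spec(manifest)
    if spec is None:
        return []
    violations: list[str] = []
    for idx, volume in enumerate(spec.get("volumes") or []):
        if not isinstance(volume, dict):
            continue
        host_path = volume.get("hostPath")
        if host_path is None:  # key absent, or present and explicitly null
            continue
        name = volume.get("name", f"volumes[{idx}]")
        path = host_path.get("path", "<unset>") if isinstance(host_path, dict) else str(host_path)
        violations.append(f"{name}: {path}")
    return violations


def is_conformant(manifest: dict[str, Any]) -> bool:
    """True when the resource passes the disallow-host-path control."""
    return not host_path_violations(manifest)


# Constructed manifests (illustration only).
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gooddeployment02"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "app"}},
        "template": {
            "metadata": {"labels": {"app": "app"}},
            "spec": {
                "containers": [{"name": "container01", "image": "dummyimagename",
                                "volumeMounts": [{"name": "temp", "mountPath": "/scratch"}]}],
                "volumes": [{"name": "temp", "emptyDir": {}}],
            },
        },
    },
}

BAD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "badpod01"},
    "spec": {
        "containers": [{"name": "container01", "image": "dummyimagename"}],
        "volumes": [
            {"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "root", "hostPath": {"path": "/"}},
        ],
    },
}

if __name__ == "__main__":
    for manifest in (GOOD_DEPLOYMENT, BAD_POD):
        found = host_path_violations(manifest)
        print(manifest["kind"], manifest["metadata"]["name"], found or "conformant")
```

The check is intentionally keyed on the presence of the hostPath key rather than on the path value: a policy that only blocks a list of known-dangerous paths (such as the runtime socket) is easily bypassed with a different path, which is why the page's control forbids the field entirely.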