Disallow Host Process

Description

Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are stable as of Kubernetes 1.26.

Restricted Fields

  • spec.securityContext.windowsOptions.hostProcess
  • spec.containers[*].securityContext.windowsOptions.hostProcess
  • spec.initContainers[*].securityContext.windowsOptions.hostProcess
  • spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess

Allowed Values

  • Undefined/nil
  • false

Kyverno Policy

Refer to the Nirmata curated policies - disallow-host-process.yaml

References

Configuration Settings

The configuration below states that if the deployed resource contains ephemeralContainers, initContainers or containers in its spec field, AND the securityContext.windowsOptions.hostProcess field is present on one of them, then the only acceptable value is false for the resource to be conformant with this security control. If the securityContext.windowsOptions.hostProcess field is not present, the resource is conformant by default.

=(ephemeralContainers):
  - =(securityContext):
    =(windowsOptions):
      =(hostProcess): "false"
=(initContainers):
  - =(securityContext):
    =(windowsOptions):
      =(hostProcess): "false"
containers:
  - =(securityContext):
    =(windowsOptions):
      =(hostProcess): "false"

Resource Example

Below is a Deployment resource example where securityContext.windowsOptions.hostProcess is set to false for both initContainers and containers; the second init container omits the field entirely and is conformant by default.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      hostNetwork: true
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          windowsOptions:
            hostProcess: false
      - name: initcontainer02
        image: dummyimagename
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          windowsOptions:
            hostProcess: false
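To make the anchor semantics of the pattern above concrete, here is an added example (not part of the Nirmata policies or of Kyverno) that applies the same rule to a pod template: a hostProcess field that is absent passes, a present one must be the boolean false. It is run against the gooddeployment from this page and against a constructed copy (baddeployment) whose first init container sets hostProcess to true; the function and variable names are this example's own.

```python
from typing import Any, Dict, List

# Container lists named in the restricted fields above.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def _host_process(obj: Dict[str, Any]) -> Any:
    # Read securityContext.windowsOptions.hostProcess, tolerating absent or null maps.
    return ((obj.get("securityContext") or {}).get("windowsOptions") or {}).get("hostProcess")


def host_process_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return the path of every hostProcess field that is present and not false.

    Mirrors the =() conditional anchors: an absent field (undefined/nil) is
    conformant by default; a present field must be the boolean false. The
    pattern writes "false" as a string only because Kyverno pattern values
    are strings; a real pod carries a boolean, so only the boolean passes here.
    """
    bad: List[str] = []
    if _host_process(pod_spec) not in (None, False):
        bad.append("spec.securityContext.windowsOptions.hostProcess")
    for name in CONTAINER_LISTS:
        for i, container in enumerate(pod_spec.get(name) or []):
            if _host_process(container) not in (None, False):
                bad.append(f"spec.{name}[{i}].securityContext.windowsOptions.hostProcess")
    return bad


def pod_spec_of(resource: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec of a bare Pod, or of a workload that carries a pod template."""
    spec = resource.get("spec") or {}
    return (spec.get("template") or {}).get("spec") or spec


# Constructed inputs: the conformant Deployment from the page, and a copy in
# which the first init container opts into HostProcess.
GOOD = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "initContainers": [
        {"name": "initcontainer01", "image": "dummyimagename",
         "securityContext": {"windowsOptions": {"hostProcess": False}}},
        {"name": "initcontainer02", "image": "dummyimagename"}],
    "containers": [
        {"name": "container01", "image": "dummyimagename",
         "securityContext": {"windowsOptions": {"hostProcess": False}}}]}}}}
BAD = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "initContainers": [{"name": "initcontainer01", "image": "dummyimagename",
                        "securityContext": {"windowsOptions": {"hostProcess": True}}}],
    "containers": [{"name": "container01", "image": "dummyimagename"}]}}}}
```

Calling host_process_violations(pod_spec_of(GOOD)) returns an empty list, while the BAD copy reports the path of the offending init container field.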