Disallow hostPorts

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.

Policy Definition

/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: disallow-host-ports
 5  annotations:
 6    policies.kyverno.io/title: Disallow hostPorts
 7    policies.kyverno.io/category: Pod Security Standards (Baseline)
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod
10    kyverno.io/kyverno-version: 1.6.0
11    kyverno.io/kubernetes-version: "1.22-1.23"
12    policies.kyverno.io/description: >-
13      Access to host ports allows potential snooping of network traffic and should not be
14      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
15      field is unset or set to `0`.       
16spec:
17  validationFailureAction: audit
18  background: true
19  rules:
20    - name: host-ports-none
21      match:
22        any:
23        - resources:
24            kinds:
25              - Pod
26      validate:
27        message: >-
28          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
29          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
30          must either be unset or set to `0`.          
31        pattern:
32          spec:
33            =(ephemeralContainers):
34              - =(ports):
35                  - =(hostPort): 0
36            =(initContainers):
37              - =(ports):
38                  - =(hostPort): 0
39            containers:
40              - =(ports):
41                  - =(hostPort): 0

Create policy issue