Disallow hostProcess
Windows pods offer the ability to run HostProcess containers, which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures the `hostProcess` field, if present, is set to `false`.
Policy Definition
/pod-security/baseline/disallow-host-process/disallow-host-process.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-process
  annotations:
    policies.kyverno.io/title: Disallow hostProcess
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Windows pods offer the ability to run HostProcess containers which enables privileged
      access to the Windows node. Privileged access to the host is disallowed in the baseline
      policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
      the `hostProcess` field, if present, is set to `false`.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: host-process-containers
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
          spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,
          and spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined
          or set to `false`.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(windowsOptions):
                    =(hostProcess): "false"
            =(initContainers):
              - =(securityContext):
                  =(windowsOptions):
                    =(hostProcess): "false"
            containers:
              - =(securityContext):
                  =(windowsOptions):
                    =(hostProcess): "false"
```
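As an added example (not code from the Kyverno project), the same check implemented locally in Python so a manifest can be screened before it reaches admission: each field is optional, as with the `=()` anchors in the pattern, but when present it must be `false`. It also checks the pod-level `spec.securityContext.windowsOptions.hostProcess` named in the policy message, which the pattern above does not walk; the sample manifests are constructed and the image names are placeholders.

```python
# The three container lists the policy pattern walks; the pod-level field named in
# the policy message is checked separately below.
CONTAINER_LISTS = ("ephemeralContainers", "initContainers", "containers")


def _host_process(security_context):
    """Return securityContext.windowsOptions.hostProcess, or None when unset."""
    if not isinstance(security_context, dict):
        return None
    windows = security_context.get("windowsOptions")
    return windows.get("hostProcess") if isinstance(windows, dict) else None


def _allowed(value):
    """Optional field, like the =() anchor: absent is fine; present must be false.
    Kyverno compares pattern values as strings, so the string "false" passes too."""
    return value is None or value is False or value == "false"


def find_host_process_violations(pod):
    """Return field paths (in the policy message's style) whose hostProcess is not false."""
    spec = pod.get("spec") or {}
    violations = []
    if not _allowed(_host_process(spec.get("securityContext"))):
        violations.append("spec.securityContext.windowsOptions.hostProcess")
    for list_name in CONTAINER_LISTS:
        for i, container in enumerate(spec.get(list_name) or []):
            if not _allowed(_host_process(container.get("securityContext"))):
                violations.append(
                    f"spec.{list_name}[{i}].securityContext.windowsOptions.hostProcess")
    return violations


# Constructed sample manifests (not from the page); image names are placeholders.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "win-ok"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app",
             "securityContext": {"windowsOptions": {"hostProcess": False}}}]},
}
VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "win-hostprocess"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "example.invalid/setup",
                            "securityContext": {"windowsOptions": {"hostProcess": True}}}],
        "containers": [{"name": "app", "image": "example.invalid/app"}],
    },
}

if __name__ == "__main__":
    for path in find_host_process_violations(VIOLATING_POD):
        print(f"{VIOLATING_POD['metadata']['name']}: {path} must be undefined or false")
```

Note that the policy as shown runs with `validationFailureAction: audit`, so matching pods are recorded in policy reports rather than rejected at admission; set it to `enforce` to block them.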