Disallow CRI socket mounts in CEL expressions
Container daemon socket bind mounts allow access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for the CRI engines Docker, Containerd, and CRI-O are not mounted. In addition to, or in place of, this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts, since a hostPath mount of a parent directory exposes the same sockets without matching their exact paths.
Policy Definition
/best-practices-cel/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-container-sock-mounts
  annotations:
    policies.kyverno.io/title: Disallow CRI socket mounts in CEL expressions
    policies.kyverno.io/category: Best Practices, EKS Best Practices in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Container daemon socket bind mounts allows access to the container engine on the
      node. This access can be used for privilege escalation and to manage containers
      outside of Kubernetes, and hence should not be allowed. This policy validates that
      the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition
      to or replacement of this policy, preventing users from mounting the parent directories
      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-socket-mounts
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            - name: hasVolumes
              expression: "!has(object.spec.volumes)"
            - name: volumes
              expression: "object.spec.volumes"
            - name: volumesWithHostPath
              expression: "variables.volumes.filter(volume, has(volume.hostPath))"
          expressions:
            - expression: >-
                variables.hasVolumes ||
                variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/docker.sock'))
              message: "Use of the Docker Unix socket is not allowed."

            - expression: >-
                variables.hasVolumes ||
                variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/containerd/containerd.sock'))
              message: "Use of the Containerd Unix socket is not allowed."

            - expression: >-
                variables.hasVolumes ||
                variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/crio/crio.sock'))
              message: "Use of the CRI-O Unix socket is not allowed."

            - expression: >-
                variables.hasVolumes ||
                variables.volumesWithHostPath.all(volume, !volume.hostPath.path.matches('/var/run/cri-dockerd.sock'))
              message: "Use of the Docker CRI socket is not allowed."
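To see what the four expressions above accept and reject without a cluster, here is an added Python re-implementation of the rule's logic. It is example code written for this page, not Kyverno's CEL evaluator: it assumes that CEL's matches() behaves as an unanchored regular-expression search (as it does in cel-go), and every sample Pod below is constructed for the demonstration. The last sample reproduces the caveat from the description: a hostPath mount of /var/run passes all four checks.

```python
import re

# Python re-implementation (hypothetical, not Kyverno) of the policy's four CEL checks.
# Each entry is (regex passed to hostPath.path.matches(), failure message), copied
# from the policy definition above.
SOCKET_RULES = [
    (r"/var/run/docker.sock", "Use of the Docker Unix socket is not allowed."),
    (r"/var/run/containerd/containerd.sock", "Use of the Containerd Unix socket is not allowed."),
    (r"/var/run/crio/crio.sock", "Use of the CRI-O Unix socket is not allowed."),
    (r"/var/run/cri-dockerd.sock", "Use of the Docker CRI socket is not allowed."),
]


def evaluate_pod(pod: dict) -> list:
    """Return the failure messages the policy would emit for one Pod object.

    Mirrors the CEL variables: hasVolumes is true when spec.volumes is ABSENT
    (the variable name is inverted relative to what it tests), and
    volumesWithHostPath keeps only volumes that carry a hostPath. CEL's
    matches() is treated as an unanchored RE2 search (assumption), so
    re.search is used rather than re.fullmatch.
    """
    spec = pod.get("spec", {})
    has_volumes = "volumes" not in spec  # !has(object.spec.volumes)
    volumes = spec.get("volumes") or []  # object.spec.volumes
    volumes_with_host_path = [v for v in volumes if "hostPath" in v]

    failures = []
    for pattern, message in SOCKET_RULES:
        # variables.hasVolumes || variables.volumesWithHostPath.all(volume, !path.matches(pattern))
        passes = has_volumes or all(
            not re.search(pattern, v["hostPath"]["path"]) for v in volumes_with_host_path
        )
        if not passes:
            failures.append(message)
    return failures


# Constructed sample Pods (not from the page) exercising each branch of the rule.
def _pod(name, volumes=None):
    spec = {"containers": [{"name": "app", "image": "example.invalid/app:1"}]}
    if volumes is not None:
        spec["volumes"] = volumes
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


NO_VOLUMES_POD = _pod("no-volumes")
EMPTYDIR_POD = _pod("emptydir", [{"name": "scratch", "emptyDir": {}}])
DOCKER_SOCK_POD = _pod("docker-sock", [
    {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
])
TWO_SOCKETS_POD = _pod("two-sockets", [
    {"name": "containerd", "hostPath": {"path": "/var/run/containerd/containerd.sock"}},
    {"name": "crio", "hostPath": {"path": "/var/run/crio/crio.sock"}},
])
# The caveat from the description: a parent-directory mount exposes the same
# sockets but matches none of the four patterns, so this policy alone passes it.
PARENT_DIR_POD = _pod("parent-dir", [
    {"name": "run", "hostPath": {"path": "/var/run"}},
])


if __name__ == "__main__":
    for pod in (NO_VOLUMES_POD, EMPTYDIR_POD, DOCKER_SOCK_POD, TWO_SOCKETS_POD, PARENT_DIR_POD):
        print(pod["metadata"]["name"], evaluate_pod(pod) or "pass")
```

Because each expression is evaluated independently, a Pod mounting two different sockets produces two messages, one per matching expression. The parent-directory result is the reason the description recommends a second policy on /var/run and /var: no regex on a specific socket path can catch a mount of its parent.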