Disallow CRI socket mounts
Bind-mounting a container daemon socket into a Pod gives the workload access to the container engine on the node. That access can be used for privilege escalation (for example by starting a privileged container with the host filesystem mounted) and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used by the CRI engines Docker, Containerd, and CRI-O are not mounted via hostPath. Note that each rule compares the hostPath path as an exact string, so a Pod that mounts a parent directory (/var/run or /var) still reaches the socket; in addition to or as a replacement for this policy, preventing users from mounting those parent directories may be necessary to completely prevent socket bind mounts.
Policy Definition
/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-container-sock-mounts
  annotations:
    policies.kyverno.io/title: Disallow CRI socket mounts
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Container daemon socket bind mounts allow access to the container engine on the
      node. This access can be used for privilege escalation and to manage containers
      outside of Kubernetes, and hence should not be allowed. This policy validates that
      the sockets used by the CRI engines Docker, Containerd, and CRI-O are not mounted. In addition
      to or as a replacement for this policy, preventing users from mounting the parent directories
      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
  # Audit only records violations in a PolicyReport; set Enforce to reject the Pod at admission.
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-docker-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Use of the Docker Unix socket is not allowed."
        pattern:
          spec:
            # =(volumes) / =(hostPath): only evaluated if the key is present (optional anchor)
            =(volumes):
              - =(hostPath):
                  path: "!/var/run/docker.sock"
    - name: validate-containerd-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Use of the Containerd Unix socket is not allowed."
        pattern:
          spec:
            =(volumes):
              - =(hostPath):
                  path: "!/var/run/containerd/containerd.sock"
    - name: validate-crio-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Use of the CRI-O Unix socket is not allowed."
        pattern:
          spec:
            =(volumes):
              - =(hostPath):
                  path: "!/var/run/crio/crio.sock"
    - name: validate-dockerd-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Use of the Docker CRI socket is not allowed."
        pattern:
          spec:
            =(volumes):
              - =(hostPath):
                  path: "!/var/run/cri-dockerd.sock"
```
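The manifests below are an added example for exercising the policy offline with the Kyverno CLI; they are constructed test resources, not part of the policy library. The Pod names, the image and the mount paths are assumptions. The first Pod mounts the Docker socket directly and should be reported by the validate-docker-sock-mount rule; the second mounts the parent directory /var/run and passes every rule even though the container can open /host/var/run/docker.sock, which is exactly the gap the description warns about; the third uses an emptyDir and is compliant.

```yaml
# Constructed test Pods for disallow-container-sock-mounts (added example, not from the policy library).
apiVersion: v1
kind: Pod
metadata:
  name: mounts-docker-sock        # expected: FAIL on validate-docker-sock-mount
spec:
  containers:
    - name: app
      image: busybox:1.36          # assumed image, any image works for the policy check
      command: ["sleep", "3600"]
      volumeMounts:
        - name: dockersock
          mountPath: /var/run/docker.sock
  volumes:
    - name: dockersock
      hostPath:
        path: /var/run/docker.sock  # exact string the pattern "!/var/run/docker.sock" rejects
        type: Socket
---
apiVersion: v1
kind: Pod
metadata:
  name: mounts-var-run             # expected: PASS on all four rules (the bypass)
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: hostrun
          mountPath: /host/var/run  # docker.sock, containerd.sock, crio.sock all visible here
  volumes:
    - name: hostrun
      hostPath:
        path: /var/run              # parent directory: not equal to any denied socket path
        type: Directory
---
apiVersion: v1
kind: Pod
metadata:
  name: compliant                  # expected: PASS, no hostPath volume at all
spec:
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: scratch
          mountPath: /scratch
  volumes:
    - name: scratch
      emptyDir: {}
```

Save the policy as disallow-cri-sock-mount.yaml and the Pods as pods.yaml, then run `kyverno apply disallow-cri-sock-mount.yaml --resource pods.yaml`: the CLI lists one failing result (mounts-docker-sock, rule validate-docker-sock-mount) and passes the other two. The pass for mounts-var-run is the point of the exercise: the pattern operators compare the hostPath string exactly, so a parent directory, or on hosts where /var/run is a symlink to /run, the alias /run/docker.sock, is not caught. To close that gap, pair this policy with a rule that denies hostPath volumes under /var, /var/run and /run, or disallow hostPath volumes entirely for untrusted namespaces. Also remember that validationFailureAction is Audit in the policy as shipped, so even the first Pod would be admitted in a cluster and only recorded in a PolicyReport; switch it to Enforce to reject the Pod at admission.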