Back to Policies

Disallow CRI socket mounts

Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-container-sock-mounts
  annotations:
    policies.kyverno.io/title: Disallow CRI socket mounts
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used. In addition to or replacement of this policy, preventing users from mounting the parent directories (/var/run and /var) may be necessary to completely prevent socket bind mounts.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-docker-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Use of the Docker Unix socket is not allowed.
        pattern:
          spec:
            "=(volumes)":
              - "=(hostPath)":
                  path: "!/var/run/docker.sock"
    - name: validate-containerd-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Use of the Containerd Unix socket is not allowed.
        pattern:
          spec:
            "=(volumes)":
              - "=(hostPath)":
                  path: "!/var/run/containerd/containerd.sock"
    - name: validate-crio-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Use of the CRI-O Unix socket is not allowed.
        pattern:
          spec:
            "=(volumes)":
              - "=(hostPath)":
                  path: "!/var/run/crio/crio.sock"
    - name: validate-dockerd-sock-mount
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: Use of the Docker CRI socket is not allowed.
        pattern:
          spec:
            "=(volumes)":
              - "=(hostPath)":
                  path: "!/var/run/cri-dockerd.sock"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application