Disallow CRI socket mounts

Container daemon socket bind mounts allows access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed.

Policy Definition

/best-practices/disallow_cri_sock_mount.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-container-sock-mounts
  annotations:
    policies.kyverno.io/title: Disallow CRI socket mounts
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      Container daemon socket bind mounts allows access to the container engine on the 
      node. This access can be used for privilege escalation and to manage containers 
      outside of Kubernetes, and hence should not be allowed.  
spec:
  validationFailureAction: audit
  rules:
  - name: validate-docker-sock-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of the Docker Unix socket is not allowed."
      pattern:
        spec:
          =(volumes):
            - =(hostPath):
                path: "!/var/run/docker.sock"
  - name: validate-containerd-sock-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of the Containerd Unix socket is not allowed."
      pattern:
        spec:
          =(volumes):
            - =(hostPath):
                path: "!/var/run/containerd.sock"
  - name: validate-crio-sock-mount
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Use of the CRI-O Unix socket is not allowed."
      pattern:
        spec:
          =(volumes):
            - =(hostPath):
                path: "!/var/run/crio.sock"                
Last modified January 2, 2021: add policies (ea1a485)