Docker Socket Requires Label in CEL expressions
Accessing a container engine's socket is for highly specialized use cases and should generally be disabled: a workload that can talk to the Docker daemon can start privileged containers and is effectively root on the node. If access must be granted, it should be done on an explicit basis. This policy requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set to `true`. Note that the rule matches a `hostPath` volume whose `path` is exactly `/var/run/docker.sock`, that the label comparison is an exact string match (`true`, not `True`), and that as shipped the policy runs with `validationFailureAction: Audit`, so violations are reported rather than blocked; change it to `Enforce` to reject offending Pods at admission.
Policy Definition
/other-cel/docker-socket-requires-label/docker-socket-requires-label.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: docker-socket-check
  annotations:
    policies.kyverno.io/title: Docker Socket Requires Label in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Accessing a container engine's socket is for highly specialized use cases and should generally
      be disabled. If access must be granted, it should be done on an explicit basis. This policy
      requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set
      to `true`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: docker-socket-check
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            - name: hasDockerSocket
              expression: "object.spec.?volumes.orValue([]).exists(volume, volume.?hostPath.?path.orValue('') == '/var/run/docker.sock')"
            - name: isAllowDockerLabelTrue
              expression: "object.metadata.?labels[?'allow-docker'].orValue('false') == 'true'"
          expressions:
            - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue"
              message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`."
```
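To see how the two CEL variables and the final expression behave on concrete input, the following added example (not code from the policy page or from Kyverno) mirrors them in plain Python and runs them over a set of constructed Pod manifests. The optional-chaining semantics (`?.` and `orValue`) are reproduced so that missing `spec.volumes`, non-`hostPath` volumes and absent labels are handled the way the CEL rule handles them, and the samples also show what an exact-string match does not flag: the label value `True`, the same socket reached as `/run/docker.sock` (on hosts where `/var/run` is a symlink to `/run`), and a `hostPath` of the parent directory `/var/run`. All manifests and names in the block are constructed for this example.

```python
"""Python mirror of the docker-socket-check CEL rule, run over constructed Pod manifests.

Added example, not the policy's own code. The three functions below reimplement the
two CEL variables and the final expression of the rule so its behaviour can be
inspected offline; SAMPLES holds constructed manifests covering the interesting cases.
"""

DOCKER_SOCKET = "/var/run/docker.sock"
LABEL = "allow-docker"
MESSAGE = ("If a hostPath volume exists and is set to `/var/run/docker.sock`, "
           "the label `allow-docker` must equal `true`.")


def has_docker_socket(pod: dict) -> bool:
    """CEL: object.spec.?volumes.orValue([]).exists(volume,
              volume.?hostPath.?path.orValue('') == '/var/run/docker.sock')

    Optional chaining with orValue() means a missing spec.volumes, a volume that is
    not a hostPath, or a hostPath without a path all compare as '' and do not match.
    The comparison is an exact string match on the path.
    """
    volumes = (pod.get("spec") or {}).get("volumes") or []
    return any(
        ((vol.get("hostPath") or {}).get("path") or "") == DOCKER_SOCKET
        for vol in volumes
    )


def is_allow_docker_label_true(pod: dict) -> bool:
    """CEL: object.metadata.?labels[?'allow-docker'].orValue('false') == 'true'

    A missing labels map or missing key falls back to 'false'; the comparison is an
    exact, case-sensitive string match, so 'True' or 'yes' do not satisfy it.
    """
    labels = (pod.get("metadata") or {}).get("labels") or {}
    return labels.get(LABEL, "false") == "true"


def admit(pod: dict) -> bool:
    """CEL: !variables.hasDockerSocket || variables.isAllowDockerLabelTrue"""
    return (not has_docker_socket(pod)) or is_allow_docker_label_true(pod)


def make_pod(name: str, volumes=None, labels=None) -> dict:
    """Build a minimal Pod manifest (constructed sample input for this example)."""
    manifest = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {"containers": [{"name": "app", "image": "busybox"}]},
    }
    if labels is not None:
        manifest["metadata"]["labels"] = labels
    if volumes is not None:
        manifest["spec"]["volumes"] = volumes
    return manifest


SOCKET_VOLUME = [{"name": "dock", "hostPath": {"path": DOCKER_SOCKET}}]

SAMPLES = {
    # No volumes at all: spec.volumes is absent, orValue([]) makes exists() false.
    "no-volumes": make_pod("no-volumes"),
    # Docker socket mounted, no label: the policy reports this Pod.
    "socket-unlabelled": make_pod("socket-unlabelled", volumes=SOCKET_VOLUME),
    # Docker socket mounted with the required label: allowed.
    "socket-labelled": make_pod("socket-labelled", volumes=SOCKET_VOLUME,
                                labels={LABEL: "true"}),
    # Label value is case-sensitive: 'True' does not satisfy the rule.
    "socket-wrong-case": make_pod("socket-wrong-case", volumes=SOCKET_VOLUME,
                                  labels={LABEL: "True"}),
    # An emptyDir named after the socket is not a hostPath: correctly ignored.
    "emptydir": make_pod("emptydir", volumes=[{"name": "docker.sock", "emptyDir": {}}]),
    # Exact-string match: /run/docker.sock (the same socket where /var/run -> /run)
    # and the parent directory /var/run are NOT flagged by this rule.
    "socket-alt-path": make_pod("socket-alt-path",
                                volumes=[{"name": "dock", "hostPath": {"path": "/run/docker.sock"}}]),
    "parent-dir": make_pod("parent-dir",
                           volumes=[{"name": "run", "hostPath": {"path": "/var/run"}}]),
}


def evaluate_all() -> dict:
    """Return {sample name: admitted?} for every constructed manifest."""
    return {name: admit(manifest) for name, manifest in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:18s} {'pass' if ok else 'FAIL: ' + MESSAGE}")
```

The last two samples are the practical caveat: the rule is only as good as the literal path it compares against, so a cluster that wants to cover `/run/docker.sock`, the containerd socket, or a mount of the whole `/var/run` directory needs additional paths (or a broader predicate) in the `hasDockerSocket` expression rather than a single equality check.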