Limit hostPath Volumes to Specific Directories in CEL expressions
hostPath volumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. It is strongly recommended to pair this policy with a second one that enforces readOnly access, preventing directory escape.
Policy Definition
/other-cel/limit-hostpath-vols/limit-hostpath-vols.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-hostpath-vols
  annotations:
    policies.kyverno.io/title: Limit hostPath Volumes to Specific Directories in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      hostPath volumes consume the underlying node's file system. If hostPath volumes
      are not to be universally disabled, they should be restricted to only certain
      host paths so as not to allow access to sensitive information. This policy ensures
      the only directory that can be mounted as a hostPath volume is /data. It is strongly
      recommended to pair this policy with a second to ensure readOnly
      access is enforced preventing directory escape.
spec:
  background: false
  validationFailureAction: Audit
  rules:
    - name: limit-hostpath-to-slash-data
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      celPreconditions:
        - name: "has-host-path-volume"
          expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))"
      validate:
        cel:
          expressions:
            - expression: "object.spec.volumes.all(volume, !has(volume.hostPath) || volume.hostPath.path.split('/')[1] == 'data')"
              message: hostPath volumes are confined to /data.
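Added example, not part of the Kyverno policy or project: a Python emulation of the rule's two CEL expressions run over constructed Pod specs, so the skip/pass/fail outcome for a given set of hostPath paths can be checked offline. The Pod specs, the `pod_with` helper and the handling of relative paths are this example's own assumptions.

```python
# Added example: Python emulation of the policy's celPrecondition and
# validate expressions. Not Kyverno code; it mirrors the rule's string logic.

ALLOWED_FIRST_SEGMENT = "data"  # the 'data' literal from the validate expression


def has_host_path_volume(pod: dict) -> bool:
    """celPrecondition: object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return any("hostPath" in volume for volume in volumes)


def host_paths_confined(pod: dict) -> bool:
    """validate: object.spec.volumes.all(volume, !has(volume.hostPath)
    || volume.hostPath.path.split('/')[1] == 'data').
    In CEL as in Python, '/data/app'.split('/') is ['', 'data', 'app'], so
    index 1 is the first path segment and nothing after it is inspected."""
    for volume in pod["spec"]["volumes"]:
        if "hostPath" not in volume:
            continue
        segments = volume["hostPath"]["path"].split("/")
        # A path without any '/' has no index 1; CEL would raise an evaluation
        # error there, which this emulation treats as a violation (an assumption).
        if len(segments) < 2 or segments[1] != ALLOWED_FIRST_SEGMENT:
            return False
    return True


def evaluate(pod: dict) -> str:
    """Rule outcome for one Pod: 'skip' (precondition unmet), 'pass' or 'fail'."""
    if not has_host_path_volume(pod):
        return "skip"
    return "pass" if host_paths_confined(pod) else "fail"


def pod_with(*host_paths: str) -> dict:
    """Constructed Pod spec: one configMap volume plus one hostPath volume per path."""
    volumes = [{"name": "cfg", "configMap": {"name": "app-config"}}]
    volumes += [{"name": f"hp{i}", "hostPath": {"path": p}} for i, p in enumerate(host_paths)]
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
            "spec": {"volumes": volumes}}


if __name__ == "__main__":
    for paths in [(), ("/data/app",), ("/etc/kubernetes",),
                  ("/data/app", "/var/log"), ("/data/../etc",)]:
        print(paths or "(no hostPath)", "->", evaluate(pod_with(*paths)))
```

Note that `/data/../etc` is admitted, since the expression compares only the first path segment and does not normalise the path; that is the kind of coverage limit to keep in mind when deciding which companion policies (such as the readOnly rule the text recommends) to deploy alongside this one.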