
Block kubectl cp command by Pod Label

The kubectl cp command is used to copy files between a local machine and a Pod's container. While this functionality is useful for transferring data, it may introduce security risks, such as unauthorized data exfiltration or modification. This policy blocks the use of the kubectl cp command on all Pods with label `block-kubectl-cp=true`, ensuring that sensitive workloads are protected from unintended file transfers. Other kubectl operations are unaffected, allowing for normal Pod management while preventing potential misuse of file copy capabilities.


Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-kubectl-cp-by-pod-label
  annotations:
    policies.kyverno.io/title: Block kubectl cp command by Pod Label
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The kubectl cp command is used to copy files between a local machine and a
      Pod's container. While this functionality is useful for transferring data,
      it may introduce security risks, such as unauthorized data exfiltration or
      modification. This policy blocks the use of the kubectl cp command on all
      Pods with label `block-kubectl-cp=true`, ensuring that sensitive workloads
      are protected from unintended file transfers. Other kubectl operations are
      unaffected, allowing for normal Pod management while preventing potential
      misuse of file copy capabilities.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: block-kubectl-cp
    match:
      any:
      - resources:
          kinds:
          - Pod/exec
          # Scope the rule to Pods carrying the label named in the description;
          # without this selector the rule would apply to every Pod/exec request.
          selector:
            matchLabels:
              block-kubectl-cp: "true"
    # Pod/exec requests arrive as CONNECT operations; skip anything else
    # (including background scans, where request.operation is unset).
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: Equals
        value: CONNECT
    validate:
      message: Cannot use `kubectl cp` on pods
      # kubectl cp runs `tar cf - <path>` inside the container when copying
      # out of a Pod, so the deny conditions key on the first two arguments.
      deny:
        conditions:
          all:
          - key: "{{ request.object.command[0] }}"
            operator: Equals
            value: tar
          - key: "{{ request.object.command[1] }}"
            operator: Equals
            value: cf
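To see exactly which exec requests the deny conditions above catch, the following added example (written for this page, not part of the Kyverno policy or project) replays the rule's match, precondition and deny logic over constructed PodExecOptions requests. It assumes the rule is scoped by the `block-kubectl-cp=true` Pod label as the description states, and that the caller supplies the target Pod's labels; the sample commands mirror the `tar` invocations kubectl cp runs in the container.

```python
# Added example: a minimal re-implementation of the ClusterPolicy's decision
# logic, so the policy's coverage can be checked offline on sample requests.
# Assumed: a request dict carrying the AdmissionReview fields the policy reads
# (kind, operation, object.command) and the target Pod's labels from the caller.


def policy_decision(request: dict, pod_labels: dict) -> str:
    """Return 'deny', 'allow' or 'skip', mirroring the policy's three stages."""
    # match: only Pod/exec requests for Pods labelled block-kubectl-cp=true
    if request.get("kind") != "Pod/exec":
        return "skip"
    if pod_labels.get("block-kubectl-cp") != "true":
        return "skip"
    # preconditions: request.operation must be CONNECT (default BACKGROUND)
    if request.get("operation", "BACKGROUND") != "CONNECT":
        return "skip"
    # validate.deny: command[0] == "tar" AND command[1] == "cf"
    cmd = request.get("object", {}).get("command", [])
    if len(cmd) >= 2 and cmd[0] == "tar" and cmd[1] == "cf":
        return "deny"
    return "allow"


def exec_request(command, operation="CONNECT") -> dict:
    """Build a constructed (sample) Pod/exec admission request."""
    return {
        "kind": "Pod/exec",
        "operation": operation,
        "object": {"kind": "PodExecOptions", "command": list(command)},
    }


# Constructed sample data: one protected Pod and one ordinary Pod.
PROTECTED = {"block-kubectl-cp": "true"}
UNLABELLED = {"app": "web"}

# `kubectl cp <pod>:/var/log .` runs "tar cf - /var/log" in the container.
COPY_FROM_POD = exec_request(["tar", "cf", "-", "/var/log"])
# `kubectl cp ./file <pod>:/tmp` runs "tar -xmf -" in the container instead.
COPY_TO_POD = exec_request(["tar", "-xmf", "-", "-C", "/tmp"])
# An ordinary interactive exec is unaffected by the policy.
SHELL = exec_request(["/bin/sh"])


def coverage_report() -> dict:
    """Evaluate each sample against the policy; see the test for expected values."""
    return {
        "copy_from_protected": policy_decision(COPY_FROM_POD, PROTECTED),
        "copy_to_protected": policy_decision(COPY_TO_POD, PROTECTED),
        "shell_protected": policy_decision(SHELL, PROTECTED),
        "copy_from_unlabelled": policy_decision(COPY_FROM_POD, UNLABELLED),
    }
```

The report shows that the copy-out form (`tar cf`) is denied on labelled Pods while the copy-in form (`tar -xmf`) is still allowed, because the deny conditions only key on `cf`; a deployment that needs both directions blocked would add a second `deny` condition set for the extract invocation.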
