Block Pod Exec by Namespace Label

The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands based upon a Namespace label `exec=false`.

Policy Definition

/other/block-pod-exec-by-namespace-label/block-pod-exec-by-namespace-label.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-exec-by-namespace-label
  annotations:
    policies.kyverno.io/title: Block Pod Exec by Namespace Label
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
      be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
      This policy blocks Pod exec commands based upon a Namespace label `exec=false`.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: deny-exec-by-ns-label
    match:
      any:
      - resources:
          kinds:
          - Pod/exec
    context:
    - name: nslabelexec
      apiCall:
        urlPath: "/api/v1/namespaces/{{request.namespace}}"
        jmesPath: "metadata.labels.exec || ''"
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: Equals
        value: CONNECT
    validate:
      message: Executing a command in a container is forbidden for Pods running in Namespaces protected with the label "exec=false".
      deny:
        conditions:
          any:
          - key: "{{ nslabelexec }}"
            operator: Equals
            value: "false"
```
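The rule above is evaluated in three stages: the `match` block selects only `Pod/exec` subresource requests, the precondition keeps only `CONNECT` operations, and the `context` apiCall fetches the target Namespace so the `deny` condition can compare its `exec` label against the string `"false"`. The following Python model is an added example, not code from the Kyverno project; it reproduces that evaluation order on constructed admission requests so the edge cases (no label at all, a label with a different value, a non-CONNECT operation) can be checked offline. The function and variable names (`evaluate_exec_request`, `namespace_exec_label`, `SAMPLE_NAMESPACES`) are assumptions chosen for the example, not Kyverno API names.

```python
"""
Added example (not part of the Kyverno policy page): a small Python model of how
the deny-exec-by-namespace-label ClusterPolicy evaluates an admission request.
Stages mirrored: match on Pod/exec, precondition request.operation == CONNECT,
context lookup "metadata.labels.exec || ''", and the deny condition on "false".
"""

# Message copied from the policy's validate.message field.
DENY_MESSAGE = ('Executing a command in a container is forbidden for Pods running in '
                'Namespaces protected with the label "exec=false".')

# Constructed Namespace objects, standing in for the apiCall result of
# GET /api/v1/namespaces/{{request.namespace}} (assumption: three sample namespaces).
SAMPLE_NAMESPACES = {
    "prod": {"metadata": {"name": "prod", "labels": {"exec": "false"}}},
    "dev": {"metadata": {"name": "dev", "labels": {"exec": "true"}}},
    "scratch": {"metadata": {"name": "scratch"}},  # no labels map at all
}


def namespace_exec_label(namespace_obj: dict) -> str:
    """Equivalent of the context's jmesPath "metadata.labels.exec || ''".

    A missing labels map, a missing key, or an empty value all fall back to ''
    so the later comparison never sees None.
    """
    labels = namespace_obj.get("metadata", {}).get("labels") or {}
    return labels.get("exec") or ""


def evaluate_exec_request(request: dict, namespaces: dict) -> tuple:
    """Return (decision, reason) for one constructed admission request.

    request: dict with 'kind' (e.g. 'Pod/exec'), 'operation' and 'namespace'.
    namespaces: map of namespace name -> Namespace object (the apiCall source).
    """
    # match: only the Pod/exec subresource is evaluated at all
    if request.get("kind") != "Pod/exec":
        return "allow", "rule not matched (kind is not Pod/exec)"

    # preconditions: "{{ request.operation || 'BACKGROUND' }}" must equal CONNECT
    operation = request.get("operation") or "BACKGROUND"
    if operation != "CONNECT":
        return "allow", f"precondition not met (operation {operation} != CONNECT)"

    # context: resolve the Namespace label via the modelled apiCall
    ns_obj = namespaces.get(request.get("namespace"), {})
    label = namespace_exec_label(ns_obj)

    # validate.deny: the single condition fires only on the exact string "false"
    if label == "false":
        return "deny", DENY_MESSAGE
    return "allow", f"namespace label exec={label!r} does not block exec"


if __name__ == "__main__":
    # Constructed requests covering the allow and deny paths.
    samples = [
        {"kind": "Pod/exec", "operation": "CONNECT", "namespace": "prod"},
        {"kind": "Pod/exec", "operation": "CONNECT", "namespace": "dev"},
        {"kind": "Pod/exec", "operation": "CONNECT", "namespace": "scratch"},
        {"kind": "Pod/exec", "operation": "CREATE", "namespace": "prod"},
        {"kind": "Pod", "operation": "CONNECT", "namespace": "prod"},
    ]
    for req in samples:
        decision, reason = evaluate_exec_request(req, SAMPLE_NAMESPACES)
        print(f"{req['kind']:8} {req['operation']:8} {req['namespace']:8} -> {decision}: {reason}")
```

Two points the model makes visible: the label is compared as an exact string, so a Namespace labelled `exec=False` or `exec=no` is not protected, and only the `Pod/exec` subresource is matched, so the policy says nothing about other Pod subresources. When rolling this out, verify each protected Namespace carries exactly `exec=false` and confirm the behaviour with a `kubectl exec` attempt against a Pod in that Namespace.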