Block Pod Exec by Pod and Container

The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to containers named `nginx` in Pods starting with name `myapp-maintenance`.

Policy Definition

/other/block-pod-exec-by-pod-and-container/block-pod-exec-by-pod-and-container.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: deny-exec-by-pod-and-container
 5  annotations:
 6    policies.kyverno.io/title: Block Pod Exec by Pod and Container
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/minversion: 1.6.0
 9    policies.kyverno.io/subject: Pod
10    policies.kyverno.io/description: >-
11      The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
12      be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
13      This policy blocks Pod exec commands to containers named `nginx` in Pods starting
14      with name `myapp-maintenance`.      
15spec:
16  validationFailureAction: Enforce
17  background: false
18  rules:
19  - name: deny-nginx-exec-in-myapp-maintenance
20    match:
21      any:
22      - resources:
23          kinds:
24          - Pod/exec
25    preconditions:
26      all:
27      - key: "{{ request.operation || 'BACKGROUND' }}"
28        operator: Equals
29        value: CONNECT
30      - key: "{{ request.name }}"
31        operator: Equals
32        value: myapp-maintenance*
33    validate:
34      message: Nginx containers inside myapp-maintanence Pods may not be exec'd into.
35      deny:
36        conditions:
37          all:
38          - key: "{{ request.object.container }}"
39            operator: Equals
40            value: nginx

Create policy issue