Block Pod Exec by Pod Name
The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods beginning with the name `myapp-maintenance-`.
Policy Definition
/other/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-exec-by-pod-name
  annotations:
    policies.kyverno.io/title: Block Pod Exec by Pod Name
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
      be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
      This policy blocks Pod exec commands to Pods beginning with the name
      `myapp-maintenance-`.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: deny-exec-myapp-maintenance
    match:
      any:
      - resources:
          kinds:
          - Pod/exec
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: Equals
        value: CONNECT
    validate:
      message: Exec'ing into Pods called "myapp-maintenance" is not allowed.
      deny:
        conditions:
          all:
          - key: "{{ request.name }}"
            operator: Equals
            value: myapp-maintenance-*
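The following is an added example, not part of the Kyverno policy catalog: a small Python re-implementation of the policy's decision path (match on `Pod/exec`, the `CONNECT` precondition with its `'BACKGROUND'` default, and the wildcard `Equals` on `request.name`) evaluated against constructed admission requests, so the rule's behaviour on exec, port-forward and background-scan cases can be checked offline. The request dicts, field names and sample Pod names are constructed assumptions modelled on the `request.*` variables the policy references.

```python
import fnmatch

NAME_PATTERN = "myapp-maintenance-*"   # value from the policy's deny condition
DENY_MESSAGE = 'Exec\'ing into Pods called "myapp-maintenance" is not allowed.'


def wildcard_equals(value, pattern):
    """Kyverno's Equals operator treats '*' and '?' in the value as wildcards.
    fnmatchcase handles those; '[' is escaped so fnmatch's character classes
    do not add semantics Kyverno does not have."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def matches_rule(request):
    """match.any -> resources.kinds: [Pod/exec]: kind Pod, subresource exec."""
    return request.get("kind") == "Pod" and request.get("subResource") == "exec"

def precondition_ok(request):
    """{{ request.operation || 'BACKGROUND' }} Equals CONNECT. A request with
    no operation (e.g. a background scan) defaults to 'BACKGROUND' and skips
    the rule; only the live CONNECT of an exec reaches the deny check."""
    return (request.get("operation") or "BACKGROUND") == "CONNECT"

def evaluate(request):
    """Return (allowed, message) the way the Enforce-mode policy would decide."""
    if not (matches_rule(request) and precondition_ok(request)):
        return True, "rule not applicable"
    # deny.conditions.all -> request.name Equals myapp-maintenance-*
    if wildcard_equals(request.get("name", ""), NAME_PATTERN):
        return False, DENY_MESSAGE
    return True, "allowed"


# Constructed sample admission requests (not captured API-server traffic).
SAMPLE_REQUESTS = {
    "exec_maintenance": {"kind": "Pod", "subResource": "exec", "operation": "CONNECT",
                         "name": "myapp-maintenance-7f9d4"},
    "exec_other_pod": {"kind": "Pod", "subResource": "exec", "operation": "CONNECT",
                       "name": "myapp-web-7f9d4"},
    "portforward_maintenance": {"kind": "Pod", "subResource": "portforward",
                                "operation": "CONNECT", "name": "myapp-maintenance-7f9d4"},
    "background_scan": {"kind": "Pod", "subResource": "exec",
                        "name": "myapp-maintenance-7f9d4"},
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        allowed, msg = evaluate(req)
        print(f"{label:24} allowed={allowed} ({msg})")
```

Note that the port-forward case is allowed only because this policy matches `Pod/exec` alone; other CONNECT subresources would need their own rule.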