Docker Socket Requires Label
Accessing a container engine's socket is for highly specialized use cases and should generally be disabled: a container that can talk to the Docker daemon can start privileged containers on the node and therefore effectively has root on the host. If access must be granted, it should be done on an explicit basis. This policy requires that any Pod mounting the Docker socket (a `hostPath` volume whose `path` is `/var/run/docker.sock`) carries the label `allow-docker` set to `true`. As shipped the policy runs in `Audit` mode, so violations are recorded in policy reports rather than rejected; set `validationFailureAction` to `Enforce` to block them. Note that the rule matches the exact path string, so a Pod that mounts a parent directory such as `/var/run`, or a different engine's socket such as containerd's, is not flagged, and that the label is a declaration by whoever submits the Pod, not an authorization check in itself.
Policy Definition
/other/docker-socket-requires-label/docker-socket-requires-label.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: docker-socket-check
  annotations:
    policies.kyverno.io/title: Docker Socket Requires Label
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Accessing a container engine's socket is for highly specialized use cases and should generally
      be disabled. If access must be granted, it should be done on an explicit basis. This policy
      requires that, for any Pod mounting the Docker socket, it must have the label `allow-docker` set
      to `true`.
spec:
  # Audit only reports violations; change to Enforce to reject the Pod at admission.
  validationFailureAction: Audit
  # background: true also scans Pods that already exist in the cluster.
  background: true
  rules:
  - name: conditional-anchor-dockersock
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`."
      pattern:
        # Required only when the conditional anchors below match.
        metadata:
          labels:
            allow-docker: "true"
        # Parenthesised keys are conditional anchors: the pattern is evaluated only
        # for Pods that have at least one hostPath volume with exactly this path.
        (spec):
          (volumes):
          - (hostPath):
              path: "/var/run/docker.sock"
```
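To see how the rule behaves, the following manifest, which is an added example and not part of the Kyverno policies repository, defines three Pods that can be fed to the policy with the Kyverno CLI. The Pod names, namespace and image are assumptions chosen for the example.

```yaml
# Added example (not from the Kyverno policies repo). Names, namespace and
# image are assumptions. Run with:
#   kyverno apply docker-socket-requires-label.yaml --resource pods.yaml
apiVersion: v1
kind: Pod
metadata:
  name: docker-sock-unlabeled   # expected: fail (socket mounted, label missing)
  namespace: default
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    volumeMounts:
    - name: dockersock
      mountPath: /var/run/docker.sock
  volumes:
  - name: dockersock
    hostPath:
      path: /var/run/docker.sock
      type: Socket
---
apiVersion: v1
kind: Pod
metadata:
  name: docker-sock-labeled     # expected: pass (same mount, label present)
  namespace: default
  labels:
    allow-docker: "true"
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    volumeMounts:
    - name: dockersock
      mountPath: /var/run/docker.sock
  volumes:
  - name: dockersock
    hostPath:
      path: /var/run/docker.sock
      type: Socket
---
apiVersion: v1
kind: Pod
metadata:
  name: run-dir-mount           # expected: pass, but the socket is still reachable
  namespace: default            # because the anchor matches the exact path string only
spec:
  containers:
  - name: app
    image: busybox:1.36
    command: ["sleep", "3600"]
    volumeMounts:
    - name: hostrun
      mountPath: /host/run
  volumes:
  - name: hostrun
    hostPath:
      path: /var/run
      type: Directory
```

With `kyverno apply`, the first Pod is reported as a failure against rule `conditional-anchor-dockersock`, the second passes, and the third also passes even though `/host/run/docker.sock` is available inside the container. If the parent-directory case matters in your environment, add a second rule (or a separate policy) that flags `hostPath` volumes whose `path` is `/var/run`, `/run` or `/`, or disallow `hostPath` volumes entirely outside an explicitly allowed set of namespaces.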