Limit hostPath PersistentVolumes to Specific Directories
hostPath PersistentVolumes consume the underlying node's file system. If hostPath volumes are not disabled entirely, they should be restricted to specific host paths so they cannot expose sensitive information. This policy ensures that the only directory that can be mounted as a hostPath volume is /data.
Policy Definition
/other/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-hostpath-type-pv
  annotations:
    policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PersistentVolume
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes
      are not to be universally disabled, they should be restricted to only certain
      host paths so as not to allow access to sensitive information. This policy ensures
      the only directory that can be mounted as a hostPath volume is /data.
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: limit-hostpath-type-pv-to-slash-data
    match:
      any:
      - resources:
          kinds:
          - PersistentVolume
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: hostPath type persistent volumes are confined to /data.
      pattern:
        spec:
          =(hostPath):
            path: /data*
```
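To make the rule's matching semantics concrete, the following is an added example (not code from Kyverno or this policy library) that re-implements what `validate.pattern` decides and runs it over constructed PersistentVolume objects; the PV names, paths and the `evaluate_pv`/`audit` helpers are all assumptions for illustration.

```python
import fnmatch
from typing import Optional

# Added example, not code from Kyverno or the policy library: a small
# re-implementation of what this policy's validate.pattern decides, run over
# constructed PersistentVolume objects so the matching semantics are visible.
ALLOWED_PATH_PATTERN = "/data*"  # value taken from the policy above
FAIL_MSG = "hostPath type persistent volumes are confined to /data."


def evaluate_pv(pv: dict) -> Optional[str]:
    """Return None when the PV passes the rule, else the policy message."""
    host_path = pv.get("spec", {}).get("hostPath")
    # =(hostPath) is an equality anchor: the nested pattern is checked only when
    # the hostPath key exists, so PVs backed by other volume types pass untouched.
    if host_path is None:
        return None
    path = host_path.get("path")
    # In a Kyverno pattern, '*' matches any run of characters (and '?' one
    # character); fnmatchcase gives the same behaviour for these two wildcards.
    if isinstance(path, str) and fnmatch.fnmatchcase(path, ALLOWED_PATH_PATTERN):
        return None
    return FAIL_MSG


def audit(pvs: list) -> dict:
    """Map each PV name to 'pass' or 'fail', like an Audit-mode policy report."""
    return {pv["metadata"]["name"]: ("pass" if evaluate_pv(pv) is None else "fail")
            for pv in pvs}


def _pv(name: str, **spec) -> dict:
    return {"apiVersion": "v1", "kind": "PersistentVolume",
            "metadata": {"name": name}, "spec": spec}


# Constructed sample PVs (hypothetical; not from any real cluster).
SAMPLE_PVS = [
    _pv("data-root", hostPath={"path": "/data"}),
    _pv("data-sub", hostPath={"path": "/data/app1"}),
    _pv("etc-k8s", hostPath={"path": "/etc/kubernetes"}),
    _pv("nfs-share", nfs={"server": "10.0.0.5", "path": "/exports"}),
    # '/data*' is a prefix wildcard, so a sibling directory whose name starts
    # with 'data' is also accepted; tighten the pattern if that is not intended.
    _pv("database-dir", hostPath={"path": "/database"}),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PVS).items():
        print(f"{name}: {verdict}")
```

Because the policy runs with `validationFailureAction: Audit`, a real cluster would record the failing PV in a policy report rather than reject it; switch to `Enforce` once the report shows no unexpected hits.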