Limit hostPath Volumes to Specific Directories

hostPath volumes consume the underlying node's file system. If hostPath volumes are not to be universally disabled, they should be restricted to only certain host paths so as not to allow access to sensitive information. This policy ensures the only directory that can be mounted as a hostPath volume is /data. It is strongly recommended to pair this policy with a second one that enforces readOnly access, preventing directory escape.

Policy Definition

/other/limit-hostpath-vols/limit-hostpath-vols.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-hostpath-vols
  annotations:
    policies.kyverno.io/title: Limit hostPath Volumes to Specific Directories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.6.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      hostPath volumes consume the underlying node's file system. If hostPath volumes
      are not to be universally disabled, they should be restricted to only certain
      host paths so as not to allow access to sensitive information. This policy ensures
      the only directory that can be mounted as a hostPath volume is /data. It is strongly
      recommended to pair this policy with a second to ensure readOnly
      access is enforced preventing directory escape.
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: limit-hostpath-to-slash-data
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{ request.object.spec.volumes[?hostPath] | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: hostPath volumes are confined to /data.
      foreach:
      - list: "request.object.spec.volumes[?hostPath].hostPath"
        deny:
          conditions:
            any:
            - key: "{{ element.path  | to_string(@) | split(@, '/') | [1] }}"
              operator: NotEquals
              value: data
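To see what the precondition and the foreach deny condition above actually accept and reject, here is an added Python walk-through of the same logic over constructed Pod manifests. It is not part of the policy or of Kyverno; it reimplements the JMESPath steps (filter volumes with hostPath, split the path on '/', compare index 1 with "data") in plain Python and adds a stricter variant, labelled as an assumption, that normalizes the path before comparing it.

```python
import posixpath
from typing import Any, Dict, List, Optional

# Constructed sample Pod specs (not from the page), shaped like request.object.
PODS: Dict[str, Dict[str, Any]] = {
    "allowed-data": {"spec": {"volumes": [
        {"name": "d", "hostPath": {"path": "/data/app"}}]}},
    "denied-etc": {"spec": {"volumes": [
        {"name": "e", "hostPath": {"path": "/etc/kubernetes"}},
        {"name": "cfg", "configMap": {"name": "app-config"}}]}},
    "no-hostpath": {"spec": {"volumes": [
        {"name": "cfg", "configMap": {"name": "app-config"}}]}},
    "dotdot-under-data": {"spec": {"volumes": [
        {"name": "d", "hostPath": {"path": "/data/../etc"}}]}},
}

def hostpath_paths(pod: Dict[str, Any]) -> List[str]:
    """request.object.spec.volumes[?hostPath].hostPath.path"""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["hostPath"]["path"] for v in volumes if "hostPath" in v]

def first_component(path: str) -> Optional[str]:
    """{{ element.path | to_string(@) | split(@, '/') | [1] }}
    JMESPath yields null when index 1 is out of range; we return None."""
    parts = str(path).split("/")
    return parts[1] if len(parts) > 1 else None

def evaluate(pod: Dict[str, Any]) -> str:
    """'skip' when the hostPath precondition is unmet, else 'pass'/'fail'.
    The request.operation precondition is assumed satisfied (CREATE/UPDATE)."""
    paths = hostpath_paths(pod)
    if len(paths) < 1:
        return "skip"
    # deny when ANY element's first component is NotEquals "data"
    if any(first_component(p) != "data" for p in paths):
        return "fail"
    return "pass"

def evaluate_normalized(pod: Dict[str, Any]) -> str:
    """Assumed stricter variant, not the page's policy: the deny condition above
    is a pure string check, so '..' segments are not collapsed before comparing.
    Here each path is normalized first and must be absolute."""
    paths = hostpath_paths(pod)
    if len(paths) < 1:
        return "skip"
    for p in paths:
        norm = posixpath.normpath(str(p))
        if not norm.startswith("/") or first_component(norm) != "data":
            return "fail"
    return "pass"
```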