Disallow hostProcess in CEL expressions
Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures the `hostProcess` field, if present, is set to `false`.
Policy Definition
/pod-security-cel/baseline/disallow-host-process/disallow-host-process.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-process
  annotations:
    policies.kyverno.io/title: Disallow hostProcess in CEL expressions
    policies.kyverno.io/category: Pod Security Standards (Baseline) in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Windows pods offer the ability to run HostProcess containers which enables privileged
      access to the Windows node. Privileged access to the host is disallowed in the baseline
      policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
      the `hostProcess` field, if present, is set to `false`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: host-process-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          variables:
            - name: allContainers
              expression: "(object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : []) + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers : []))"
          expressions:
            - expression: >-
                variables.allContainers.all(container,
                container.?securityContext.?windowsOptions.?hostProcess.orValue(false) == false)
              message: >-
                HostProcess containers are disallowed. The field spec.containers[*].securityContext.windowsOptions.hostProcess,
                spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
                spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess
                must either be undefined or set to `false`.
```
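The CEL rule above does two things: the `allContainers` variable concatenates `spec.containers` with the optional `initContainers` and `ephemeralContainers` lists, and the optional-field chain `container.?securityContext.?windowsOptions.?hostProcess.orValue(false)` treats a missing field as `false`, so only an explicit `true` fails. The following Python script is an added example (not Kyverno code) that reproduces that evaluation offline over constructed Pod manifests, so you can see which entries the message would point at before deploying the policy in `Enforce` mode. It goes one step beyond the policy: the `check_pod_level` switch also inspects `spec.securityContext.windowsOptions.hostProcess`, the pod-level default that the Pod Security Standards baseline control also covers but that this rule's expression does not examine. The sample Pods, image names and function names are all constructed for the example.

```python
"""Offline reproduction of the policy's check: every container-like entry in a Pod
(containers, initContainers, ephemeralContainers) must leave
securityContext.windowsOptions.hostProcess undefined or set it to false.
Added example; it is not Kyverno code. Pods are plain dicts (parsed YAML)."""

# Same order as the policy's allContainers variable.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
HOST_PROCESS_PATH = ("securityContext", "windowsOptions", "hostProcess")


def optional_get(obj, path, default=False):
    """Walk nested dicts; return `default` if any key is missing.
    Mirrors the CEL optional chain `a.?b.?c.orValue(default)` used by the policy."""
    cur = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def host_process_violations(pod, check_pod_level=True):
    """Return JSON-path-style locations where hostProcess is explicitly true.

    check_pod_level=True additionally inspects spec.securityContext.windowsOptions.hostProcess,
    the pod-level default that the CEL rule does not look at (assumption of this example:
    you want parity with the Pod Security Standards baseline, which lists that field too)."""
    spec = pod.get("spec", {})
    found = []
    if check_pod_level and optional_get(spec, HOST_PROCESS_PATH) is True:
        found.append("spec.securityContext.windowsOptions.hostProcess")
    for list_name in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(list_name, [])):
            if optional_get(container, HOST_PROCESS_PATH) is True:
                found.append(
                    f"spec.{list_name}[{idx}].securityContext.windowsOptions.hostProcess")
    return found


def evaluate(pod, check_pod_level=True):
    """Return (allowed, message) the way an admission decision would be reported."""
    violations = host_process_violations(pod, check_pod_level)
    if not violations:
        return True, "ok"
    return False, "HostProcess containers are disallowed: " + ", ".join(violations)


# Constructed sample Pods (minimal dicts, not real workloads).
COMPLIANT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
                 "spec": {"containers": [{"name": "app", "image": "example/app"}]}}

EXPLICIT_FALSE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "explicit"},
                      "spec": {"containers": [
                          {"name": "app", "image": "example/app",
                           "securityContext": {"windowsOptions": {"hostProcess": False}}}]}}

BAD_INIT_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad-init"},
                "spec": {"containers": [{"name": "app", "image": "example/app"}],
                         "initContainers": [
                             {"name": "setup", "image": "example/setup",
                              "securityContext": {"windowsOptions": {"hostProcess": True}}}]}}

POD_LEVEL_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-level"},
                 "spec": {"securityContext": {"windowsOptions": {"hostProcess": True}},
                          "containers": [{"name": "app", "image": "example/app"}]}}

if __name__ == "__main__":
    for sample in (COMPLIANT_POD, EXPLICIT_FALSE_POD, BAD_INIT_POD, POD_LEVEL_POD):
        allowed, msg = evaluate(sample)
        print(sample["metadata"]["name"], "allowed" if allowed else "denied", msg)
```

Running the script shows `plain` and `explicit` allowed, `bad-init` denied at `spec.initContainers[0]...`, and `pod-level` denied only because `check_pod_level` defaults to `True`; with `evaluate(POD_LEVEL_POD, check_pod_level=False)` it passes, which is the behaviour of the CEL expression as written.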