Disallow hostPath
HostPath volumes let Pods mount host directories and files into containers. Access to host resources can be used to read shared data or escalate privileges, so it should not be allowed. This policy ensures no hostPath volumes are in use.
Policy Definition
/pod-security/baseline/disallow-host-path/disallow-host-path.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
  annotations:
    policies.kyverno.io/title: Disallow hostPath
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod,Volume
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      HostPath volumes let Pods use host directories and volumes in containers.
      Using host resources can be used to access shared data or escalate privileges
      and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: host-path
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
        pattern:
          spec:
            =(volumes):
              - X(hostPath): "null"
```
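To make the pattern's semantics concrete (`=(volumes)` means the volumes list is optional, and `X(hostPath)` means no entry in it may carry a `hostPath` key), here is an added example that re-implements the same check as a stand-alone pre-admission lint, for instance in a CI step before manifests reach the cluster. It is not part of the Kyverno policy library; the function names are this example's own, and the Pod manifests are constructed sample input. It goes slightly beyond the policy's `kinds: [Pod]` match by also unwrapping the Pod template of common workload controllers, which is what Kyverno's auto-generated rules do for you at admission time.

```python
"""Stand-alone re-implementation of the disallow-host-path check (added example)."""
from __future__ import annotations

from typing import Any

# Workload kinds whose Pod template lives at spec.template.spec (assumption:
# mirrors the controllers Kyverno's rule auto-generation covers).
_TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec_of(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return the PodSpec for a Pod or for a workload that embeds a Pod template."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in _TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    raise ValueError(f"unsupported kind: {kind!r}")


def find_host_path_volumes(manifest: dict[str, Any]) -> list[str]:
    """Names of volumes that set hostPath (empty list means compliant).

    Mirrors the policy pattern: a missing spec.volumes is fine (=(volumes)),
    but when the list exists no entry may have a hostPath key (X(hostPath)).
    """
    volumes = pod_spec_of(manifest).get("volumes") or []
    return [
        volume.get("name", f"volumes[{index}]")
        for index, volume in enumerate(volumes)
        if "hostPath" in volume
    ]


def validate(manifest: dict[str, Any]) -> tuple[bool, str]:
    """Return (allowed, message) in the shape an admission check reports."""
    offenders = find_host_path_volumes(manifest)
    if offenders:
        return False, (
            "HostPath volumes are forbidden. The field spec.volumes[*].hostPath "
            f"must be unset; offending volumes: {', '.join(offenders)}"
        )
    return True, "ok"


# Constructed sample manifests (not from the original page).
POD_WITH_HOSTPATH = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "log-reader"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox:1.36",
                        "volumeMounts": [{"name": "varlog", "mountPath": "/host-logs"}]}],
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log", "type": "Directory"}}],
    },
}
POD_WITH_EMPTYDIR = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "scratch"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox:1.36",
                        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}
POD_WITHOUT_VOLUMES = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "plain"},
    "spec": {"containers": [{"name": "app", "image": "busybox:1.36"}]},
}
DEPLOYMENT_WITH_HOSTPATH = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "agent"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "agent", "image": "busybox:1.36"}],
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    }}},
}

if __name__ == "__main__":
    for manifest in (POD_WITH_HOSTPATH, POD_WITH_EMPTYDIR, POD_WITHOUT_VOLUMES,
                     DEPLOYMENT_WITH_HOSTPATH):
        allowed, message = validate(manifest)
        name = manifest["metadata"]["name"]
        print(f"{manifest['kind']}/{name}: {'PASS' if allowed else 'FAIL'} - {message}")
```

Running the script flags `log-reader` and the Deployment `agent`, and passes the emptyDir and volume-less Pods. The same manifests can be checked against the real policy with the Kyverno CLI (`kyverno apply disallow-host-path.yaml --resource pod.yaml`); note that as written the policy runs in `Audit` mode, so violations are reported but not blocked until `validationFailureAction` is switched to `Enforce`.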