Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-ports
  annotations:
    policies.kyverno.io/title: Disallow hostPorts
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: 1.22-1.23
    policies.kyverno.io/description: >-
      Access to host ports allows potential snooping of network traffic and should not be
      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
      field is unset or set to `0`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: host-ports-none
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort,
          spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
          must either be unset or set to `0`.
        pattern:
          spec:
            "=(ephemeralContainers)":
              - "=(ports)":
                  - "=(hostPort)": 0
            "=(initContainers)":
              - "=(ports)":
                  - "=(hostPort)": 0
            containers:
              - "=(ports)":
                  - "=(hostPort)": 0
```
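The following is an added example, not Kyverno's own code or part of this policy page. It re-implements the logic of the `validate.pattern` above in plain Python so you can see exactly which Pod manifests the rule accepts and which it reports: every `=(...)` anchor marks an optional field (a missing `ports` list or a missing `hostPort` key is fine), but a `hostPort` that is present must equal `0`. It also models the difference between `validationFailureAction: Audit` (the page's setting, which reports but admits the Pod) and `Enforce` (which would reject it). The Pod manifests are constructed for this example, and the function names (`host_port_violations`, `apply_policy`) are hypothetical.

```python
"""Evaluate the disallow-host-ports rule against constructed Pod manifests.

Added example: this is not Kyverno's code. It mirrors the validate.pattern
of the policy above with an explicit loop so the accepted/rejected cases
are easy to read. Manifests are dicts (the result of loading Pod YAML).
"""
from typing import Any

# The three container lists the pattern covers. ephemeralContainers and
# initContainers are optional in the pattern (the =() anchor); containers is
# required on every Pod, but its ports and hostPort entries are optional.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")

RULE_NAME = "host-ports-none"
RULE_MESSAGE = (
    "Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort, "
    "spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort "
    "must either be unset or set to `0`."
)


def host_port_violations(pod: dict[str, Any]) -> list[str]:
    """Return one path string per port whose hostPort is set to a non-zero value.

    A missing list, a missing ports entry, or a missing hostPort key all pass,
    exactly as the =() anchors in the policy allow. Only hostPort != 0 fails.
    """
    spec = pod.get("spec") or {}
    violations: list[str] = []
    for field in CONTAINER_FIELDS:
        for ci, container in enumerate(spec.get(field) or []):
            for pi, port in enumerate(container.get("ports") or []):
                host_port = port.get("hostPort")
                if host_port is not None and host_port != 0:
                    violations.append(f"spec.{field}[{ci}].ports[{pi}].hostPort={host_port}")
    return violations


def apply_policy(pod: dict[str, Any], failure_action: str = "Audit") -> dict[str, Any]:
    """Evaluate the rule and apply the validationFailureAction semantics.

    Audit (the page's setting) records the violation but still admits the Pod;
    Enforce would reject the admission request.
    """
    violations = host_port_violations(pod)
    passed = not violations
    blocked = (not passed) and failure_action == "Enforce"
    return {
        "rule": RULE_NAME,
        "pod": pod.get("metadata", {}).get("name", "<unnamed>"),
        "passed": passed,
        "admitted": not blocked,
        "violations": violations,
        "message": "" if passed else RULE_MESSAGE,
    }


# --- Constructed sample manifests (not from the page) ---------------------
COMPLIANT_POD = {  # no hostPort anywhere: passes
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-ok"},
    "spec": {"containers": [{"name": "web", "image": "nginx", "ports": [{"containerPort": 80}]}]},
}
ZERO_POD = {  # hostPort explicitly 0: passes, as the policy permits
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-zero"},
    "spec": {"containers": [{"name": "web", "image": "nginx",
                             "ports": [{"containerPort": 80, "hostPort": 0}]}]},
}
VIOLATING_POD = {  # hostPort set in a regular container and an init container: fails
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-bad"},
    "spec": {
        "initContainers": [{"name": "setup", "image": "busybox",
                            "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
        "containers": [{"name": "web", "image": "nginx",
                        "ports": [{"containerPort": 80}, {"containerPort": 443, "hostPort": 443}]}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, ZERO_POD, VIOLATING_POD):
        for action in ("Audit", "Enforce"):
            r = apply_policy(pod, action)
            print(f"{r['pod']:9} {action:7} passed={r['passed']} admitted={r['admitted']} {r['violations']}")
```

To check the real policy rather than this re-implementation, the Kyverno CLI can evaluate it offline against a manifest with `kyverno apply disallow-host-ports.yaml --resource pod.yaml`; the loop above is only meant to make the pattern's optional-field semantics explicit.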
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.