Disallow hostPorts
Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
Policy Definition
/pod-security/baseline/disallow-host-ports/disallow-host-ports.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-ports
  annotations:
    policies.kyverno.io/title: Disallow hostPorts
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      Access to host ports allows potential snooping of network traffic and should not be
      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
      field is unset or set to `0`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: host-ports-none
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort,
          spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
          must either be unset or set to `0`.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(ports):
                  - =(hostPort): 0
            =(initContainers):
              - =(ports):
                  - =(hostPort): 0
            containers:
              - =(ports):
                  - =(hostPort): 0
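The pattern above relies on Kyverno's conditional anchor `=(key)`, which means "if the key is present, its value must match"; an absent `ports` list or an absent `hostPort` therefore passes, while `containers` (written without an anchor) must exist. The following added example is not part of the Kyverno policy library: it re-implements that evaluation in plain Python over constructed Pod manifests so the policy's pass/fail behaviour can be checked offline (the Pod specs and function names are assumptions for illustration).

```python
from typing import Dict, List

# Container lists the policy inspects; `containers` is required in a Pod,
# the other two are optional (conditional anchors in the pattern).
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def host_port_violations(pod: Dict) -> List[str]:
    """Return the location of every hostPort that is set to a non-zero value."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    if "containers" not in spec:
        # The pattern lists `containers:` without `=()`, so it must exist.
        return ["spec.containers is missing"]
    for list_name in CONTAINER_LISTS:
        for i, container in enumerate(spec.get(list_name) or []):
            # `=(ports)`: a container without a ports list is compliant.
            for j, port in enumerate(container.get("ports") or []):
                # `=(hostPort): 0`: unset or 0 passes, anything else fails.
                host_port = port.get("hostPort")
                if host_port not in (None, 0):
                    violations.append(
                        f"spec.{list_name}[{i}].ports[{j}].hostPort={host_port}"
                    )
    return violations


def is_compliant(pod: Dict) -> bool:
    return not host_port_violations(pod)


# Constructed sample Pods for illustration (not real workloads).
POD_BINDING_HOST_PORT = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx",
                             "ports": [{"containerPort": 80, "hostPort": 8080}]}]},
}
POD_INIT_HOST_PORT = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "job"},
    "spec": {"initContainers": [{"name": "init", "image": "busybox",
                                 "ports": [{"containerPort": 53, "hostPort": 53}]}],
             "containers": [{"name": "app", "image": "app:1.0"}]},
}
POD_COMPLIANT = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"containers": [{"name": "api", "image": "api:1.0",
                             "ports": [{"containerPort": 8080, "hostPort": 0}]},
                            {"name": "sidecar", "image": "proxy:1.0"}]},
}
```

Because the policy runs with `validationFailureAction: Audit`, a real cluster would only report these violations in PolicyReports; switch to `Enforce` to have the admission request rejected.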