Disallow procMount
The default /proc masks are set up to reduce attack surface and should be required. This policy ensures that nothing but the default procMount can be specified. Note that for users to deviate from the `Default` procMount at all, a feature gate must be enabled at the API server.
Policy Definition
/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-proc-mount
  annotations:
    policies.kyverno.io/title: Disallow procMount
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The default /proc masks are set up to reduce attack surface and should be required. This policy
      ensures nothing but the default procMount can be specified. Note that in order for users
      to deviate from the `Default` procMount requires setting a feature gate at the API
      server.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-proc-mount
      match:
        any:
        - resources:
            kinds:
              - Pod
      validate:
        message: >-
          Changing the proc mount from the default is not allowed. The fields
          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
          set to `Default`.
        pattern:
          spec:
            =(ephemeralContainers):
              - =(securityContext):
                  =(procMount): "Default"
            =(initContainers):
              - =(securityContext):
                  =(procMount): "Default"
            containers:
              - =(securityContext):
                  =(procMount): "Default"
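The pattern above relies on Kyverno's `=(...)` conditional anchors: an optional list or field is only checked when it is present, while `containers` is always checked. As an added illustration (not code from the Kyverno project or this policy page), the following evaluator mirrors that subset of the anchor semantics and runs it over two constructed Pod specs; the `Unmasked` value is the other Kubernetes ProcMountType and the Pod contents are invented for the example.

```python
# Added example, not part of Kyverno or of this policy. It models only the
# `=(...)` conditional-anchor behaviour the disallow-proc-mount pattern uses.
from typing import Any

# Lists the policy pattern walks; `containers` is required in a Pod, the
# other two are wrapped in `=( )` anchors and therefore optional.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")

def proc_mount_violations(pod: dict[str, Any]) -> list[str]:
    """Return the locations where procMount is set to something other than Default.

    Anchor semantics mirrored from the pattern:
      - a missing list (initContainers / ephemeralContainers) is fine;
      - a missing securityContext or procMount is fine (the kubelet applies Default);
      - a present procMount must equal "Default".
    """
    violations: list[str] = []
    spec = pod.get("spec", {})
    for field in CONTAINER_LISTS:
        for i, ctr in enumerate(spec.get(field) or []):
            sc = ctr.get("securityContext")
            if sc is None or "procMount" not in sc:
                continue  # anchor not triggered: field absent, nothing to validate
            if sc["procMount"] != "Default":
                violations.append(
                    f"spec.{field}[{i}].securityContext.procMount={sc['procMount']!r}"
                )
    return violations

# Constructed sample Pods (invented for this example).
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ok"},
    "spec": {"containers": [
        {"name": "a", "image": "nginx"},                                            # no securityContext
        {"name": "b", "image": "nginx", "securityContext": {"runAsNonRoot": True}}, # no procMount
        {"name": "c", "image": "nginx", "securityContext": {"procMount": "Default"}},
    ]},
}

VIOLATING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {
        "containers": [{"name": "a", "image": "nginx"}],
        "initContainers": [{"name": "init", "image": "busybox",
                            "securityContext": {"procMount": "Unmasked"}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, VIOLATING_POD):
        found = proc_mount_violations(pod)
        print(pod["metadata"]["name"], "->", "allowed" if not found else found)
```

Because the policy ships with `validationFailureAction: Audit`, a violation like the one above is only reported in a PolicyReport; switching the action to `Enforce` is what actually blocks admission.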