Disallow Host Path

HostPath volumes let pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed.

Policy Definition

/pod-security/default/disallow-host-path.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-path
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Default)
    policies.kyverno.io/description: >-
      HostPath volumes let pods use host directories and volumes in containers.
      Using host resources can be used to access shared data or escalate privileges
      and should not be allowed.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: host-path
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        HostPath volumes are forbidden. The fields spec.volumes[*].hostPath must not be set.
      pattern:
        spec:
          =(volumes):
          - X(hostPath): "null"

Last modified January 2, 2021: fix titles (9a0d72f)