Limit hostPath PersistentVolumes to Specific Directories
hostPath PersistentVolumes expose the underlying node's file system to workloads. If hostPath volumes are not disabled cluster-wide, they should be restricted to specific host directories so that a PersistentVolume cannot hand out sensitive node paths such as the root file system. This policy ensures that the only directory that can be mounted as a hostPath volume is /data. Two details of the definition below matter in practice: the pattern /data* is a prefix wildcard, so it admits /data and /data/app but also a sibling directory such as /database, and validationFailureAction is audit, so violations are reported rather than blocked until the action is changed to Enforce. The rule is evaluated only on CREATE and UPDATE requests and is not run as a background scan of existing PersistentVolumes.
Policy Definition
/other/limit-hostpath-type-pv/limit_hostpath_type_pv.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-hostpath-type-pv
  annotations:
    policies.kyverno.io/title: Limit hostPath PersistentVolumes to Specific Directories
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PersistentVolume
    policies.kyverno.io/description: >-
      hostPath persistentvolumes consume the underlying node's file system. If hostPath volumes
      are not to be universally disabled, they should be restricted to only certain
      host paths so as not to allow access to sensitive information. This policy ensures
      the only directory that can be mounted as a hostPath volume is /data.
spec:
  # No background scan of existing PersistentVolumes; admission-time only.
  background: false
  # audit reports violations; set to Enforce to reject the request.
  validationFailureAction: audit
  rules:
  - name: limit-hostpath-type-pv-to-slash-data
    match:
      resources:
        kinds:
        - PersistentVolume
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: hostPath type persistent volumes are confined to /data.
      pattern:
        spec:
          # Conditional anchor: only checked when spec.hostPath is present.
          =(hostPath):
            path: /data*
```