Disallow hostPort

charts/kyverno-policies/templates/pod-host-port.yaml

@@ -0,0 +1,39 @@
+# REF: https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: pod-host-port
+spec:
+  background: true
+  validationFailureAction: Enforce
+  rules:
+  - name: no-host-port
+    match:
+      any:
+        - resources:
+            kinds:
+            - Pod
+            namespaces:
+            - "user-?*"
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
+    validate:
+      message: "Pod hostPort is not allowed"
+      pattern:
+        spec:
+          =(ephemeralContainers):
+            - =(ports):
+                - =(hostPort): 0
+          =(initContainers):
+            - =(ports):
+                - =(hostPort): 0
+          containers:
+            - =(ports):
+                - =(hostPort): 0

tests/kyverno-policies/pod-host-port/kyverno-test.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: pod-host-port
+policies:
+  - policy.yaml
+resources:
+  - resources.yaml
+variables: variables.yaml
+results:
+  - policy: pod-host-port
+    rule: no-host-port
+    resources:
+      - webservice-skip
+    kind: Pod
+    result: skip
+  - policy: pod-host-port
+    rule: no-host-port
+    resources:
+      - paas-pass
+      - user-pass
+    kind: Pod
+    result: pass
+  - policy: pod-host-port
+    rule: no-host-port
+    resources:
+      - paas-fail
+      - paas-init-fail
+      - paas-ephemeral-fail
+      - user-fail
+      - user-init-fail
+      - user-ephemeral-fail
+    kind: Pod
+    result: fail

tests/kyverno-policies/pod-host-port/resources.yaml

@@ -0,0 +1,115 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: webservice-skip
+  namespace: webservice
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+    ports:
+      hostPort: 123
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: paas-pass
+  namespace: paas
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: user-pass
+  namespace: user-test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: paas-fail
+  namespace: paas
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+    ports:
+      hostPort: 123
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: paas-init-fail
+  namespace: paas
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+  initContainers:
+  - name: init
+    image: foo:123
+    ports:
+      hostPort: 123
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: paas-ephemeral-fail
+  namespace: paas
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+  ephemeralContainers:
+  - name: init
+    image: foo:123
+    ports:
+      hostPort: 123
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: user-fail
+  namespace: user-test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+    ports:
+      hostPort: 123
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: user-init-fail
+  namespace: user-test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+  initContainers:
+  - name: init
+    image: foo:123
+    ports:
+      hostPort: 123
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: user-ephemeral-fail
+  namespace: user-test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+  ephemeralContainers:
+  - name: init
+    image: foo:123
+    ports:
+      hostPort: 123

tests/kyverno-policies/pod-host-port/variables.yaml

@@ -0,0 +1,12 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
+namespaceSelector:
+  - name: user-test
+  - name: webservice
+    labels:
+      osc.edu/role: webservice
+  - name: paas
+    labels:
+      osc.edu/role: paas