Help Center/ Ubiquitous Cloud Native Service/ User Guide/ Policy Center/ Policy Definition Library/ k8spsphostfilesystem
Updated on 2024-02-01 GMT+08:00
View PDF
Share

k8spsphostfilesystem

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter 
    allowedHostPaths:
  readOnly: Boolean
  pathPrefix: String

Function

The parameters of the hostPath field in PodSecurityPolicy are restricted.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect. allowedHostPaths in parameters specifies the value of the field.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"

Resource Definition That Complies with the Policy

In the example, pathPrefix in hostPath starts with /foo, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-host-filesystem
  labels:
    app: nginx-host-filesystem-disallowed
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
          readOnly: true
  volumes:
    - name: cache-volume
      hostPath:
        path: /foo/bar

Resource Definition That Does Not Comply with the Policy

In the example, pathPrefix in hostPath starts with /tmp, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-host-filesystem
  labels:
    app: nginx-host-filesystem-disallowed
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - name: cache-volume
    hostPath:
      path: /tmp # directory location on host