feat: add cri-dockerd flavor to disallow-cri-sock-mount policy (#753)

* feat: add cri-dockerd flavor to disallow-cri-sock-mount Signed-off-by: Spencer Koch <[email protected]> * add tests Signed-off-by: Spencer Koch <[email protected]> * update artifacthub-pkg.yml with changes Signed-off-by: Spencer Koch <[email protected]> * just the policy file digest Signed-off-by: Spencer Koch <[email protected]> --------- Signed-off-by: Spencer Koch <[email protected]> Co-authored-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Sep 19, 2023 · 67a73df · 67a73df
1 parent d9d7b7d
commit 67a73df
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/best-practices/disallow-cri-sock-mount/02-manifests.yaml b/best-practices/disallow-cri-sock-mount/02-manifests.yaml
@@ -9,7 +9,9 @@ apply:
   shouldFail: true
 - file: pod-crio-sock.yaml
   shouldFail: true
+- file: pod-cri-dockerd-sock.yaml
+  shouldFail: true
 - file: pod-emptydir-vol.yaml
   shouldFail: false
 - file: pod-no-volumes.yaml
-  shouldFail: false
+  shouldFail: false
diff --git a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
   kyverno/category: "Best Practices, EKS Best Practices"
   kyverno/subject: "Pod"
-digest: 2eaa240566025fa1195b0ceb9698b356a4e675a28c8bd4ad469f5b4aa441fee5
+digest: d1d1668af87e2bc2fd5449e13a5db36301a73ed28f71a2d1a5b28a455188d2df
diff --git a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
@@ -55,4 +55,17 @@ spec:
         spec:
           =(volumes):
             - =(hostPath):
-                path: "!/var/run/crio.sock"
+                path: "!/var/run/crio.sock"
+  - name: validate-dockerd-sock-mount
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Use of the Docker CRI socket is not allowed."
+      pattern:
+        spec:
+          =(volumes):
+            - =(hostPath):
+                path: "!/var/run/cri-dockerd.sock"
diff --git a/best-practices/disallow-cri-sock-mount/pod-cri-dockerd-sock.yaml b/best-practices/disallow-cri-sock-mount/pod-cri-dockerd-sock.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-cri-dockerd-sock-mount
+spec:
+  containers:
+  - name: myshell
+    image: "ubuntu:18.04"
+    command:
+    - /bin/sleep
+    - "300"
+  volumes:
+  - name: dockersock
+    hostPath:
+      path: /var/run/cri-dockerd.sock