From 67a73df93bdf5a2feac54527f2efecb1f325244b Mon Sep 17 00:00:00 2001
From: sp3nx0r
Date: Tue, 19 Sep 2023 09:47:56 -0500
Subject: [PATCH] feat: add cri-dockerd flavor to disallow-cri-sock-mount policy (#753)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: add cri-dockerd flavor to disallow-cri-sock-mount

Signed-off-by: Spencer Koch

* add tests

Signed-off-by: Spencer Koch

* update artifacthub-pkg.yml with changes

Signed-off-by: Spencer Koch

* just the policy file digest

Signed-off-by: Spencer Koch

---------

Signed-off-by: Spencer Koch
Co-authored-by: Charles-Edouard Brétéché
---
 .../disallow-cri-sock-mount/02-manifests.yaml | 4 +++-
 .../disallow-cri-sock-mount/artifacthub-pkg.yml | 2 +-
 .../disallow-cri-sock-mount.yaml | 15 ++++++++++++++-
 .../pod-cri-dockerd-sock.yaml | 15 +++++++++++++++
 4 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 best-practices/disallow-cri-sock-mount/pod-cri-dockerd-sock.yaml

diff --git a/best-practices/disallow-cri-sock-mount/02-manifests.yaml b/best-practices/disallow-cri-sock-mount/02-manifests.yaml
index 90482a2d8..f2e3748cc 100644
--- a/best-practices/disallow-cri-sock-mount/02-manifests.yaml
+++ b/best-practices/disallow-cri-sock-mount/02-manifests.yaml
@@ -9,7 +9,9 @@ apply:
 shouldFail: true
 - file: pod-crio-sock.yaml
 shouldFail: true
+- file: pod-cri-dockerd-sock.yaml
+ shouldFail: true
 - file: pod-emptydir-vol.yaml
 shouldFail: false
 - file: pod-no-volumes.yaml
- shouldFail: false
\ No newline at end of file
+ shouldFail: false
diff --git a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
index 36eb46b0a..f82b48f8a 100644
--- a/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
+++ b/best-practices/disallow-cri-sock-mount/artifacthub-pkg.yml
@@ -19,4 +19,4 @@ readme: |
 annotations:
 kyverno/category: "Best Practices, EKS Best Practices"
 kyverno/subject: "Pod"
-digest: 2eaa240566025fa1195b0ceb9698b356a4e675a28c8bd4ad469f5b4aa441fee5
+digest: d1d1668af87e2bc2fd5449e13a5db36301a73ed28f71a2d1a5b28a455188d2df
diff --git a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
index 59da4d037..2aad52b0c 100644
--- a/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
+++ b/best-practices/disallow-cri-sock-mount/disallow-cri-sock-mount.yaml
@@ -55,4 +55,17 @@ spec:
 spec:
 =(volumes):
 - =(hostPath):
- path: "!/var/run/crio.sock"
\ No newline at end of file
+ path: "!/var/run/crio.sock"
+ - name: validate-dockerd-sock-mount
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Use of the Docker CRI socket is not allowed."
+ pattern:
+ spec:
+ =(volumes):
+ - =(hostPath):
+ path: "!/var/run/cri-dockerd.sock"
diff --git a/best-practices/disallow-cri-sock-mount/pod-cri-dockerd-sock.yaml b/best-practices/disallow-cri-sock-mount/pod-cri-dockerd-sock.yaml
new file mode 100644
index 000000000..3e57e2323
--- /dev/null
+++ b/best-practices/disallow-cri-sock-mount/pod-cri-dockerd-sock.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-cri-dockerd-sock-mount
+spec:
+ containers:
+ - name: myshell
+ image: "ubuntu:18.04"
+ command:
+ - /bin/sleep
+ - "300"
+ volumes:
+ - name: dockersock
+ hostPath:
+ path: /var/run/cri-dockerd.sock
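Review bot: The negation in the new rule, `path: "!/var/run/cri-dockerd.sock"`, is an exact string comparison, so a hostPath that reaches the same socket under another spelling (the `/run/cri-dockerd.sock` form on hosts where `/var/run` is a symlink to `/run`, or a mount of the parent directory) is not rejected; the existing docker, containerd and crio rules above appear to share this limitation, so any tightening — a wildcard pattern such as `path: "!*cri-dockerd.sock*"` in the style the repo's disallow-latest-tag policy uses for `"!*:latest"`, or a `deny` rule that checks path prefixes — belongs in all four rules rather than only the new one. The message `"Use of the Docker CRI socket is not allowed."` is easy to confuse with the separate docker.sock rule's message; naming the file, e.g. `message: "Use of the cri-dockerd socket (/var/run/cri-dockerd.sock) is not allowed."`, makes the violation self-explanatory. The policy's description annotation and the artifacthub readme sit outside this hunk; if they still enumerate only Docker, containerd and CRI-O, they should now mention cri-dockerd as well.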