https://github.com/kubewarden/hostpaths-psp-policy

Replacement for the Kubernetes Pod Security Policy that controls the usage of hostpaths
https://github.com/kubewarden/hostpaths-psp-policy

hacktoberfest kubernetes kubernetes-security kubewarden-policy pod-security-policy policy-as-code webassembly

Last synced: 6 months ago
JSON representation

Replacement for the Kubernetes Pod Security Policy that controls the usage of hostpaths

• Host: GitHub
• URL: https://github.com/kubewarden/hostpaths-psp-policy
• Owner: kubewarden
• License: apache-2.0
• Created: 2021-08-04T15:02:34.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2024-12-09T10:37:25.000Z (6 months ago)
• Last Synced: 2024-12-09T11:36:19.417Z (6 months ago)
• Topics: hacktoberfest, kubernetes, kubernetes-security, kubewarden-policy, pod-security-policy, policy-as-code, webassembly
• Language: Go
• Homepage: https://kubewarden.io
• Size: 1.1 MB
• Stars: 3
• Watchers: 5
• Forks: 3
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Codeowners: CODEOWNERS

Awesome Lists containing this project

README

        
[![Kubewarden Policy Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)

[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)

# psp-hostpaths-policy

Replacement for the Kubernetes Pod Security Policy that controls the usage of

`hostPath` volumes. The policy inspects both the containers and the init

containers that are using `hostPath` volumes.

## Settings

```yaml

allowedHostPaths:

- pathPrefix: "/foo"

  readOnly: true

- pathPrefix: "/bar"

  readOnly: false

```

`allowedHostPaths` is a list of host paths that are allowed to be used by

`hostPath` volumes.

An empty `allowedHostPaths` list means there is no restriction on host paths

used.

Each entry of `allowedHostPaths` must have:

- A `pathPrefix` field, which allows `hostPath` volumes to mount a path that

  begins with an allowed prefix.

- a `readOnly` field indicating it must be mounted read-only.

### Special behaviour

It's possible to have host paths sharing part of the prefix. In that case, the

`readOnly` attribute of the most specific path takes precedence.

For example, given the following configuration:

```yaml

allowedHostPaths:

- pathPrefix: "/foo"

  readOnly: false

- pathPrefix: "/foo/bar"

  readOnly: true

```

Paths such as `/foo/bar/dir1`, `/foo/bar` must be read only.