policyDefinitions/Kubernetes/do-not-allow-sharing-of-host-process-id-and-ipc-namespaces-in-a-kubernetes-cluster/template.yaml (23 lines of code) (raw):
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sazureblockhostnamespace
spec:
crd:
spec:
names:
kind: K8sAzureBlockHostNamespace
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sazureblockhostnamespace
violation[{"msg": msg, "details": {}}] {
input_share_hostnamespace(input.review.object)
msg := sprintf("Sharing the host namespace is not allowed: %v", [input.review.object.metadata.name])
}
input_share_hostnamespace(o) {
o.spec.hostPID
}
input_share_hostnamespace(o) {
o.spec.hostIPC
}