in policy/check_windowsHostProcess.go [59:102]
func windowsHostProcess_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
var badContainers []string
visitContainers(podSpec, func(container *corev1.Container) {
if container.SecurityContext != nil &&
container.SecurityContext.WindowsOptions != nil &&
container.SecurityContext.WindowsOptions.HostProcess != nil &&
*container.SecurityContext.WindowsOptions.HostProcess {
badContainers = append(badContainers, container.Name)
}
})
podSpecForbidden := false
if podSpec.SecurityContext != nil &&
podSpec.SecurityContext.WindowsOptions != nil &&
podSpec.SecurityContext.WindowsOptions.HostProcess != nil &&
*podSpec.SecurityContext.WindowsOptions.HostProcess {
podSpecForbidden = true
}
// pod or containers explicitly set hostProcess=true
var forbiddenSetters []string
if podSpecForbidden {
forbiddenSetters = append(forbiddenSetters, "pod")
}
if len(badContainers) > 0 {
forbiddenSetters = append(
forbiddenSetters,
fmt.Sprintf(
"%s %s",
pluralize("container", "containers", len(badContainers)),
joinQuote(badContainers),
),
)
}
if len(forbiddenSetters) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "hostProcess",
ForbiddenDetail: fmt.Sprintf("%s must not set securityContext.windowsOptions.hostProcess=true", strings.Join(forbiddenSetters, " and ")),
}
}
return CheckResult{Allowed: true}
}