psp-hostpaths-policy

Replacement for the Kubernetes Pod Security Policy that controls the usage of hostPath volumes. The policy inspects both the containers and the init containers that are using hostPath volumes.

Settings

allowedHostPaths:
- pathPrefix: "/foo"
  readOnly: true
- pathPrefix: "/bar"
  readOnly: false

allowedHostPaths is a list of host paths that are allowed to be used by hostPath volumes.

An empty allowedHostPaths list means there is no restriction on host paths used.

Each entry of allowedHostPaths must have:

A pathPrefix field, which allows hostPath volumes to mount a path that begins with an allowed prefix.
a readOnly field indicating it must be mounted read-only.

Special behaviour

It's possible to have host paths sharing part of the prefix. In that case, the readOnly attribute of the most specific path takes precedence.

For example, given the following configuration:

allowedHostPaths:
- pathPrefix: "/foo"
  readOnly: false
- pathPrefix: "/foo/bar"
  readOnly: true

Paths such as /foo/bar/dir1, /foo/bar must be read only.

Name		Name	Last commit message	Last commit date
Latest commit History 108 Commits
.github/workflows		.github/workflows
test_data		test_data
vendor		vendor
.gitignore		.gitignore
CODEOWNERS		CODEOWNERS
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
artifacthub-pkg.yml		artifacthub-pkg.yml
artifacthub-repo.yml		artifacthub-repo.yml
e2e.bats		e2e.bats
go.mod		go.mod
go.sum		go.sum
hub.yml		hub.yml
main.go		main.go
metadata.yml		metadata.yml
questions-ui.yml		questions-ui.yml
renovate.json		renovate.json
settings.go		settings.go
settings.sample.json		settings.sample.json
settings_test.go		settings_test.go
validate.go		validate.go
validate_test.go		validate_test.go

License

kubewarden/hostpaths-psp-policy

Folders and files

Latest commit

History

Repository files navigation

psp-hostpaths-policy

Settings

Special behaviour

About

Topics

Resources

License

Stars

Watchers

Forks

Languages