[Bug] Disallow Host Namespaces policy not enforced properly · Issue #1303 · kyverno/policies · GitHub
[Bug] Disallow Host Namespaces policy not enforced properly #1303
Open
@jcambronero

Kyverno Version

1.12

Kubernetes Version

1.27

Kubernetes Platform

Bare metal

Description

The Disallow Host Namespaces policy documented at https://kyverno.io/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/ is not enforced properly under certain conditions.

Steps to reproduce

  1. Create the following sample deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      hostNetwork: true
      hostPID: true
      hostIPC: true
      containers:
      - name: nginx
        image: nginx
  2. Create the following ClusterPolicy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-host-namespaces
  annotations:
    policies.kyverno.io/title: Disallow Host Namespaces
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: host-namespaces
      match:
        any:
        - resources:
            kinds:
              - Pod
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: >-
          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
        pattern:
          spec:
            =(hostPID): "false"
            =(hostIPC): "false"
            =(hostNetwork): "false"
  3. Edit the deployment (kubectl edit deployment nginx-deployment) and set hostNetwork: false
  4. Edit the deployment one more time (kubectl edit deployment nginx-deployment) and set hostNetwork: true

Expected behavior

Kyverno should prevent setting hostNetwork: true as per the policy, but when following the steps above the change is allowed.
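The following is an added reference check, not code from the report or from Kyverno. It re-implements the pattern's conditional anchor `=(field): "false"` (absent is fine, present must be false) in plain Python and replays the edit sequence from the steps above, so the expected decisions can be checked offline. It assumes Kyverno autogen applies a Pod-matching rule to spec.template.spec of the listed controller kinds; the Deployment dict is constructed to mirror the manifest in the report.

```python
import copy
from typing import Any, Dict, List

# The three pod-level fields the policy's pattern constrains.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")
# Pod controllers whose template Kyverno autogen derives rules for when a
# rule matches kind Pod (assumption for this example, not from the report).
POD_CONTROLLERS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def pod_spec_of(resource: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec the pattern is applied to: the Pod's own spec,
    or spec.template.spec for a controller."""
    kind = resource.get("kind")
    if kind == "Pod":
        return resource.get("spec", {})
    if kind in POD_CONTROLLERS:
        return resource["spec"]["template"].get("spec", {})
    raise ValueError(f"unsupported kind: {kind}")


def host_namespace_violations(resource: Dict[str, Any]) -> List[str]:
    """Mirror the conditional anchor `=(field): "false"`: an absent field
    passes, a present field must equal false."""
    spec = pod_spec_of(resource)
    return [f"spec.{f}" for f in HOST_NAMESPACE_FIELDS
            if f in spec and spec[f] is not False]


def admit_update_sequence(base: Dict[str, Any],
                          edits: List[Dict[str, Any]]) -> List[bool]:
    """Replay edits to a Deployment's pod spec and return one admit/deny
    decision per edit. Each decision looks only at the desired state being
    submitted, never at the object's previous state."""
    current = copy.deepcopy(base)
    decisions = []
    for patch in edits:
        current["spec"]["template"]["spec"].update(patch)
        decisions.append(not host_namespace_violations(current))
    return decisions


# Constructed input mirroring the nginx Deployment in the report.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{"name": "nginx", "image": "nginx"}]}}},
}
# Steps 3 and 4 of the report: hostNetwork false, then true again.
REPORT_EDITS = [{"hostNetwork": False}, {"hostNetwork": True}]
```

Both edits in REPORT_EDITS should be denied, since hostPID and hostIPC stay true throughout; the second one is the update the report says Kyverno let through.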

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

Labels

bug (Something isn't working)