Block Pod Exec by Pod Name

The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods whose name begins with `myapp-maintenance-`.

Policy Definition

/other/block-pod-exec-by-pod-name.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-exec-by-pod-name
  annotations:
    policies.kyverno.io/title: Block Pod Exec by Pod Name
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.4.2
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
      be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
      This policy blocks Pod exec commands to Pods beginning with the name
      `myapp-maintenance-`.
spec:
  validationFailureAction: audit
  background: false
  rules:
  - name: deny-exec-myapp-maintenance
    match:
      resources:
        kinds:
        - PodExecOptions
    preconditions:
    - key: "{{ request.operation }}"
      operator: Equals
      value: CONNECT
    validate:
      message: Exec'ing into Pods called "myapp-maintenance" is not allowed.
      deny:
        conditions:
          - key: "{{ request.name }}"
            operator: Equals
            value: myapp-maintenance-*
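As an added example (not code from the policy repository, and not Kyverno's engine), the evaluator below mirrors the rule's three checks (resource kind, CONNECT precondition, wildcard name condition) over constructed admission requests, so the outcome can be reasoned about before the policy is applied to a cluster. The request dict field names and the `fnmatchcase` stand-in for Kyverno's `Equals` wildcard matching are assumptions; note that with `validationFailureAction: audit`, as in the definition above, a matching exec is reported but not rejected, so the policy only blocks once that field is set to `enforce`.

```python
"""Offline evaluator that mirrors the deny-exec-by-pod-name rule above.
Added example, not Kyverno's own engine: it reproduces the rule's logic
over constructed admission requests so the decision for a given request
can be checked before the policy is deployed."""
from fnmatch import fnmatchcase

# Constructed subset of the policy above: only the fields the rule keys on.
POLICY = {
    "validationFailureAction": "audit",   # as on the page: report, do not block
    "match_kinds": {"PodExecOptions"},
    "precondition_operation": "CONNECT",
    "deny_name_pattern": "myapp-maintenance-*",
}


def evaluate(request: dict, policy: dict = POLICY) -> dict:
    """Return the rule outcome for one admission request.

    `request` is a constructed dict standing in for the values Kyverno exposes
    as {{ request.kind.kind }}, {{ request.operation }} and {{ request.name }}.
    Kyverno's Equals operator treats '*' and '?' in a string value as wildcards;
    fnmatchcase reproduces that here (assumption: no other glob syntax is used).
    """
    if request["kind"] not in policy["match_kinds"]:
        return {"matched": False, "violation": False, "blocked": False}
    if request["operation"] != policy["precondition_operation"]:
        return {"matched": False, "violation": False, "blocked": False}
    violation = fnmatchcase(request["name"], policy["deny_name_pattern"])
    # audit mode only records the violation; enforce mode rejects the request
    blocked = violation and policy["validationFailureAction"].lower() == "enforce"
    return {"matched": True, "violation": violation, "blocked": blocked}


# Constructed sample requests: an exec into a maintenance Pod, an exec into an
# unrelated Pod, and a port-forward (a different kind) to the maintenance Pod.
SAMPLE_REQUESTS = [
    {"kind": "PodExecOptions", "operation": "CONNECT", "name": "myapp-maintenance-7d9c4"},
    {"kind": "PodExecOptions", "operation": "CONNECT", "name": "myapp-web-5b6f2"},
    {"kind": "PodPortForwardOptions", "operation": "CONNECT", "name": "myapp-maintenance-7d9c4"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["kind"], req["name"], evaluate(req))
    enforced = dict(POLICY, validationFailureAction="enforce")
    print("enforce:", evaluate(SAMPLE_REQUESTS[0], enforced))
```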