All Policies

Block Pod Exec by Namespace Name

The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`.

Policy Definition

/other/block-pod-exec-by-namespace.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: deny-exec-by-namespace-name
 5  annotations:
 6    policies.kyverno.io/title: Block Pod Exec by Namespace Name
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/minversion: 1.4.2
 9    policies.kyverno.io/subject: Pod
10    policies.kyverno.io/description: >-
11      The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
12      be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
13      This policy blocks Pod exec commands to Pods in a Namespace called `pci`.      
14spec:
15  validationFailureAction: enforce
16  background: false
17  rules:
18  - name: deny-exec-ns-pci
19    match:
20      resources:
21        kinds:
22        - PodExecOptions
23    preconditions:
24      all:
25      - key: "{{ request.operation }}"
26        operator: Equals
27        value: CONNECT
28    validate:
29      message: Pods in this namespace may not be exec'd into.
30      deny:
31        conditions:
32          any:
33          - key: "{{ request.namespace }}"
34            operator: Equals
35            value: pci
36
Create policy issue