Block Pod Exec by Pod and Container

The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to containers named `nginx` in Pods starting with name `myapp-maintenance`.

Policy Definition

/other/block-pod-exec-by-pod-and-container.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: deny-exec-by-pod-and-container
 5  annotations:
 6    policies.kyverno.io/title: Block Pod Exec by Pod and Container
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/minversion: 1.4.2
 9    policies.kyverno.io/subject: Pod
10    policies.kyverno.io/description: >-
11      The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
12      be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
13      This policy blocks Pod exec commands to containers named `nginx` in Pods starting
14      with name `myapp-maintenance`.      
15spec:
16  validationFailureAction: audit
17  background: false
18  rules:
19  - name: deny-nginx-exec-in-myapp-maintenance
20    match:
21      resources:
22        kinds:
23        - PodExecOptions
24    preconditions:
25      all:
26      - key: "{{ request.operation }}"
27        operator: Equals
28        value: CONNECT
29      - key: "{{ request.name }}"
30        operator: Equals
31        value: myapp-maintenance*
32    validate:
33      message: Nginx containers inside myapp-maintanence Pods may not be exec'd into.
34      deny:
35        conditions:
36          - key: "{{ request.object.container }}"
37            operator: Equals
38            value: nginx
39

Create policy issue