Disallow CRI socket mounts
Container daemon socket bind mounts allow access to the container engine on the node. This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed. This policy validates that the sockets used by the CRI engines Docker, Containerd, and CRI-O are not mounted into Pods.
Policy Definition
/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-container-sock-mounts
  annotations:
    policies.kyverno.io/title: Disallow CRI socket mounts
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Container daemon socket bind mounts allows access to the container engine on the
      node. This access can be used for privilege escalation and to manage containers
      outside of Kubernetes, and hence should not be allowed. This policy validates that
      the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-docker-sock-mount
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Use of the Docker Unix socket is not allowed."
      pattern:
        spec:
          =(volumes):
          - =(hostPath):
              path: "!/var/run/docker.sock"
  - name: validate-containerd-sock-mount
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Use of the Containerd Unix socket is not allowed."
      pattern:
        spec:
          =(volumes):
          - =(hostPath):
              path: "!/var/run/containerd.sock"
  - name: validate-crio-sock-mount
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Use of the CRI-O Unix socket is not allowed."
      pattern:
        spec:
          =(volumes):
          - =(hostPath):
              path: "!/var/run/crio.sock"
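The following is an added example, not part of the policy or the Kyverno project: a small Python model of the three validate rules, so the pattern semantics (the `=()` conditional anchors, list matching, and `!` negation) can be exercised offline against constructed Pod manifests. The rule names, socket paths and messages come from the policy above; the sample Pods are constructed.

```python
# Added example: mirrors the policy's three validate rules in Python.
# Kyverno pattern semantics modelled here:
#   =(volumes) / =(hostPath): the key is only checked when it is present;
#   a pattern on a list must hold for every element of the list;
#   "!<value>" negates an exact string comparison.

# Rule name -> (socket path the policy forbids, the policy's own message).
RULES = {
    "validate-docker-sock-mount":
        ("/var/run/docker.sock", "Use of the Docker Unix socket is not allowed."),
    "validate-containerd-sock-mount":
        ("/var/run/containerd.sock", "Use of the Containerd Unix socket is not allowed."),
    "validate-crio-sock-mount":
        ("/var/run/crio.sock", "Use of the CRI-O Unix socket is not allowed."),
}


def violations(pod: dict) -> list[str]:
    """Return the messages the policy would report for a Pod manifest (dict form)."""
    found = []
    volumes = pod.get("spec", {}).get("volumes")
    if volumes is None:           # =(volumes): no volumes key, every rule is satisfied
        return found
    for rule_name, (socket_path, message) in RULES.items():
        for volume in volumes:
            host_path = volume.get("hostPath")
            if host_path is None:  # =(hostPath): emptyDir/configMap/etc. are ignored
                continue
            if host_path.get("path") == socket_path:   # "!<path>" fails on exact match
                found.append(f"{rule_name}: {message}")
                break                                   # one result per rule
    return found


# Constructed sample Pods (not from the page).
DOCKER_SOCK_POD = {"spec": {"volumes": [
    {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}]}}
CLEAN_POD = {"spec": {"volumes": [
    {"name": "scratch", "emptyDir": {}},
    {"name": "logs", "hostPath": {"path": "/var/log"}}]}}
NO_VOLUMES_POD = {"spec": {"containers": [{"name": "app", "image": "example/app"}]}}
TWO_SOCKETS_POD = {"spec": {"volumes": [
    {"name": "a", "hostPath": {"path": "/var/run/containerd.sock"}},
    {"name": "b", "hostPath": {"path": "/var/run/crio.sock"}}]}}

if __name__ == "__main__":
    for label, pod in [("docker", DOCKER_SOCK_POD), ("clean", CLEAN_POD),
                       ("no-volumes", NO_VOLUMES_POD), ("two-sockets", TWO_SOCKETS_POD)]:
        print(label, violations(pod) or "pass")
```

Note that the policy as published sets validationFailureAction to audit, so Kyverno only records these results in policy reports; set it to enforce to have the admission request rejected.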