Replacement for the Kubernetes Pod Security Policy that controls the usage of
hostPath volumes. The policy inspects both the containers and the init
containers that are using hostPath volumes.
allowedHostPaths:
- pathPrefix: "/foo"
readOnly: true
- pathPrefix: "/bar"
readOnly: falseallowedHostPaths is a list of host paths that are allowed to be used by
hostPath volumes.
An empty allowedHostPaths list means there is no restriction on host paths
used.
Each entry of allowedHostPaths must have:
- A
pathPrefixfield, which allowshostPathvolumes to mount a path that begins with an allowed prefix. - a
readOnlyfield indicating it must be mounted read-only.
It's possible to have host paths sharing part of the prefix. In that case, the
readOnly attribute of the most specific path takes precedence.
For example, given the following configuration:
allowedHostPaths:
- pathPrefix: "/foo"
readOnly: false
- pathPrefix: "/foo/bar"
readOnly: truePaths such as /foo/bar/dir1, /foo/bar must be read only.