SeongJuMoon/policy-as-code-for-k8s

Policy as Code for Kubernetes

This repository demonstrates different approaches to implementing Policy as Code in Kubernetes to prevent pods from using host networking. Each policy blocks kubectl apply operations for pods that have hostNetwork: true configured.

Overview

Host networking in Kubernetes allows pods to use the host's network namespace, which can pose security risks. This repository provides three different implementations to enforce policies that prevent pods from using host networking:

  1. Gatekeeper - Using OPA Gatekeeper with both Rego and CEL validation engines
  2. Kyverno - Using Kyverno with both native YAML patterns and CEL expressions
  3. Vanilla Kubernetes - Using native Kubernetes ValidatingAdmissionPolicy with CEL

Directory Structure

/gatekeeper/

Contains OPA Gatekeeper implementation with two validation approaches:

  • Rego-based validation: Uses Rego policy language for validation logic
  • CEL-based validation: Uses Common Expression Language (CEL) for validation

Files:

  • install.yaml - Gatekeeper installation manifest
  • rego-constraint-template.yaml - Rego-based constraint template
  • rego-constraint.yaml - Rego-based constraint instance
  • cel-constraint-template.yaml - CEL-based constraint template
  • cel-constraint.yaml - CEL-based constraint instance

/kyverno/

Contains Kyverno implementation with two validation approaches:

  • Native policy: Uses Kyverno's native YAML pattern matching
  • CEL policy: Uses CEL expressions for validation

Files:

  • install.yaml - Kyverno installation manifest
  • native-policy.yaml - Native Kyverno policy using YAML patterns
  • cel-policy.yaml - Kyverno policy using CEL expressions

/vanilla/

Contains native Kubernetes implementation:

  • ValidatingAdmissionPolicy: Uses Kubernetes' built-in admission controller with CEL

Files:

  • hostnetwork-not-allow.yaml - ValidatingAdmissionPolicy and binding

/workloads/

Contains test workloads:

  • failed.yaml - Pod with hostNetwork: true (should be blocked)
  • success.yaml - Pod without host networking (should be allowed)

Quick Start

Gatekeeper

  1. Deploy Gatekeeper:

    kubectl apply -f gatekeeper/install.yaml
  2. Deploy validation rules:

    kubectl apply -f gatekeeper/rego-constraint-template.yaml
    kubectl apply -f gatekeeper/cel-constraint-template.yaml
  3. Apply policy rule sets:

    kubectl apply -f gatekeeper/rego-constraint.yaml
    kubectl apply -f gatekeeper/cel-constraint.yaml
  4. Test admission webhook:

    kubectl apply -f workloads/failed.yaml  # Should see error message
    kubectl apply -f workloads/success.yaml # Should deploy successfully

Kyverno

  1. Deploy Kyverno:

    kubectl apply -f kyverno/install.yaml
  2. Deploy validation rules:

    kubectl apply -f kyverno/native-policy.yaml
    kubectl apply -f kyverno/cel-policy.yaml
  3. Test admission webhook:

    kubectl apply -f workloads/failed.yaml  # Should see error message
    kubectl apply -f workloads/success.yaml # Should deploy successfully

Vanilla Kubernetes

  1. Deploy ValidatingAdmissionPolicy:

    kubectl apply -f vanilla/hostnetwork-not-allow.yaml
  2. Test admission webhook:

    kubectl apply -f workloads/failed.yaml  # Should see error message
    kubectl apply -f workloads/success.yaml # Should deploy successfully

Policy Logic

All implementations enforce the same policy logic:

  • Allow: Pods that don't specify hostNetwork or have hostNetwork: false
  • Deny: Pods that have hostNetwork: true

The validation expression used in CEL-based policies:

    !has(object.spec.hostNetwork) || object.spec.hostNetwork != true
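The vanilla variant of this logic as a complete ValidatingAdmissionPolicy plus binding, written here as an added example rather than the repository's own hostnetwork-not-allow.yaml (whose contents are not reproduced on this page); the resource names and the CREATE/UPDATE operation match are assumptions.

```yaml
# Added example, not the repository's file. Requires a cluster where
# ValidatingAdmissionPolicy is available in admissionregistration.k8s.io/v1
# (GA in Kubernetes 1.30).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: hostnetwork-not-allow          # assumed name
spec:
  # Fail closed: if the expression cannot be evaluated, reject the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]  # assumed; covers kubectl apply
        resources: ["pods"]
  validations:
    # Same CEL expression as the Policy Logic section: allow when the field
    # is absent or false, deny when it is true.
    - expression: "!has(object.spec.hostNetwork) || object.spec.hostNetwork != true"
      message: "HostNetwork usage is not allowed in Pods."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: hostnetwork-not-allow-binding  # assumed name
spec:
  policyName: hostnetwork-not-allow
  # Deny enforces the rule; Audit or Warn could be used to roll out without blocking.
  validationActions: [Deny]
  # No matchResources: the binding applies cluster-wide, including kube-system.
```

Because matchConstraints covers only pods, applying a Deployment whose pod template sets hostNetwork: true succeeds at kubectl apply; the rejection happens when the ReplicaSet tries to create the pods and shows up in its events rather than in the apply output.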

Error Messages

When a pod with hostNetwork: true is applied, you should see an error message similar to:

  • Gatekeeper: "HostNetwork usage is not allowed for pods"
  • Kyverno: "HostNetwork usage is not allowed in Pods."
  • Vanilla: "HostNetwork usage is not allowed in Pods."
