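---
# Kyverno ClusterPolicy: deny hostNetwork on Pods outside a fixed list of
# infrastructure namespaces.
#
# A Pod with hostNetwork: true runs in the node's network namespace and can
# reach every interface and locally bound service of the node (including
# loopback-only listeners), so it is treated as a privileged setting and
# rejected cluster-wide except where explicitly exempted below.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-hostnetwork
spec:
  # Enforce: a non-compliant Pod is rejected at admission instead of only
  # being recorded as a violation (Audit).
  validationFailureAction: Enforce
  # Also evaluate resources that already exist, so pre-existing violations
  # become visible in policy reports; admission is still the only point at
  # which a Pod is blocked.
  background: true
  rules:
    - name: disallow-host-network
      # NOTE(review): the rule matches Pods only. Pods created via Deployments,
      # DaemonSets, Jobs etc. are covered through Kyverno's autogen for Pod
      # controllers; verify autogen has not been disabled for this policy
      # (pod-policies.kyverno.io/autogen-controllers annotation).
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Namespace-wide bypass: the rule is not evaluated at all for Pods in
      # these namespaces, so any principal allowed to create Pods in one of
      # them can use hostNetwork. Keep this list minimal and review it when
      # infrastructure components are added or removed.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kube-public
                - kube-node-lease
                - metallb-system
                - hostpath-provisioner
                - instana-agent
      validate:
        # User-facing denial message (German: "Using hostNetwork
        # (hostNetwork: true) is not allowed outside the defined system
        # namespaces."). Kept verbatim; it is shown to the requester.
        message: "Die Verwendung von hostNetwork (hostNetwork: true) ist außerhalb definierter System-Namespaces nicht erlaubt."
        # =( ) is Kyverno's conditional anchor: the key may be absent, but if
        # it is present its value must match. Keep the value quoted — this is
        # the form Kyverno's pattern syntax expects for a boolean field.
        pattern:
          spec:
            =(hostNetwork): "false"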