Skip to content

kubewarden/hostpaths-psp-policy

BranchesTags

Repository files navigation

Kubewarden Policy Repository Stable

psp-hostpaths-policy

Replacement for the Kubernetes Pod Security Policy that controls the usage of hostPath volumes. The policy inspects both the containers and the init containers that are using hostPath volumes.

Settings

allowedHostPaths:
- pathPrefix: "/foo"
  readOnly: true
- pathPrefix: "/bar"
  readOnly: false

allowedHostPaths is a list of host paths that are allowed to be used by hostPath volumes.

An empty allowedHostPaths list means there is no restriction on host paths used.

Each entry of allowedHostPaths must have:

  • A pathPrefix field, which allows hostPath volumes to mount a path that begins with an allowed prefix.
  • a readOnly field indicating it must be mounted read-only.

Special behaviour

It's possible to have host paths sharing part of the prefix. In that case, the readOnly attribute of the most specific path takes precedence.

For example, given the following configuration:

allowedHostPaths:
- pathPrefix: "/foo"
  readOnly: false
- pathPrefix: "/foo/bar"
  readOnly: true

Paths such as /foo/bar/dir1, /foo/bar must be read only.

About

Replacement for the Kubernetes Pod Security Policy that controls the usage of hostpaths

kubewarden.io

Topics

kubernetes webassembly hacktoberfest policy-as-code pod-security-policy kubernetes-security kubewarden-policy

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity
Custom properties

Stars

3 stars

Watchers

5 watching

Forks

4 forks
Report repository

Releases 21

v1.1.2 Latest
Nov 13, 2025
+ 20 releases

Packages

 
 
 

Contributors 11

Languages