Disable Service Discovery
Not all Pods require communicating with other Pods or resolving in-cluster Services. For those, disabling service discovery can increase security as the Pods are limited to what they can see. This policy mutates Pods to set dnsPolicy to `Default` and enableServiceLinks to `false`.
Policy Definition
/other-mpol/disable-service-discovery/disable-service-discovery.yaml
```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: disable-service-discovery
  annotations:
    policies.kyverno.io/title: Disable Service Discovery
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.15.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/minversion: 1.15.0
    policies.kyverno.io/description: >-
      Not all Pods require communicating with other Pods or resolving in-cluster Services.
      For those, disabling service discovery can increase security as the Pods are limited
      to what they can see. This policy mutates Pods to set dnsPolicy to `Default` and
      enableServiceLinks to `false`.
spec:
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        expression: |
          Object{
            spec: Object.spec{
              dnsPolicy: "Default",
              enableServiceLinks: false
            }
          }
  reinvocationPolicy: Never
```
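The policy only mutates Pods at admission time, so Pods created before it was installed keep the Kubernetes defaults (dnsPolicy `ClusterFirst`, enableServiceLinks `true`). The following added example (not part of the Kyverno policy library) simulates the ApplyConfiguration merge on a Pod manifest and audits existing Pods for the two fields; it assumes Pods as plain dicts in the shape `kubectl get pods -o json` returns, with constructed sample Pods.

```python
import copy
from typing import Any

# Mirrors the policy's CEL expression:
# Object{ spec: Object.spec{ dnsPolicy: "Default", enableServiceLinks: false } }
SERVICE_DISCOVERY_PATCH: dict[str, Any] = {
    "spec": {"dnsPolicy": "Default", "enableServiceLinks": False},
}


def apply_configuration(obj: dict, patch: dict) -> dict:
    """Merge `patch` into a copy of `obj` the way an apply-configuration
    patch does: nested maps merge recursively, scalars in the patch win,
    and fields absent from the patch (containers, volumes, ...) stay intact."""
    out = copy.deepcopy(obj)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = apply_configuration(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def mutate_pod(pod: dict) -> dict:
    """What admission hands back for a CREATE/UPDATE of a matching Pod."""
    return apply_configuration(pod, SERVICE_DISCOVERY_PATCH)


def service_discovery_disabled(pod: dict) -> bool:
    """Audit check for Pods that already exist. A missing field means the
    Kubernetes default applies, so it counts as NOT disabled."""
    spec = pod.get("spec", {})
    return spec.get("dnsPolicy") == "Default" and spec.get("enableServiceLinks") is False


def find_noncompliant(pods: list[dict]) -> list[str]:
    """Return namespace/name of every Pod that still has service discovery."""
    return [
        f"{p['metadata'].get('namespace', 'default')}/{p['metadata']['name']}"
        for p in pods
        if not service_discovery_disabled(p)
    ]


# Constructed sample Pods (one with defaults omitted, one with them explicit).
SAMPLE_PODS = [
    {"metadata": {"name": "batch-job", "namespace": "jobs"},
     "spec": {"containers": [{"name": "c", "image": "busybox"}]}},
    {"metadata": {"name": "api", "namespace": "web"},
     "spec": {"dnsPolicy": "ClusterFirst", "enableServiceLinks": True,
              "containers": [{"name": "c", "image": "nginx"}]}},
]
```

Run `find_noncompliant` over the live Pod list to find workloads that need a restart before the mutation takes effect; Pods that genuinely resolve in-cluster Services must be excluded from the policy's match rather than mutated.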