Disable Service Discovery

Not all Pods need to communicate with other Pods or resolve in-cluster Services. For those, disabling service discovery reduces what a compromised Pod can learn about the cluster. This policy mutates Pods to set `dnsPolicy` to `Default`, so the Pod inherits the node's resolver configuration instead of cluster DNS and can no longer resolve Service names, and `enableServiceLinks` to `false`, so the kubelet stops injecting the `<SERVICE>_SERVICE_HOST` and `<SERVICE>_SERVICE_PORT` environment variables that enumerate the Services in the Pod's namespace. Note that this limits discovery only: a Pod that already knows a Service's ClusterIP can still connect to it, so pair the policy with a NetworkPolicy if reachability must be restricted. As written the policy matches every Pod the Kyverno webhook admits, so scope it (for example with a `namespaceSelector` or `objectSelector` in `matchConstraints`) to exclude workloads that do rely on cluster DNS or service links before enabling it.

Policy Definition

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: disable-service-discovery
  annotations:
    policies.kyverno.io/title: Disable Service Discovery
    policies.kyverno.io/category: Other, EKS Best Practices
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.15.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/minversion: 1.15.0
    policies.kyverno.io/description: Not all Pods require communicating with other Pods or resolving in-cluster Services. For those, disabling service discovery can increase security as the Pods are limited to what they can see. This policy mutates Pods to set dnsPolicy to `Default` and enableServiceLinks to `false`.
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - pods
  mutations:
  - patchType: ApplyConfiguration
    applyConfiguration:
      expression: |
        Object{
          spec: Object.spec{
            dnsPolicy: "Default",
            enableServiceLinks: false
          }
        }
  reinvocationPolicy: Never
```
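Before installing a mutation that touches every Pod, it is worth dry-running its effect against the manifests you already run. The script below is an added example, not part of this policy or of the Kyverno project: it reproduces the `ApplyConfiguration` patch above on plain Python dicts, reports the effective `dnsPolicy` and `enableServiceLinks` before and after (filling in the Kubernetes defaults `ClusterFirst` and `true` when the fields are omitted), and flags Pods whose env, args or command reference an in-cluster Service by its `.svc` name, since those will stop resolving once the Pod is on `Default`. The three Pod manifests are constructed sample input, and the `.svc` string match is an assumed heuristic, not something the policy itself checks.

```python
"""Dry-run of the disable-service-discovery mutation against Pod manifests.

Added example, not code from the Kyverno policy library. The Pods below are
constructed sample input; the ".svc" match in find_cluster_dns_refs() is an
assumed heuristic for "this workload resolves Service names".
"""
import copy
import json

# Kubernetes defaults that apply when the fields are omitted from the spec.
DEFAULT_DNS_POLICY = "ClusterFirst"
DEFAULT_SERVICE_LINKS = True

# Constructed sample Pods: a batch job, a web frontend, a hostNetwork agent.
SAMPLE_PODS = [
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "image-resizer", "namespace": "batch"},
     "spec": {"containers": [{"name": "main", "image": "example/resizer"}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "frontend", "namespace": "web"},
     "spec": {"enableServiceLinks": True,
              "containers": [{"name": "web", "image": "example/web",
                              "env": [{"name": "API_URL",
                                       "value": "http://api.web.svc.cluster.local:8080"}]}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "node-agent", "namespace": "monitoring"},
     "spec": {"hostNetwork": True, "dnsPolicy": "ClusterFirstWithHostNet",
              "containers": [{"name": "agent", "image": "example/agent",
                              "args": ["--collector=otel-collector.monitoring.svc:4317"]}]}},
]


def effective_dns_policy(spec):
    """Return the DNS policy the kubelet actually applies for this spec."""
    policy = spec.get("dnsPolicy", DEFAULT_DNS_POLICY)
    # A hostNetwork Pod left on ClusterFirst is treated as Default by the
    # kubelet; only ClusterFirstWithHostNet keeps cluster DNS on host network.
    if spec.get("hostNetwork") and policy == "ClusterFirst":
        return "Default"
    return policy


def apply_mutation(pod):
    """Apply the policy's patch: spec.dnsPolicy=Default, spec.enableServiceLinks=false.

    ApplyConfiguration merges like server-side apply, so every other spec
    field is left as it was. The input dict is not modified.
    """
    mutated = copy.deepcopy(pod)
    spec = mutated.setdefault("spec", {})
    spec["dnsPolicy"] = "Default"
    spec["enableServiceLinks"] = False
    return mutated


def find_cluster_dns_refs(spec):
    """Heuristic: collect env/args/command strings that name an in-cluster Service."""
    refs = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        values = [e.get("value", "") for e in c.get("env", [])]
        values += c.get("args", []) + c.get("command", [])
        refs += [v for v in values if ".svc" in v]
    return refs


def audit(pods):
    """Report what the mutation changes per Pod and which Pods are likely to break."""
    report = []
    for pod in pods:
        before = pod.get("spec", {})
        after = apply_mutation(pod)["spec"]
        dns_refs = find_cluster_dns_refs(before)
        report.append({
            "pod": f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}',
            "dns_before": effective_dns_policy(before),
            "dns_after": effective_dns_policy(after),
            "links_before": before.get("enableServiceLinks", DEFAULT_SERVICE_LINKS),
            "links_after": after["enableServiceLinks"],
            "cluster_dns_refs": dns_refs,
            # A Pod that resolves Service names fails DNS lookups once on Default.
            "likely_breaks": bool(dns_refs),
        })
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PODS), indent=2))
```

Pods that the report marks `likely_breaks` are the ones to carve out of `matchConstraints` (or to leave on cluster DNS by other means) before the policy goes live; the node agent in the sample is the typical case, since it explicitly asked for `ClusterFirstWithHostNet` and the mutation would silently downgrade it. After rollout, the same two properties can be confirmed from inside a mutated Pod: a lookup of a Service name such as `kubernetes.default.svc` should fail, and `env` should show no `_SERVICE_HOST` variables.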
