Disallow NodePort

A Kubernetes Service of type NodePort opens a static port on every node in the cluster and accepts traffic on that port from any source. A NetworkPolicy cannot be used to control traffic to host ports, so the usual in-cluster mechanism for restricting ingress does not apply. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that Services do not use the `NodePort` type. Note that the definition below ships with `validationFailureAction: audit`, so violations are reported in policy reports rather than rejected at admission; set it to `enforce` to block NodePort Services. With `background: true` the rule is also evaluated against Services that already exist, so existing violations show up in reports as well.

Policy Definition

/best-practices/restrict-node-port/restrict-node-port.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-nodeport
  annotations:
    policies.kyverno.io/title: Disallow NodePort
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    policies.kyverno.io/description: >-
      A Kubernetes Service of type NodePort uses a host port to receive traffic from
      any source. A NetworkPolicy cannot be used to control traffic to host ports.
      Although NodePort Services can be useful, their use must be limited to Services
      with additional upstream security checks. This policy validates that any new Services
      do not use the `NodePort` type.
spec:
  # audit: report violations only; change to enforce to reject NodePort Services at admission.
  validationFailureAction: audit
  # background: also evaluate Services that already exist, not just new admission requests.
  background: true
  rules:
  - name: validate-nodeport
    match:
      any:
      - resources:
          kinds:
          - Service
    validate:
      message: "Services of type NodePort are not allowed."
      pattern:
        spec:
          # =(type) is a conditional anchor: the check applies only when spec.type is set
          # (a Service with no type defaults to ClusterIP and passes); "!NodePort" means
          # the value, when present, must not equal NodePort.
          =(type): "!NodePort"
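To make the pattern semantics concrete, the following is an added example (not Kyverno's own engine or test suite) that re-implements only the two pattern features this rule uses, the conditional anchor `=(key)` and the `!value` negation, and runs the rule over a handful of constructed Service manifests. The `service()` helper and the sample names are assumptions for illustration.

```python
"""Local walk-through of the Disallow NodePort rule (added example, not Kyverno code).

Re-implements only the two Kyverno pattern features this policy uses:
  - the conditional anchor  =(key): the check applies only if `key` is present
  - the negation           "!value": the field must not equal `value`
and evaluates the rule over a few constructed Service manifests.
"""
import re

ANCHOR = re.compile(r"^=\((?P<key>[^)]+)\)$")

# The policy's own pattern, as a Python dict (same shape as the YAML above).
PATTERN = {"spec": {"=(type)": "!NodePort"}}
MESSAGE = "Services of type NodePort are not allowed."


def _leaf_matches(pattern_value, actual):
    """Compare a scalar: "!X" means 'must not equal X', anything else is equality."""
    if isinstance(pattern_value, str) and pattern_value.startswith("!"):
        return actual != pattern_value[1:]
    return actual == pattern_value


def pattern_matches(pattern, resource):
    """Return True when `resource` satisfies `pattern` (subset of Kyverno pattern semantics)."""
    if not isinstance(pattern, dict):
        return _leaf_matches(pattern, resource)
    if not isinstance(resource, dict):
        return False
    for raw_key, sub_pattern in pattern.items():
        anchor = ANCHOR.match(raw_key)
        if anchor:
            key = anchor.group("key")
            if key not in resource:      # conditional anchor: absent key -> check skipped
                continue
        else:
            key = raw_key
            if key not in resource:      # plain key: must exist for the pattern to match
                return False
        if not pattern_matches(sub_pattern, resource[key]):
            return False
    return True


def evaluate(resource):
    """Mirror the rule: match kind Service, then validate; return (passed, message)."""
    if resource.get("kind") != "Service":
        return True, "rule does not match this kind"
    if pattern_matches(PATTERN, resource):
        return True, "ok"
    return False, MESSAGE


def service(name, svc_type=None):
    """Build a minimal Service manifest (constructed sample input, hypothetical names)."""
    spec = {"selector": {"app": name}, "ports": [{"port": 80, "targetPort": 8080}]}
    if svc_type is not None:
        spec["type"] = svc_type
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name}, "spec": spec}


SAMPLES = {
    "clusterip": service("web", "ClusterIP"),
    "nodeport": service("web-np", "NodePort"),
    # type omitted: Kubernetes defaults it to ClusterIP, and the =(type) anchor skips the check
    "default-type": service("web-default"),
    # passes the pattern, although a LoadBalancer Service still allocates node ports by default
    "loadbalancer": service("web-lb", "LoadBalancer"),
}


def run_all():
    """Evaluate every sample; returns {sample name: passed}."""
    return {name: evaluate(svc)[0] for name, svc in SAMPLES.items()}


if __name__ == "__main__":
    for name, svc in SAMPLES.items():
        passed, msg = evaluate(svc)
        print(f"{name:13} {'pass' if passed else 'FAIL'}  {msg}")
```

Two things the walk-through makes visible: a Service that omits `spec.type` passes because of the conditional anchor (which is correct, since the API server defaults it to ClusterIP), and a `LoadBalancer` Service also passes even though Kubernetes allocates a NodePort for it unless `spec.allocateLoadBalancerNodePorts` is set to `false`. If node-level exposure is the concern, pair this policy with one that checks that field on LoadBalancer Services.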