All Products
Search
Document Center

Container Service for Kubernetes:Predefined security policies of ACK

Last Updated:Aug 30, 2024

You can configure security policies for pods to verify the security of requests for deploying or updating pods. The cluster policy management feature provides four built-in rule libraries: Compliance, Infra, K8s-general, and PSP.

Background information

ACK provides the following types of predefined security policies:

  • Compliance: Security policies of this type are customized based on compliance standards such as Alibaba Cloud Kubernetes Security Hardening.

  • Infra: Security policies of this type are used to ensure and enhance the security of cloud infrastructure resources.

  • K8s-general: Security policies of this type are used to limit and normalize the configurations of sensitive resources in Container Service for Kubernetes (ACK) clusters and enhance the security of applications in ACK clusters.

  • PSP: Security policies of this type can be used as an alternative to pod security policies (PSPs) of open source Kubernetes and provide the same access control capabilities.

Predefined security policies

The following table describes the predefined security policies of ACK.

Category

Policy

Description

Severity

Compliance

ACKNoEnvVarSecrets

The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.

medium

ACKPodsRequireSecurityContext

Pods in the specified namespaces must be configured with the securityContext parameter.

low

ACKRestrictNamespaces

Resources of the specified types cannot be deployed in the specified namespaces.

low

ACKRestrictRoleBindings

RoleBindings in the specified namespaces can be used to bind only the specified roles or cluster roles.

high

ACKNamespacesDeleteProtection

Specified namespaces cannot be deleted.

medium

ACKServicesDeleteProtection

Service instances in the specified namespaces cannot be deleted.

medium

Infra

ACKBlockProcessNamespaceSharing

Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter.

high

ACKEmptyDirHasSizeLimit

The sizelimit parameter must be configured when you mount emptyDir volumes.

low

ACKLocalStorageRequireSafeToEvict

Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, autoscaler does not evict pods that are mounted with hostPath volumes or emptyDir volumes during automatic scaling activities. To enable autoscaler to evict these pods, you must add this annotation to the configurations of the pods.

low

ACKOSSStorageLocationConstraint

Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces.

low

ACKPVSizeConstraint

Specifies the maximum disk capacity that can be requested for persistent volumes (PVs) that are created in an ACK cluster.

medium

ACKPVCConstraint

Specifies the namespaces in which persistent volume claims (PVCs) can be deployed and the maximum disk capacity that can be requested for PVs.

medium

ACKBlockVolumeTypes

Pods in the specified namespaces cannot use the specified volumes.

medium

K8s-general

ACKAllowedRepos

Pods in the specified namespaces can pull images only from the specified image repositories.

high

ACKBlockAutoinjectServiceEnv

Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected to pod environment variables.

low

ACKBlockAutomountToken

Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service accounts are not automatically mounted.

high

ACKBlockEphemeralContainer

Pods in the specified namespaces cannot launch ephemeral containers.

medium

ACKBlockLoadBalancer

LoadBalancer Services cannot be deployed in the specified namespaces.

high

ACKBlockNodePort

NodePort Services cannot be deployed in the specified namespaces.

high

ACKContainerLimits

Pods in the specified namespaces must be configured with resource limits.

low

ACKExternalIPs

Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content.

high

ACKImageDigests

Pods in the specified namespaces must be deployed from images whose digests comply with the specified format.

low

ACKRequiredLabels

Pods in the specified namespaces must have labels that comply with the policy content.

low

ACKRequiredProbes

Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes.

medium

ACKCheckNginxPath

The spec.rules[].http.paths[].path parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for Ingress-nginx versions earlier than 1.2.1.

high

ACKCheckNginxAnnotation

The metadata.annotations parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for Ingress-nginx versions earlier than 1.2.1.

high

ACKBlockInternetLoadBalancer

Internet-facing LoadBalancer Services cannot be created.

high

RatifyVerification

After you install the ratify component on the Marketplace page in your cluster, you can use the component to verify the signatures or security metadata such as a software bill of materials (SBOM) in the images of pods that are deployed in specific namespaces.

high

PSP

ACKPSPAllowPrivilegeEscalationContainer

Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter.

medium

ACKPSPAllowedUsers

Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings.

medium

ACKPSPAppArmor

Pods in the specified namespaces must be configured with AppArmor settings.

low

ACKPSPCapabilities

Pods in the specified namespaces must be configured with Linux Capabilities settings.

high

ACKPSPFSGroup

Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content.

medium

ACKPSPFlexVolumes

Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.

medium

ACKPSPForbiddenSysctls

Pods in the specified namespaces cannot use the specified sysctls.

high

ACKPSPHostFilesystem

hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.

high

ACKPSPHostNamespace

Pods in the specified namespaces cannot share the host namespaces.

high

ACKPSPHostNetworkingPorts

Specifies whether pods in the specified namespaces can use the host network and specified ports.

high

ACKPSPPrivilegedContainer

Pods in the specified namespaces cannot run privileged containers.

high

ACKPSPProcMount

Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.

low

ACKPSPReadOnlyRootFilesystem

Pods in the specified namespaces must run with read-only root file systems.

medium

ACKPSPSELinuxV2

Pods in the specified namespaces cannot be configured with SELinux options that are not specified in the policy content.

low

ACKPSPSeccomp

Pods in the specified namespaces must be configured with the specified seccomp profiles.

low

ACKPSPVolumeTypes

Only volumes of the specified types can be mounted to pods in the specified namespace.

medium

Compliance

  • ACKNoEnvVarSecrets

    Policy description: The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.

    Severity: Medium

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKNoEnvVarSecrets
    metadata:
      name: no-env-var-secrets
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
      volumes:
      - name: foo
        secret:
          secretName: mysecret
          items:
          - key: username
            path: my-group/my-username

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password
      restartPolicy: Never
  • ACKPodsRequireSecurityContext

    Policy description: Pods in the specified namespaces must be configured with the securityContext parameter.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPodsRequireSecurityContext
    metadata:
      name: pods-require-security-context
      annotations:
        description: "Requires that Pods must have a `securityContext` defined."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: test-gatekeeper
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test2
      - image: test
        name: test
        resources: {}
        securityContext:
          runAsNonRoot: false
  • ACKRestrictNamespaces

    Policy description: Resources of the specified types cannot be deployed in the specified namespaces.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    restrictedNamespaces

    array

    Specifies the names of the namespaces in which resources cannot be deployed.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictNamespaces
    metadata:
      name: restrict-default-namespace
      annotations:
        description: "Restricts resources from using the restricted namespace."
    spec:
      match:
        kinds:
          - apiGroups: ['']
            kinds: ['Pod']
      parameters:
        restrictedNamespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      restartPolicy: Never
  • ACKRestrictRoleBindings

    Policy description: RoleBindings in the specified namespaces can be used to assign only the specified roles or cluster roles.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    restrictedRole

    object

    Specifies the cluster roles or roles that are not allowed to assign.

    allowedSubjects

    array

    Specifies the subjects that can be mounted.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictRoleBindings
    metadata:
      name: restrict-clusteradmin-rolebindings
      annotations:
        description: "Restricts use of sensitive role in specific rolebinding."
    spec:
      match:
        kinds:
          - apiGroups: ["rbac.authorization.k8s.io"]
            kinds: ["RoleBinding"]
      parameters:
        restrictedRole:
          apiGroup: "rbac.authorization.k8s.io"
          kind: "ClusterRole"
          name: "cluster-admin"
        allowedSubjects:
          - apiGroup: "rbac.authorization.k8s.io"
            kind: "Group"
            name: "system:masters"

    Allowed:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: good-2
      namespace: test-gatekeeper
    subjects:
      - kind: Group
        name: 'system:masters'
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

    Disallowed:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    subjects:
      - kind: ServiceAccount
        name: policy-template-controller
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
  • ACKNamespacesDeleteProtection

    Policy description: The specified namespaces cannot be deleted. You can set the protectionNamespaces parameter to the names of the namespaces that cannot be deleted.

    To enable this policy, you must use gatekeeper 3.10.0.130-g0e79597d-aliyun or later. For more information about gatekeeper versions, see gatekeeper.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    protectionNamespaces

    array

    The names of namespaces that cannot be deleted.

    Example:

    Constraint:

       apiVersion: constraints.gatekeeper.sh/v1beta1
      kind: ACKNamespacesDeleteProtection
      metadata:
        name: namespace-delete-protection
      spec:
        match:
          kinds:
            - apiGroups: ['']
              kinds: ['Namespace']
        parameters:
          protectionNamespaces:
            - test-gatekeeper

    Allowed:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: will-delete

    Disallowed:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: test-gatekeeper
  • ACKServicesDeleteProtection

    Policy description: The Service instances in the specified namespaces cannot be deleted. You can set the protectionServices parameter to the names of the Service instances that cannot be deleted.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    protectionServices

    array

    The names of Service instances in the specified namespaces that cannot be deleted.

    Example:

    Constraint:

      apiVersion: constraints.gatekeeper.sh/v1beta1
      kind: ACKServicesDeleteProtection
      metadata:
        name: service-delete-protection
        annotations:
          description: "Protect to delete specific service."
      spec:
        enforcementAction: deny
        match:
          kinds:
            - apiGroups: ['']
              kinds: ['Service']
          namespaces: ["test-gatekeeper"]
        parameters:
          protectionServices:
            - test-svc

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: good
      namespace: test-gatekeeper

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: test-svc

Infra

  • ACKBlockProcessNamespaceSharing

    Policy description: Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockProcessNamespaceSharing
    ACKCheckNginxPathmetadata:
      name: block-share-process-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test-3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKEmptyDirHasSizeLimit

    Policy description: The sizelimit parameter must be configured when you mount emptyDir volumes.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKEmptyDirHasSizeLimit
    metadata:
      name: empty-dir-has-sizelimit
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir:
          sizeLimit: "10Mi"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKLocalStorageRequireSafeToEvict

    Policy description: Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. Pods that are not configured with this annotation are not deleted during scaling activities.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKLocalStorageRequireSafeToEvict
    metadata:
      name: local-storage-require-safe-to-evict
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
      annotations:
        'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /data
          # this field is optional
          type: Directory

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKOSSStorageLocationConstraint

    Policy description: Specifies whether OSS buckets in the specified regions can be mounted to pods in the specified namespaces.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    mode

    string

    Specifies whether to enable whitelist mode. Default value: allowlist, which indicates that the whitelist mode is enabled. Other values indicate that the blacklist mode is enabled.

    regions

    array

    The specified region IDs.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKOSSStorageLocationConstraint
    metadata:
      name: restrict-oss-location
      annotations:
        description: "Restricts location of oss storage in cluster."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["PersistentVolume", "Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        mode: "allowlist"
        regions:
          - "cn-beijing"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi-good
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-beijing.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeHandle: pv-oss
            nodePublishSecretRef:
              name: oss-secret
              namespace: default
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-hangzhou.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"
  • ACKPVSizeConstraint

    Policy description: Specifies the maximum disk capacity that can be requested for PVs that are created in an ACK cluster.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    maxSize

    string

    The maximum disk capacity that can be requested for PVs in an ACK cluster. Default value: 50 GiB.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPVSizeConstraint
    metadata:
      name: limit-pv-size
      annotations:
        description: "Limit the pv storage capacity size within a specified maximum amount."
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [ "" ]
            kinds: [ "PersistentVolume" ]
      parameters:
        maxSize: "50Gi"

    Allowed:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-oss-csi
      labels:
        alicloud-pvname: pv-oss
    spec:
      capacity:
        storage: 25Gi
      accessModes:
        - ReadWriteMany
      persistentVolumeReclaimPolicy: Retain
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

    Disallowed:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-oss-csi-bad
      labels:
        alicloud-pvname: pv-oss
    spec:
      capacity:
        storage: 500Gi
      accessModes:
        - ReadWriteMany
      persistentVolumeReclaimPolicy: Retain
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
  • ACKPVCConstraint

    Policy description: Specifies the namespaces in which PVCs can be deployed and the maximum disk capacity that can be requested for PVs.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    maxSize

    string

    The maximum disk capacity that can be requested for PVs. Default value: 50 GiB.

    allowNamespaces

    array

    The names of the namespaces in which PVCs can be deployed.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPVCConstraint
    metadata:
      name: limit-pvc-size-and-ns
      annotations:
        description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [ "" ]
            kinds: [ "PersistentVolumeClaim" ]
      parameters:
        maxSize: "50Gi"
        allowNamespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: disk-pvc
      namespace: test-gatekeeper
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi

    Disallowed:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: bad-disk-pvc
      namespace: test-gatekeeper
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 200Gi
    ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: bad-namespace-pvc
      namespace: test-gatekeeper-bad
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi      
  • ACKBlockVolumeTypes

    Policy description: Specifies the volumes that cannot be used by pods in the specified namespaces.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    volumes

    array

    The list of volumes that are disallowed to use.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockVolumeTypes
    metadata:
      name: block-volume-types
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
      parameters:
         volumes:
           - "gitRepo"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: use-empty-dir
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
      - name: emptydir-volume
        emptyDir: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: use-git-repo
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
      - name: git-volume
        gitRepo:
          repository: "git@***:***/my-git-repository.git"
          revision: "22f1d8406d464b0c08***"

K8s-general

  • ACKAllowedRepos

    Policy description: Pods in the specified namespaces can pull images only from the specified image repositories.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    repos

    array

    Specifies the image repositories from which pods can pull images.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKAllowedRepos
    metadata:
      name: allowed-repos
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        repos:
          - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
          - "registry.cn-hangzhou.aliyuncs.com/acs/"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-01
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container-1
      initContainers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container-3
  • ACKBlockAutoinjectServiceEnv

    Policy description: Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected to pod environment variables.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutoinjectServiceEnv
    metadata:
      name: block-auto-inject-service-env
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      enableServiceLinks: false
      containers:
      - image: openpolicyagent/test-webserver:1.0
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockAutomountToken

    Policy description: Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service accounts are not automatically mounted.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutomountToken
    metadata:
      name: block-auto-mount-service-account-token
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      automountServiceAccountToken: false
      containers:
      - image: openpolicyagent/test-webserver:v1.0
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockEphemeralContainer

    Policy description: Pods in the specified namespaces cannot launch ephemeral containers.

    Severity: Medium

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockEphemeralContainer
    metadata:
      name: block-ephemeral-container
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: good-1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      ephemeralContainers:
        - name: test
          image: test
  • ACKBlockLoadBalancer

    Policy description: LoadBalancer Services cannot be deployed in the specified namespaces.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    restrictedNamespaces

    array

    Specifies the names of the namespaces in which resources cannot be deployed.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockLoadBalancer
    metadata:
      name: block-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKBlockNodePort

    Policy description: NodePort Services cannot be deployed in the specified namespaces.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockNodePort
    metadata:
      name: block-node-port
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: NodePort
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKContainerLimits

    Policy description: Pods in the specified namespaces must be configured with resource limits.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKContainerLimits
    metadata:
      name: container-must-have-limits
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        cpu: "1000m"
        memory: "1Gi"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Mi"
            cpu: "500m"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Gi"
            cpu: "2000m"
  • ACKExternalIPs

    Policy description: Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedIPs

    array

    Specifies external IP addresses that can be used.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKExternalIPs
    metadata:
      name: external-ips
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedIPs:
          - "192.168.0.5"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-3
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      externalIPs:
        - 80.11.XX.XX
  • ACKImageDigests

    Policy description: Pods in the specified namespaces must be deployed from images whose digests comply with the specified format.

    Severity: Low

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKImageDigests
    metadata:
      name: container-image-must-have-digest
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container2
  • ACKRequiredLabels

    Policy description: Pods in the specified namespaces must have labels that are specified by the allowedRegex parameter.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedRegex

    string

    Specifies the labels in regular expressions.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredLabels
    metadata:
      name: must-have-label-test
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
    #            message: ''
        labels:
          - key: test
            # value
            allowedRegex: "^test.*$"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: test
      namespace: test-gatekeeper
      labels:
        'test': 'test_233'
    spec:
      containers:
      - name: mycontainer
        image: redis

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: bad2
      namespace: test-gatekeeper
      labels:
        'test': '233'
    spec:
      containers:
      - name: mycontainer
        image: redis
  • ACKRequiredProbes

    Policy description: Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    probes

    array

    Specifies the probes that must be configured for a pod. Valid values: readinessProbe and livenessProbe.

    probeTypes

    array

    Specifies the types of probes that must be configured for a pod. Valid values: tcpSocket, httpGet, and exec.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredProbes
    metadata:
      name: must-have-probes
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        probes: ["readinessProbe", "livenessProbe"]
        probeTypes: ["tcpSocket", "httpGet", "exec"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: p4
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        readinessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: p1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
  • ACKCheckNginxPath

    This policy prevents you from using high-risk configurations in the spec.rules[].http.paths[].path field of Ingresses. We recommend that you enable the policy for Ingress-nginx whose version is earlier than 1.2.1.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxPath
    metadata:
      name: block-nginx-path
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-paths
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80

    Disallowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: bad-path-secrets
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /var/run/secrets
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
  • ACKCheckNginxAnnotation

    This policy prevents you from using high-risk configurations in the metadata.annotations field of Ingresses. We recommend that you enable the policy for Ingress-nginx whose version is earlier than 1.2.1.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxAnnotation
    metadata:
      name: block-nginx-annotation
    spec:
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-annotations
      namespace: test-gatekeeper
      annotations:
        nginx.org/good: "value"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80

    Disallowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: var-run-secrets
      namespace: test-gatekeeper
      annotations:
        nginx.org/bad: "/var/run/secrets"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80
  • ACKBlockInternetLoadBalancer

    Policy description: Internet-facing LoadBalancer Services cannot be created.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockInternetLoadBalancer
    metadata:
      name: block-internet-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: non-test-gatekeeper
      annotations:
        'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      type: LoadBalancer

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: bad-service-2
      namespace: test-gatekeeper
      annotations:
        'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • RatifyVerification

    Policy description: After you install the ratify component on the Marketplace page in your cluster, you can use the component to verify the signatures or security metadata such as a software bill of materials (SBOM) in the images of pods that are deployed in specific namespaces.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: RatifyVerification
    metadata:
      name: ratify-constraint
    spec:
      enforcementAction: deny
    match:
      kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      namespaces: ["default"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/signed   # Deploy an image with a valid signature.
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned   # Deploy an image without a valid signature.
        name: test-container

PSP

  • ACKPSPAllowedUsers

    Policy description: Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    runAsUser

    object

    For more information about the parameter, see the configurations of User, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.

    runAsGroup

    object

    For more information about the parameter, see the configurations of Group, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.

    supplementalGroups

    object

    For more information about the parameter, see the configurations of SupplementalGroups, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.

    fsGroup

    object

    For more information about the parameter, see the configurations of fsGroup, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowedUsers
    metadata:
      name: psp-pods-allowed-user-ranges
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        runAsUser:
          rule: MustRunAs # MustRunAsNonRoot # RunAsAny
          ranges:
            - min: 100
              max: 200
        runAsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        supplementalGroups:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        fsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good2
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 150
        supplementalGroups:
          - 150
      containers:
      - image: test
        name: test
        securityContext:
          runAsUser: 150
          runAsGroup: 150

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAllowPrivilegeEscalationContainer

    Policy description: Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter.

    Severity: Medium

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowPrivilegeEscalationContainer
    metadata:
      name: psp-allow-privilege-escalation-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          allowPrivilegeEscalation: false
      initContainers:
        - image: test
          name: test2
          securityContext:
            allowPrivilegeEscalation: false

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAppArmor

    Policy description: Pods in the specified namespaces must be configured with the AppArmor settings.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    probes

    array

    Specifies the probes that must be configured for a pod. Valid values: readinessProbe and livenessProbe.

    probeTypes

    array

    Specifies the types of probes that must be configured for a pod. Valid values: tcpSocket, httpGet, and exec.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAppArmor
    metadata:
      name: psp-apparmor
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfiles:
          - runtime/default

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
      annotations:
        'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
        'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
    spec:
      containers:
      - image: test
        name: test
      initContainers:
      - image: test
        name: test2

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPCapabilities

    Policy description: Pods in the specified namespaces must be configured with the Linux Capabilities settings.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedCapabilities

    array

    Specifies the capabilities that can be configured for a pod.

    requiredDropCapabilities

    array

    Specifies the capabilities that cannot be configured for a pod.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPCapabilities
    metadata:
      name: psp-capabilities
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedCapabilities: ["CHOWN"]
        requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-4
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          capabilities:
            add:
              - CHOWN
            drop:
             - "NET_ADMIN"
             - "SYS_ADMIN"
             - "NET_RAW"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPFlexVolumes

    Policy description: Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedFlexVolumes

    array

    Specifies the FlexVolume drivers that can be used by a pod.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFlexVolumes
    metadata:
      name: psp-flexvolume-drivers
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod", "PersistentVolume"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedFlexVolumes: #[]
          - driver: "alicloud/disk"
          - driver: "alicloud/nas"
          - driver: "alicloud/oss"
          - driver: "alicloud/cpfs"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-nas
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/nas"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss-flexvolume
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/ossxx"
  • ACKPSPForbiddenSysctls

    Policy description: Pods in the specified namespaces cannot use the specified sysctls.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    forbiddenSysctls

    array

    Specifies the sysctls that cannot be used by a pod.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPForbiddenSysctls
    metadata:
      name: psp-forbidden-sysctls
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        forbiddenSysctls:
          # - "*" # * may be used to forbid all sysctls
          - "kernel.*"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-2
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'net.ipv4.tcp_syncookies'
            value: "65536"
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'kernel.shm_rmid_forced'
            value: '1024'
      containers:
      - image: test
        name: test
  • ACKPSPFSGroup

    Policy description: Pods in the specified namespaces must be configured with the fsGroup settings that comply with the policy content.

    Severity: Medium

    The following table describes the parameters.

    Parameter

    Type

    Description

    rule

    string

    For more information about the parameter, see the configurations of fsGroup in the PSP of Kubernetes.The MustRunAs, MayRunAs, and RunAsAny parameters are supported. For more information, see Volumes and file systems.

    ranges

    object

    Valid values:

    • min: the minimum value of fsGroup ID.

    • max: the maximum value of fsGroup ID.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFSGroup
    metadata:
      name: psp-fsgroup
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
        ranges:
          - min: 1
            max: 1000

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 100
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      securityContext:
        fsGroup: 0
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
  • ACKPSPHostFilesystem

    Policy description: hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedHostPaths

    object

    Specifies the hostPath volumes that can be mounted to a pod.

    readOnly

    boolean

    Specifies whether the volumes are read-only.

    pathPrefix

    string

    Specifies the prefixes of the volumes.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostFilesystem
    metadata:
      name: psp-host-filesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedHostPaths:
          - readOnly: true
            pathPrefix: "/foo"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        volumeMounts:
          - name: test-volume
            mountPath: "/projected-volume"
            readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          path: /foo

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: File
  • ACKPSPHostNamespace

    Policy description: Pods in the specified namespaces cannot share the host namespaces.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNamespace
    metadata:
      name: psp-host-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      hostPID: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKPSPHostNetworkingPorts

    Policy description: Specifies whether pods in the specified namespaces can use the host network and specified ports.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    hostNetwork

    boolean

    Specifies whether pods can use the host network.

    min

    int

    Specifies the lowest host port number.

    max

    int

    Specifies the highest host port number.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNetworkingPorts
    metadata:
      name: psp-host-network-ports
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        hostNetwork: true
        min: 80
        max: 9000

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: good-2
      namespace: test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 80
            containerPort: 80
      initContainers:
        - image: k8s.gcr.io/test-webserver
          name: test-container2
          ports:
            - hostPort: 8080
              containerPort: 8080

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 22
            containerPort: 22
  • ACKPSPPrivilegedContainer

    Policy description: Pods in the specified namespaces cannot run privileged containers.

    Severity: High

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPPrivilegedContainer
    metadata:
      name: psp-privileged-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      restartPolicy: Never
  • ACKPSPProcMount

    Policy description: Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.

    Severity: High

    The following table describes the parameters.

    Parameter

    Type

    Description

    procMount

    string

    Specifies the Proc Mount type. Valid values:

    • Default: The /proc directory cannot be mounted.

    • Unmasked: The /proc directory can be mounted.

    For more information, see AllowedProcMountTypes.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPProcMount
    metadata:
      name: psp-proc-mount
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        procMount: Default  # Default or Unmasked

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Default"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Unmasked"
      initContainers:
      - image: test
        name: test2
  • ACKPSPReadOnlyRootFilesystem

    Policy description: Pods in the specified namespaces must run with read-only root file systems.

    Severity: Medium

    Parameter description: None

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPReadOnlyRootFilesystem
    metadata:
      name: psp-readonlyrootfilesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: true

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: false
      initContainers:
      - image: test
        name: test2
  • ACKPSPSeccomp

    Policy description: Pods in the specified namespaces must be configured with the specified seccomp profiles.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedProfileTypes

    array

    Specifies the type of seccomp profiles that are allowed.

    allowedProfiles

    array

    Specifies the seccomp profiles that are allowed.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSeccomp
    metadata:
      name: psp-seccomp
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfileTypes:
          # - Unconfined
          - RuntimeDefault
          - Localhost
        allowedProfiles:
          - runtime/default
          - docker/default
          - localhost/profiles/audit.json

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
      initContainers:
      - image: test
        name: test2
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
        echo-k8s-webhook-enabled: 'true'
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPSELinuxV2

    Policy description: Pods in the specified namespaces cannot be configured with the SELinux options that are not specified by the allowedSELinuxOptions parameter.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    allowedSELinuxOptions

    object

    Specifies SELinux options that can be configured for a pod. For more information, see SELinuxOptions v1 core.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSELinuxV2
    metadata:
      name: psp-selinux-v2
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedSELinuxOptions:
          - level: s0:c123,c456
            role: object_r
            type: svirt_sandbox_file_t
            user: system_u

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c456"
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c455"
  • ACKPSPVolumeTypes

    Policy description: Only volumes of the specified types can be mounted to pods in the specified namespace.

    Severity: Low

    The following table describes the parameters.

    Parameter

    Type

    Description

    volumes

    array

    The list of volumes that are allowed to use.

    Example:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPVolumeTypes
    metadata:
      name: psp-volume-types
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        volumes:
          # - "*" # * may be used to allow all volume types
          - configMap
          # - emptyDir
          - projected
          - secret
          - downwardAPI
          - persistentVolumeClaim
          # - hostPath #required for allowedHostPaths
          - flexVolume #required for allowedFlexVolumes

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/oss"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data