You can configure security policies for pods to verify the security of requests for deploying or updating pods. The cluster policy management feature provides four built-in rule libraries: Compliance, Infra, K8s-general, and PSP.
Background information
ACK provides the following types of predefined security policies:
Compliance: Security policies of this type are customized based on compliance standards such as Alibaba Cloud Kubernetes Security Hardening.
Infra: Security policies of this type are used to ensure and enhance the security of cloud infrastructure resources.
K8s-general: Security policies of this type are used to limit and normalize the configurations of sensitive resources in Container Service for Kubernetes (ACK) clusters and enhance the security of applications in ACK clusters.
PSP: Security policies of this type can be used as an alternative to pod security policies (PSPs) of open source Kubernetes and provide the same access control capabilities.
Predefined security policies
The following table describes the predefined security policies of ACK.
Category | Policy | Description | Severity |
Compliance |
| The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. | medium |
| Pods in the specified namespaces must be configured with the | low | |
| Resources of the specified types cannot be deployed in the specified namespaces. | low | |
| RoleBindings in the specified namespaces can be used to bind only the specified roles or cluster roles. | high | |
| Specified namespaces cannot be deleted. | medium | |
| Service instances in the specified namespaces cannot be deleted. | medium | |
Infra |
| Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. | high |
| The | low | |
| Pods in the specified namespaces must be configured with the | low | |
| Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. | low | |
| Specifies the maximum disk capacity that can be requested for persistent volumes (PVs) that are created in an ACK cluster. | medium | |
| Specifies the namespaces in which persistent volume claims (PVCs) can be deployed and the maximum disk capacity that can be requested for PVs. | medium | |
| Pods in the specified namespaces cannot use the specified volumes. | medium | |
K8s-general |
| Pods in the specified namespaces can pull images only from the specified image repositories. | high |
| Pods in the specified namespaces must be configured with | low | |
| Pods in the specified namespaces must be configured with | high | |
| Pods in the specified namespaces cannot launch ephemeral containers. | medium | |
| LoadBalancer Services cannot be deployed in the specified namespaces. | high | |
| NodePort Services cannot be deployed in the specified namespaces. | high | |
| Pods in the specified namespaces must be configured with resource | low | |
| Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. | high | |
| Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. | low | |
| Pods in the specified namespaces must have labels that comply with the policy content. | low | |
| Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. | medium | |
| The | high | |
| The | high | |
| Internet-facing LoadBalancer Services cannot be created. | high | |
| After you install the ratify component on the Marketplace page in your cluster, you can use the component to verify the signatures or security metadata such as a software bill of materials (SBOM) in the images of pods that are deployed in specific namespaces. | high | |
PSP |
| Pods in the specified namespaces must be configured with the | medium |
| Pods in the specified namespaces must be configured with the | medium | |
| Pods in the specified namespaces must be configured with AppArmor settings. | low | |
| Pods in the specified namespaces must be configured with Linux Capabilities settings. | high | |
| Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. | medium | |
| Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. | medium | |
| Pods in the specified namespaces cannot use the specified sysctls. | high | |
| hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. | high | |
| Pods in the specified namespaces cannot share the host namespaces. | high | |
| Specifies whether pods in the specified namespaces can use the host network and specified ports. | high | |
| Pods in the specified namespaces cannot run privileged containers. | high | |
| Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content. | low | |
| Pods in the specified namespaces must run with read-only root file systems. | medium | |
| Pods in the specified namespaces cannot be configured with SELinux options that are not specified in the policy content. | low | |
| Pods in the specified namespaces must be configured with the specified seccomp profiles. | low | |
| Only volumes of the specified types can be mounted to pods in the specified namespace. | medium |
Compliance
ACKNoEnvVarSecrets
Policy description: The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.
Severity: Medium
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKNoEnvVarSecrets metadata: name: no-env-var-secrets spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1 kind: Pod metadata: name: mypod namespace: test-gatekeeper spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" volumes: - name: foo secret: secretName: mysecret items: - key: username path: my-group/my-usernameDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad namespace: test-gatekeeper spec: containers: - name: mycontainer image: redis env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password restartPolicy: NeverACKPodsRequireSecurityContext
Policy description: Pods in the specified namespaces must be configured with the
securityContextparameter.Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPodsRequireSecurityContext metadata: name: pods-require-security-context annotations: description: "Requires that Pods must have a `securityContext` defined." spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: test namespace: test-gatekeeper spec: securityContext: runAsNonRoot: false containers: - image: test name: test resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: non-test-gatekeeper spec: containers: - image: test name: test2 - image: test name: test resources: {} securityContext: runAsNonRoot: falseACKRestrictNamespaces
Policy description: Resources of the specified types cannot be deployed in the specified namespaces.
Severity: Low
The following table describes the parameters.
Parameter
Type
Description
restrictedNamespaces
array
Specifies the names of the namespaces in which resources cannot be deployed.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKRestrictNamespaces metadata: name: restrict-default-namespace annotations: description: "Restricts resources from using the restricted namespace." spec: match: kinds: - apiGroups: [''] kinds: ['Pod'] parameters: restrictedNamespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: test namespace: non-test-gatekeeper spec: containers: - image: test name: test resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}Disallowed:
apiVersion: v1 kind: Pod metadata: name: bad namespace: test-gatekeeper spec: containers: - name: mycontainer image: redis restartPolicy: NeverACKRestrictRoleBindings
Policy description: RoleBindings in the specified namespaces can be used to assign only the specified roles or cluster roles.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
restrictedRole
object
Specifies the cluster roles or roles that are not allowed to assign.
allowedSubjects
array
Specifies the subjects that can be mounted.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings annotations: description: "Restricts use of sensitive role in specific rolebinding." spec: match: kinds: - apiGroups: ["rbac.authorization.k8s.io"] kinds: ["RoleBinding"] parameters: restrictedRole: apiGroup: "rbac.authorization.k8s.io" kind: "ClusterRole" name: "cluster-admin" allowedSubjects: - apiGroup: "rbac.authorization.k8s.io" kind: "Group" name: "system:masters"Allowed:
kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: good-2 namespace: test-gatekeeper subjects: - kind: Group name: 'system:masters' roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.ioDisallowed:
kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: bad-1 namespace: test-gatekeeper subjects: - kind: ServiceAccount name: policy-template-controller roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.ioACKNamespacesDeleteProtection
Policy description: The specified namespaces cannot be deleted. You can set the
protectionNamespacesparameter to the names of the namespaces that cannot be deleted.To enable this policy, you must use gatekeeper 3.10.0.130-g0e79597d-aliyun or later. For more information about gatekeeper versions, see gatekeeper.
Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
protectionNamespaces
array
The names of namespaces that cannot be deleted.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKNamespacesDeleteProtection metadata: name: namespace-delete-protection spec: match: kinds: - apiGroups: [''] kinds: ['Namespace'] parameters: protectionNamespaces: - test-gatekeeperAllowed:
apiVersion: v1 kind: Namespace metadata: name: will-deleteDisallowed:
apiVersion: v1 kind: Namespace metadata: name: test-gatekeeperACKServicesDeleteProtection
Policy description: The Service instances in the specified namespaces cannot be deleted. You can set the
protectionServicesparameter to the names of the Service instances that cannot be deleted.Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
protectionServices
array
The names of Service instances in the specified namespaces that cannot be deleted.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKServicesDeleteProtection metadata: name: service-delete-protection annotations: description: "Protect to delete specific service." spec: enforcementAction: deny match: kinds: - apiGroups: [''] kinds: ['Service'] namespaces: ["test-gatekeeper"] parameters: protectionServices: - test-svcAllowed:
apiVersion: v1 kind: Service metadata: name: good namespace: test-gatekeeperDisallowed:
apiVersion: v1 kind: Service metadata: name: test-svc
Infra
ACKBlockProcessNamespaceSharing
Policy description: Pods in the specified namespaces cannot be configured with the
shareProcessNamespaceparameter.Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockProcessNamespaceSharing ACKCheckNginxPathmetadata: name: block-share-process-namespace spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: test-3 namespace: test-gatekeeper spec: containers: - image: test name: test resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: shareProcessNamespace: true containers: - image: test name: test resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}ACKEmptyDirHasSizeLimit
Policy description: The
sizelimitparameter must be configured when you mount emptyDir volumes.Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKEmptyDirHasSizeLimit metadata: name: empty-dir-has-sizelimit spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1 kind: Pod metadata: name: test-1 namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: sizeLimit: "10Mi"Disallowed:
apiVersion: v1 kind: Pod metadata: name: bad namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: {}ACKLocalStorageRequireSafeToEvict
Policy description: Pods in the specified namespaces must be configured with the
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"annotation. Pods that are not configured with this annotation are not deleted during scaling activities.Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1 kind: Pod metadata: name: test-1 namespace: test-gatekeeper annotations: 'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true' spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume volumes: - name: test-volume hostPath: # directory location on host path: /data # this field is optional type: DirectoryDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /cache name: cache-volume volumes: - name: cache-volume emptyDir: {}ACKOSSStorageLocationConstraint
Policy description: Specifies whether OSS buckets in the specified regions can be mounted to pods in the specified namespaces.
Severity: Low
The following table describes the parameters.
Parameter
Type
Description
mode
string
Specifies whether to enable whitelist mode. Default value:
allowlist, which indicates that the whitelist mode is enabled. Other values indicate that the blacklist mode is enabled.regions
array
The specified region IDs.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKOSSStorageLocationConstraint metadata: name: restrict-oss-location annotations: description: "Restricts location of oss storage in cluster." spec: match: kinds: - apiGroups: [""] kinds: ["PersistentVolume", "Pod"] namespaces: - "test-gatekeeper" parameters: mode: "allowlist" regions: - "cn-beijing"Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-oss-csi-good namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: test csi: driver: ossplugin.csi.alibabacloud.com volumeAttributes: bucket: "oss" url: "oss-cn-beijing.aliyuncs.com" otherOpts: "-o max_stat_cache_size=0 -o allow_other" path: "/"Disallowed:
apiVersion: v1 kind: Pod metadata: name: pod-oss-csi namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: test csi: driver: ossplugin.csi.alibabacloud.com volumeHandle: pv-oss nodePublishSecretRef: name: oss-secret namespace: default volumeAttributes: bucket: "oss" url: "oss-cn-hangzhou.aliyuncs.com" otherOpts: "-o max_stat_cache_size=0 -o allow_other" path: "/"ACKPVSizeConstraint
Policy description: Specifies the maximum disk capacity that can be requested for PVs that are created in an ACK cluster.
Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
maxSize
string
The maximum disk capacity that can be requested for PVs in an ACK cluster. Default value: 50 GiB.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPVSizeConstraint metadata: name: limit-pv-size annotations: description: "Limit the pv storage capacity size within a specified maximum amount." spec: enforcementAction: deny match: kinds: - apiGroups: [ "" ] kinds: [ "PersistentVolume" ] parameters: maxSize: "50Gi"Allowed:
apiVersion: v1 kind: PersistentVolume metadata: name: pv-oss-csi labels: alicloud-pvname: pv-oss spec: capacity: storage: 25Gi accessModes: - ReadWriteMany persistentVolumeReclaimPolicy: Retain csi: driver: ossplugin.csi.alibabacloud.com volumeHandle: pv-oss nodePublishSecretRef: name: oss-secret namespace: default volumeAttributes: bucket: "oss" url: "oss-cn-beijing.aliyuncs.com" otherOpts: "-o max_stat_cache_size=0 -o allow_other" path: "/"Disallowed:
apiVersion: v1 kind: PersistentVolume metadata: name: pv-oss-csi-bad labels: alicloud-pvname: pv-oss spec: capacity: storage: 500Gi accessModes: - ReadWriteMany persistentVolumeReclaimPolicy: Retain csi: driver: ossplugin.csi.alibabacloud.com volumeHandle: pv-oss nodePublishSecretRef: name: oss-secret namespace: default volumeAttributes: bucket: "oss" url: "oss-cn-beijing.aliyuncs.com" otherOpts: "-o max_stat_cache_size=0 -o allow_other" path: "/"ACKPVCConstraint
Policy description: Specifies the namespaces in which PVCs can be deployed and the maximum disk capacity that can be requested for PVs.
Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
maxSize
string
The maximum disk capacity that can be requested for PVs. Default value: 50 GiB.
allowNamespaces
array
The names of the namespaces in which PVCs can be deployed.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPVCConstraint metadata: name: limit-pvc-size-and-ns annotations: description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed." spec: enforcementAction: deny match: kinds: - apiGroups: [ "" ] kinds: [ "PersistentVolumeClaim" ] parameters: maxSize: "50Gi" allowNamespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disk-pvc namespace: test-gatekeeper spec: accessModes: - ReadWriteOnce resources: requests: storage: 20GiDisallowed:
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: bad-disk-pvc namespace: test-gatekeeper spec: accessModes: - ReadWriteOnce resources: requests: storage: 200Gi --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: bad-namespace-pvc namespace: test-gatekeeper-bad spec: accessModes: - ReadWriteOnce resources: requests: storage: 20GiACKBlockVolumeTypes
Policy description: Specifies the volumes that cannot be used by pods in the specified namespaces.
Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
volumes
array
The list of volumes that are disallowed to use.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockVolumeTypes metadata: name: block-volume-types spec: enforcementAction: deny match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["test-gatekeeper"] parameters: volumes: - "gitRepo"Allowed:
apiVersion: v1 kind: Pod metadata: name: use-empty-dir namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: emptydir-volume emptyDir: {}Disallowed:
apiVersion: v1 kind: Pod metadata: name: use-git-repo namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: git-volume gitRepo: repository: "git@***:***/my-git-repository.git" revision: "22f1d8406d464b0c08***"
K8s-general
ACKAllowedRepos
Policy description: Pods in the specified namespaces can pull images only from the specified image repositories.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
repos
array
Specifies the image repositories from which pods can pull images.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKAllowedRepos metadata: name: allowed-repos spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: repos: - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/" - "registry.cn-hangzhou.aliyuncs.com/acs/"Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-01 namespace: test-gatekeeper spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver name: test-container-1 initContainers: - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver name: test-containerDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-container initContainers: - image: k8s.gcr.io/test-webserver name: test-container-3ACKBlockAutoinjectServiceEnv
Policy description: Pods in the specified namespaces must be configured with
enableServiceLinks: false, which specifies that Service IP addresses are not injected to pod environment variables.Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockAutoinjectServiceEnv metadata: name: block-auto-inject-service-env spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-0 namespace: test-gatekeeper spec: enableServiceLinks: false containers: - image: openpolicyagent/test-webserver:1.0 name: test-containerDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-containerACKBlockAutomountToken
Policy description: Pods in the specified namespaces must be configured with
automountServiceAccountToken: false, which specifies thatservice accountsare not automatically mounted.Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockAutomountToken metadata: name: block-auto-mount-service-account-token spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-0 namespace: test-gatekeeper spec: automountServiceAccountToken: false containers: - image: openpolicyagent/test-webserver:v1.0 name: test-containerDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-containerACKBlockEphemeralContainer
Policy description: Pods in the specified namespaces cannot launch ephemeral containers.
Severity: Medium
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockEphemeralContainer metadata: name: block-ephemeral-container spec: enforcementAction: deny match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: name: good-1 namespace: test-gatekeeper spec: containers: - name: mycontainer image: redisDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: non-test-gatekeeper spec: containers: - name: mycontainer image: redis ephemeralContainers: - name: test image: testACKBlockLoadBalancer
Policy description: LoadBalancer Services cannot be deployed in the specified namespaces.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
restrictedNamespaces
array
Specifies the names of the namespaces in which resources cannot be deployed.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockLoadBalancer metadata: name: block-load-balancer spec: match: kinds: - apiGroups: [""] kinds: ["Service"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Service metadata: name: my-service-1 namespace: test-gatekeeper spec: selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376Disallowed:
apiVersion: v1 kind: Service metadata: name: my-service namespace: test-gatekeeper spec: type: LoadBalancer selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376ACKBlockNodePort
Policy description: NodePort Services cannot be deployed in the specified namespaces.
Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockNodePort metadata: name: block-node-port spec: match: kinds: - apiGroups: [""] kinds: ["Service"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Service metadata: name: my-service-1 namespace: test-gatekeeper spec: selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376Disallowed:
apiVersion: v1 kind: Service metadata: name: my-service namespace: test-gatekeeper spec: type: NodePort selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376ACKContainerLimits
Policy description: Pods in the specified namespaces must be configured with resource
limits.Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKContainerLimits metadata: name: container-must-have-limits spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: cpu: "1000m" memory: "1Gi"Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-1 namespace: test-gatekeeper spec: containers: - image: openpolicyagent/test-webserver name: test-container resources: limits: memory: "100Mi" cpu: "500m"Disallowed:
apiVersion: v1 kind: Pod metadata: name: pod-2 namespace: non-test-gatekeeper spec: containers: - image: openpolicyagent/test-webserver name: test-container resources: limits: memory: "100Gi" cpu: "2000m"ACKExternalIPs
Policy description: Services in the specified namespaces cannot use
external IP addressesthat are not specified in the policy content.Severity: High
The following table describes the parameters.
Parameter
Type
Description
allowedIPs
array
Specifies
external IP addressesthat can be used.Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKExternalIPs metadata: name: external-ips spec: match: kinds: - apiGroups: [""] kinds: ["Service"] namespaces: - "test-gatekeeper" parameters: allowedIPs: - "192.168.0.5"Allowed:
apiVersion: v1 kind: Service metadata: name: my-service-3 namespace: test-gatekeeper spec: selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376Disallowed:
apiVersion: v1 kind: Service metadata: name: my-service namespace: test-gatekeeper spec: selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376 externalIPs: - 80.11.XX.XXACKImageDigests
Policy description: Pods in the specified namespaces must be deployed from images whose
digestscomply with the specified format.Severity: Low
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKImageDigests metadata: name: container-image-must-have-digest spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-0 namespace: test-gatekeeper spec: containers: - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b name: test-containerDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: test-gatekeeper spec: containers: - image: k8s.gcr.io/test-webserver name: test-container initContainers: - image: k8s.gcr.io/test-webserver name: test-container2ACKRequiredLabels
Policy description: Pods in the specified namespaces must have
labelsthat are specified by theallowedRegexparameter.Severity: Low
The following table describes the parameters.
Parameter
Type
Description
allowedRegex
string
Specifies the labels in regular expressions.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKRequiredLabels metadata: name: must-have-label-test spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: # message: '' labels: - key: test # value allowedRegex: "^test.*$"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null name: test namespace: test-gatekeeper labels: 'test': 'test_233' spec: containers: - name: mycontainer image: redisDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null name: bad2 namespace: test-gatekeeper labels: 'test': '233' spec: containers: - name: mycontainer image: redisACKRequiredProbes
Policy description: Pods in the specified namespaces must be configured with the specified types of
readiness probesandliveness probes.Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
probes
array
Specifies the probes that must be configured for a pod. Valid values: readinessProbe and livenessProbe.
probeTypes
array
Specifies the types of probes that must be configured for a pod. Valid values: tcpSocket, httpGet, and exec.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKRequiredProbes metadata: name: must-have-probes spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: probes: ["readinessProbe", "livenessProbe"] probeTypes: ["tcpSocket", "httpGet", "exec"]Allowed:
apiVersion: v1 kind: Pod metadata: name: p4 namespace: test-gatekeeper spec: containers: - name: liveness image: k8s.gcr.io/busybox readinessProbe: exec: command: - cat - /tmp/healthy initialDelaySeconds: 5 periodSeconds: 5 livenessProbe: exec: command: - cat - /tmp/healthy initialDelaySeconds: 5 periodSeconds: 5Disallowed:
apiVersion: v1 kind: Pod metadata: name: p1 namespace: test-gatekeeper spec: containers: - name: liveness image: k8s.gcr.io/busyboxACKCheckNginxPath
This policy prevents you from using high-risk configurations in the
spec.rules[].http.paths[].pathfield of Ingresses. We recommend that you enable the policy for Ingress-nginx whose version is earlier than 1.2.1.Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKCheckNginxPath metadata: name: block-nginx-path spec: enforcementAction: deny match: kinds: - apiGroups: ["extensions", "networking.k8s.io"] kinds: ["Ingress"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: good-paths namespace: test-gatekeeper spec: rules: - host: cafe.example.com http: paths: - path: /tea pathType: Prefix backend: service: name: tea-svc port: number: 80 - path: /coffee pathType: Prefix backend: service: name: coffee-svc port: number: 80Disallowed:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: bad-path-secrets namespace: test-gatekeeper spec: rules: - host: cafe.example.com http: paths: - path: /var/run/secrets pathType: Prefix backend: service: name: tea-svc port: number: 80ACKCheckNginxAnnotation
This policy prevents you from using high-risk configurations in the metadata.annotations field of Ingresses. We recommend that you enable the policy for Ingress-nginx whose version is earlier than 1.2.1.
Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKCheckNginxAnnotation metadata: name: block-nginx-annotation spec: match: kinds: - apiGroups: ["extensions", "networking.k8s.io"] kinds: ["Ingress"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: good-annotations namespace: test-gatekeeper annotations: nginx.org/good: "value" spec: rules: - host: cafe.example.com http: paths: - path: /tea pathType: Prefix backend: service: name: tea-svc port: number: 80 - path: /coffee pathType: Prefix backend: service: name: coffee-svc port: number: 80Disallowed:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: var-run-secrets namespace: test-gatekeeper annotations: nginx.org/bad: "/var/run/secrets" spec: rules: - host: cafe.example.com http: paths: - path: /tea pathType: Prefix backend: service: name: tea-svc port: number: 80 - path: /coffee pathType: Prefix backend: service: name: coffee-svc port: number: 80ACKBlockInternetLoadBalancer
Policy description: Internet-facing LoadBalancer Services cannot be created.
Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKBlockInternetLoadBalancer metadata: name: block-internet-load-balancer spec: match: kinds: - apiGroups: [""] kinds: ["Service"] namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1 kind: Service metadata: name: my-service namespace: non-test-gatekeeper annotations: 'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet' spec: selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376 type: LoadBalancerDisallowed:
apiVersion: v1 kind: Service metadata: name: bad-service-2 namespace: test-gatekeeper annotations: 'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet' spec: type: LoadBalancer selector: app: MyApp ports: - name: http protocol: TCP port: 80 targetPort: 9376RatifyVerification
Policy description: After you install the ratify component on the Marketplace page in your cluster, you can use the component to verify the signatures or security metadata such as a software bill of materials (SBOM) in the images of pods that are deployed in specific namespaces.
Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: RatifyVerification metadata: name: ratify-constraint spec: enforcementAction: deny match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["default"]Allowed:
apiVersion: v1 kind: Pod metadata: name: pod-1 namespace: test-gatekeeper spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # Deploy an image with a valid signature. name: test-containerDisallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: test-gatekeeper spec: containers: - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # Deploy an image without a valid signature. name: test-container
PSP
ACKPSPAllowedUsers
Policy description: Pods in the specified namespaces must be configured with the
user,group,supplementalGroups, andfsGroupsettings.Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
runAsUser
object
For more information about the parameter, see the configurations of User, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.
runAsGroup
object
For more information about the parameter, see the configurations of Group, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.
supplementalGroups
object
For more information about the parameter, see the configurations of SupplementalGroups, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.
fsGroup
object
For more information about the parameter, see the configurations of fsGroup, supported rule types, and the maximum and minimum values of UIDs in the PSP of Kubernetes. For more information, see Pod Security Policies.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: runAsUser: rule: MustRunAs # MustRunAsNonRoot # RunAsAny ranges: - min: 100 max: 200 runAsGroup: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200 supplementalGroups: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200 fsGroup: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good2 namespace: test-gatekeeper spec: securityContext: fsGroup: 150 supplementalGroups: - 150 containers: - image: test name: test securityContext: runAsUser: 150 runAsGroup: 150Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: containers: - image: test name: testACKPSPAllowPrivilegeEscalationContainer
Policy description: Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter.
Severity: Medium
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPAllowPrivilegeEscalationContainer metadata: name: psp-allow-privilege-escalation-container spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: allowPrivilegeEscalation: false initContainers: - image: test name: test2 securityContext: allowPrivilegeEscalation: falseDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: containers: - image: test name: testACKPSPAppArmor
Policy description: Pods in the specified namespaces must be configured with the AppArmor settings.
Severity: Low
The following table describes the parameters.
Parameter
Type
Description
probes
array
Specifies the probes that must be configured for a pod. Valid values: readinessProbe and livenessProbe.
probeTypes
array
Specifies the types of probes that must be configured for a pod. Valid values: tcpSocket, httpGet, and exec.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPAppArmor metadata: name: psp-apparmor spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: allowedProfiles: - runtime/defaultAllowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good namespace: test-gatekeeper annotations: 'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default' 'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default' spec: containers: - image: test name: test initContainers: - image: test name: test2Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: containers: - image: test name: testACKPSPCapabilities
Policy description: Pods in the specified namespaces must be configured with the Linux Capabilities settings.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
allowedCapabilities
array
Specifies the capabilities that can be configured for a pod.
requiredDropCapabilities
array
Specifies the capabilities that cannot be configured for a pod.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPCapabilities metadata: name: psp-capabilities spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: allowedCapabilities: ["CHOWN"] requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good-4 namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: capabilities: add: - CHOWN drop: - "NET_ADMIN" - "SYS_ADMIN" - "NET_RAW"Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad-1 namespace: test-gatekeeper spec: containers: - image: test name: testACKPSPFlexVolumes
Policy description: Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.
Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
allowedFlexVolumes
array
Specifies the FlexVolume drivers that can be used by a pod.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: [""] kinds: ["Pod", "PersistentVolume"] namespaces: - "test-gatekeeper" parameters: allowedFlexVolumes: #[] - driver: "alicloud/disk" - driver: "alicloud/nas" - driver: "alicloud/oss" - driver: "alicloud/cpfs"Allowed:
apiVersion: v1 kind: Pod metadata: name: pv-nas namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: test flexVolume: driver: "alicloud/nas"Disallowed:
apiVersion: v1 kind: Pod metadata: name: pv-oss-flexvolume namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: test flexVolume: driver: "alicloud/ossxx"ACKPSPForbiddenSysctls
Policy description: Pods in the specified namespaces cannot use the specified sysctls.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
forbiddenSysctls
array
Specifies the sysctls that cannot be used by a pod.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPForbiddenSysctls metadata: name: psp-forbidden-sysctls spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: forbiddenSysctls: # - "*" # * may be used to forbid all sysctls - "kernel.*"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good-2 namespace: test-gatekeeper spec: securityContext: sysctls: - name: 'net.ipv4.tcp_syncookies' value: "65536" containers: - image: test name: testDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad-1 namespace: test-gatekeeper spec: securityContext: sysctls: - name: 'kernel.shm_rmid_forced' value: '1024' containers: - image: test name: testACKPSPFSGroup
Policy description: Pods in the specified namespaces must be configured with the fsGroup settings that comply with the policy content.
Severity: Medium
The following table describes the parameters.
Parameter
Type
Description
rule
string
For more information about the parameter, see the configurations of fsGroup in the PSP of Kubernetes.The MustRunAs, MayRunAs, and RunAsAny parameters are supported. For more information, see Volumes and file systems.
ranges
object
Valid values:
min: the minimum value of fsGroup ID.
max: the maximum value of fsGroup ID.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPFSGroup metadata: name: psp-fsgroup spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny" ranges: - min: 1 max: 1000Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good namespace: test-gatekeeper spec: securityContext: fsGroup: 100 containers: - image: test name: testDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad-1 namespace: non-test-gatekeeper spec: securityContext: fsGroup: 0 shareProcessNamespace: true containers: - image: test name: testACKPSPHostFilesystem
Policy description: hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
allowedHostPaths
object
Specifies the hostPath volumes that can be mounted to a pod.
readOnly
boolean
Specifies whether the volumes are read-only.
pathPrefix
string
Specifies the prefixes of the volumes.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPHostFilesystem metadata: name: psp-host-filesystem spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: allowedHostPaths: - readOnly: true pathPrefix: "/foo"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good1 namespace: test-gatekeeper spec: containers: - image: test name: test volumeMounts: - name: test-volume mountPath: "/projected-volume" readOnly: true volumes: - name: test-volume hostPath: path: /fooDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: containers: - image: test name: test volumes: - name: test-volume hostPath: path: /data type: FileACKPSPHostNamespace
Policy description: Pods in the specified namespaces cannot share the host namespaces.
Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPHostNamespace metadata: name: psp-host-namespace spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good namespace: test-gatekeeper spec: containers: - image: test name: test resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: hostPID: true containers: - image: test name: test resources: {} dnsPolicy: ClusterFirst restartPolicy: Never status: {}ACKPSPHostNetworkingPorts
Policy description: Specifies whether pods in the specified namespaces can use the host network and specified ports.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
hostNetwork
boolean
Specifies whether pods can use the host network.
min
int
Specifies the lowest host port number.
max
int
Specifies the highest host port number.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPHostNetworkingPorts metadata: name: psp-host-network-ports spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: hostNetwork: true min: 80 max: 9000Allowed:
apiVersion: v1 kind: Pod metadata: name: good-2 namespace: test-gatekeeper spec: hostNetwork: true containers: - image: k8s.gcr.io/test-webserver name: test-container ports: - hostPort: 80 containerPort: 80 initContainers: - image: k8s.gcr.io/test-webserver name: test-container2 ports: - hostPort: 8080 containerPort: 8080Disallowed:
apiVersion: v1 kind: Pod metadata: name: bad-1 namespace: non-test-gatekeeper spec: hostNetwork: true containers: - image: k8s.gcr.io/test-webserver name: test-container ports: - hostPort: 22 containerPort: 22ACKPSPPrivilegedContainer
Policy description: Pods in the specified namespaces cannot run privileged containers.
Severity: High
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPPrivilegedContainer metadata: name: psp-privileged-container spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good1 namespace: test-gatekeeper spec: containers: - image: test name: testDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: privileged: true dnsPolicy: ClusterFirst restartPolicy: NeverACKPSPProcMount
Policy description: Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.
Severity: High
The following table describes the parameters.
Parameter
Type
Description
procMount
string
Specifies the Proc Mount type. Valid values:
Default: The /proc directory cannot be mounted.
Unmasked: The /proc directory can be mounted.
For more information, see AllowedProcMountTypes.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPProcMount metadata: name: psp-proc-mount spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: procMount: Default # Default or UnmaskedAllowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good1 namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: procMount: "Default"Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad3 namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: procMount: "Unmasked" initContainers: - image: test name: test2ACKPSPReadOnlyRootFilesystem
Policy description: Pods in the specified namespaces must run with read-only root file systems.
Severity: Medium
Parameter description: None
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper"Allowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good1 namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: readOnlyRootFilesystem: trueDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad2 namespace: non-test-gatekeeper spec: containers: - image: test name: test securityContext: readOnlyRootFilesystem: false initContainers: - image: test name: test2ACKPSPSeccomp
Policy description: Pods in the specified namespaces must be configured with the specified seccomp profiles.
Severity: Low
The following table describes the parameters.
Parameter
Type
Description
allowedProfileTypes
array
Specifies the type of seccomp profiles that are allowed.
allowedProfiles
array
Specifies the seccomp profiles that are allowed.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPSeccomp metadata: name: psp-seccomp spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: allowedProfileTypes: # - Unconfined - RuntimeDefault - Localhost allowedProfiles: - runtime/default - docker/default - localhost/profiles/audit.jsonAllowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.json initContainers: - image: test name: test2 securityContext: seccompProfile: type: Localhost localhostProfile: profiles/audit.jsonDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test echo-k8s-webhook-enabled: 'true' name: bad namespace: test-gatekeeper spec: containers: - image: test name: testACKPSPSELinuxV2
Policy description: Pods in the specified namespaces cannot be configured with the SELinux options that are not specified by the allowedSELinuxOptions parameter.
Severity: Low
The following table describes the parameters.
Parameter
Type
Description
allowedSELinuxOptions
object
Specifies SELinux options that can be configured for a pod. For more information, see SELinuxOptions v1 core.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPSELinuxV2 metadata: name: psp-selinux-v2 spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: allowedSELinuxOptions: - level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_uAllowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: good namespace: test-gatekeeper spec: securityContext: seLinuxOptions: level: "s0:c123,c456" containers: - image: test name: testDisallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad namespace: test-gatekeeper spec: containers: - image: test name: test securityContext: seLinuxOptions: level: "s0:c123,c455"ACKPSPVolumeTypes
Policy description: Only volumes of the specified types can be mounted to pods in the specified namespace.
Severity: Low
The following table describes the parameters.
Parameter
Type
Description
volumes
array
The list of volumes that are allowed to use.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPVolumeTypes metadata: name: psp-volume-types spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: - "test-gatekeeper" parameters: volumes: # - "*" # * may be used to allow all volume types - configMap # - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim # - hostPath #required for allowedHostPaths - flexVolume #required for allowedFlexVolumesAllowed:
apiVersion: v1 kind: Pod metadata: name: pv-oss namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: test flexVolume: driver: "alicloud/oss"Disallowed:
apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: test name: bad-1 namespace: test-gatekeeper spec: containers: - image: test name: test volumes: - name: test-volume hostPath: path: /data