You can configure security policies for Pods that validate whether requests to deploy or update Pods are safe. The ACK cluster policy governance feature provides four categories of built-in rule libraries: Compliance, Infra, K8s-general, and PSP.
Rule overview
The Container Service for Kubernetes (ACK) container security policy library currently contains the following four categories of rule templates:
Compliance: security rules customized from compliance baselines such as the Alibaba Cloud Kubernetes hardening guide.
Infra: rules that harden and protect resources in the cloud infrastructure layer.
K8s-general: rules that constrain sensitive resource configuration inside a Kubernetes cluster and strengthen the security of the applications running in it.
PSP: rules that replace the Kubernetes PodSecurityPolicy (PSP). They provide the same security constraints that PSP offered under the earlier ACK policy governance feature.
Policy rule library
ACK currently ships the following policy rule libraries. The categories and a brief description of each rule are listed below. The Policy column is the Gatekeeper constraint kind that the detailed sections further down use; it is left empty for rules this page does not detail.
Category | Policy | Description | Severity
Compliance | ACKNoEnvVarSecrets | Blocks Secrets from being injected into application Pod environment variables via secretKeyRef. | medium
Compliance | ACKPodsRequireSecurityContext | Requires every Pod to define a securityContext (at the Pod level or on every container). | low
Compliance | ACKRestrictNamespaces | Prevents resources from being deployed into the specified namespaces. | low
Compliance | ACKRestrictRoleBindings | Restricts RoleBindings in the specified namespaces so that a sensitive Role or ClusterRole can only be bound to allowlisted subjects. | high
Compliance | ACKNamespacesDeleteProtection | Protects the specified Namespaces from accidental deletion. | medium
Compliance | ACKServicesDeleteProtection | Protects Service objects in the specified Namespace from accidental deletion. | medium
Infra | ACKBlockProcessNamespaceSharing | Blocks shareProcessNamespace in applications deployed within the specified cluster scope. | high
Infra | ACKEmptyDirHasSizeLimit | Requires emptyDir volumes to specify a sizeLimit. | low
Infra | ACKLocalStorageRequireSafeToEvict | Requires Pods deployed within the specified cluster scope to carry the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. | low
Infra | ACKOSSStorageLocationConstraint | Restricts deployments in the specified namespaces to Alibaba Cloud OSS volumes located in the specified regions. | low
Infra | ACKPVSizeConstraint | Limits the maximum storage capacity that a PersistentVolume created in the cluster can request. | medium
Infra | ACKPVCConstraint | Restricts the namespaces in which PersistentVolumeClaims may be created and limits the maximum storage capacity a PVC can request. | medium
Infra | ACKBlockVolumeTypes | Blocks the specified volume types in Pods deployed within the specified cluster scope. | medium
K8s-general | ACKAllowedRepos | Blocks Pods in the specified cluster scope from pulling images outside an allowlist of repositories. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to set enableServiceLinks: false. | low
K8s-general | ACKBlockAutomountToken | Requires applications to set automountServiceAccountToken: false. | high
K8s-general | ACKBlockEphemeralContainer | Blocks ephemeral containers in application Pods within the specified cluster scope. | medium
K8s-general | ACKBlockLoadBalancer | Blocks Services of type LoadBalancer within the specified cluster scope. | high
K8s-general | ACKBlockNodePort | Blocks Services of type NodePort within the specified cluster scope. | high
K8s-general | ACKContainerLimits | Requires application Pods in the specified cluster scope to configure resource limits. | low
K8s-general | ACKExternalIPs | Blocks Services in the specified cluster scope from using externalIPs outside an allowlist. | high
K8s-general | ACKImageDigests | Blocks images that are not referenced by digest within the specified cluster scope. | low
K8s-general | ACKRequiredLabels | Blocks applications in the specified cluster scope that lack a label matching the required pattern. | low
K8s-general | ACKRequiredProbes | Requires Pods in the specified cluster scope to configure readinessProbe and livenessProbe of the specified types. | medium
K8s-general | ACKCheckNginxPath | Blocks dangerous values in the spec.rules[].http.paths[].path field of Ingress objects. | high
K8s-general | ACKCheckNginxAnnotation | Blocks dangerous values in the metadata.annotations field of Ingress objects. | high
K8s-general | ACKBlockInternetLoadBalancer | Blocks the creation of Internet-facing LoadBalancer Services. | high
K8s-general | RatifyVerification | After the Ratify component is installed from the application marketplace, verifies security metadata such as signatures or SBOMs of the images used by Pods in the specified cluster scope. | high
PSP | ACKPSPAllowPrivilegeEscalationContainer | Restricts the allowPrivilegeEscalation setting of Pods deployed within the specified cluster scope. | medium
PSP | ACKPSPAllowedUsers | Restricts the user, group, supplementalGroups, and fsGroup that Pods deployed within the specified cluster scope run as. | medium
PSP | ACKPSPAppArmor | Restricts the AppArmor profiles of Pods deployed within the specified cluster scope. | low
PSP | ACKPSPCapabilities | Restricts the Linux capabilities of Pods deployed within the specified cluster scope. | high
PSP | ACKPSPFSGroup | Restricts the fsGroup of Pods deployed within the specified cluster scope. | medium
PSP | ACKPSPFlexVolumes | Restricts the FlexVolume drivers of Pods deployed within the specified cluster scope. | medium
PSP | ACKPSPForbiddenSysctls | Restricts the forbidden sysctls of Pods deployed within the specified cluster scope. | high
PSP | | Restricts the host directories that Pods deployed within the specified cluster scope may mount. | high
PSP | | Restricts whether Pods deployed within the specified cluster scope may share host namespaces. | high
PSP | | Restricts Pods deployed within the specified cluster scope from using the host network and the specified ports. | high
PSP | | Blocks privileged containers in Pods deployed within the specified cluster scope. | high
PSP | | Restricts the procMount types that Pods deployed within the specified cluster scope may use. | low
PSP | | Requires Pods deployed within the specified cluster scope to use a read-only root filesystem. | medium
PSP | | Requires Pods deployed within the specified cluster scope to use only the SELinux options listed in the AllowedSELinuxOptions parameter. | low
PSP | | Restricts Pods deployed within the specified cluster scope to the specified seccomp profiles. | low
PSP | | Restricts the volume types that Pods deployed within the specified cluster scope may use. | medium
Compliance
ACKNoEnvVarSecrets
Rule description: Blocks Secrets from being injected into application Pod environment variables via secretKeyRef. Environment variables are inherited by every child process and show up in crash dumps and in `kubectl describe pod` output; mounting the Secret as a volume, as in the Allowed example, keeps the value out of those places.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
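The following is an added example of the same check run offline against a manifest before it is submitted to the cluster; it is not ACK's constraint template. It goes slightly beyond the rule as documented: in addition to env[].valueFrom.secretKeyRef it also flags envFrom[].secretRef (which imports a whole Secret as environment variables), and it walks initContainers and ephemeralContainers as well as containers. The sample Pods are constructed dict versions of the Allowed and Disallowed manifests above, with one envFrom entry added to the bad Pod.

```python
"""Offline pre-check for the ACKNoEnvVarSecrets rule (added example, not ACK code).

Takes a Pod manifest already loaded into a dict (json.load / yaml.safe_load)
and reports every environment variable that is sourced from a Secret.
"""
from typing import List

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def secret_env_violations(pod: dict) -> List[str]:
    """Return one message per environment variable that is sourced from a Secret."""
    violations = []
    spec = pod.get("spec") or {}
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            cname = c.get("name", "<unnamed>")
            # env[].valueFrom.secretKeyRef: what the ACK rule checks
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    violations.append(
                        f"{field}/{cname}: env {env.get('name')} reads key "
                        f"{ref.get('key')!r} of Secret {ref.get('name')!r}"
                    )
            # envFrom[].secretRef: broader than the rule, imports every key as a variable
            for src in c.get("envFrom") or []:
                ref = src.get("secretRef")
                if ref:
                    violations.append(
                        f"{field}/{cname}: envFrom imports every key of Secret {ref.get('name')!r}"
                    )
    return violations


# Constructed sample manifests (dict form of the page's Allowed/Disallowed Pods,
# plus one envFrom in the bad Pod to exercise the broader check).
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mypod", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"name": "mypod", "image": "redis",
                        "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    },
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{
            "name": "mycontainer", "image": "redis",
            "env": [
                {"name": "SECRET_USERNAME",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
                {"name": "SECRET_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
                {"name": "PLAIN", "value": "not-a-secret"},
            ],
            "envFrom": [{"secretRef": {"name": "mysecret"}}],
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        found = secret_env_violations(pod)
        print(f"{label}: {'allowed' if not found else 'denied'}")
        for msg in found:
            print("  -", msg)
```

A plain `value:` entry (PLAIN above) is not reported; only references into Secrets are, which is the behaviour a reviewer wants when the same manifest also carries harmless configuration.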
ACKPodsRequireSecurityContext
Rule description: Requires that a Pod defines a securityContext, either at the Pod level or on every container in it. A Pod with no Pod-level securityContext in which some container also lacks one is rejected. The rule only checks that the field is present, not what it contains (the Allowed example passes with runAsNonRoot: false); combine it with the PSP rules below to constrain the values.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false
ACKRestrictNamespaces
Rule description: Prevents resources from being deployed into the specified namespaces.
Severity: low.
Parameters:
Parameter | Type | Description
restrictedNamespaces | array | Namespaces into which resources may not be deployed.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
ACKRestrictRoleBindings
Rule description: Restricts RoleBindings in the specified namespaces so that a sensitive Role or ClusterRole can only be bound to subjects on an allowlist. Note that the example constraint matches only RoleBinding objects; a ClusterRoleBinding to the same ClusterRole grants the role cluster-wide and is not covered by the constraint as written.
Severity: high.
Parameters:
Parameter | Type | Description
restrictedRole | object | The ClusterRole or Role whose binding is restricted (apiGroup, kind, and name).
allowedSubjects | array | Allowlist of subjects that may still be bound to the restricted role.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
Allowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Disallowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
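An added example (not the ACK template) of the same decision made offline, useful for reviewing RBAC manifests in a repository before they reach the admission webhook. It assumes: the roleRef is matched on kind and name; a subject's apiGroup defaults the way the API server defaults it (User and Group to rbac.authorization.k8s.io, ServiceAccount to ""), which is why the allowlist entry written with apiGroup above matches a binding written without it; and ClusterRoleBinding objects are checked too, because the constraint above matches only RoleBinding. The bindings below are constructed samples modelled on the page's good-2 and bad-1.

```python
"""Offline check mirroring ACKRestrictRoleBindings (added example, not ACK code):
report bindings that grant a restricted role to a subject outside an allowlist.
"""
from typing import List, Tuple

# How the API server defaults subject apiGroup when it is omitted.
_SUBJECT_DEFAULT_APIGROUP = {
    "User": "rbac.authorization.k8s.io",
    "Group": "rbac.authorization.k8s.io",
    "ServiceAccount": "",
}


def _subject_key(subject: dict) -> Tuple[str, str, str, str]:
    """Normalised identity of a subject so allowlist and binding entries compare equal."""
    kind = subject.get("kind", "")
    api_group = subject.get("apiGroup", _SUBJECT_DEFAULT_APIGROUP.get(kind, ""))
    return (api_group, kind, subject.get("name", ""), subject.get("namespace", ""))


def rolebinding_violations(binding: dict, restricted_role: dict, allowed_subjects: list) -> List[str]:
    """Return one message per subject bound to the restricted role without being allowlisted."""
    if binding.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
        return []
    ref = binding.get("roleRef") or {}
    if (ref.get("kind"), ref.get("name")) != (restricted_role["kind"], restricted_role["name"]):
        return []  # binds some other role; outside this rule's scope
    allowed = {_subject_key(s) for s in allowed_subjects}
    where = f"{binding['kind']} {binding.get('metadata', {}).get('name', '?')}"
    return [
        f"{where}: subject {s.get('kind')} {s.get('name')!r} may not be bound to {ref['kind']} {ref['name']!r}"
        for s in binding.get("subjects") or []
        if _subject_key(s) not in allowed
    ]


# Parameters copied from the page's constraint.
RESTRICTED_ROLE = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]

# Constructed sample bindings.
GOOD_BINDING = {
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "Group", "name": "system:masters"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
}
BAD_BINDING = {
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller",
                  "namespace": "test-gatekeeper"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
}
BAD_CLUSTER_BINDING = {  # cluster-wide grant; the page's constraint would not see it
    "kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "bad-crb"},
    "subjects": [{"kind": "User", "name": "alice"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"},
}

if __name__ == "__main__":
    for b in (GOOD_BINDING, BAD_BINDING, BAD_CLUSTER_BINDING):
        for msg in rolebinding_violations(b, RESTRICTED_ROLE, ALLOWED_SUBJECTS) or ["allowed"]:
            print(b["metadata"]["name"], "->", msg)
```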
ACKNamespacesDeleteProtection
Rule description: Protects the specified Namespaces from accidental deletion. The names of the protected namespaces are set with the protectionNamespaces parameter. Prerequisite: the gatekeeper component must be upgraded to v3.10.0.130-g0e79597d-aliyun or later, because deletion protection depends on the admission webhook intercepting DELETE requests. For the component version, see the gatekeeper documentation.
Severity: medium.
Parameters:
Parameter | Type | Description
protectionNamespaces | array | Names of the protected Namespaces.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper
Allowed (deletion proceeds):
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete
Disallowed (deletion is rejected):
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper
ACKServicesDeleteProtection
Rule description: Protects the Service objects in the specified Namespace from accidental deletion. The names of the protected Services are set with the protectionServices parameter.
Severity: medium.
Parameters:
Parameter | Type | Description
protectionServices | array | Names of the protected Services in the specified namespace.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc
Allowed (deletion proceeds):
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper
Disallowed (deletion is rejected):
apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: test-gatekeeper
Infra (infrastructure)
ACKBlockProcessNamespaceSharing
Rule description: Blocks shareProcessNamespace in applications deployed within the specified cluster scope. With a shared PID namespace every container in the Pod can see, signal, and read the /proc entries (including the environment) of the other containers' processes, which removes the isolation between a sidecar and the application it sits next to.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKEmptyDirHasSizeLimit
Rule description: Requires emptyDir volumes to specify a sizeLimit. Without one, a container can fill the node's ephemeral storage (or, for medium: Memory, the node's RAM) and degrade every other Pod on the node.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
ACKLocalStorageRequireSafeToEvict
Rule description: Requires Pods deployed within the specified cluster scope that use local storage to carry the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. Cluster Autoscaler will not scale down a node that runs a Pod with local storage (emptyDir or hostPath volumes) unless the Pod carries this annotation, so Pods without it block scale-down.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        # directory location on host
        path: /data
        # this field is optional
        type: Directory
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
ACKOSSStorageLocationConstraint
Rule description: Restricts deployments in the specified namespaces to Alibaba Cloud OSS volumes located in the specified regions.
Severity: low.
Parameters:
Parameter | Type | Description
mode | string | Whether to use allowlist mode. The default value allowlist selects allowlist mode; any other value selects blocklist mode.
regions | array | List of Alibaba Cloud region IDs.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
ACKPVSizeConstraint
Rule description: Limits the maximum storage capacity that a PersistentVolume created in the cluster can request.
Severity: medium.
Parameters:
Parameter | Type | Description
maxSize | string | Maximum storage capacity a PV may request. Default: 50 GiB.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"
Allowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
Disallowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
ACKPVCConstraint
Rule description: Restricts the namespaces in which PersistentVolumeClaims may be created and limits the maximum storage capacity a PVC can request.
Severity: medium.
Parameters:
Parameter | Type | Description
maxSize | string | Maximum storage capacity a PVC may request. Default: 50 GiB.
allowNamespaces | array | Allowlist of namespaces in which PVCs may be created.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
Disallowed (the first PVC exceeds maxSize, the second is in a namespace outside the allowlist):
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
ACKBlockVolumeTypes
Rule description: Blocks the specified volume types in Pods deployed within the specified cluster scope. The example blocks gitRepo, a deprecated volume type that has the kubelet clone a repository on the node on the Pod's behalf.
Severity: medium.
Parameters:
Parameter | Type | Description
volumes | array | List of volume types that are not allowed.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"
K8s-general
ACKAllowedRepos
Rule description: Blocks application Pods in the specified cluster scope from pulling images that are outside the allowlist of repositories. The check covers initContainers as well as containers, as the Disallowed example shows. The allowlist entries in the example end with a trailing slash so that a prefix match on the image reference cannot also admit a repository whose name merely starts with acs.
Severity: high.
Parameters:
Parameter | Type | Description
repos | array | Allowlist of permitted image repositories.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
ACKBlockAutoinjectServiceEnv
Rule description: Requires applications to set enableServiceLinks: false so that the host and port of every Service in the namespace is not injected into the Pod as environment variables.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
ACKBlockAutomountToken
Rule description: Requires applications to set automountServiceAccountToken: false so that the ServiceAccount token is not mounted into the Pod automatically. A mounted token hands the ServiceAccount's API credentials to any process running in the container, so only Pods that actually talk to the API server should mount one. As the example shows, the field is checked on the Pod spec.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
ACKBlockEphemeralContainer
Rule description: Blocks ephemeral containers in application Pods within the specified cluster scope. Ephemeral containers are the mechanism behind `kubectl debug`; they let an operator attach a new container, with its own image and tooling, to a running Pod.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  ephemeralContainers:
    - name: test
      image: test
ACKBlockLoadBalancer
Rule description: Blocks Services of type LoadBalancer within the specified cluster scope.
Severity: high.
Parameters:
Parameter | Type | Description
restrictedNamespaces | array | Namespaces in which LoadBalancer Services may not be created. The example constraint scopes the rule through match.namespaces instead.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
ACKBlockNodePort
Rule description: Blocks Services of type NodePort within the specified cluster scope. A NodePort opens the port on every node in the cluster, bypassing whatever ingress controls sit in front of the cluster.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
ACKContainerLimits
Rule description: Requires application Pods in the specified cluster scope to configure resource limits, and caps those limits at the values given in the constraint parameters. In the example the Allowed Pod stays under cpu 1000m and memory 1Gi, while the Disallowed Pod declares limits above both.
Severity: low.
Parameters:
Parameter | Type | Description
cpu | string | Maximum CPU limit a container may declare (1000m in the example).
memory | string | Maximum memory limit a container may declare (1Gi in the example).
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Gi"
          cpu: "2000m"
ACKExternalIPs
Rule description: Blocks Services in the specified cluster scope from using externalIPs outside the allowlist. Unrestricted externalIPs let anyone who can create a Service intercept traffic destined for arbitrary IP addresses from inside the cluster (CVE-2020-8554), which is why this rule is rated high.
Severity: high.
Parameters:
Parameter | Type | Description
allowedIPs | array | Allowlist of externalIPs.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX
ACKImageDigests
Rule description: Blocks images in the specified cluster scope that are not referenced by digest. A tag can be re-pointed at a different image in the registry; a digest pins the exact content that was reviewed. The check covers initContainers as well as containers.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
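The two image rules above (ACKAllowedRepos and ACKImageDigests) share one piece of work: taking an image reference apart. The block below is an added example of doing both checks offline over a Pod manifest; it is not ACK's template code. It assumes that ACKAllowedRepos is a plain string-prefix match of the image reference against the repos list (which is what the trailing "/" in the page's allowlist entries protects), that "referenced by digest" means a trailing @sha256:<64 hex> (the page does not state the exact format ACK accepts), and it checks initContainers and ephemeralContainers alongside containers. The sample Pods are constructed; the digest string is the one from the Allowed example above.

```python
"""Image-reference checks behind ACKAllowedRepos and ACKImageDigests, as an
offline lint over Pod manifests (added example, not ACK code).
"""
import re
from typing import Dict, List, Optional

_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # assumed digest format
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def parse_image(ref: str) -> Dict[str, Optional[str]]:
    """Split an image reference into repository, tag and digest.

    The tag separator is the last ':' after the last '/', so a registry
    port (registry.example.com:5000/app) is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    return {"repository": ref, "tag": tag, "digest": digest}


def repo_allowed(image: str, repos: List[str]) -> bool:
    """Plain prefix match, as the constraint's repos list is written."""
    return any(image.startswith(r) for r in repos)


def has_digest(image: str) -> bool:
    return _DIGEST_RE.search(image) is not None


def image_violations(pod: dict, repos: List[str], require_digest: bool = True) -> List[str]:
    out = []
    spec = pod.get("spec") or {}
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            image = c.get("image", "")
            where = f"{field}/{c.get('name')}"
            if not repo_allowed(image, repos):
                out.append(f"{where}: image {image!r} is outside the allowed repositories")
            if require_digest and not has_digest(image):
                out.append(f"{where}: image {image!r} is not pinned by digest")
    return out


# Allowlist from the page's ACKAllowedRepos constraint.
ALLOWED_REPOS = [
    "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
    "registry.cn-hangzhou.aliyuncs.com/acs/",
]
# Digest value taken from the page's ACKImageDigests Allowed example.
_D = "sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b"
# Constructed sample Pods.
GOOD_POD = {"spec": {"containers": [
    {"name": "app", "image": f"registry.cn-hangzhou.aliyuncs.com/acs/test-webserver:1.0@{_D}"}]}}
BAD_POD = {"spec": {
    "initContainers": [{"name": "init", "image": "k8s.gcr.io/test-webserver"}],
    "containers": [{"name": "app", "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver"}],
}}

if __name__ == "__main__":
    for name, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(name, image_violations(pod, ALLOWED_REPOS) or "allowed")
```

Because the repository match is a prefix match, an allowlist entry written as registry.cn-hangzhou.aliyuncs.com/acs (no trailing slash) would also admit registry.cn-hangzhou.aliyuncs.com/acs-evil/anything; always end entries with "/".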
ACKRequiredLabels
Rule description: Requires Pods deployed within the specified cluster scope to carry the labels listed in the labels parameter, with each label value matching that entry's allowedRegex.
Severity: low.
Parameters:
Parameter | Type | Description
labels | array | Required labels. Each entry has a key and an allowedRegex that the label's value must match.
message | string | Optional custom violation message (commented out in the example).
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    # message: ''
    labels:
      - key: test
        # value
        allowedRegex: "^test.*$"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
Disallowed (the label exists but its value does not match ^test.*$):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
    - name: mycontainer
      image: redis
ACKRequiredProbes
Rule description: Requires Pods deployed within the specified cluster scope to configure readinessProbe and livenessProbe of the specified types.
Severity: medium.
Parameters:
Parameter | Type | Description
probes | array | Probes that each container must configure, for example readinessProbe and livenessProbe.
probeTypes | array | Probe types that are accepted, for example tcpSocket, httpGet, and exec.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
ACKCheckNginxPath
Rule description: Blocks dangerous values in the spec.rules[].http.paths[].path field of Ingress objects. The path is copied into the nginx configuration that the ingress controller generates, so a crafted path can inject directives and expose files on the controller; the Disallowed example points at /var/run/secrets, where the controller's own ServiceAccount token is mounted. Enabling this policy is recommended for ingress-nginx versions below 1.2.1.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
ACKCheckNginxAnnotation
Rule description: Blocks dangerous values in the metadata.annotations field of Ingress objects. Annotation values are likewise rendered into the generated nginx configuration, so the same injection risk as for paths applies. Enabling this policy is recommended for ingress-nginx versions below 1.2.1.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
ACKBlockInternetLoadBalancer
Rule description: Blocks the creation of Internet-facing LoadBalancer Services. Whether an Alibaba Cloud SLB is Internet-facing or internal is selected with the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type annotation; the rule admits Services annotated intranet and rejects those annotated internet.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
RatifyVerification
Rule description: After the Ratify component is installed from the application marketplace, verifies security metadata such as signatures or SBOMs attached to the images of Pods deployed within the specified cluster scope. Ratify acts as a Gatekeeper external data provider: the constraint hands each image reference to Ratify, which fetches the artifacts attached to the image in the registry and verifies them.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # an image with a valid signature
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # an image that fails Ratify signature verification
      name: test-container
PSP
ACKPSPAllowedUsers
Rule description: Restricts the user, group, supplementalGroups, and fsGroup that Pods deployed within the specified cluster scope run as.
Severity: medium.
Parameters:
Parameter | Type | Description
runAsUser | object | Follows the User configuration of the original PSP rule: a rule type (MustRunAs, MustRunAsNonRoot, or RunAsAny) and min/max UID ranges. For more information, see Users and groups.
runAsGroup | object | Follows the Group configuration of the original PSP rule: a rule type (MustRunAs, MayRunAs, or RunAsAny) and min/max ID ranges. For more information, see Users and groups.
supplementalGroups | object | Follows the SupplementalGroups configuration of the original PSP rule: a rule type (MustRunAs, MayRunAs, or RunAsAny) and min/max ID ranges. For more information, see Users and groups.
fsGroup | object | Follows the fsGroup configuration of the original PSP rule: a rule type (MustRunAs, MayRunAs, or RunAsAny) and min/max ID ranges. For more information, see Users and groups.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
    - image: test
      name: test
      securityContext:
        runAsUser: 150
        runAsGroup: 150
Disallowed (no user or group is set, so every MustRunAs rule fails):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPAllowPrivilegeEscalationContainer
Rule description: Restricts the allowPrivilegeEscalation setting of Pods deployed within the specified cluster scope: every container, including initContainers, must explicitly set allowPrivilegeEscalation: false, as the Allowed example shows. Setting it to false applies no_new_privs to the container's processes, so setuid binaries and file capabilities cannot gain more privilege than the entrypoint started with.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimest: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPAppArmor
Rule description: Restricts the AppArmor profiles of Pods deployed within the specified cluster scope. The profile is set per container through the container.apparmor.security.beta.kubernetes.io/<container-name> annotation, as in the Allowed example; a container without such an annotation is rejected.
Severity: low.
Parameters:
Parameter | Type | Description
allowedProfiles | array | Allowlist of AppArmor profiles, for example runtime/default.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
    - image: test
      name: test
  initContainers:
    - image: test
      name: test2
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPCapabilities
Rule description: Restricts the Linux capabilities of Pods deployed within the specified cluster scope. Capabilities a container adds must be in allowedCapabilities, and every capability in requiredDropCapabilities must be dropped explicitly; a container with no capabilities block at all is rejected, as the Disallowed example shows.
Severity: high.
Parameters:
Parameter | Type | Description
allowedCapabilities | array | Allowlist of capabilities that containers may add.
requiredDropCapabilities | array | Capabilities that every container must drop.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        capabilities:
          add:
            - CHOWN
          drop:
            - "NET_ADMIN"
            - "SYS_ADMIN"
            - "NET_RAW"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
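An added example (not the ACK template) of the capability check done offline over a Pod manifest. It assumes the semantics described above: every added capability must be in allowedCapabilities, every entry of requiredDropCapabilities must appear in the container's drop list, and a container with no capabilities block fails the required-drop check. Two details are assumptions of this example rather than documented ACK behaviour: dropping "ALL" is accepted as satisfying every required drop, and names are compared case-insensitively with an optional CAP_ prefix stripped, so net_raw, NET_RAW and CAP_NET_RAW are treated as the same capability. The sample Pods are constructed.

```python
"""Capability check mirroring ACKPSPCapabilities (added example, not ACK code)."""
from typing import List

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def _norm(cap: str) -> str:
    """Case-insensitive comparison with an optional CAP_ prefix removed (assumption)."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def capability_violations(pod: dict, allowed: List[str], required_drop: List[str]) -> List[str]:
    allowed_set = {_norm(c) for c in allowed}
    required_set = {_norm(c) for c in required_drop}
    out = []
    for field in CONTAINER_FIELDS:
        for c in (pod.get("spec") or {}).get(field) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            added = {_norm(x) for x in caps.get("add") or []}
            dropped = {_norm(x) for x in caps.get("drop") or []}
            where = f"{field}/{c.get('name')}"
            for cap in sorted(added - allowed_set):
                out.append(f"{where}: capability {cap} is not in allowedCapabilities")
            if "ALL" not in dropped:  # drop: [ALL] satisfies every required drop (assumption)
                for cap in sorted(required_set - dropped):
                    out.append(f"{where}: capability {cap} must be dropped")
    return out


# Parameters from the page's constraint.
ALLOWED = ["CHOWN"]
REQUIRED_DROP = ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

# Constructed samples.
GOOD_POD = {"spec": {"containers": [{"name": "test", "image": "test", "securityContext": {
    "capabilities": {"add": ["CHOWN"], "drop": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]}}}]}}
GOOD_DROP_ALL = {"spec": {"containers": [{"name": "test", "image": "test", "securityContext": {
    "capabilities": {"drop": ["ALL"]}}}]}}
BAD_POD = {"spec": {
    "initContainers": [{"name": "init", "image": "test"}],  # no securityContext at all
    "containers": [{"name": "test", "image": "test", "securityContext": {
        "capabilities": {"add": ["CHOWN", "cap_sys_admin"], "drop": ["NET_RAW"]}}}],
}}

if __name__ == "__main__":
    for name, pod in (("good", GOOD_POD), ("drop-all", GOOD_DROP_ALL), ("bad", BAD_POD)):
        print(name, capability_violations(pod, ALLOWED, REQUIRED_DROP) or "allowed")
```

Dropping ALL and adding back only what the workload needs is the form most reviewers prefer, because it also survives later additions to requiredDropCapabilities without touching the manifest.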
ACKPSPFlexVolumes
Rule description: Restricts the FlexVolume drivers that Pods deployed within the specified cluster scope may use.
Severity: medium.
Parameters:
Parameter | Type | Description
allowedFlexVolumes | array | Allowlist of FlexVolume drivers.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes: #[]
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"
ACKPSPForbiddenSysctls
Rule description: restricts the sysctls that Pods deployed in the specified scope of the cluster are forbidden to set.
Severity: high.
Parameters:
Parameter | Type | Description |
forbiddenSysctls | array | List of sysctls that are forbidden in Pods. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
    # - "*" # * may be used to forbid all sysctls
    - "kernel.*"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'net.ipv4.tcp_syncookies'
      value: "65536"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'kernel.shm_rmid_forced'
      value: '1024'
  containers:
  - image: test
    name: test
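The following added example is not ACK's own code; it applies the forbiddenSysctls list to a Pod's spec.securityContext.sysctls locally, including the wildcard forms the Constraint comment mentions. The pattern semantics are an assumption modelled on the upstream gatekeeper-library psp-forbidden-sysctls template: "*" forbids every sysctl, a pattern ending in "*" forbids every sysctl with that prefix, and any other pattern must match the name exactly. The Pod dictionaries are constructed to mirror good-2 and bad-1 above.

```python
# Added example, not ACK's own code. Pattern semantics are an assumption
# modelled on the upstream gatekeeper-library psp-forbidden-sysctls template.

FORBIDDEN_SYSCTLS = ["kernel.*"]  # from the Constraint above


def sysctl_matches(pattern, name):
    """True when a forbiddenSysctls pattern covers the given sysctl name."""
    if pattern == "*":                       # "*" forbids every sysctl
        return True
    if pattern.endswith("*"):                # "kernel.*" forbids the whole prefix
        return name.startswith(pattern[:-1])
    return name == pattern                   # anything else is an exact match


def check_forbidden_sysctls(pod, forbidden=FORBIDDEN_SYSCTLS):
    """Return the list of violations; an empty list means the Pod would be admitted."""
    violations = []
    sec = (pod.get("spec", {}) or {}).get("securityContext") or {}
    for entry in sec.get("sysctls") or []:
        name = entry.get("name", "")
        hits = [p for p in forbidden if sysctl_matches(p, name)]
        if hits:
            violations.append(f"sysctl {name} is forbidden by pattern {hits[0]}")
    return violations


# Constructed manifests mirroring the page's good-2 and bad-1 Pods.
GOOD_POD = {
    "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
    "spec": {"securityContext": {"sysctls": [{"name": "net.ipv4.tcp_syncookies", "value": "65536"}]},
             "containers": [{"image": "test", "name": "test"}]},
}
BAD_POD = {
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "spec": {"securityContext": {"sysctls": [{"name": "kernel.shm_rmid_forced", "value": "1024"}]},
             "containers": [{"image": "test", "name": "test"}]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        result = check_forbidden_sysctls(pod)
        print(pod["metadata"]["name"], "ALLOWED" if not result else "DENIED", result)
```

Sysctls are a Pod-level setting (spec.securityContext), so the check does not need to walk containers; a kubelet additionally refuses unsafe sysctls unless they are enabled on the node, which this policy does not replace.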
ACKPSPFSGroup
Rule description: restricts the fsGroup configuration of Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters:
Parameter | Type | Description |
rule | string | For details, see the fsGroup configuration of the original PSP rule; MustRunAs, MayRunAs and RunAsAny are supported. For more information, see Volumes and file systems. |
ranges | object | Contains the following values: min, the minimum fsGroup id; max, the maximum fsGroup id. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
    shareProcessNamespace: true
  containers:
  - image: test
    name: test
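The following added example is not ACK's own code; it applies the rule and ranges parameters to a Pod's spec.securityContext.fsGroup locally. The rule semantics follow the PodSecurityPolicy definition the parameter description refers to and are assumed to match the ACK template: MustRunAs requires fsGroup to be set and inside one of the ranges, MayRunAs allows it to be unset but requires it to be inside a range when set, and RunAsAny imposes no restriction. The Pod dictionaries are constructed to mirror the good and bad-1 manifests above.

```python
# Added example, not ACK's own code. Rule semantics are assumed to follow the
# PodSecurityPolicy fsGroup strategy that the ACK template replaces:
#   MustRunAs - fsGroup must be set and fall inside one of the ranges;
#   MayRunAs  - fsGroup may be unset, but if set must fall inside a range;
#   RunAsAny  - no restriction.

RULE = "MayRunAs"                    # from the Constraint above
RANGES = [{"min": 1, "max": 1000}]   # from the Constraint above


def _in_ranges(gid, ranges):
    return any(r["min"] <= gid <= r["max"] for r in ranges)


def check_fsgroup(pod, rule=RULE, ranges=RANGES):
    """Return the list of violations; an empty list means the Pod would be admitted."""
    if rule == "RunAsAny":
        return []
    if rule not in ("MustRunAs", "MayRunAs"):
        return [f"unknown fsGroup rule {rule!r}"]
    sec = (pod.get("spec", {}) or {}).get("securityContext") or {}
    gid = sec.get("fsGroup")
    if gid is None:
        return [] if rule == "MayRunAs" else ["fsGroup is not set but rule is MustRunAs"]
    if not _in_ranges(gid, ranges):
        spans = ", ".join(f"{r['min']}-{r['max']}" for r in ranges)
        return [f"fsGroup {gid} is outside the allowed ranges ({spans})"]
    return []


# Constructed manifests mirroring the page's good and bad-1 Pods.
GOOD_POD = {
    "metadata": {"name": "good", "namespace": "test-gatekeeper"},
    "spec": {"securityContext": {"fsGroup": 100},
             "containers": [{"image": "test", "name": "test"}]},
}
BAD_POD = {
    "metadata": {"name": "bad-1", "namespace": "non-test-gatekeeper"},
    "spec": {"securityContext": {"fsGroup": 0, "shareProcessNamespace": True},
             "containers": [{"image": "test", "name": "test"}]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_fsgroup(pod) or "ALLOWED")
```

The range starting at 1 is what keeps bad-1 out: fsGroup 0 would give every mounted volume root group ownership, which is exactly what a lower bound above zero is meant to prevent.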
ACKPSPHostFilesystem
Rule description: restricts the host directories that Pods deployed in the specified scope of the cluster may mount.
Severity: high.
Parameters:
Parameter | Type | Description |
allowedHostPaths | object | Host path allowlist; each entry has the following fields. |
readOnly | boolean | Whether the path may only be mounted read-only. |
pathPrefix | string | Path prefix. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
    - name: test-volume
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
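The following added example is not ACK's own code; it evaluates allowedHostPaths against a Pod locally, covering both halves of the rule: the pathPrefix match on the hostPath volume and the readOnly requirement on every volumeMount of that volume. The semantics are an assumption modelled on the upstream gatekeeper-library psp-host-filesystem template: a prefix matches component-wise (so /foo covers /foo/bar but not /foobar), a volume whose only matching entries are readOnly must be mounted read-only in every container, and an empty allowedHostPaths list denies every hostPath volume. The Pod dictionaries are constructed to mirror good1 and bad above.

```python
# Added example, not ACK's own code. Semantics are an assumption modelled on
# the upstream gatekeeper-library psp-host-filesystem template.

ALLOWED_HOST_PATHS = [{"readOnly": True, "pathPrefix": "/foo"}]  # from the Constraint above


def _under_prefix(path, prefix):
    """Component-wise prefix match: /foo covers /foo and /foo/bar, not /foobar."""
    p = path.rstrip("/") or "/"
    pre = prefix.rstrip("/") or "/"
    return pre == "/" or p == pre or p.startswith(pre + "/")


def _all_containers(pod):
    spec = pod.get("spec", {}) or {}
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def check_host_paths(pod, allowed=ALLOWED_HOST_PATHS):
    """Return the list of violations; an empty list means the Pod would be admitted."""
    violations = []
    containers = _all_containers(pod)
    for vol in (pod.get("spec", {}) or {}).get("volumes") or []:
        host = vol.get("hostPath")
        if host is None:
            continue
        path = host.get("path", "")
        matches = [a for a in allowed if _under_prefix(path, a.get("pathPrefix", ""))]
        if not matches:
            violations.append(f"volume {vol['name']}: hostPath {path} is not under any allowed pathPrefix")
            continue
        # A writable mount is fine only if some matching entry does not demand readOnly.
        if any(not a.get("readOnly", False) for a in matches):
            continue
        for c in containers:
            for m in c.get("volumeMounts") or []:
                if m.get("name") == vol["name"] and not m.get("readOnly", False):
                    violations.append(f"container {c['name']}: hostPath volume {vol['name']} must be mounted readOnly")
    return violations


# Constructed manifests mirroring the page's good1 and bad Pods.
GOOD_POD = {
    "metadata": {"name": "good1", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"image": "test", "name": "test",
                        "volumeMounts": [{"name": "test-volume", "mountPath": "/projected-volume", "readOnly": True}]}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/foo"}}]},
}
BAD_POD = {
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"image": "test", "name": "test"}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "File"}}]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_host_paths(pod) or "ALLOWED")
```

The readOnly flag lives on the volumeMount, not on the volume, which is why the check has to walk every container that references the volume; a hostPath declared but mounted writable in an init container would otherwise slip through.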
ACKPSPHostNamespace
Rule description: restricts whether Pods deployed in the specified scope of the cluster may share the host's namespaces.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKPSPHostNetworkingPorts
Rule description: restricts the use of the host network and of the specified ports by Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
hostNetwork | boolean | Whether Pods are allowed to share the host network. |
min | int | Minimum hostPort value that may be used. |
max | int | Maximum hostPort value that may be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 80
      containerPort: 80
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2
    ports:
    - hostPort: 8080
      containerPort: 8080
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 22
      containerPort: 22
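The following added example is not ACK's own code; it evaluates the hostNetwork, min and max parameters against a Pod locally. The semantics are an assumption modelled on the upstream gatekeeper-library psp-host-networking-ports template: spec.hostNetwork: true is a violation unless the hostNetwork parameter is true, and every hostPort declared on any container, init containers included, must satisfy min <= hostPort <= max; containerPort alone is not constrained. The Pod dictionaries are constructed to mirror good-2 and bad-1 above.

```python
# Added example, not ACK's own code. Semantics are an assumption modelled on
# the upstream gatekeeper-library psp-host-networking-ports template.

PARAMS = {"hostNetwork": True, "min": 80, "max": 9000}  # from the Constraint above


def _all_containers(pod):
    spec = pod.get("spec", {}) or {}
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def check_host_networking_ports(pod, params=PARAMS):
    """Return the list of violations; an empty list means the Pod would be admitted."""
    violations = []
    spec = pod.get("spec", {}) or {}
    if spec.get("hostNetwork", False) and not params.get("hostNetwork", False):
        violations.append("spec.hostNetwork is true but the constraint does not allow host networking")
    lo, hi = params.get("min"), params.get("max")
    for c in _all_containers(pod):
        for port in c.get("ports") or []:
            hp = port.get("hostPort")
            if hp is None:            # only hostPort is constrained, containerPort is not
                continue
            if (lo is not None and hp < lo) or (hi is not None and hp > hi):
                violations.append(f"container {c['name']}: hostPort {hp} is outside the allowed range {lo}-{hi}")
    return violations


# Constructed manifests mirroring the page's good-2 and bad-1 Pods.
GOOD_POD = {
    "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
    "spec": {"hostNetwork": True,
             "containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                             "ports": [{"hostPort": 80, "containerPort": 80}]}],
             "initContainers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container2",
                                 "ports": [{"hostPort": 8080, "containerPort": 8080}]}]},
}
BAD_POD = {
    "metadata": {"name": "bad-1", "namespace": "non-test-gatekeeper"},
    "spec": {"hostNetwork": True,
             "containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container",
                             "ports": [{"hostPort": 22, "containerPort": 22}]}]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_host_networking_ports(pod) or "ALLOWED")
```

Setting hostNetwork: false in the parameters turns the same check into a blanket ban on host networking while still bounding any hostPort a Pod declares on the cluster network.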
ACKPSPPrivilegedContainer
Rule description: restricts Pods deployed in the specified scope of the cluster from starting privileged containers.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never
ACKPSPProcMount
Rule description: restricts the proc mount type that Pods deployed in the specified scope of the cluster may use.
Severity: high.
Parameters:
Parameter | Type | Description |
procMount | string | The proc mount type. The following types can be configured: Default, which masks the /proc mount by default, and Unmasked, which does not mask /proc. For details on configuring this parameter, see AllowedProcMountTypes. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2
ACKPSPReadOnlyRootFilesystem
Rule description: requires Pods deployed in the specified scope of the cluster to use a read-only root file system.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2
ACKPSPSeccomp
Rule description: restricts Pods deployed in the specified scope of the cluster to the specified seccomp profiles.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedProfileTypes | array | Allowlist of seccomp profile types. |
allowedProfiles | array | Allowed seccomp profiles. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
    # - Unconfined
    - RuntimeDefault
    - Localhost
    allowedProfiles:
    - runtime/default
    - docker/default
    - localhost/profiles/audit.json
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
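The following added example is not ACK's own code; it checks a Pod against the allowedProfileTypes and allowedProfiles parameters locally, using only the securityContext.seccompProfile field (the legacy seccomp annotations are not handled). The evaluation semantics are an assumption, since the page does not spell them out: a container's own seccompProfile overrides the Pod-level one, a container with no effective profile is a violation, and a profile passes only when its type is in allowedProfileTypes and its canonical name (runtime/default, unconfined, or localhost/<file>, a mapping assumed here) is in allowedProfiles, with "*" in either list matching anything. The Pod dictionaries are constructed to mirror the good and bad manifests above.

```python
# Added example, not ACK's own code. Evaluation semantics are an assumption
# (see the lead-in); the canonical profile names are a mapping assumed here.

ALLOWED_PROFILE_TYPES = ["RuntimeDefault", "Localhost"]                                   # from the Constraint above
ALLOWED_PROFILES = ["runtime/default", "docker/default", "localhost/profiles/audit.json"]  # from the Constraint above


def _all_containers(pod):
    spec = pod.get("spec", {}) or {}
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])


def _effective_profile(pod, container):
    """Container-level seccompProfile wins; otherwise fall back to the Pod-level one."""
    own = (container.get("securityContext") or {}).get("seccompProfile")
    if own is not None:
        return own
    return ((pod.get("spec", {}) or {}).get("securityContext") or {}).get("seccompProfile")


def profile_name(profile):
    """Canonical string form of a seccompProfile object (assumed mapping)."""
    t = profile.get("type")
    if t == "RuntimeDefault":
        return "runtime/default"
    if t == "Unconfined":
        return "unconfined"
    if t == "Localhost":
        return "localhost/" + (profile.get("localhostProfile") or "")
    return None


def check_seccomp(pod, allowed_types=ALLOWED_PROFILE_TYPES, allowed_profiles=ALLOWED_PROFILES):
    """Return the list of violations; an empty list means the Pod would be admitted."""
    violations = []
    for c in _all_containers(pod):
        prof = _effective_profile(pod, c)
        if not prof:
            violations.append(f"container {c['name']}: no seccompProfile configured")
            continue
        t, name = prof.get("type"), profile_name(prof)
        if "*" not in allowed_types and t not in allowed_types:
            violations.append(f"container {c['name']}: seccomp profile type {t} is not allowed")
        elif "*" not in allowed_profiles and name not in allowed_profiles:
            violations.append(f"container {c['name']}: seccomp profile {name} is not in allowedProfiles")
    return violations


# Constructed manifests mirroring the page's good and bad Pods.
_LOCALHOST = {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/audit.json"}}
GOOD_POD = {
    "metadata": {"name": "good", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{"image": "test", "name": "test", "securityContext": _LOCALHOST}],
             "initContainers": [{"image": "test", "name": "test2", "securityContext": _LOCALHOST}]},
}
BAD_POD = {
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{"image": "test", "name": "test"}]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_seccomp(pod) or "ALLOWED")
```

Keeping Unconfined commented out in allowedProfileTypes is what makes the unconfigured bad Pod fail: with no profile at all a container would run unconfined, and the rule treats "no profile" the same as an explicitly disallowed one.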
ACKPSPSELinuxV2
Rule description: requires Pods deployed in the specified scope of the cluster to use an SELinux configuration listed in the allowedSELinuxOptions parameter.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedSELinuxOptions | object | Allowlist of SELinux options. For more information, see SELinuxOptions v1 core. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"
ACKPSPVolumeTypes
Rule description: restricts the volume types that Pods deployed in the specified scope of the cluster may mount.
Severity: low.
Parameters:
Parameter | Type | Description |
volumes | array | List of volume types that may be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    volumes:
    # - "*" # * may be used to allow all volume types
    - configMap
    # - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    # - hostPath #required for allowedHostPaths
    - flexVolume #required for allowedFlexVolumes
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/oss"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
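The following added example is not ACK's own code; it evaluates both ACKPSPVolumeTypes (the volumes allowlist) and the earlier ACKPSPFlexVolumes rule (the allowedFlexVolumes driver list) against a Pod locally, since both rules inspect the same spec.volumes list and, as the Constraint comment notes, flexVolume must be in the volumes allowlist before allowedFlexVolumes has anything to decide. The semantics are an assumption modelled on the upstream gatekeeper-library psp-volume-types and psp-flexvolume-drivers templates: a volume's type is the single source key beside name (configMap, hostPath, flexVolume, ...), "*" allows every type, and a flexVolume driver must appear exactly in allowedFlexVolumes, with an empty list denying every FlexVolume. The Pod dictionaries are constructed to mirror pv-oss and bad-1 here and pv-nas and pv-oss-flexvolume in the ACKPSPFlexVolumes section.

```python
# Added example, not ACK's own code. Semantics are an assumption modelled on the
# upstream gatekeeper-library psp-volume-types and psp-flexvolume-drivers templates.

ALLOWED_VOLUME_TYPES = ["configMap", "projected", "secret", "downwardAPI",
                        "persistentVolumeClaim", "flexVolume"]   # uncommented entries of the Constraint above
ALLOWED_FLEX_VOLUMES = [{"driver": "alicloud/disk"}, {"driver": "alicloud/nas"},
                        {"driver": "alicloud/oss"}, {"driver": "alicloud/cpfs"}]  # from the ACKPSPFlexVolumes Constraint


def volume_type(volume):
    """Return the volume source key (e.g. 'hostPath'), or None if no source is present."""
    sources = [k for k in volume if k != "name"]
    return sources[0] if sources else None


def check_volume_types(pod, allowed=ALLOWED_VOLUME_TYPES):
    """ACKPSPVolumeTypes: every volume's source type must be in the allowlist."""
    if "*" in allowed:
        return []
    violations = []
    for vol in (pod.get("spec", {}) or {}).get("volumes") or []:
        vtype = volume_type(vol)
        if vtype not in allowed:
            violations.append(f"volume {vol.get('name')}: type {vtype} is not in the volumes allowlist")
    return violations


def check_flex_volumes(pod, allowed=ALLOWED_FLEX_VOLUMES):
    """ACKPSPFlexVolumes: every flexVolume driver must be listed in allowedFlexVolumes."""
    allowed_drivers = {a.get("driver") for a in allowed}
    violations = []
    for vol in (pod.get("spec", {}) or {}).get("volumes") or []:
        flex = vol.get("flexVolume")
        if flex is None:
            continue
        driver = flex.get("driver")
        if driver not in allowed_drivers:
            violations.append(f"volume {vol.get('name')}: flexVolume driver {driver} is not allowed")
    return violations


def check_pod_volumes(pod):
    """Combined verdict, as both constraints would be evaluated on the same Pod."""
    return check_volume_types(pod) + check_flex_volumes(pod)


# Constructed manifests mirroring the page's pv-oss, bad-1, pv-nas and pv-oss-flexvolume Pods.
def _pod(name, volume):
    return {"metadata": {"name": name, "namespace": "test-gatekeeper"},
            "spec": {"containers": [{"name": "test", "image": "test"}], "volumes": [volume]}}

PV_OSS = _pod("pv-oss", {"name": "test", "flexVolume": {"driver": "alicloud/oss"}})
BAD_HOSTPATH = _pod("bad-1", {"name": "test-volume", "hostPath": {"path": "/data"}})
PV_NAS = _pod("pv-nas", {"name": "test", "flexVolume": {"driver": "alicloud/nas"}})
PV_OSS_BAD_DRIVER = _pod("pv-oss-flexvolume", {"name": "test", "flexVolume": {"driver": "alicloud/ossxx"}})

if __name__ == "__main__":
    for pod in (PV_OSS, BAD_HOSTPATH, PV_NAS, PV_OSS_BAD_DRIVER):
        print(pod["metadata"]["name"], check_pod_volumes(pod) or "ALLOWED")
```

Because hostPath is commented out of the volumes list, bad-1 is refused by ACKPSPVolumeTypes before ACKPSPHostFilesystem would ever look at the path; the two rules layer, and the type allowlist is the coarser gate.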