全部產品
Search
文件中心

Container Service for Kubernetes:容器安全性原則規則庫說明

更新時間:Aug 31, 2024

您可以為Pod配置安全性原則,驗證Pod部署和更新的請求是否安全。ACK叢集策略管理功能提供了四類內建規則庫,包括Compliance、Infra、K8s-general和PSP。

規則介紹

當前Container ServiceACK容器安全性原則規則庫包含以下四類規則模板:

  • Compliance:基於阿里雲K8s加固等合規規範定製化的安全規則。

  • Infra:用於增強和保護雲基礎設施層資源安全。

  • K8s-general:用於約束和規範K8s叢集內敏感資源配置,增強K8s叢集內應用安全。

  • PSP:用於替換K8s PSP的相關策略,使用該類策略可以實現等同於原ACK策略管理中PSP提供的安全約束能力。

策略規則庫說明

當前阿里雲Container ServiceACK內建如下類型的策略規則庫,策略分類和簡要說明如下:

Category

Policy

Description

Severity

Compliance

ACKNoEnvVarSecrets

限制Secret以secretKeyRef的形式掛載到應用Pod環境變數中。

medium

ACKPodsRequireSecurityContext

限制Pod中所有容器必須配置securitycontext欄位。

low

ACKRestrictNamespaces

限制資源部署在叢集指定的命名空間中。

low

ACKRestrictRoleBindings

限制指定命名空間下的rolebinding使用指定範圍內的Role或Clusterrole。

high

ACKNamespacesDeleteProtection

限制指定的Namespace被誤刪除。

medium

ACKServicesDeleteProtection

防止指Namespace中的Services執行個體被誤刪除。

medium

Infra

ACKBlockProcessNamespaceSharing

限制在叢集指定範圍部署的應用中使用shareProcessNamespace

high

ACKEmptyDirHasSizeLimit

要求emptyDir類型的Volume必須指定sizelimit

low

ACKLocalStorageRequireSafeToEvict

限制部署在叢集指定範圍內的Pod必須具有 "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" 注釋標籤。預設情況下autoscaler在叢集自動調整時不會驅逐使用HostPath或EmptyDir卷的Pod。為了允許驅逐這些Pod,必須在Pod上添加該注釋標籤。

low

ACKOSSStorageLocationConstraint

限制指定Namespaces下的部署只能使用指定Region中的阿里雲OSS儲存卷

low

ACKPVSizeConstraint

限制叢集中建立的PV執行個體中能夠申請的最大磁碟容量。

medium

ACKPVCConstraint

限制能夠部署PVC執行個體的命名空間白名單列表以及限制PVC執行個體中能夠申請的最大磁碟容量。

medium

ACKBlockVolumeTypes

限制在叢集指定範圍內部署的Pod禁止使用的Volume掛載類型。

medium

K8s-general

ACKAllowedRepos

限制在叢集指定範圍部署的應用Pod中拉取白名單列表外的鏡像。

high

ACKBlockAutoinjectServiceEnv

要求在應用中配置enableServiceLinks: false防止在Pod環境變數中透出服務IP。

low

ACKBlockAutomountToken

要求在應用中設定automountServiceAccountToken: false欄位以防止自動掛載serviceaccount

high

ACKBlockEphemeralContainer

限制在叢集指定範圍的應用Pod中啟動臨時容器。

medium

ACKBlockLoadBalancer

限制在叢集指定範圍內部署LoadBalancer類型的Service。

high

ACKBlockNodePort

限制在叢集指定範圍內使用NodePort類型的Service。

high

ACKContainerLimits

要求叢集指定範圍的應用Pod配置資源limits

low

ACKExternalIPs

限制在叢集指定範圍內的Services執行個體使用白名單範圍之外的externalIPs。

high

ACKImageDigests

限制在叢集指定範圍內部署不符合digest格式的鏡像。

low

ACKRequiredLabels

限制在叢集指定範圍內部署沒有指定範式label標籤的應用。

low

ACKRequiredProbes

限制在叢集指定範圍內部署的Pod配置指定類型的readinessProbe和livenessProbe。

medium

ACKCheckNginxPath

限制在Ingress執行個體的spec.rules[].http.paths[].path欄位中使用危險配置。Ingress-nginx 1.2.1以下版本建議開啟該策略。

high

ACKCheckNginxAnnotation

限制在Ingress執行個體的metadata.annotations欄位中使用危險配置。Ingress-nginx 1.2.1以下版本建議開啟該策略。

high

ACKBlockInternetLoadBalancer

限制建立公網類型的LoadBalancer Service。

high

RatifyVerification

您在叢集中安裝應用市場組件Ratify後,可以驗證在叢集指定範圍內部署的Pod鏡像中的簽名或SBOM等安全中繼資料。

high

PSP

ACKPSPAllowPrivilegeEscalationContainer

限制在叢集指定範圍內部署的Pod配置allowPrivilegeEscalation參數。

medium

ACKPSPAllowedUsers

限制在叢集指定範圍內部署的Pod中的啟動usergroupsupplementalGroups以及fsGroup

medium

ACKPSPAppArmor

限制在叢集指定範圍內部署的Pod配置AppArmor。

low

ACKPSPCapabilities

限制在叢集指定範圍內部署的Pod配置Linux Capabilities能力。

high

ACKPSPFSGroup

限制在叢集指定範圍內部署的Pod配置 fsGroup。

medium

ACKPSPFlexVolumes

限制在叢集指定範圍內部署Pod的FlexVolume驅動配置。

medium

ACKPSPForbiddenSysctls

限制在叢集指定範圍內部署Pod的禁止的Sysctl範圍。

high

ACKPSPHostFilesystem

限制在叢集指定範圍內部署的Pod允許掛載的主機host目錄範圍。

high

ACKPSPHostNamespace

限制在叢集指定範圍內部署的Pod是否允許共用主機host命名空間。

high

ACKPSPHostNetworkingPorts

限制在叢集指定範圍內部署的Pod使用主機網路和指定連接埠。

high

ACKPSPPrivilegedContainer

限制在叢集指定範圍內部署的Pod中啟動特權容器。

high

ACKPSPProcMount

限制在叢集指定範圍內部署的Pod允許掛載的Proc類型。

low

ACKPSPReadOnlyRootFilesystem

限制在叢集指定範圍內部署的Pod使用唯讀根檔案系統。

medium

ACKPSPSELinuxV2

限制在叢集指定範圍內部署的Pod必須使用AllowedSELinuxOptions參數中規定的Selinux配置。

low

ACKPSPSeccomp

限制在叢集指定範圍內部署的Pod使用指定的Seccomp設定檔。

low

ACKPSPVolumeTypes

限制在叢集指定範圍內部署的Pod使用指定的Volume掛載類型。

medium

Compliance

  • ACKNoEnvVarSecrets

    規則說明:限制Secret以secretKeyRef的形式掛載到應用Pod環境變數中使用。

    重要等級:medium。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKNoEnvVarSecrets
    metadata:
      name: no-env-var-secrets
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
      volumes:
      - name: foo
        secret:
          secretName: mysecret
          items:
          - key: username
            path: my-group/my-username

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password
      restartPolicy: Never
  • ACKPodsRequireSecurityContext

    規則說明:限制Pod中所有容器必須配置securitycontext欄位。

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPodsRequireSecurityContext
    metadata:
      name: pods-require-security-context
      annotations:
        description: "Requires that Pods must have a `securityContext` defined."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: test-gatekeeper
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test2
      - image: test
        name: test
        resources: {}
        securityContext:
          runAsNonRoot: false
  • ACKRestrictNamespaces

    規則說明:限制資源部署在叢集指定的命名空間中。

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    restrictedNamespaces

    array

    禁止資源部署在該參數聲明的列表中。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictNamespaces
    metadata:
      name: restrict-default-namespace
      annotations:
        description: "Restricts resources from using the restricted namespace."
    spec:
      match:
        kinds:
          - apiGroups: ['']
            kinds: ['Pod']
      parameters:
        restrictedNamespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      restartPolicy: Never
  • ACKRestrictRoleBindings

    規則說明:限制在指定命名空間下的rolebinding使用指定範圍內的Role或Clusterrole。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    restrictedRole

    object

    限制使用的Clusterrole或Role。

    allowedSubjects

    array

    允許掛載的Subjects白名單列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictRoleBindings
    metadata:
      name: restrict-clusteradmin-rolebindings
      annotations:
        description: "Restricts use of sensitive role in specific rolebinding."
    spec:
      match:
        kinds:
          - apiGroups: ["rbac.authorization.k8s.io"]
            kinds: ["RoleBinding"]
      parameters:
        restrictedRole:
          apiGroup: "rbac.authorization.k8s.io"
          kind: "ClusterRole"
          name: "cluster-admin"
        allowedSubjects:
          - apiGroup: "rbac.authorization.k8s.io"
            kind: "Group"
            name: "system:masters"

    Allowed:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: good-2
      namespace: test-gatekeeper
    subjects:
      - kind: Group
        name: 'system:masters'
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

    Disallowed:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    subjects:
      - kind: ServiceAccount
        name: policy-template-controller
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
  • ACKNamespacesDeleteProtection

    規則說明:限制指定的Namespcace被誤刪除。可以通過protectionNamespaces參數配置受保護命名空間的Name。

    使用前提:需確保gatekeeper組件已升級至v3.10.0.130-g0e79597d-aliyun或以上版本。關於gatekeeper組件版本資訊,請參見gatekeeper

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    protectionNamespaces

    array

    受保護Namespace的名稱列表。

    樣本:

    Constraint:

       apiVersion: constraints.gatekeeper.sh/v1beta1
      kind: ACKNamespacesDeleteProtection
      metadata:
        name: namespace-delete-protection
      spec:
        match:
          kinds:
            - apiGroups: ['']
              kinds: ['Namespace']
        parameters:
          protectionNamespaces:
            - test-gatekeeper

    Allowed:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: will-delete

    Disallowed:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: test-gatekeeper
  • ACKServicesDeleteProtection

    規則說明:限制指定Namespace中的Services執行個體被誤刪除,可以通過protectionServices參數配置受保護的Services執行個體名稱。

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    protectionServices

    array

    指定命名空間下受保護的Services執行個體名稱列表。

    樣本:

    Constraint:

      apiVersion: constraints.gatekeeper.sh/v1beta1
      kind: ACKServicesDeleteProtection
      metadata:
        name: service-delete-protection
        annotations:
          description: "Protect to delete specific service."
      spec:
        enforcementAction: deny
        match:
          kinds:
            - apiGroups: ['']
              kinds: ['Service']
          namespaces: ["test-gatekeeper"]
        parameters:
          protectionServices:
            - test-svc

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: good
      namespace: test-gatekeeper

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: test-svc

Infra基礎設施

  • ACKBlockProcessNamespaceSharing

    規則說明:限制在叢集指定範圍部署的應用中使用shareProcessNamespace

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockProcessNamespaceSharing
    ACKCheckNginxPathmetadata:
      name: block-share-process-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test-3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKEmptyDirHasSizeLimit

    規則說明:要求emptyDir類型的Volume必須指定sizelimit

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKEmptyDirHasSizeLimit
    metadata:
      name: empty-dir-has-sizelimit
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir:
          sizeLimit: "10Mi"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKLocalStorageRequireSafeToEvict

    規則說明:限制部署在叢集指定範圍內的Pod必須具有 "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" 注釋標籤。叢集自動調整時不會刪除沒有此注釋標籤的Pod。

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKLocalStorageRequireSafeToEvict
    metadata:
      name: local-storage-require-safe-to-evict
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
      annotations:
        'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /data
          # this field is optional
          type: Directory

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKOSSStorageLocationConstraint

    規則說明:限制指定命名空間下的部署只能使用指定地區中的阿里雲OSS儲存卷。

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    mode

    string

    是否採用白名單模式,預設值allowlist為白名單模式,其他值為黑名單模式。

    regions

    array

    指定的阿里雲Region ID列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKOSSStorageLocationConstraint
    metadata:
      name: restrict-oss-location
      annotations:
        description: "Restricts location of oss storage in cluster."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["PersistentVolume", "Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        mode: "allowlist"
        regions:
          - "cn-beijing"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi-good
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-beijing.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeHandle: pv-oss
            nodePublishSecretRef:
              name: oss-secret
              namespace: default
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-hangzhou.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"
  • ACKPVSizeConstraint

    規則說明:限制叢集中建立的PV執行個體中能夠申請的最大磁碟容量。

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    maxSize

    string

    PV執行個體中能申請的最大磁碟容量,預設為50 GiB。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPVSizeConstraint
    metadata:
      name: limit-pv-size
      annotations:
        description: "Limit the pv storage capacity size within a specified maximum amount."
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [ "" ]
            kinds: [ "PersistentVolume" ]
      parameters:
        maxSize: "50Gi"

    Allowed:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-oss-csi
      labels:
        alicloud-pvname: pv-oss
    spec:
      capacity:
        storage: 25Gi
      accessModes:
        - ReadWriteMany
      persistentVolumeReclaimPolicy: Retain
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

    Disallowed:

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: pv-oss-csi-bad
      labels:
        alicloud-pvname: pv-oss
    spec:
      capacity:
        storage: 500Gi
      accessModes:
        - ReadWriteMany
      persistentVolumeReclaimPolicy: Retain
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
  • ACKPVCConstraint

    規則說明:限制能夠部署PVC執行個體的命名空間白名單列表以及限制PVC執行個體中能夠申請的最大磁碟容量。

    重要等級:medium

    參數說明:

    參數名稱

    參數類型

    參數說明

    maxSize

    string

    PV執行個體中能申請的最大磁碟容量,預設為50 GiB.

    allowNamespaces

    array

    能夠部署PVC執行個體的命名空間白名單列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPVCConstraint
    metadata:
      name: limit-pvc-size-and-ns
      annotations:
        description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [ "" ]
            kinds: [ "PersistentVolumeClaim" ]
      parameters:
        maxSize: "50Gi"
        allowNamespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: disk-pvc
      namespace: test-gatekeeper
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi

    Disallowed:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: bad-disk-pvc
      namespace: test-gatekeeper
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 200Gi
    ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: bad-namespace-pvc
      namespace: test-gatekeeper-bad
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi      
  • ACKBlockVolumeTypes

    規則說明:限制在叢集指定範圍內部署的Pod禁止使用的Volume掛載類型。

    重要等級:medium

    參數說明:

    參數名稱

    參數類型

    參數說明

    volumes

    array

    禁止使用的Volume掛載類型列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockVolumeTypes
    metadata:
      name: block-volume-types
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
      parameters:
         volumes:
           - "gitRepo"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: use-empty-dir
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
      - name: emptydir-volume
        emptyDir: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: use-git-repo
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
      - name: git-volume
        gitRepo:
          repository: "git@***:***/my-git-repository.git"
          revision: "22f1d8406d464b0c08***"

K8s-general

  • ACKAllowedRepos

    規則說明:限制在叢集指定範圍部署的應用Pod中拉取白名單列表外的鏡像。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    repos

    array

    合法的鏡像倉庫白名單。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKAllowedRepos
    metadata:
      name: allowed-repos
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        repos:
          - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
          - "registry.cn-hangzhou.aliyuncs.com/acs/"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-01
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container-1
      initContainers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container-3
  • ACKBlockAutoinjectServiceEnv

    規則說明:要求在應用中配置enableServiceLinks: false防止在Pod環境變數中透出服務IP。

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutoinjectServiceEnv
    metadata:
      name: block-auto-inject-service-env
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      enableServiceLinks: false
      containers:
      - image: openpolicyagent/test-webserver:1.0
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockAutomountToken

    規則說明:要求在應用中設定automountServiceAccountToken: false欄位防止自動掛載serviceaccount

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutomountToken
    metadata:
      name: block-auto-mount-service-account-token
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      automountServiceAccountToken: false
      containers:
      - image: openpolicyagent/test-webserver:v1.0
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockEphemeralContainer

    規則說明:限制在叢集指定範圍的應用Pod中啟動臨時容器。

    重要等級:medium。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockEphemeralContainer
    metadata:
      name: block-ephemeral-container
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: good-1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      ephemeralContainers:
        - name: test
          image: test
  • ACKBlockLoadBalancer

    規則說明:限制在指定叢集範圍內部署LoadBalancer類型的Service。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    restrictedNamespaces

    array

    禁止資源部署在該參數聲明的列表中。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockLoadBalancer
    metadata:
      name: block-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKBlockNodePort

    規則說明:限制在叢集指定範圍內使用NodePort類型的Service。

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockNodePort
    metadata:
      name: block-node-port
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: NodePort
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKContainerLimits

    規則說明:要求叢集指定範圍的應用Pod配置資源limits

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKContainerLimits
    metadata:
      name: container-must-have-limits
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        cpu: "1000m"
        memory: "1Gi"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Mi"
            cpu: "500m"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Gi"
            cpu: "2000m"
  • ACKExternalIPs

    規則說明:限制在叢集指定範圍內的Services執行個體使用白名單範圍之外的externalIPs

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedIPs

    array

    externalIPs白名單列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKExternalIPs
    metadata:
      name: external-ips
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedIPs:
          - "192.168.0.5"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-3
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      externalIPs:
        - 80.11.XX.XX
  • ACKImageDigests

    規則說明:限制在叢集指定範圍內部署不符合digest格式的鏡像。

    重要等級:low。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKImageDigests
    metadata:
      name: container-image-must-have-digest
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container2
  • ACKRequiredLabels

    規則說明:限制在叢集指定範圍內部署的Pod必須包含allowedRegex參數中定義的label

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedRegex

    string

    label白名單的Regex。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredLabels
    metadata:
      name: must-have-label-test
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
    #            message: ''
        labels:
          - key: test
            # value
            allowedRegex: "^test.*$"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: test
      namespace: test-gatekeeper
      labels:
        'test': 'test_233'
    spec:
      containers:
      - name: mycontainer
        image: redis

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: bad2
      namespace: test-gatekeeper
      labels:
        'test': '233'
    spec:
      containers:
      - name: mycontainer
        image: redis
  • ACKRequiredProbes

    規則說明:限制在叢集指定範圍內部署的Pod配置指定類型的readinessProbelivenessProbe

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    probes

    array

    Pod中需要配置的Probe。例如,readinessProbelivenessProbe

    probeTypes

    array

    Pod中需要配置的Probe類型。例如,tcpSockethttpGetexec類型。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredProbes
    metadata:
      name: must-have-probes
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        probes: ["readinessProbe", "livenessProbe"]
        probeTypes: ["tcpSocket", "httpGet", "exec"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: p4
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        readinessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: p1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
  • ACKCheckNginxPath

    限制在Ingress執行個體spec.rules[].http.paths[].path欄位中使用危險配置,Ingress-nginx 1.2.1以下版本建議開啟該策略。

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxPath
    metadata:
      name: block-nginx-path
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-paths
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80

    Disallowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: bad-path-secrets
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /var/run/secrets
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
  • ACKCheckNginxAnnotation

    限制在Ingress執行個體metadata.annotations欄位中使用危險配置,Ingress-nginx 1.2.1以下版本建議開啟該策略。

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxAnnotation
    metadata:
      name: block-nginx-annotation
    spec:
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-annotations
      namespace: test-gatekeeper
      annotations:
        nginx.org/good: "value"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80

    Disallowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: var-run-secrets
      namespace: test-gatekeeper
      annotations:
        nginx.org/bad: "/var/run/secrets"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80
  • ACKBlockInternetLoadBalancer

    規則說明:限制建立公網類型的LoadBalancer Service。

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockInternetLoadBalancer
    metadata:
      name: block-internet-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: non-test-gatekeeper
      annotations:
        'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      type: LoadBalancer

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: bad-service-2
      namespace: test-gatekeeper
      annotations:
        'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • RatifyVerification

    規則說明:您在叢集中安裝應用市場組件Ratify後,可以驗證在叢集指定範圍內部署的Pod鏡像中的簽名或SBOM等安全中繼資料。

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: RatifyVerification
    metadata:
      name: ratify-constraint
    spec:
      enforcementAction: deny
    match:
      kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      namespaces: ["default"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/signed   # 部署合法簽名的鏡像。
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned   # 部署不滿足Ratify簽名校正的非法鏡像。
        name: test-container

PSP

  • ACKPSPAllowedUsers

    規則說明:限制在叢集指定範圍內部署的Pod中的啟動usergroupsupplementalGroups以及fsGroup

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    runAsUser

    object

    關於該參數的具體說明,請參見原PSP規則中對User的配置,支援規則類型和UID最大值、最小值的配置。更多資訊,請參見Users and groups

    runAsGroup

    object

    關於該參數的具體說明,請參見原PSP規則中對Group的配置,支援規則類型和UID最大值、最小值的配置。更多資訊,請參見Users and groups

    supplementalGroups

    object

    關於該參數的具體說明,請參見原PSP規則中對SupplementalGroups的配置,支援規則類型和UID最大值、最小值的配置。更多資訊,請參見Users and groups

    fsGroup

    object

    關於該參數的具體說明,請參見原PSP規則中對fsGroup的配置,支援規則類型和UID最大值、最小值的配置。更多資訊,請參見Users and groups

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowedUsers
    metadata:
      name: psp-pods-allowed-user-ranges
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        runAsUser:
          rule: MustRunAs # MustRunAsNonRoot # RunAsAny
          ranges:
            - min: 100
              max: 200
        runAsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        supplementalGroups:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        fsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good2
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 150
        supplementalGroups:
          - 150
      containers:
      - image: test
        name: test
        securityContext:
          runAsUser: 150
          runAsGroup: 150

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAllowPrivilegeEscalationContainer

    規則說明:限制在叢集指定範圍內部署的Pod配置allowPrivilegeEscalation參數。

    重要等級:medium。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowPrivilegeEscalationContainer
    metadata:
      name: psp-allow-privilege-escalation-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          allowPrivilegeEscalation: false
      initContainers:
        - image: test
          name: test2
          securityContext:
            allowPrivilegeEscalation: false

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAppArmor

    規則說明:限制在叢集指定範圍內部署的Pod配置AppArmor。

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    probes

    array

    Pod中需要配置的Probe。例如,readinessProbelivenessProbe

    probeTypes

    array

    Pod中需要配置的Probe類型。例如,tcpSockethttpGetexec類型。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAppArmor
    metadata:
      name: psp-apparmor
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfiles:
          - runtime/default

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
      annotations:
        'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
        'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
    spec:
      containers:
      - image: test
        name: test
      initContainers:
      - image: test
        name: test2

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPCapabilities

    規則說明:限制在叢集指定範圍內部署的Pod配置Linux Capabilities能力。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedCapabilities

    array

    允許的capabilities白名單。

    requiredDropCapabilities

    array

    需要強制Drop的capabilities

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPCapabilities
    metadata:
      name: psp-capabilities
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedCapabilities: ["CHOWN"]
        requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-4
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          capabilities:
            add:
              - CHOWN
            drop:
             - "NET_ADMIN"
             - "SYS_ADMIN"
             - "NET_RAW"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPFlexVolumes

    規則說明:限制在叢集指定範圍內部署Pod的FlexVolume驅動配置。

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedFlexVolumes

    array

    允許配置的FlexVolume驅動列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFlexVolumes
    metadata:
      name: psp-flexvolume-drivers
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod", "PersistentVolume"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedFlexVolumes: #[]
          - driver: "alicloud/disk"
          - driver: "alicloud/nas"
          - driver: "alicloud/oss"
          - driver: "alicloud/cpfs"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-nas
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/nas"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss-flexvolume
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/ossxx"
  • ACKPSPForbiddenSysctls

    規則說明:限制在叢集指定範圍內部署的Pod禁止的Sysctl範圍。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    forbiddenSysctls

    array

    Pod中禁止的Sysctl列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPForbiddenSysctls
    metadata:
      name: psp-forbidden-sysctls
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        forbiddenSysctls:
          # - "*" # * may be used to forbid all sysctls
          - "kernel.*"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-2
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'net.ipv4.tcp_syncookies'
            value: "65536"
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'kernel.shm_rmid_forced'
            value: '1024'
      containers:
      - image: test
        name: test
  • ACKPSPFSGroup

    規則說明:限制在叢集指定範圍內部署的Pod的fsGroup配置。

    重要等級:medium。

    參數說明:

    參數名稱

    參數類型

    參數說明

    rule

    string

    關於該參數的具體說明,請參見原PSP規則中對fsGroup的配置,支援MustRunAsMayRunAsRunAsAny。更多資訊,請參見Volumes and file systems

    ranges

    object

    包含以下取值。

    • min:fsGroup id的最小值。

    • max:fsGroup id的最大值。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFSGroup
    metadata:
      name: psp-fsgroup
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
        ranges:
          - min: 1
            max: 1000

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 100
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      securityContext:
        fsGroup: 0
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
  • ACKPSPHostFilesystem

    規則說明:限制在叢集指定範圍內部署的Pod允許掛載的主機host目錄範圍。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedHostPaths

    object

    主機路徑白名單配置。

    readOnly

    boolean

    是否唯讀。

    pathPrefix

    string

    路徑首碼。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostFilesystem
    metadata:
      name: psp-host-filesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedHostPaths:
          - readOnly: true
            pathPrefix: "/foo"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        volumeMounts:
          - name: test-volume
            mountPath: "/projected-volume"
            readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          path: /foo

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: File
  • ACKPSPHostNamespace

    規則說明:限制在叢集指定範圍內部署的Pod是否允許共用主機host命名空間。

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNamespace
    metadata:
      name: psp-host-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      hostPID: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKPSPHostNetworkingPorts

    規則說明:限制在叢集指定範圍內部署的Pod使用主機網路和指定連接埠。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    hostNetwork

    boolean

    是否允許Pod共用使用主機網路。

    min

    int

    最小使用的hostPort值。

    max

    int

    最大使用的hostPort值。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNetworkingPorts
    metadata:
      name: psp-host-network-ports
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        hostNetwork: true
        min: 80
        max: 9000

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: good-2
      namespace: test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 80
            containerPort: 80
      initContainers:
        - image: k8s.gcr.io/test-webserver
          name: test-container2
          ports:
            - hostPort: 8080
              containerPort: 8080

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 22
            containerPort: 22
  • ACKPSPPrivilegedContainer

    規則說明:限制在叢集指定範圍內部署的Pod中啟動特權容器。

    重要等級:high。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPPrivilegedContainer
    metadata:
      name: psp-privileged-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      restartPolicy: Never
  • ACKPSPProcMount

    規則說明:限制在叢集指定範圍內部署的Pod允許掛載的proc類型。

    重要等級:high。

    參數說明:

    參數名稱

    參數類型

    參數說明

    procMount

    string

    proc掛載類型,允許配置如下類型:

    • Default:預設屏蔽掛載/proc目錄。

    • Unmasked:不屏蔽掛載/proc

    關於參數配置的具體說明,請參見AllowedProcMountTypes

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPProcMount
    metadata:
      name: psp-proc-mount
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        procMount: Default  # Default or Unmasked

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Default"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Unmasked"
      initContainers:
      - image: test
        name: test2
  • ACKPSPReadOnlyRootFilesystem

    規則說明:限制在叢集指定範圍內部署的Pod使用唯讀根檔案系統。

    重要等級:medium。

    參數說明:無。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPReadOnlyRootFilesystem
    metadata:
      name: psp-readonlyrootfilesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: true

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: false
      initContainers:
      - image: test
        name: test2
  • ACKPSPSeccomp

    規則說明:限制在叢集指定範圍內部署的Pod使用指定的Seccomp設定檔。

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedProfileTypes

    array

    允許的Seccomp profile類型白名單。

    allowedProfiles

    array

    允許的Seccomp profile。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSeccomp
    metadata:
      name: psp-seccomp
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfileTypes:
          # - Unconfined
          - RuntimeDefault
          - Localhost
        allowedProfiles:
          - runtime/default
          - docker/default
          - localhost/profiles/audit.json

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
      initContainers:
      - image: test
        name: test2
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
        echo-k8s-webhook-enabled: 'true'
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPSELinuxV2

    規則說明:限制在叢集指定範圍內部署的Pod必須使用allowedSELinuxOptions參數中規定的SELinux配置。

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    allowedSELinuxOptions

    object

    允許的SELinux配置白名單。更多資訊,請參見SELinuxOptions v1 core

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSELinuxV2
    metadata:
      name: psp-selinux-v2
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedSELinuxOptions:
          - level: s0:c123,c456
            role: object_r
            type: svirt_sandbox_file_t
            user: system_u

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c456"
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c455"
  • ACKPSPVolumeTypes

    規則說明:限制在叢集指定範圍內部署的Pod使用指定Volume掛載類型。

    重要等級:low。

    參數說明:

    參數名稱

    參數類型

    參數說明

    volumes

    array

    允許使用的Volume掛載類型列表。

    樣本:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPVolumeTypes
    metadata:
      name: psp-volume-types
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        volumes:
          # - "*" # * may be used to allow all volume types
          - configMap
          # - emptyDir
          - projected
          - secret
          - downwardAPI
          - persistentVolumeClaim
          # - hostPath #required for allowedHostPaths
          - flexVolume #required for allowedFlexVolumes

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/oss"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data