You can configure security policies for Pods to validate whether requests that deploy or update Pods are safe. The policy governance feature of Alibaba Cloud Container Service for Kubernetes (ACK) provides four built-in rule libraries: Compliance, Infra, K8s-general, and PSP.
Rule overview
The ACK container security policy library currently contains the following four categories of rule templates:
Compliance: security rules tailored to compliance baselines such as the Alibaba Cloud Kubernetes hardening guide.
Infra: rules that harden and protect resources at the cloud infrastructure layer.
K8s-general: rules that constrain sensitive resource configuration inside a Kubernetes cluster and strengthen the security of the applications running in it.
PSP: policies that replace Kubernetes PodSecurityPolicy (PSP). They provide the same security constraints that PSP offered in the original ACK policy governance feature.
Policy library description
ACK currently ships the following built-in policy rule libraries. The categories and brief descriptions are as follows. The Policy column names the constraint kind; the rows whose Policy cell is empty are listed in the library but are not described further on this page.
| Category | Policy | Description | Severity |
| --- | --- | --- | --- |
| Compliance | ACKNoEnvVarSecrets | Blocks Secrets from being exposed to Pods as environment variables through secretKeyRef. | medium |
| Compliance | ACKPodsRequireSecurityContext | Requires a securityContext to be defined for the Pod or for every container in the Pod. | low |
| Compliance | ACKRestrictNamespaces | Blocks resources from being deployed in the specified namespaces. | low |
| Compliance | ACKRestrictRoleBindings | Restricts RoleBindings in the specified namespaces to a permitted set of Roles or ClusterRoles. | high |
| Compliance | ACKNamespacesDeleteProtection | Protects the specified namespaces from accidental deletion. | medium |
| Compliance | ACKServicesDeleteProtection | Protects Services in the specified namespaces from accidental deletion. | medium |
| Infra | ACKBlockProcessNamespaceSharing | Blocks shareProcessNamespace in applications deployed in the specified scope. | high |
| Infra | ACKEmptyDirHasSizeLimit | Requires emptyDir volumes to specify sizeLimit. | low |
| Infra | ACKLocalStorageRequireSafeToEvict | Requires Pods in the specified scope to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". | low |
| Infra | ACKOSSStorageLocationConstraint | Restricts deployments in the specified namespaces to Alibaba Cloud OSS volumes in the specified regions. | low |
| Infra | ACKPVSizeConstraint | Caps the storage capacity that PVs created in the cluster can declare. | medium |
| Infra | ACKPVCConstraint | Restricts the namespaces in which PVCs may be created and caps the storage capacity a PVC can request. | medium |
| Infra | ACKBlockVolumeTypes | Blocks the specified volume types in Pods deployed in the specified scope. | medium |
| K8s-general | ACKAllowedRepos | Blocks Pods in the specified scope from pulling images outside an allowlist of repositories. | high |
| K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to set enableServiceLinks: false. | low |
| K8s-general | ACKBlockAutomountToken | Requires applications to set automountServiceAccountToken: false. | high |
| K8s-general | ACKBlockEphemeralContainer | Blocks ephemeral containers in Pods in the specified scope. | medium |
| K8s-general | ACKBlockLoadBalancer | Blocks Services of type LoadBalancer in the specified scope. | high |
| K8s-general | ACKBlockNodePort | Blocks Services of type NodePort in the specified scope. | high |
| K8s-general | ACKContainerLimits | Requires Pods in the specified scope to set resource limits. | low |
| K8s-general | ACKExternalIPs | Blocks Services in the specified scope from using externalIPs outside an allowlist. | high |
| K8s-general | ACKImageDigests | Blocks images in the specified scope that are not referenced by digest. | low |
| K8s-general | ACKRequiredLabels | Blocks applications in the specified scope that lack labels matching the required pattern. | low |
| K8s-general | ACKRequiredProbes | Requires Pods in the specified scope to configure readinessProbe and livenessProbe of the specified types. | medium |
| K8s-general | ACKCheckNginxPath | Blocks dangerous values in the spec.rules[].http.paths[].path field of Ingress objects. | high |
| K8s-general | ACKCheckNginxAnnotation | Blocks dangerous values in the metadata.annotations field of Ingress objects. | high |
| K8s-general | ACKBlockInternetLoadBalancer | Blocks the creation of Internet-facing LoadBalancer Services. | high |
| K8s-general | RatifyVerification | After the Ratify component is installed from the app marketplace, verifies security metadata such as signatures or SBOMs of the images used by Pods in the specified scope. | high |
| PSP | ACKPSPAllowPrivilegeEscalationContainer | Restricts the allowPrivilegeEscalation setting of Pods in the specified scope. | medium |
| PSP | ACKPSPAllowedUsers | Restricts the user, group, supplementalGroups and fsGroup that Pods in the specified scope run with. | medium |
| PSP | ACKPSPAppArmor | Restricts the AppArmor profiles of Pods in the specified scope. | low |
| PSP | ACKPSPCapabilities | Restricts the Linux capabilities of Pods in the specified scope. | high |
| PSP | ACKPSPFSGroup | Restricts the fsGroup of Pods in the specified scope. | medium |
| PSP | ACKPSPFlexVolumes | Restricts the FlexVolume drivers of Pods in the specified scope. | medium |
| PSP | ACKPSPForbiddenSysctls | Restricts the sysctls that Pods in the specified scope are forbidden to set. | high |
| PSP | | Restricts the host directories that Pods in the specified scope may mount. | high |
| PSP | | Restricts whether Pods in the specified scope may share host namespaces. | high |
| PSP | | Restricts Pods in the specified scope from using host networking and the specified ports. | high |
| PSP | | Blocks privileged containers in Pods in the specified scope. | high |
| PSP | | Restricts the proc mount types that Pods in the specified scope may use. | low |
| PSP | | Requires Pods in the specified scope to use a read-only root filesystem. | medium |
| PSP | | Requires Pods in the specified scope to use the SELinux options listed in the AllowedSELinuxOptions parameter. | low |
| PSP | | Requires Pods in the specified scope to use the specified seccomp profiles. | low |
| PSP | | Restricts the volume types that Pods in the specified scope may use. | medium |
Compliance
ACKNoEnvVarSecrets
Rule description: blocks Secrets from being exposed to a Pod as environment variables through secretKeyRef. Secrets delivered through the environment are visible in `kubectl describe` output, crash dumps and every child process; mounting them as files keeps them out of the process environment.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
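The following Python script is an added example, not code from this page or from ACK: a local pre-admission check (for CI or a pre-commit hook) that mirrors the logic of ACKNoEnvVarSecrets over a Pod manifest. It walks containers, initContainers and ephemeralContainers, and additionally flags envFrom.secretRef, which the rule description above does not mention but which injects every key of a Secret into the environment. The sample Pods are constructed dicts that mirror the Allowed and Disallowed objects above; whether the ACK template itself inspects envFrom is not stated on this page.

```python
"""Local pre-check mirroring ACKNoEnvVarSecrets (added example, not ACK code).

Walks every container list of a Pod manifest and reports environment
variables whose values come from Secrets. Besides env[].valueFrom.secretKeyRef
(the case the rule description names) it also reports envFrom[].secretRef,
which injects every key of a Secret into the environment. The manifests are
plain dicts (as yaml.safe_load would produce); the samples below are
constructed for this example.
"""
from typing import Dict, List

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def secret_env_violations(pod: Dict) -> List[str]:
    """Return one message per Secret-backed environment variable in the Pod."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name) or []:
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    violations.append(
                        f"{list_name}/{c['name']}: env {env['name']} reads "
                        f"Secret {ref['name']} key {ref.get('key')}")
            for src in c.get("envFrom") or []:
                ref = src.get("secretRef")
                if ref:
                    violations.append(
                        f"{list_name}/{c['name']}: envFrom imports every key "
                        f"of Secret {ref['name']}")
    return violations


# Constructed samples mirroring the page's Allowed and Disallowed Pods.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mypod", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"name": "mypod", "image": "redis",
                        "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
        # The Secret is delivered as files, not as process environment.
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    },
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{
            "name": "mycontainer", "image": "redis",
            "env": [
                {"name": "SECRET_USERNAME",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
                {"name": "SECRET_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
            ],
        }],
        # Not in the page's example: envFrom exposes the whole Secret at once.
        "initContainers": [{"name": "init", "image": "busybox",
                            "envFrom": [{"secretRef": {"name": "mysecret"}}]}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        found = secret_env_violations(pod)
        print(pod["metadata"]["name"], "DENY" if found else "ALLOW")
        for msg in found:
            print("  ", msg)
```

Running the script prints ALLOW for mypod and DENY for bad with three findings: the envFrom import in the init container and the two secretKeyRef variables.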
ACKPodsRequireSecurityContext
Rule description: requires a securityContext field to be defined for the Pod or for every container in the Pod. The rule only checks that the field exists; as the Allowed example shows, `runAsNonRoot: false` satisfies it, so combine it with the PSP rules below for actual hardening.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed (no Pod-level securityContext, and container test2 has none):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false
ACKRestrictNamespaces
Rule description: blocks the matched resources from being deployed in the specified namespaces.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | Namespaces in which the matched resources may not be deployed. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
ACKRestrictRoleBindings
Rule description: restricts RoleBindings in the specified namespaces so that a sensitive Role or ClusterRole can only be bound to an allowlisted set of subjects. The example Constraint matches RoleBinding only; a ClusterRoleBinding to the same ClusterRole grants it cluster-wide, so add "ClusterRoleBinding" to match.kinds if that path should be covered as well.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| restrictedRole | object | The ClusterRole or Role whose use is restricted. |
| allowedSubjects | array | Allowlist of subjects that may be bound to the restricted role. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
Allowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Disallowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
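The following Python script is an added example, not code from this page or from ACK: a local check that mirrors the logic of ACKRestrictRoleBindings with the parameters from the Constraint above. It also accepts ClusterRoleBinding objects, which the Constraint above does not match, to show the grant that would slip past a RoleBinding-only rule. The binding objects, including the user dev@example.com and the binding to the edit role, are constructed for this example.

```python
"""Local pre-check mirroring ACKRestrictRoleBindings (added example, not ACK code).

Reports subjects of a RoleBinding that would receive the restricted role
without being on the allowlist. It also accepts ClusterRoleBinding objects,
which the page's Constraint does not match but which grant the same role
cluster-wide; a real Constraint should list both kinds under match.kinds.
Sample objects below are constructed for this example.
"""
from typing import Dict, List

RBAC_GROUP = "rbac.authorization.k8s.io"


def _role_matches(role_ref: Dict, restricted: Dict) -> bool:
    """Compare apiGroup (defaulting to the RBAC group), kind and name of a roleRef."""
    return (role_ref.get("apiGroup", RBAC_GROUP) == restricted.get("apiGroup", RBAC_GROUP)
            and role_ref.get("kind") == restricted["kind"]
            and role_ref.get("name") == restricted["name"])


def _subject_allowed(subject: Dict, allowed: List[Dict]) -> bool:
    """Match on kind and name; an allowlist entry that names a namespace must match it too."""
    for a in allowed:
        if a["kind"] != subject["kind"] or a["name"] != subject["name"]:
            continue
        if "namespace" in a and a["namespace"] != subject.get("namespace"):
            continue
        return True
    return False


def rolebinding_violations(binding: Dict, restricted_role: Dict,
                           allowed_subjects: List[Dict]) -> List[str]:
    """Return one message per subject bound to the restricted role outside the allowlist."""
    if binding.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
        return []
    if not _role_matches(binding.get("roleRef", {}), restricted_role):
        return []  # binding to some other role: not this rule's concern
    out = []
    for s in binding.get("subjects") or []:
        if not _subject_allowed(s, allowed_subjects):
            out.append(f"{binding['kind']}/{binding['metadata']['name']}: "
                       f"{s['kind']} {s['name']} may not be bound to "
                       f"{restricted_role['kind']} {restricted_role['name']}")
    return out


# Parameters as in the page's Constraint.
RESTRICTED_ROLE = {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"}]

CLUSTER_ADMIN = {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"}
GOOD_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
                "subjects": [{"kind": "Group", "name": "system:masters"}],
                "roleRef": CLUSTER_ADMIN}
BAD_BINDING = {"kind": "RoleBinding",
               "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
               "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller",
                             "namespace": "test-gatekeeper"}],
               "roleRef": CLUSTER_ADMIN}
# Constructed: the same grant made cluster-wide, which a RoleBinding-only Constraint misses.
BAD_CRB = {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-admin"},
           "subjects": [{"kind": "User", "name": "dev@example.com"}],
           "roleRef": CLUSTER_ADMIN}
# Constructed: a binding to a different role is out of scope for this rule.
EDIT_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "dev-edit", "namespace": "test-gatekeeper"},
                "subjects": [{"kind": "User", "name": "dev@example.com"}],
                "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "edit"}}

if __name__ == "__main__":
    for b in (GOOD_BINDING, BAD_BINDING, BAD_CRB, EDIT_BINDING):
        print(b["metadata"]["name"],
              rolebinding_violations(b, RESTRICTED_ROLE, ALLOWED_SUBJECTS))
```

The script reports nothing for good-2 and dev-edit, one finding for bad-1 (the ServiceAccount is not allowlisted), and one for dev-admin, the cluster-wide grant that only shows up because the check accepts ClusterRoleBinding.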
ACKNamespacesDeleteProtection
Rule description: protects the specified namespaces from accidental deletion. The names of the protected namespaces are configured through the protectionNamespaces parameter. Prerequisite: the gatekeeper component must be upgraded to v3.10.0.130-g0e79597d-aliyun or later, because the validating webhook must intercept DELETE requests for this rule to take effect. For gatekeeper version information, see gatekeeper.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| protectionNamespaces | array | Names of the protected namespaces. |
Example (Allowed and Disallowed refer to DELETE requests for the object shown):
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper
Allowed:
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete
Disallowed:
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper
ACKServicesDeleteProtection
Rule description: protects Services in the specified namespaces from accidental deletion. The names of the protected Services are configured through the protectionServices parameter.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| protectionServices | array | Names of the protected Services in the matched namespaces. |
Example (Allowed and Disallowed refer to DELETE requests for the object shown):
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: test-gatekeeper
Infra (infrastructure)
ACKBlockProcessNamespaceSharing
Rule description: blocks the use of shareProcessNamespace in applications deployed in the specified scope. With a shared PID namespace, every container in the Pod can see, signal and read /proc entries of the processes of the other containers.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKEmptyDirHasSizeLimit
Rule description: requires every emptyDir volume to specify sizeLimit. Without a limit, an emptyDir can consume the node's ephemeral storage until the node runs out of disk.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
ACKLocalStorageRequireSafeToEvict
Rule description: requires Pods in the specified scope that use local storage (such as emptyDir or hostPath volumes) to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not scale down a node that runs a Pod with local storage unless the Pod has this annotation.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        # directory location on host
        path: /data
        # this field is optional
        type: Directory
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
ACKOSSStorageLocationConstraint
Rule description: restricts deployments in the specified namespaces to Alibaba Cloud OSS volumes located in the specified regions.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| mode | string | Whether the regions list is an allowlist. The default value allowlist selects allowlist mode; any other value selects denylist mode. |
| regions | array | List of Alibaba Cloud region IDs. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
Disallowed (the OSS endpoint is in cn-hangzhou, which is not in the allowlist):
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        nodePublishSecretRef:
          name: oss-secret
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
ACKPVSizeConstraint
Rule description: caps the storage capacity that a PV created in the cluster can declare.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | Maximum storage capacity a PV may declare. Default: 50 GiB. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"
Allowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
Disallowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
ACKPVCConstraint
Rule description: restricts the namespaces in which PVCs may be created to an allowlist, and caps the storage capacity a PVC can request.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | Maximum storage capacity a PVC may request. Default: 50 GiB. |
| allowNamespaces | array | Allowlist of namespaces in which PVCs may be created. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
Disallowed (the first PVC exceeds maxSize; the second is in a namespace outside the allowlist):
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
ACKBlockVolumeTypes
Rule description: blocks the listed volume types in Pods deployed in the specified scope. The example denies gitRepo, a deprecated volume type whose clone is performed by the kubelet on the node rather than inside the container.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| volumes | array | List of volume types that may not be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"
K8s-general
ACKAllowedRepos
Rule description: blocks Pods in the specified scope from pulling images that are not in the repository allowlist. The check covers init containers as well as regular containers, as the examples show. Entries are matched as prefixes of the image reference, so end them with a trailing slash as in the example; a prefix such as ".../acs" would also admit ".../acs-other/".
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| repos | array | Allowlist of permitted image repository prefixes. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
ACKBlockAutoinjectServiceEnv
Rule description: requires applications to set enableServiceLinks: false so that Service addresses are not injected into Pod environment variables. With service links enabled, every Pod receives the cluster IP and ports of every Service in its namespace as environment variables.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
ACKBlockAutomountToken
Rule description: requires applications to set automountServiceAccountToken: false in the Pod spec so that the service account token is not mounted automatically into the containers. A Pod that does not call the Kubernetes API has no use for the token, and a mounted token is the first thing an attacker who gains code execution in the container looks for.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
ACKBlockEphemeralContainer
Rule description: blocks ephemeral containers in Pods in the specified scope.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  ephemeralContainers:
    - name: test
      image: test
ACKBlockLoadBalancer
Rule description: blocks Services of type LoadBalancer in the specified scope.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | Namespaces in which the matched resources may not be deployed. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
ACKBlockNodePort
Rule description: blocks Services of type NodePort in the specified scope. A NodePort opens the port on every node in the cluster, bypassing whatever exposure controls sit in front of the load balancer.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
ACKContainerLimits
Rule description: requires every container in Pods in the specified scope to set resource limits, and caps those limits at the values of the cpu and memory parameters, as the example Constraint and the Disallowed Pod show.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| cpu | string | Maximum CPU limit a container may set, for example 1000m. |
| memory | string | Maximum memory limit a container may set, for example 1Gi. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
Disallowed (both limits exceed the caps):
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Gi"
          cpu: "2000m"
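ACKPVSizeConstraint, ACKPVCConstraint and ACKContainerLimits above all compare a resource quantity from the object against a maximum from the Constraint, which requires parsing the Kubernetes quantity grammar (50Gi, 1000m, 1.5G, 2e3) rather than comparing strings. The following Python script is an added example, not code from this page or from ACK: an exact quantity parser plus local checks for the three rules, run over constructed objects that carry the sizes used in the examples above. How the ACK templates themselves parse quantities is not stated on this page.

```python
"""Kubernetes resource-quantity parsing and limit checks (added example, not ACK code).

Serves ACKPVSizeConstraint, ACKPVCConstraint and ACKContainerLimits, which
all compare a quantity taken from the object (PV capacity, PVC request,
container limit) with a maximum from the Constraint. Quantities follow the
Kubernetes grammar: a decimal number with an optional binary (Ki..Ei),
decimal (k..E), milli (m) or exponent (e3) suffix. Sample objects are
constructed for this example.
"""
import re
from fractions import Fraction
from typing import Dict, List

_BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3,
           "Ti": 1024 ** 4, "Pi": 1024 ** 5, "Ei": 1024 ** 6}
_DECIMAL = {"": 1, "m": Fraction(1, 1000), "k": 10 ** 3, "M": 10 ** 6,
            "G": 10 ** 9, "T": 10 ** 12, "P": 10 ** 15, "E": 10 ** 18}
_QUANTITY = re.compile(
    r"^([+-]?\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|Pi|Ei|m|k|M|G|T|P|E|[eE][+-]?\d+)?$")


def parse_quantity(q: str) -> Fraction:
    """Parse '50Gi', '1000m', '1.5G' or '2e3' into an exact number of base units."""
    m = _QUANTITY.match(str(q).strip())
    if not m:
        raise ValueError(f"not a Kubernetes quantity: {q!r}")
    value, suffix = Fraction(m.group(1)), m.group(2) or ""
    if suffix in _BINARY:
        return value * _BINARY[suffix]
    if suffix in _DECIMAL:
        return value * _DECIMAL[suffix]
    return value * Fraction(10) ** int(suffix[1:])  # exponent form such as 2e3


def pv_within_max(pv: Dict, max_size: str) -> bool:
    """ACKPVSizeConstraint: spec.capacity.storage must not exceed maxSize."""
    return parse_quantity(pv["spec"]["capacity"]["storage"]) <= parse_quantity(max_size)


def pvc_violations(pvc: Dict, max_size: str, allow_namespaces: List[str]) -> List[str]:
    """ACKPVCConstraint: namespace allowlist plus a cap on the requested size."""
    out = []
    name = pvc["metadata"]["name"]
    ns = pvc["metadata"].get("namespace", "default")
    if ns not in allow_namespaces:
        out.append(f"PVC {name}: namespace {ns} is not allowed")
    requested = pvc["spec"]["resources"]["requests"]["storage"]
    if parse_quantity(requested) > parse_quantity(max_size):
        out.append(f"PVC {name}: request {requested} exceeds {max_size}")
    return out


def container_limit_violations(pod: Dict, cpu_max: str, memory_max: str) -> List[str]:
    """ACKContainerLimits: every container needs cpu and memory limits within the caps."""
    out = []
    caps = {"cpu": parse_quantity(cpu_max), "memory": parse_quantity(memory_max)}
    for list_name in ("initContainers", "containers"):
        for c in pod["spec"].get(list_name) or []:
            limits = (c.get("resources") or {}).get("limits") or {}
            for res, cap in caps.items():
                if res not in limits:
                    out.append(f"{list_name}/{c['name']}: no {res} limit")
                elif parse_quantity(limits[res]) > cap:
                    out.append(f"{list_name}/{c['name']}: {res} limit {limits[res]} exceeds cap")
    return out


# Constructed samples carrying the sizes used on the page.
GOOD_PV = {"metadata": {"name": "pv-oss-csi"}, "spec": {"capacity": {"storage": "25Gi"}}}
BAD_PV = {"metadata": {"name": "pv-oss-csi-bad"}, "spec": {"capacity": {"storage": "500Gi"}}}
GOOD_PVC = {"metadata": {"name": "disk-pvc", "namespace": "test-gatekeeper"},
            "spec": {"resources": {"requests": {"storage": "20Gi"}}}}
BAD_SIZE_PVC = {"metadata": {"name": "bad-disk-pvc", "namespace": "test-gatekeeper"},
                "spec": {"resources": {"requests": {"storage": "200Gi"}}}}
BAD_NS_PVC = {"metadata": {"name": "bad-namespace-pvc", "namespace": "test-gatekeeper-bad"},
              "spec": {"resources": {"requests": {"storage": "20Gi"}}}}
GOOD_POD = {"spec": {"containers": [{"name": "test-container",
                                     "resources": {"limits": {"memory": "100Mi", "cpu": "500m"}}}]}}
BAD_POD = {"spec": {"containers": [{"name": "test-container",
                                    "resources": {"limits": {"memory": "100Gi", "cpu": "2000m"}}}]}}
NO_LIMITS_POD = {"spec": {"containers": [{"name": "test-container", "resources": {}}]}}

if __name__ == "__main__":
    print(pv_within_max(GOOD_PV, "50Gi"), pv_within_max(BAD_PV, "50Gi"))
    print(pvc_violations(BAD_NS_PVC, "50Gi", ["test-gatekeeper"]))
    print(container_limit_violations(BAD_POD, "1000m", "1Gi"))
    print(container_limit_violations(NO_LIMITS_POD, "1000m", "1Gi"))
```

Fractions keep the comparison exact: 1000m equals 1, and 1Gi is 1073741824 bytes rather than the 1G that a naive string or float comparison might confuse it with.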
ACKExternalIPs
Rule description: blocks Services in the specified scope from using externalIPs outside the allowlist. A Service with externalIPs makes kube-proxy intercept traffic to those addresses on every node, so anyone who can create Services could redirect traffic meant for other hosts.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| allowedIPs | array | Allowlist of permitted externalIPs. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX
ACKImageDigests
Rule description: blocks images in the specified scope that are not referenced by digest. A tag can be moved to different content at any time; a sha256 digest pins the exact image that was reviewed.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
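Both ACKAllowedRepos and ACKImageDigests above decide on the image reference string, and that string has to be normalised before a prefix or digest check is meaningful (a bare `redis` is `docker.io/library/redis`, a colon in the last path component is a tag, a port in the first component is not). The following Python script is an added example, not code from this page or from ACK: a reference parser and local checks for both rules, run over constructed Pods that mirror the examples above plus a look-alike repository `acs-evil` that shows why the trailing slash in the repos allowlist matters. Whether the ACK templates normalise references in exactly this way is not stated on this page.

```python
"""Image-reference checks mirroring ACKAllowedRepos and ACKImageDigests (added example, not ACK code).

parse_image splits a reference the way container runtimes do: the first
path component is a registry only if it contains '.' or ':' or is
'localhost'; otherwise the image lives on docker.io, and a bare name such as
'redis' is 'library/redis'. allowed_repo_violations prefix-matches the
normalised reference against the Constraint's repos list, and
digest_violations requires an '@sha256:<64 hex>' digest. Sample Pods are
constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")
_SHA256 = re.compile(r"^sha256:[0-9a-f]{64}$")


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    def normalized(self) -> str:
        return f"{self.registry}/{self.repository}"


def parse_image(ref: str) -> ImageRef:
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag: Optional[str] = None
    if ":" in path.rsplit("/", 1)[-1]:  # a colon in the last component is a tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def pod_images(pod: Dict) -> List[Tuple[str, str, str]]:
    """(container list, container name, image) for every container in the Pod."""
    spec = pod.get("spec", {})
    return [(ln, c["name"], c["image"])
            for ln in CONTAINER_LISTS for c in spec.get(ln) or []]


def allowed_repo_violations(pod: Dict, repos: List[str]) -> List[str]:
    """ACKAllowedRepos: the normalised image must start with one of the allowed prefixes."""
    out = []
    for ln, name, image in pod_images(pod):
        normalised = parse_image(image).normalized()
        if not any(normalised.startswith(prefix) for prefix in repos):
            out.append(f"{ln}/{name}: image {image} is not from an allowed repository")
    return out


def digest_violations(pod: Dict) -> List[str]:
    """ACKImageDigests: every image must be pinned by a sha256 digest."""
    out = []
    for ln, name, image in pod_images(pod):
        digest = parse_image(image).digest
        if not digest or not _SHA256.match(digest):
            out.append(f"{ln}/{name}: image {image} is not referenced by digest")
    return out


# Parameters and Pods mirroring the page's examples, plus a constructed look-alike.
REPOS = ["registry-vpc.cn-hangzhou.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]
GOOD_POD = {"spec": {
    "containers": [{"name": "test-container-1",
                    "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver"}],
    "initContainers": [{"name": "test-container",
                        "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver"}]}}
BAD_POD = {"spec": {
    "containers": [{"name": "test-container", "image": "k8s.gcr.io/test-webserver"}],
    "initContainers": [{"name": "test-container-3", "image": "k8s.gcr.io/test-webserver"}]}}
LOOKALIKE_POD = {"spec": {"containers": [
    {"name": "app", "image": "registry.cn-hangzhou.aliyuncs.com/acs-evil/test-webserver"}]}}
DIGEST_POD = {"spec": {"containers": [{"name": "test-container", "image":
    "openpolicyagent/test-webserver"
    "@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b"}]}}

if __name__ == "__main__":
    print(parse_image("redis"), parse_image("localhost:5000/app:v1"))
    print(allowed_repo_violations(LOOKALIKE_POD, REPOS))
    print(allowed_repo_violations(LOOKALIKE_POD, ["registry.cn-hangzhou.aliyuncs.com/acs"]))
    print(digest_violations(BAD_POD))
```

The last two prints make the caveat concrete: with the trailing slash the look-alike repository is rejected, without it the prefix also matches `acs-evil` and the Pod is admitted.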
ACKRequiredLabels
Rule description: requires Pods in the specified scope to carry each label listed in the labels parameter, with a value that matches the label's allowedRegex.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| labels | array | Required labels. Each entry has a key (the label key) and an allowedRegex (regular expression the label value must match). |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    # message: ''
    labels:
      - key: test
        # value
        allowedRegex: "^test.*$"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
Disallowed (the value 233 does not match ^test.*$):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
    - name: mycontainer
      image: redis
ACKRequiredProbes
Rule description: requires Pods in the specified scope to configure the listed probes (readinessProbe and livenessProbe) using one of the specified probe types.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| probes | array | Probes that every container must configure, for example readinessProbe and livenessProbe. |
| probeTypes | array | Probe mechanisms that are accepted, for example tcpSocket, httpGet and exec. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
ACKCheckNginxPath
Rule description: blocks dangerous values in the spec.rules[].http.paths[].path field of Ingress objects. Enabling this policy is recommended for ingress-nginx versions earlier than 1.2.1. The example denies a path that points at the controller's own filesystem, /var/run/secrets.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
ACKCheckNginxAnnotation
Rule description: blocks dangerous values in the metadata.annotations field of Ingress objects. Enabling this policy is recommended for ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
ACKBlockInternetLoadBalancer
Rule description: blocks the creation of Internet-facing LoadBalancer Services. In ACK the load balancer address type is selected by the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type annotation and defaults to internet when the annotation is omitted, so set it to intranet explicitly for internal Services.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
RatifyVerification
Rule description: after you install the Ratify component from the app marketplace, this rule verifies security metadata such as signatures or SBOMs of the images used by Pods in the specified scope.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # an image with a valid signature
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # an image that fails Ratify signature verification
      name: test-container
PSP
ACKPSPAllowedUsers
Rule description: restricts the user, group, supplementalGroups and fsGroup that Pods in the specified scope run with.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| runAsUser | object | Same semantics as the runAsUser field of the original PSP: a rule (MustRunAs, MustRunAsNonRoot or RunAsAny) and, for MustRunAs, ranges of permitted UIDs (min and max). For details see Users and groups in the PSP documentation. |
| runAsGroup | object | Same semantics as the runAsGroup field of the original PSP: a rule (MustRunAs, MayRunAs or RunAsAny) and ranges of permitted GIDs (min and max). See Users and groups. |
| supplementalGroups | object | Same semantics as the supplementalGroups field of the original PSP: a rule (MustRunAs, MayRunAs or RunAsAny) and ranges of permitted GIDs (min and max). See Users and groups. |
| fsGroup | object | Same semantics as the fsGroup field of the original PSP: a rule (MustRunAs, MayRunAs or RunAsAny) and ranges of permitted GIDs (min and max). See Users and groups. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
    - image: test
      name: test
      securityContext:
        runAsUser: 150
        runAsGroup: 150
Disallowed (no securityContext, so none of the MustRunAs rules is satisfied):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPAllowPrivilegeEscalationContainer
Rule description: requires every container and init container in Pods in the specified scope to set securityContext.allowPrivilegeEscalation: false. The field defaults to true when omitted, which is why the Disallowed Pod below is rejected even though it sets nothing.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPAppArmor
Rule description: restricts the AppArmor profiles that containers in Pods in the specified scope may use. Profiles are selected per container through the container.apparmor.security.beta.kubernetes.io/<container-name> annotation, as the Allowed example shows.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| allowedProfiles | array | AppArmor profiles that containers may use, for example runtime/default. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
    - image: test
      name: test
  initContainers:
    - image: test
      name: test2
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPCapabilities
Rule description: restricts the Linux capabilities of containers in Pods in the specified scope: capabilities added through securityContext.capabilities.add must be in the allowlist, and the capabilities listed in requiredDropCapabilities must be dropped explicitly.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| allowedCapabilities | array | Allowlist of capabilities that containers may add. |
| requiredDropCapabilities | array | Capabilities that every container must drop. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        capabilities:
          add:
            - CHOWN
          drop:
            - "NET_ADMIN"
            - "SYS_ADMIN"
            - "NET_RAW"
Disallowed (the required capabilities are not dropped):
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
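The following Python script is an added example, not code from this page or from ACK: a local check that mirrors ACKPSPCapabilities with the parameters from the Constraint above, and covers two edge cases the examples above do not show: `drop: ["ALL"]` satisfying every required drop, and a container that drops ALL but then adds SYS_ADMIN, which must still be denied because the runtime applies drop before add. The Pods named drop-all and bad-add are constructed for this example; whether the ACK template treats ALL and the CAP_ prefix this way is not stated on this page.

```python
"""Capability checks mirroring ACKPSPCapabilities (added example, not ACK code).

For every container and init container: each capability in
securityContext.capabilities.add must be in allowedCapabilities ('*' permits
any), and each entry of requiredDropCapabilities must appear in
capabilities.drop, where dropping 'ALL' satisfies every required drop.
Names are normalised so 'net_admin' and 'CAP_NET_ADMIN' compare equal to
'NET_ADMIN'. Sample Pods are constructed for this example.
"""
from typing import Dict, List


def _norm(cap: str) -> str:
    """Upper-case and strip the optional CAP_ prefix."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def capability_violations(pod: Dict, allowed: List[str],
                          required_drop: List[str]) -> List[str]:
    """Return one message per disallowed add or missing required drop."""
    allowed_n = {_norm(c) for c in allowed}
    required_n = {_norm(c) for c in required_drop}
    out: List[str] = []
    for list_name in ("initContainers", "containers"):
        for c in pod.get("spec", {}).get(list_name) or []:
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            added = {_norm(x) for x in caps.get("add") or []}
            dropped = {_norm(x) for x in caps.get("drop") or []}
            if "*" not in allowed_n:
                for cap in sorted(added - allowed_n):
                    out.append(f"{list_name}/{c['name']}: capability {cap} is not allowed")
            if "ALL" not in dropped:
                for cap in sorted(required_n - dropped):
                    out.append(f"{list_name}/{c['name']}: must drop capability {cap}")
    return out


# Parameters as in the page's Constraint.
ALLOWED = ["CHOWN"]
REQUIRED_DROP = ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]


def _pod(name: str, **security_context) -> Dict:
    """Build a one-container Pod with the given container securityContext (constructed)."""
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": "app", "image": "test",
                                     "securityContext": security_context}]}}


GOOD_POD = _pod("good-4", capabilities={"add": ["CHOWN"], "drop": REQUIRED_DROP})
BAD_POD = _pod("bad-1")  # empty securityContext: nothing dropped
DROP_ALL_POD = _pod("drop-all", capabilities={"drop": ["ALL"], "add": ["cap_chown"]})
# The runtime applies drop before add, so SYS_ADMIN is still granted here.
BAD_ADD_POD = _pod("bad-add", capabilities={"drop": ["ALL"], "add": ["SYS_ADMIN"]})

if __name__ == "__main__":
    for p in (GOOD_POD, BAD_POD, DROP_ALL_POD, BAD_ADD_POD):
        print(p["metadata"]["name"], capability_violations(p, ALLOWED, REQUIRED_DROP))
```

good-4 and drop-all pass; bad-1 produces three findings, one per required drop; bad-add produces exactly one, for the SYS_ADMIN add.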
ACKPSPFlexVolumes
规则说明:限制在集群指定范围内部署Pod的FlexVolume驱动配置。
重要等级:medium。
参数说明:
参数名称
参数类型
参数说明
allowedFlexVolumes
array
允许配置的FlexVolume驱动列表。
示例:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: ACKPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: [""] kinds: ["Pod", "PersistentVolume"] namespaces: - "test-gatekeeper" parameters: allowedFlexVolumes: #[] - driver: "alicloud/disk" - driver: "alicloud/nas" - driver: "alicloud/oss" - driver: "alicloud/cpfs"
Allowed:
apiVersion: v1 kind: Pod metadata: name: pv-nas namespace: test-gatekeeper spec: containers: - name: test image: test volumes: - name: test flexVolume: driver: "alicloud/nas"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/ossxx"
ACKPSPForbiddenSysctls
Rule description: Restricts the sysctls that Pods deployed in the specified scope of the cluster are forbidden to set.
Severity: high.
Parameters:
Parameter | Type | Description |
forbiddenSysctls | array | List of sysctls that Pods may not set; glob patterns such as "kernel.*" are supported. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
    # - "*" # * may be used to forbid all sysctls
    - "kernel.*"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'net.ipv4.tcp_syncookies'
      value: "65536"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'kernel.shm_rmid_forced'
      value: '1024'
  containers:
  - image: test
    name: test
ACKPSPFSGroup
Rule description: Restricts the fsGroup configuration of Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters:
Parameter | Type | Description |
rule | string | For details, see the fsGroup configuration in the original PSP rules; MustRunAs, MayRunAs and RunAsAny are supported. For more information, see Volumes and file systems. |
ranges | object | Contains the following values: min, the minimum fsGroup ID; max, the maximum fsGroup ID. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
  - image: test
    name: test
ACKPSPHostFilesystem
Rule description: Restricts the host directories that Pods deployed in the specified scope of the cluster may mount.
Severity: high.
Parameters:
Parameter | Type | Description |
allowedHostPaths | object | Whitelist of host paths; each entry has the two fields below. |
readOnly | boolean | Whether the path may only be mounted read-only. |
pathPrefix | string | Path prefix that a hostPath must fall under. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
    - name: test-volume
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
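The following is an added example, not ACK's or Gatekeeper's own policy code: a local pre-check that mirrors ACKPSPHostFilesystem as shown above. It assumes a hostPath is allowed when some allowedHostPaths entry's pathPrefix matches it component-wise (so "/foo" covers "/foo/bar" but not "/foobar"), and that an entry with readOnly: true additionally requires every volumeMount of that volume to be readOnly.

```python
from pathlib import PurePosixPath


def prefix_matches(prefix, path):
    """Component-wise prefix test: "/foo" covers "/foo/bar" but not "/foobar"."""
    p, q = PurePosixPath(prefix).parts, PurePosixPath(path).parts
    return q[:len(p)] == p


def check_host_paths(pod, allowed_host_paths):
    """Return violation strings; an empty list means the Pod would be admitted."""
    spec = pod.get("spec", {})
    # Per volume name, the containers that mount it without readOnly: true
    writable = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts") or []:
            if not m.get("readOnly", False):
                writable.setdefault(m["name"], []).append(c.get("name"))
    violations = []
    for v in spec.get("volumes") or []:
        hp = v.get("hostPath")
        if not hp:
            continue  # only hostPath volumes are in scope for this constraint
        hits = [a for a in allowed_host_paths if prefix_matches(a["pathPrefix"], hp["path"])]
        if not hits:
            violations.append(f"volume {v['name']}: {hp['path']} is under no allowed pathPrefix")
        elif all(a.get("readOnly", False) for a in hits):
            # Every matching entry demands readOnly, so writable mounts are rejected
            for cname in writable.get(v["name"], []):
                violations.append(f"volume {v['name']}: mounted writable by {cname}")
    return violations


# Parameters from the psp-host-filesystem Constraint above
ALLOWED_HOST_PATHS = [{"readOnly": True, "pathPrefix": "/foo"}]

# Constructed Pod dicts mirroring the good1 and bad manifests above
GOOD_POD = {"spec": {
    "containers": [{"name": "test", "image": "test", "volumeMounts": [
        {"name": "test-volume", "mountPath": "/projected-volume", "readOnly": True}]}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/foo"}}]}}
BAD_POD = {"spec": {
    "containers": [{"name": "test", "image": "test"}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "File"}}]}}

if __name__ == "__main__":
    for label, pod in (("good1", GOOD_POD), ("bad", BAD_POD)):
        print(label, check_host_paths(pod, ALLOWED_HOST_PATHS) or "admitted")
```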
ACKPSPHostNamespace
Rule description: Restricts whether Pods deployed in the specified scope of the cluster may share the host namespaces (hostPID, hostIPC).
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKPSPHostNetworkingPorts
Rule description: Restricts whether Pods deployed in the specified scope of the cluster may use the host network, and which host ports they may use.
Severity: high.
Parameters:
Parameter | Type | Description |
hostNetwork | boolean | Whether Pods may share the host network. |
min | int | Lowest hostPort value that may be used. |
max | int | Highest hostPort value that may be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 80
      containerPort: 80
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2
    ports:
    - hostPort: 8080
      containerPort: 8080
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 22
      containerPort: 22
ACKPSPPrivilegedContainer
Rule description: Restricts Pods deployed in the specified scope of the cluster from running privileged containers.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never
ACKPSPProcMount
Rule description: Restricts the proc mount types allowed for Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
procMount | string | The proc mount type; the following values are allowed. Default: the default masked /proc mount. Unmasked: /proc is mounted without masking. For details, see AllowedProcMountTypes. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2
ACKPSPReadOnlyRootFilesystem
Rule description: Restricts Pods deployed in the specified scope of the cluster to using a read-only root filesystem.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2
ACKPSPSeccomp
Rule description: Restricts Pods deployed in the specified scope of the cluster to using the specified seccomp profiles.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedProfileTypes | array | Whitelist of allowed seccomp profile types. |
allowedProfiles | array | Allowed seccomp profiles. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
    # - Unconfined
    - RuntimeDefault
    - Localhost
    allowedProfiles:
    - runtime/default
    - docker/default
    - localhost/profiles/audit.json
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
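The following is an added example, not ACK's or Gatekeeper's own policy code: a local pre-check that mirrors ACKPSPSeccomp as shown above. It assumes that a container's effective profile is its own securityContext.seccompProfile, falling back to the Pod-level one; that the type must be in allowedProfileTypes; that for type Localhost the string "localhost/<localhostProfile>" must be in allowedProfiles (or "*" is listed); and that a container with no profile at all is rejected, as the bad manifest above is.

```python
def effective_profile(pod_spec, container):
    """Container-level seccompProfile overrides the Pod-level one (assumed semantics)."""
    own = (container.get("securityContext") or {}).get("seccompProfile")
    return own or (pod_spec.get("securityContext") or {}).get("seccompProfile")


def profile_name(profile):
    """String form of a seccompProfile, as listed in allowedProfiles."""
    if profile.get("type") == "Localhost":
        return "localhost/" + str(profile.get("localhostProfile", ""))
    if profile.get("type") == "RuntimeDefault":
        return "runtime/default"
    return "unconfined"


def check_seccomp(pod, allowed_types, allowed_profiles):
    """Return violation strings; an empty list means the Pod would be admitted."""
    spec = pod.get("spec", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        prof = effective_profile(spec, c)
        if prof is None:
            violations.append(f"{name}: no seccompProfile set")  # the bad manifest case
            continue
        ptype = prof.get("type")
        if ptype not in allowed_types:
            violations.append(f"{name}: profile type {ptype} not in allowedProfileTypes")
        pname = profile_name(prof)
        if ptype == "Localhost" and "*" not in allowed_profiles and pname not in allowed_profiles:
            violations.append(f"{name}: {pname} not in allowedProfiles")
    return violations


# Parameters from the psp-seccomp Constraint above
ALLOWED_TYPES = ["RuntimeDefault", "Localhost"]
ALLOWED_PROFILES = ["runtime/default", "docker/default", "localhost/profiles/audit.json"]

# Constructed Pod dicts: the good and bad manifests above, plus a Pod-level default
LOCALHOST = {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/audit.json"}}
GOOD_POD = {"spec": {"containers": [{"name": "test", "securityContext": LOCALHOST}],
                     "initContainers": [{"name": "test2", "securityContext": LOCALHOST}]}}
BAD_POD = {"spec": {"containers": [{"name": "test", "image": "test"}]}}
POD_LEVEL_DEFAULT = {"spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                              "containers": [{"name": "test"}, {"name": "sidecar"}]}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD), ("pod-default", POD_LEVEL_DEFAULT)):
        print(label, check_seccomp(pod, ALLOWED_TYPES, ALLOWED_PROFILES) or "admitted")
```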
ACKPSPSELinuxV2
Rule description: Requires Pods deployed in the specified scope of the cluster to use an SELinux configuration listed in the allowedSELinuxOptions parameter.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedSELinuxOptions | object | Whitelist of allowed SELinux configurations. For more information, see SELinuxOptions v1 core. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"
ACKPSPVolumeTypes
Rule description: Restricts the volume types that Pods deployed in the specified scope of the cluster may use.
Severity: low.
Parameters:
Parameter | Type | Description |
volumes | array | List of volume types that may be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    volumes:
    # - "*" # * may be used to allow all volume types
    - configMap
    # - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    # - hostPath #required for allowedHostPaths
    - flexVolume #required for allowedFlexVolumes
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/oss"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data