Constraint templates let you define how a constraint works while delegating the definition of the constraint's specific details to a person or group with expertise in the subject. Besides separating concerns, this also decouples the logic of a constraint from its definition.
Every constraint contains a `match` section that defines which objects the constraint applies to. For details on how to write this section, see the Policy Controller constraint match documentation.
Not all constraint templates are available in every version of Policy Controller, and templates can change between versions. Use the following links to compare constraints across supported versions:
Links to supported versions of this page
For full support, use constraint templates from a supported version of Policy Controller.
To illustrate how each constraint template works, every template below comes with a sample constraint and a resource that violates it.
Available constraint templates
| Constraint template | Description | Referential |
|---|---|---|
| AllowedServicePortName | Requires that Service port names begin with one of a specified list of prefixes. | No |
| AsmAuthzPolicyDefaultDeny | Enforces a mesh-level default-deny AuthorizationPolicy. See https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. | Yes |
| AsmAuthzPolicyDisallowedPrefix | Requires that principals and namespaces in Istio `AuthorizationPolicy` rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyEnforceSourcePrincipals | Requires that the `from` field of an Istio AuthorizationPolicy, when set, names source principals, and that none of them is `*`. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyNormalization | Enforces AuthorizationPolicy normalization. See https://istio.io/latest/docs/reference/config/security/normalization/. | No |
| AsmAuthzPolicySafePattern | Enforces safe AuthorizationPolicy patterns. See https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. | No |
| AsmIngressgatewayLabel | Enforces that the Istio ingressgateway label is used only on ingressgateway pods. | No |
| AsmPeerAuthnMeshStrictMtls | Enforces a mesh-level strict-mTLS PeerAuthentication. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Yes |
| AsmPeerAuthnStrictMtls | Enforces that no PeerAuthentication can override strict mTLS. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | No |
| AsmRequestAuthnProhibitedOutputHeaders | Enforces that the `jwtRules.outputPayloadToHeader` field of a RequestAuthentication does not name well-known HTTP request headers or prohibited custom headers. See https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. | No |
| AsmSidecarInjection | Enforces that the Istio proxy sidecar is always injected into workload pods. | No |
| DestinationRuleTLSEnabled | Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules. | No |
| DisallowedAuthzPrefix | Requires that principals and namespaces in Istio `AuthorizationPolicy` rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| GCPStorageLocationConstraintV1 | Restricts the permitted `location` values of Config Connector StorageBucket resources to the list of locations specified in the constraint. Bucket names listed in `exemptions` are exempt. | No |
| GkeSpotVMTerminationGrace | Requires that Pods and Pod templates with a `gke-spot` nodeSelector or nodeAffinity set `terminationGracePeriodSeconds` to 15 seconds or less. | Yes |
| K8sAllowedRepos | Requires container images to begin with a string from the specified list. | No |
| K8sAvoidUseOfSystemMastersGroup | Restricts use of the `system:masters` group. Has no effect during audit. | No |
| K8sBlockAllIngress | Disallows the creation of Ingress objects (Ingress and Gateway kinds, and Services of type NodePort and LoadBalancer). | No |
| K8sBlockCreationWithDefaultServiceAccount | Disallows creating resources that use the default service account. Has no effect during audit. | No |
| K8sBlockEndpointEditDefaultRole | Many Kubernetes installations ship by default with a `system:aggregate-to-edit` ClusterRole that does not properly restrict access to editing Endpoints. This constraint template forbids the `system:aggregate-to-edit` ClusterRole from granting permission to create, patch or update Endpoints. `ClusterRole/system:aggregate-to-edit` should not grant Endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice permissions allow cross-namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675 | No |
| K8sBlockLoadBalancer | Disallows all Services of type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | No |
| K8sBlockNodePort | Disallows all Services of type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | No |
| K8sBlockObjectsOfType | Blocks objects of disallowed kinds. | No |
| K8sBlockProcessNamespaceSharing | Disallows Pod specs with `shareProcessNamespace` set to true. This prevents scenarios where all containers in a Pod share a PID namespace and can access each other's file system and memory. | No |
| K8sBlockWildcardIngress | Users should not be able to create Ingresses with an empty or wildcard (`*`) hostname, since that would let them intercept traffic for other services in the cluster even without access to those services. | No |
| K8sContainerEphemeralStorageLimit | Requires containers to set an ephemeral-storage limit, and constrains that limit to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerLimits | Requires containers to set memory and CPU limits, and constrains those limits to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRatios | Sets a maximum ratio between container resource limits and requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRequests | Requires containers to set memory and CPU requests, and constrains those requests to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sCronJobAllowedRepos | Requires CronJob container images to begin with a string from the specified list. | No |
| K8sDisallowAnonymous | Disallows binding ClusterRole and Role resources to the `system:anonymous` user and the `system:unauthenticated` group. | No |
| K8sDisallowInteractiveTTY | Requires that the `spec.tty` and `spec.stdin` fields of objects are either false or unset. | No |
| K8sDisallowedRepos | Disallows container repositories that begin with a string from the specified list. | No |
| K8sDisallowedRoleBindingSubjects | Disallows RoleBindings or ClusterRoleBindings whose subjects match any of the `disallowedSubjects` passed as parameters. | No |
| K8sDisallowedTags | Requires container images to carry an image tag different from the ones in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names | No |
| K8sEmptyDirHasSizeLimit | Requires that all `emptyDir` volumes specify a `sizeLimit`. Optionally, a `maxSizeLimit` parameter can be set in the constraint to cap the allowed size limit. | No |
| K8sEnforceCloudArmorBackendConfig | Enforces Cloud Armor configuration on BackendConfig resources. | No |
| K8sEnforceConfigManagement | Requires Config Management to be present and enabled. Constraints using this `ConstraintTemplate` are audit-only, regardless of the value of `enforcementAction`. | Yes |
| K8sExternalIPs | Restricts Service external IPs to an allowed list of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | No |
| K8sHorizontalPodAutoscaler | Disallows the following scenarios when deploying `HorizontalPodAutoscalers`: 1. deploying HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint; 2. deploying HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread`; 3. deploying HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (for example, Deployment, ReplicationController, ReplicaSet, StatefulSet). | Yes |
| K8sHttpsOnly | Requires Ingress resources to be HTTPS only. Ingress resources must carry the `kubernetes.io/ingress.allow-http` annotation set to `false`. By default a valid TLS `{}` configuration is also required; set the `tlsOptional` parameter to `true` to make it optional. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | No |
| K8sImageDigests | Requires container images to be referenced by digest. https://kubernetes.io/docs/concepts/containers/images/ | No |
| K8sLocalStorageRequireSafeToEvict | Requires Pods that use local storage (`emptyDir` or `hostPath`) to carry the annotation `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"`. Cluster Autoscaler does not delete pods without this annotation. | No |
| K8sMemoryRequestEqualsLimit | Improves Pod stability by requiring that every container's memory request exactly equals its memory limit, so a Pod is never using more memory than it requested. Otherwise Kubernetes may terminate Pods that use more memory than they requested when the node needs memory back. | No |
| K8sNoEnvVarSecrets | Disallows Secrets exposed as environment variables in Pod container definitions. Use Secrets mounted as files from volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | No |
| K8sNoExternalServices | Disallows the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes Services are disallowed unless they meet the following criteria: every Service of type LoadBalancer on Google Cloud must carry the annotation `"networking.gke.io/load-balancer-type": "Internal"`; every Service of type LoadBalancer on AWS must carry the annotation `service.beta.kubernetes.io/aws-load-balancer-internal: "true"`; every external IP (external to the cluster) associated with a Service must fall within an internal CIDR range specified in the constraint. | No |
| K8sPSPAllowPrivilegeEscalationContainer | Controls restricting escalation to root privileges. Corresponds to the `allowPrivilegeEscalation` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation | No |
| K8sPSPAllowedUsers | Controls the user and group IDs of the container and of some volumes. Corresponds to the `runAsUser`, `runAsGroup`, `supplementalGroups` and `fsGroup` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups | No |
| K8sPSPAppArmor | Configures an allow-list of AppArmor profiles for use by containers. Corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/ | No |
| K8sPSPAutomountServiceAccountTokenPod | Controls the ability of any Pod to enable `automountServiceAccountToken`. | No |
| K8sPSPCapabilities | Controls Linux capabilities on containers. Corresponds to the `allowedCapabilities` and `requiredDropCapabilities` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities | No |
| K8sPSPFSGroup | Controls the allocation of an FSGroup that owns the Pod's volumes. Corresponds to the `fsGroup` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPFlexVolumes | Controls the allow-list of FlexVolume drivers. Corresponds to the `allowedFlexVolumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers | No |
| K8sPSPForbiddenSysctls | Controls the sysctl profile used by containers. Corresponds to the `allowedUnsafeSysctls` and `forbiddenSysctls` fields in a PodSecurityPolicy. When specified, any sysctl not listed in the `allowedSysctls` parameter is considered forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | No |
| K8sPSPHostFilesystem | Controls usage of the host filesystem. Corresponds to the `allowedHostPaths` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPHostNamespace | Disallows sharing of the host PID and IPC namespaces by pod containers. Corresponds to the `hostPID` and `hostIPC` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPHostNetworkingPorts | Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the `hostNetwork` and `hostPorts` fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPPrivilegedContainer | Controls the ability of any container to enable privileged mode. Corresponds to the `privileged` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | No |
| K8sPSPProcMount | Controls the allowed `procMount` types for the container. Corresponds to the `allowedProcMountTypes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes | No |
| K8sPSPReadOnlyRootFilesystem | Requires pod containers to use a read-only root filesystem. Corresponds to the `readOnlyRootFilesystem` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPSELinuxV2 | Defines an allow-list of `seLinuxOptions` configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configuration. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux | No |
| K8sPSPSeccomp | Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | No |
| K8sPSPVolumeTypes | Restricts mountable volume types to those specified by the user. Corresponds to the `volumes` field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPWindowsHostProcess | Restricts running Windows HostProcess containers or pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/. | No |
| K8sPSSRunAsNonRoot | Requires containers to run as non-root users. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-standards/ | No |
| K8sPodDisruptionBudget | Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (for example, Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. deploying PodDisruptionBudgets with `.spec.maxUnavailable == 0`; 2. deploying PodDisruptionBudgets with `.spec.minAvailable == .spec.replicas` of the resource that implements the replica subresource. This prevents PodDisruptionBudgets from blocking voluntary disruptions such as draining a node. | Yes |
| K8sPodResourcesBestPractices | Requires containers not to be best-effort (by setting CPU and memory requests) and to follow memory best practices (the memory request must exactly equal the limit). Annotation keys can also be configured to let individual validations be skipped. | No |
| K8sPodsRequireSecurityContext | Requires all Pods to define a securityContext. Every container defined in a Pod must have a SecurityContext at the Pod or container level. | No |
| K8sProhibitRoleWildcardAccess | Requires that Roles and ClusterRoles do not grant access to the wildcard resource `"*"`, except for Roles and ClusterRoles listed as exempt. Does not restrict wildcard access to subresources such as `"*/status"`. | No |
| K8sReplicaLimits | Requires that objects with a `spec.replicas` field (Deployments, ReplicaSets, and so on) specify a replica count within defined ranges. | No |
| K8sRequireAdmissionController | Requires Pod Security Admission or an external policy control system. | Yes |
| K8sRequireBinAuthZ | Requires the Binary Authorization validating admission webhook. Constraints using this `ConstraintTemplate` are audit-only, regardless of the value of `enforcementAction`. | Yes |
| K8sRequireCosNodeImage | Enforces the use of Google's Container-Optimized OS on nodes. | No |
| K8sRequireDaemonsets | Requires the specified list of DaemonSets to be present. | Yes |
| K8sRequireDefaultDenyEgressPolicy | Requires that every namespace defined in the cluster has a default-deny egress NetworkPolicy. | Yes |
| K8sRequireNamespaceNetworkPolicies | Requires that every namespace defined in the cluster has a NetworkPolicy. | Yes |
| K8sRequireValidRangesForNetworks | Controls which CIDR blocks are allowed for network ingress and egress traffic. | No |
| K8sRequiredAnnotations | Requires resources to carry specified annotations, with values matching the provided regular expressions. | No |
| K8sRequiredLabels | Requires resources to carry specified labels, with values matching the provided regular expressions. | No |
| K8sRequiredProbes | Requires Pods to have readiness and/or liveness probes. | No |
| K8sRequiredResources | Requires resources to be set for containers. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sRestrictAdmissionController | Restricts dynamic admission controllers to those that are allowed. | No |
| K8sRestrictAutomountServiceAccountTokens | Restricts the use of service account tokens. | No |
| K8sRestrictLabels | Disallows resources from carrying specified labels, unless the specific resource is exempted. | No |
| K8sRestrictNamespaces | Restricts use of the namespaces listed in the `restrictedNamespaces` parameter. | No |
| K8sRestrictNfsUrls | Disallows resources from containing NFS URLs, unless otherwise specified. | No |
| K8sRestrictRbacSubjects | Restricts the names used in RBAC subjects to allowed values. | No |
| K8sRestrictRoleBindings | Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects. | No |
| K8sRestrictRoleRules | Restricts the rules that can be defined in Role and ClusterRole objects. | No |
| K8sStorageClass | Requires storage classes to be specified when used. Supported only on Gatekeeper 3.9 and later, and only for non-ephemeral storage. | Yes |
| K8sUniqueIngressHost | Requires all hosts in Ingress rules to be unique. Does not handle hostname wildcards: https://kubernetes.io/docs/concepts/services-networking/ingress/ | Yes |
| K8sUniqueServiceSelector | Requires Services to have unique selectors within a namespace. Two selectors are considered identical if they have the same keys and values. Selectors may share a key/value pair as long as at least one key/value pair differs between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | Yes |
| NoUpdateServiceAccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | No |
| PolicyStrictOnly | Requires Istio mutual TLS to always be specified as `STRICT` when using [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). This constraint also ensures that the deprecated [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) and MeshPolicy resources enforce `STRICT` mutual TLS. For more information: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh | No |
| RestrictNetworkExclusions | Controls which inbound ports, outbound ports and outbound IP ranges may be excluded from Istio network capture. Ports and IP ranges that bypass Istio's network capture are not handled by the Istio proxy, so Istio mTLS authentication, authorization policies and other Istio features do not apply to them. This constraint restricts use of the Istio sidecar traffic-exclusion annotations; for details, see https://istio.io/latest/docs/reference/config/annotations/. When restricting outbound IP ranges, the constraint computes whether the excluded IP ranges match, or are a subset of, the allowed IP range exclusions. When this constraint is used, all inbound ports, outbound ports and outbound IP ranges must always be included: the corresponding 'include' annotations must either be set to `"*"` or left unset, and must never be set to any value other than `"*"`. This constraint always allows excluding port 15020, because Istio's sidecar injection always adds it to the exclusion annotation. | No |
| SourceNotAllAuthz | Requires Istio AuthorizationPolicy rules to have source principals set to something other than `"*"`. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| VerifyDeprecatedAPI | Checks for deprecated Kubernetes APIs to ensure all API versions are up to date. This template does not apply to audit, because audit examines resources already in the cluster, which already carry non-deprecated API versions. | No |
AllowedServicePortName
Allowed Service Port Names v1.0.1
Requires that Service port names begin with one of a specified list of prefixes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Examples
port-name-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Service
  parameters:
    prefixes:
      - http-
      - http2-
      - grpc-
      - mongo-
      - redis-
      - tcp-
```
Allowed
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
    - name: http-helloport
      port: 5000
  selector:
    app: helloworld
```
Disallowed
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
    - name: foo-helloport
      port: 5000
  selector:
    app: helloworld
```
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
    - name: helloport
      port: 5000
  selector:
    app: helloworld
```
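The same prefix rule can be applied before a manifest ever reaches the admission webhook. The following Python is an added example, not Policy Controller's own Rego and not part of the original page: it evaluates the rule offline over Service manifests loaded as plain dicts (what `yaml.safe_load` returns), so a CI step can fail on a bad port name. The prefix list is copied from the constraint above; the Services are constructed to mirror the page's samples, plus one extra Service with a mixed set of ports. Treating an unnamed port as a violation is this example's own choice (an absent name cannot carry any prefix), not a statement about how the template handles it.

```python
"""Offline check for the AllowedServicePortName rule (added example)."""

# Prefixes copied from the page's port-name-constraint. Istio reads the leading
# token of a Service port name to select the protocol (http-, grpc-, tcp-, ...);
# a name outside this list leaves protocol selection to detection or plain TCP.
ALLOWED_PREFIXES = ("http-", "http2-", "grpc-", "mongo-", "redis-", "tcp-")


def port_name_violations(service, prefixes=ALLOWED_PREFIXES):
    """Return one message per port whose name does not start with an allowed prefix.

    An unnamed port is reported as well (assumption of this example): a missing
    name cannot start with any prefix, and it is the case most easily missed
    when ports are appended to an existing Service later.
    """
    found = []
    svc_name = (service.get("metadata") or {}).get("name", "<unnamed>")
    for port in (service.get("spec") or {}).get("ports") or []:
        name = port.get("name")
        if name is None or not name.startswith(prefixes):
            found.append(
                f"Service {svc_name}: port {port.get('port')} named {name!r} "
                f"must start with one of {', '.join(prefixes)}"
            )
    return found


def make_service(name, *port_names):
    # Constructed sample builder mirroring the page's helloworld Services.
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "labels": {"app": "helloworld"}},
        "spec": {
            "ports": [{"name": n, "port": 5000 + i} for i, n in enumerate(port_names)],
            "selector": {"app": "helloworld"},
        },
    }


SAMPLES = [
    make_service("port-name-http", "http-helloport"),          # allowed on the page
    make_service("port-name-tcp", "foo-helloport"),            # disallowed on the page
    make_service("port-name-bad", "helloport"),                # disallowed on the page
    make_service("port-name-mixed", "grpc-api", "metrics", None),  # constructed: two bad ports
]

if __name__ == "__main__":
    for svc in SAMPLES:
        print(svc["metadata"]["name"], port_name_violations(svc) or "OK")
```

The check is deliberately independent of the cluster: it needs no Gatekeeper, no kubeconfig and no network, which is what makes it suitable as a pre-commit or pull-request gate that mirrors the admission-time constraint.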
AsmAuthzPolicyDefaultDeny
ASM AuthorizationPolicy Default Deny v1.0.4
Enforces a mesh-level default-deny AuthorizationPolicy. See https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Referential Constraint
This is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config needs a `syncOnly` entry similar to this:
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "AuthorizationPolicy"
Examples
asm-authz-policy-default-deny-with-input-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
```
Allowed
An AuthorizationPolicy in the root namespace with no rules denies every request in the mesh, whether `action` is left unset or set to `ALLOW`.
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
```
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
```
Disallowed
A `DENY` policy with rules is not a default deny: it rejects only the requests its rules match and leaves everything else allowed.
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
    - to:
        - operation:
            notMethods:
              - GET
              - POST
```
asm-authz-policy-default-deny-no-input-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
```
Allowed
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
```
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
```
Disallowed
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
    - to:
        - operation:
            notMethods:
              - GET
              - POST
```
AsmAuthzPolicyDisallowedPrefix
ASM AuthorizationPolicy Disallowed Prefixes v1.0.2
Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
Examples
asm-authz-policy-disallowed-prefix-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups:
          - security.istio.io
        kinds:
          - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
      - bad-ns-prefix
      - worse-ns-prefix
    disallowedPrincipalPrefixes:
      - bad-principal-prefix
      - worse-principal-prefix
```
Allowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:
              - test
  selector:
    matchLabels:
      app: httpbin
```
Disallowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/worse-principal-prefix-sleep
        - source:
            namespaces:
              - test
  selector:
    matchLabels:
      app: httpbin
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:
              - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin
```
AsmAuthzPolicyEnforceSourcePrincipals
ASM AuthorizationPolicy Enforcement Principals v1.0.2
Requires that the `from` field of an Istio AuthorizationPolicy, when set, names source principals, and that none of them is `*`. https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-authz-policy-enforce-source-principals-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups:
          - security.istio.io
        kinds:
          - AuthorizationPolicy
```
Allowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
        - source:
            namespaces:
              - test
      to:
        - operation:
            methods:
              - GET
            paths:
              - /info*
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: request.auth.claims[iss]
          values:
            - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
```
Disallowed
A rule whose `from` block identifies callers only by namespace, or with the `*` principal, accepts any workload identity; the constraint requires an explicit service-account principal.
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
    - from:
        - source:
            namespaces:
              - test
      to:
        - operation:
            methods:
              - GET
            paths:
              - /info*
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: request.auth.claims[iss]
          values:
            - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
    - from:
        - source:
            principals:
              - '*'
        - source:
            namespaces:
              - test
      to:
        - operation:
            methods:
              - GET
            paths:
              - /info*
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: request.auth.claims[iss]
          values:
            - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
    - from:
        - source:
            principals:
              - cluster.local/ns/default/sa/sleep
              - '*'
        - source:
            namespaces:
              - test
      to:
        - operation:
            methods:
              - GET
            paths:
              - /info*
        - operation:
            methods:
              - POST
            paths:
              - /data
      when:
        - key: request.auth.claims[iss]
          values:
            - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
```
AsmAuthzPolicyNormalization
ASM AuthorizationPolicy Normalization v1.0.2
Enforces AuthorizationPolicy normalization. See https://istio.io/latest/docs/reference/config/security/normalization/. Envoy normalizes the request before the policy is evaluated, so a policy whose methods, header names or paths are not already in normalized form can match different requests than its author intended.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-authz-policy-normalization-sample
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups:
          - security.istio.io
        kinds:
          - AuthorizationPolicy
```
Allowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
    - to:
        - operation:
            methods:
              - GET
            paths:
              - /test/foo
    - when:
        - key: source.ip
          values:
            - 10.1.2.3
            - 10.2.0.0/16
        - key: request.headers[User-Agent]
          values:
            - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
```
Disallowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
    - to:
        - operation:
            methods:
              - get
  selector:
    matchLabels:
      app: httpbin
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
    - to:
        - operation:
            methods:
              - GET
    - when:
        - key: source.ip
          values:
            - 10.1.2.3
            - 10.2.0.0/16
        - key: request.headers[User-Ag ent]
          values:
            - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
    - to:
        - operation:
            methods:
              - GET
            paths:
              - /test\/foo
    - when:
        - key: source.ip
          values:
            - 10.1.2.3
            - 10.2.0.0/16
        - key: request.headers[User-Agent]
          values:
            - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
```
AsmAuthzPolicySafePattern
ASM AuthorizationPolicy Safe Patterns v1.0.4
Enforces safe AuthorizationPolicy usage patterns. Reference: https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>
Examples
asm-authz-policy-safe-pattern-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
AsmIngressgatewayLabel
ASM Ingress Gateway Label v1.0.3
Enforces that the istio ingressgateway label is used only on ingressgateway pods.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
asm-ingressgateway-label-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
AsmPeerAuthnMeshStrictMtls
ASM Peer Authentication Mesh Strict mTLS v1.0.4
Enforces mesh-level strict mTLS PeerAuthentication. Reference: https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.
The Policy Controller Config requires a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "security.istio.io"
      version: "v1beta1"
      kind: "PeerAuthentication"
Examples
asm-peer-authn-mesh-strict-mtls-with-input-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
Allowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT
Disallowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Allowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
Disallowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE
AsmPeerAuthnStrictMtls
ASM Peer Authentication Strict mTLS v1.0.3
Enforces that PeerAuthentication resources cannot override strict mTLS. Reference: https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>
Examples
asm-peer-authn-strict-mtls-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High
Allowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
Disallowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
AsmRequestAuthnProhibitedOutputHeaders
ASM RequestAuthentication Prohibited Output Headers v1.0.2
Enforces that the jwtRules.outputPayloadToHeader field of a RequestAuthentication does not contain well-known HTTP request headers or custom headers that are prohibited from use. Reference: https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
    - <string>
Examples
asm-request-authn-prohibited-output-headers-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header
Allowed
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
Disallowed
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
AsmSidecarInjection
ASM Sidecar Injection v1.0.2
Enforces that the istio proxy sidecar is always injected into workload pods.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>
Examples
asm-sidecar-injection-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
DestinationRuleTLSEnabled
Destination Rule TLS Enabled v1.0.1
Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
dr-tls-enabled
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
Disallowed
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE
DisallowedAuthzPrefix
Disallowed Istio AuthorizationPolicy Prefix v1.0.2
Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
    - <string>
Examples
disallowed-authz-prefix-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
GCPStorageLocationConstraintV1
GCP Storage Location Constraint v1.0.3
Restricts the allowed locations of Config Connector StorageBucket resources to the list of locations specified in the constraint. Bucket names listed under exemptions are exempt.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
    - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
    - <string>
Examples
singapore-and-jakarta-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
Allowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
Disallowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null
GkeSpotVMTerminationGrace
Restrict GKE Spot VM terminationGracePeriodSeconds v1.1.3
Requires Pods and Pod Templates that use a gke-spot nodeSelector or nodeAffinity to have a terminationGracePeriodSeconds of 15 seconds or less.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
    # of 15s or less for all `Pod` on a `gke-spot` Node.
    includePodOnSpotNodes: <boolean>
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.
The Policy Controller Config requires a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: ""
      version: "v1"
      kind: "Node"
Examples
spotvm-termination-grace
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: spotvm-termination-grace
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    includePodOnSpotNodes: true
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15

apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default

apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30

apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default
K8sAllowedRepos
Allowed Repositories v1.0.1
Container images must begin with a string from the specified list.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
    - <string>
Examples
repo-is-openpolicyagent
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
K8sAvoidUseOfSystemMastersGroup
Avoid Use of the 'system:masters' Group v1.0.0
Prevents use of the 'system:masters' group. Has no effect during audit.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
    - <string>
Examples
avoid-use-of-system-masters-group
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
K8sBlockAllIngress
Block All Ingress v1.0.4
Prevents creation of Ingress objects (kinds Ingress, Gateway, and Service of type NodePort and LoadBalancer).
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
    - <string>
Examples
block-all-ingress
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*
Allowed
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: disallowed-gateway-example
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.example.com'
    name: default
    port: 80
    protocol: HTTP
K8sBlockCreationWithDefaultServiceAccount
Block Creation with Default Service Account v1.0.2
Prohibits creating resources with the default service account. Has no effect during audit.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
block-creation-with-default-serviceaccount
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
K8sBlockEndpointEditDefaultRole
Block Endpoint Edit Default Role v1.0.0
In many Kubernetes installations, the default system:aggregate-to-edit ClusterRole does not properly restrict access to editing Endpoints. This constraint template prohibits the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice permissions allow cross-namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
block-endpoint-edit-default-role
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
K8sBlockLoadBalancer
Block LoadBalancer Services v1.0.0
Disallows all Services of type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
```
Examples
block-load-balancer
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
```
Allowed
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
```
Disallowed
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer
```
K8sBlockNodePort
Block NodePort v1.0.0
Disallows all Services of type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
```
Examples
block-node-port
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
```
Disallowed
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort
```
K8sBlockObjectsOfType
Block Objects of Type v1.0.1
Disallows objects of the forbidden types.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
    - <string>
```
Examples
block-secrets-of-type-basic-auth
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth
```
Allowed
```yaml
apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque
```
Disallowed
```yaml
apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth
```
K8sBlockProcessNamespaceSharing
Block Process Namespace Sharing v1.0.1
Disallows Pod specs with shareProcessNamespace set to true. This prevents scenarios where all containers in a Pod share a PID namespace and can access each other's filesystem and memory.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
```
Examples
block-process-namespace-sharing
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true
```
K8sBlockWildcardIngress
Block Wildcard Ingress v1.0.1
Users should not be able to create Ingresses with a blank or wildcard (*) hostname, since that would let them intercept traffic for other services in the cluster even if they have no access to those services.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
```
Examples
block-wildcard-ingress
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
```
Allowed
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
```
Disallowed
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
```
K8sContainerEphemeralStorageLimit
Container Ephemeral Storage Limit v1.0.2
Requires containers to have an ephemeral storage limit set, and constrains the limit to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
```
Examples
container-ephemeral-storage-limit
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi
```
K8sContainerLimits
Container Limits v1.0.1
Requires containers to have memory and CPU limits set, and constrains the limits to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>
```
Examples
container-must-have-limits
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi
```
K8sContainerRatios
Container Ratios v1.0.1
Sets a maximum ratio between container resource limits and requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>
```
Examples
container-must-meet-ratio
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi
```
container-must-meet-memory-and-cpu-ratio
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi
```
K8sContainerRequests
Container Requests v1.0.1
Requires containers to have memory and CPU requests set, and constrains the requests to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>
```
Examples
container-must-have-requests
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
```
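The four resource-bound templates above (K8sContainerEphemeralStorageLimit, K8sContainerLimits, K8sContainerRatios and K8sContainerRequests) all hinge on two details that are easy to get wrong when reviewing a Pod by eye: Kubernetes quantities mix decimal, binary and milli suffixes (`200m`, `1Gi`, `1Pi`, `"4"`), and the comparison must be made across init, regular and ephemeral containers. The following Python is an added example, not Policy Controller's Rego, that reproduces the decisions shown in the page's allowed/disallowed Pods. One assumption is flagged in the code: the page's worked example admits a `memory: 1Gi` limit under a `memory: 1Gi` maximum, so the check treats the maximum as inclusive even though the schema comment says "exclusive"; the handling of a container that lacks a request or limit in the ratio check is also this example's choice.

```python
"""Evaluate Pod specs against the resource-bound constraints on this page.

Added example; not Policy Controller's own policy code. Behaviour is inferred
from the page's allowed/disallowed Pods (assumption: a limit equal to the
maximum is allowed, as the 1Gi-under-1Gi example shows).
"""
from fractions import Fraction

# Kubernetes quantity suffixes: 'm' is milli, k/M/G/... decimal, Ki/Mi/Gi/... binary.
_SUFFIX = {
    "": Fraction(1), "m": Fraction(1, 1000),
    "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9),
    "T": Fraction(10**12), "P": Fraction(10**15), "E": Fraction(10**18),
    "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30),
    "Ti": Fraction(2**40), "Pi": Fraction(2**50), "Ei": Fraction(2**60),
}


def parse_quantity(q):
    """Convert a quantity ('200m', '1Gi', '4', 0.5) into an exact Fraction.
    Exponent notation such as 1e3 is not handled (unused on this page)."""
    s = str(q).strip()
    i = 0
    while i < len(s) and (s[i].isdigit() or s[i] == "."):
        i += 1
    number, suffix = s[:i], s[i:]
    if not number or suffix not in _SUFFIX:
        raise ValueError(f"unrecognised quantity: {q!r}")
    return Fraction(number) * _SUFFIX[suffix]


def containers_of(pod):
    """Yield init, regular and ephemeral containers; the templates inspect all three."""
    spec = pod["spec"]
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def image_exempt(image, exempt_images):
    """exemptImages semantics from the schema: exact match, or prefix match
    when the entry ends in '*'."""
    for pattern in exempt_images:
        if pattern.endswith("*") and image.startswith(pattern[:-1]):
            return True
        if image == pattern:
            return True
    return False


def check_bounds(pod, maxima, section="limits", exempt_images=()):
    """K8sContainerLimits / K8sContainerRequests / K8sContainerEphemeralStorageLimit:
    every non-exempt container must declare each resource in `maxima` under
    resources.<section> and must not exceed the maximum (assumed inclusive)."""
    violations = []
    for c in containers_of(pod):
        if image_exempt(c.get("image", ""), exempt_images):
            continue
        declared = c.get("resources", {}).get(section, {})
        for resource, cap in maxima.items():
            if resource not in declared:
                violations.append(f"{c['name']}: no {section}.{resource} declared")
            elif parse_quantity(declared[resource]) > parse_quantity(cap):
                violations.append(
                    f"{c['name']}: {section}.{resource}={declared[resource]} exceeds {cap}")
    return violations


def check_ratios(pod, ratio, cpu_ratio=None):
    """K8sContainerRatios: limit/request must not exceed `ratio` for memory and
    `cpuRatio` (defaulting to `ratio`) for cpu. A container missing either side
    is reported; that handling is this example's choice."""
    bounds = {"memory": Fraction(str(ratio)),
              "cpu": Fraction(str(ratio if cpu_ratio is None else cpu_ratio))}
    violations = []
    for c in containers_of(pod):
        res = c.get("resources", {})
        for resource, max_ratio in bounds.items():
            lim = res.get("limits", {}).get(resource)
            req = res.get("requests", {}).get(resource)
            if lim is None or req is None:
                violations.append(f"{c['name']}: {resource} needs both a limit and a request")
                continue
            actual = parse_quantity(lim) / parse_quantity(req)
            if actual > max_ratio:
                violations.append(
                    f"{c['name']}: {resource} limit/request={float(actual):g} exceeds {max_ratio}")
    return violations


def _pod(name, **resources):
    """Constructed single-container Pod mirroring the page's opa examples."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "opa", "image": "openpolicyagent/opa:0.9.2",
                                     "resources": resources}]}}


# Constructed samples with the same values as the page's worked examples.
OPA_LIMITS_OK = _pod("opa-allowed", limits={"cpu": "100m", "memory": "1Gi"})
OPA_LIMITS_BAD = _pod("opa-disallowed", limits={"cpu": "100m", "memory": "2Gi"})
OPA_RATIO_OK = _pod("opa-allowed", limits={"cpu": "200m", "memory": "200Mi"},
                    requests={"cpu": "100m", "memory": "100Mi"})
OPA_RATIO_BAD = _pod("opa-disallowed", limits={"cpu": "800m", "memory": "2Gi"},
                     requests={"cpu": "100m", "memory": "100Mi"})
OPA_CPU_RATIO_BAD = _pod("opa-disallowed", limits={"cpu": "4", "memory": "2Gi"},
                         requests={"cpu": "100m", "memory": "2Gi"})

if __name__ == "__main__":
    print(check_bounds(OPA_LIMITS_OK, {"cpu": "200m", "memory": "1Gi"}))
    print(check_bounds(OPA_LIMITS_BAD, {"cpu": "200m", "memory": "1Gi"}))
    print(check_ratios(OPA_RATIO_BAD, "2"))
    print(check_ratios(OPA_CPU_RATIO_BAD, "1", cpu_ratio="10"))
```

Running the script prints an empty list for the allowed Pod, one violation for the 2Gi memory limit, two for the ratio example (cpu 8x and memory 20.48x against a maximum of 2) and one for the cpuRatio example (cpu 40x against 10). Because `check_bounds` walks init and ephemeral containers too, an init container with `ephemeral-storage: 1Pi` is caught exactly as the page's third disallowed Pod for K8sContainerEphemeralStorageLimit shows.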
K8sCronJobAllowedRepos
CronJob Allowed Repositories v1.0.1
Requires the container images of CronJobs to begin with a string from the specified list.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
    - <string>
```
Examples
cronjob-restrict-repos
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: cronjob-restrict-repos
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
  parameters:
    repos:
    - gke.gcr.io/
```
Allowed
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: gke.gcr.io/busybox:1.28
            name: hello
  schedule: '* * * * *'
```
Disallowed
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: busybox:1.28
            name: hello
  schedule: '* * * * *'
```
K8sDisallowAnonymous
Disallow Anonymous Access v1.0.0
Disallows associating ClusterRole and Role resources with the system:anonymous user and the system:unauthenticated group.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
    - <string>
```
Examples
no-anonymous
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1
```
Allowed
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
```
Disallowed
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
```
K8sDisallowInteractiveTTY
Disallow Interactive TTY Containers v1.0.0
Requires that the spec.tty and spec.stdin fields of objects are either false or unset.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
```
Examples
no-interactive-tty-containers
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: no-interactive-tty-containers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-interactive-tty
  name: nginx-interactive-tty-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: false
    tty: false
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: true
    tty: true
```
K8sDisallowedRepos
Disallowed Repositories v1.0.0
Disallows container repositories that begin with a string from the specified list.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
    - <string>
```
Examples
repo-must-not-be-k8s-gcr-io
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
```
K8sDisallowedRoleBindingSubjects
Disallowed Rolebinding Subjects v1.0.1
Disallows RoleBindings or ClusterRoleBindings whose subjects match any of the disallowedSubjects passed as a parameter.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
    - # apiGroup <string>: The Kubernetes API group of the disallowed role
      # binding subject. Currently ignored.
      apiGroup: <string>
      # kind <string>: The kind of the disallowed role binding subject.
      kind: <string>
      # name <string>: The name of the disallowed role binding subject.
      name: <string>
```
Examples
disallowed-rolebinding-subjects
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
```
Allowed
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```
Disallowed
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
```
K8sDisallowedTags
Disallow tags v1.0.1
Requires container images to have an image tag that is not in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # tags <array>: Disallowed container image tags.
    tags:
    - <string>
```
Examples
container-image-must-not-have-latest-tag
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor
```
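The three image-reference templates on this page (K8sCronJobAllowedRepos, K8sDisallowedRepos and K8sDisallowedTags) make two decisions worth seeing spelled out: an image with no tag at all is a violation of K8sDisallowedTags (the page's first disallowed Pod, `openpolicyagent/opa`, is rejected even though it never says `latest`), and the repo templates do plain string-prefix matching, which is why every example prefix ends in `/`. The Python below is an added example, not the templates' own Rego. The registry/repository/tag/digest split in `parse_image`, the treatment of a digest-pinned image as carrying an identifier, and the constructed sample specs (including the placeholder digest and the look-alike registry name used to show why the trailing slash matters) are all this example's assumptions.

```python
"""Image-reference checks in the spirit of K8sDisallowedTags, K8sDisallowedRepos
and K8sCronJobAllowedRepos. Added example, not Policy Controller's policy code;
the parsing and the handling of digest-pinned images are this example's own."""


def parse_image(ref):
    """Split 'registry/repo:tag@sha256:...' into parts. The tag is the text after the
    last ':' only when that ':' follows the last '/', so a registry port
    ('host:5000/app') is not mistaken for a tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    colon, last_slash = ref.rfind(":"), ref.rfind("/")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    registry = None
    first, _, rest = name.partition("/")
    # Docker's rule: the first component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    return {"registry": registry, "repository": name, "tag": tag, "digest": digest}


def containers_of(pod_spec):
    """Init, regular and ephemeral containers; all three are in scope."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from pod_spec.get(key, [])


def image_exempt(image, exempt_images):
    """exemptImages semantics from the schema: exact match, or prefix match for '*'."""
    return any((p.endswith("*") and image.startswith(p[:-1])) or image == p
               for p in exempt_images)


def disallowed_tag_violations(pod_spec, tags, exempt_images=()):
    """K8sDisallowedTags: every container must carry a tag (a digest is accepted
    here as an equally explicit identifier; assumption) and the tag must not be
    listed. A tag-less image is flagged because the runtime would resolve it to
    ':latest', the very tag the page's example forbids."""
    violations = []
    for c in containers_of(pod_spec):
        image = c["image"]
        if image_exempt(image, exempt_images):
            continue
        parts = parse_image(image)
        if parts["tag"] is None and parts["digest"] is None:
            violations.append(f"{c['name']}: image {image} has no tag")
        elif parts["tag"] in tags:
            violations.append(f"{c['name']}: image {image} uses disallowed tag {parts['tag']}")
    return violations


def repo_prefix_violations(pod_spec, repos, allow):
    """K8sCronJobAllowedRepos (allow=True) / K8sDisallowedRepos (allow=False).
    Plain prefix matching: a prefix without a trailing '/' also matches any
    registry whose name merely starts with it, so end each prefix with '/'."""
    violations = []
    for c in containers_of(pod_spec):
        image = c["image"]
        matched = any(image.startswith(r) for r in repos)
        if allow and not matched:
            violations.append(f"{c['name']}: {image} is not from an allowed repository")
        if not allow and matched:
            violations.append(f"{c['name']}: {image} is from a disallowed repository")
    return violations


def cronjob_pod_spec(cronjob):
    """CronJob containers live under spec.jobTemplate.spec.template.spec."""
    return cronjob["spec"]["jobTemplate"]["spec"]["template"]["spec"]


# Constructed sample Pod spec (placeholder digest, not a real image).
SAMPLE_SPEC = {
    "containers": [
        {"name": "opa", "image": "openpolicyagent/opa:0.9.2"},
        {"name": "untagged", "image": "openpolicyagent/opa"},
        {"name": "pinned", "image": "registry.example.com:5000/team/app@sha256:" + "0" * 64},
    ],
    "ephemeralContainers": [{"name": "debug", "image": "openpolicyagent/opa:latest"}],
}

# Constructed CronJob with the same shape as the page's example.
def sample_cronjob(image):
    return {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "hello"},
            "spec": {"jobTemplate": {"spec": {"template": {"spec": {
                "containers": [{"name": "hello", "image": image}]}}}},
                     "schedule": "* * * * *"}}


if __name__ == "__main__":
    print(disallowed_tag_violations(SAMPLE_SPEC, ["latest"]))
    print(repo_prefix_violations(cronjob_pod_spec(sample_cronjob("busybox:1.28")),
                                 ["gke.gcr.io/"], allow=True))
```

The second print shows the CronJob case from the page: `busybox:1.28` is rejected under an allow-list of `gke.gcr.io/`. Swapping the prefix for `gke.gcr.io` without the slash would also admit an image from a constructed look-alike such as `gke.gcr.io.example.net/busybox:1.28`, which is the pitfall the trailing slash avoids.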
K8sEmptyDirHasSizeLimit
Empty Directory has Size Limit v1.0.5
Requires a sizeLimit to be specified for each emptyDir volume. A maxSizeLimit parameter can also be set on the constraint to enforce a maximum size limit.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
    - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>
```
Examples
empty-dir-has-size-limit
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi
```
Allowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume
```
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy
```
Disallowed
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume
```
K8sEnforceCloudArmorBackendConfig
Enforce Cloud Armor on BackendConfig resources v1.0.2
Enforces Cloud Armor configuration on BackendConfig resources.
Constraint schema
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
```
Examples
enforce-cloudarmor-backendconfig
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun
```
Allowed
```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy
```
```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy
```
Disallowed
```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null
```
```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""
```
```yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5
```
K8sEnforceConfigManagement
Enforce Config Management v1.1.6
Requires Config Management to be present and enabled. Constraints that use this ConstraintTemplate are audit-only, regardless of the value of enforcementAction.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>
Referential Constraint
This constraint is referential. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config requires a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "configsync.gke.io"
      version: "v1beta1"
      kind: "RootSync"
Examples
enforce-config-management
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement
Allowed
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true
Disallowed
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
K8sExternalIPs
External IPs v1.0.0
Restricts Service externalIPs to an allow-list of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
    - <string>
Examples
external-ips
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
Allowed
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
K8sHorizontalPodAutoscaler
Horizontal Pod Autoscaler v1.0.1
Disallows the following scenarios when deploying HorizontalPodAutoscalers:
1. Deploying HorizontalPodAutoscalers with .spec.minReplicas or .spec.maxReplicas outside the ranges defined in the constraint.
2. Deploying HorizontalPodAutoscalers where the difference between .spec.minReplicas and .spec.maxReplicas is less than the configured minimumReplicaSpread.
3. Deploying HorizontalPodAutoscalers that do not reference a valid scaleTargetRef (for example a Deployment, ReplicationController, ReplicaSet or StatefulSet).
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas. Values are
    # inclusive.
    ranges:
    # <list item: object>: A range of allowed replicas. Values are
    # inclusive.
    - # max_replicas <integer>: The maximum number of replicas allowed,
      # inclusive.
      max_replicas: <integer>
      # min_replicas <integer>: The minimum number of replicas allowed,
      # inclusive.
      min_replicas: <integer>
Referential Constraint
This constraint is referential. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config requires a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "apps"
      version: "v1"
      kind: "Deployment"
    OR
    - group: "apps"
      version: "v1"
      kind: "StatefulSet"
Examples
horizontal-pod-autoscaler
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3
Allowed
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Disallowed
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
K8sHttpsOnly
HTTPS Only v1.0.2
Requires Ingress resources to be HTTPS only. Ingress resources must include the kubernetes.io/ingress.allow-http annotation, set to false. By default a valid TLS {} configuration is required; this can be made optional by setting the tlsOptional parameter to true.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>
Examples
ingress-https-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
ingress-https-only-tls-optional
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
K8sImageDigests
Image Digests v1.0.1
Requires container images to contain a digest. https://kubernetes.io/docs/concepts/containers/images/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
container-image-must-have-digest
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit
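The digest rule and the exemptImages prefix semantics as a local check that walks all three container lists (containers, initContainers, ephemeralContainers), which is why the disallowed Pods above fail even when only an init or ephemeral container is unpinned. Added example, not the template's Rego; the digest pattern (an `@algorithm:value` suffix, not fixed to sha256) and the `*` prefix handling are this example's reading of the schema text, and the same exemptImages behaviour applies to the PSP templates later on this page.

```python
"""Local check mirroring K8sImageDigests: every container image must carry a digest.

Added example, not the template's own Rego. The digest pattern and the
`exemptImages` prefix semantics are this example's reading of the schema text.
"""
import re

# A digest reference looks like  repo/image:tag@sha256:<hex> . The algorithm
# is not pinned to sha256 here (assumption); only the "@algo:value" suffix
# must be present.
DIGEST_RE = re.compile(r"@[a-z0-9]+(?:[+._-][a-z0-9]+)*:[A-Za-z0-9=_-]+$")

CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def iter_containers(pod):
    """Yield (list name, container) for all three container lists in a Pod spec."""
    for field in CONTAINER_LISTS:
        for c in pod.get("spec", {}).get(field, []):
            yield field, c


def is_exempt(image, exempt_images):
    """exemptImages entry: exact match, or prefix match when it ends with '*'."""
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False


def check_image_digests(pod, exempt_images=()):
    """Return violation messages; an empty list means the Pod is allowed."""
    violations = []
    for field, c in iter_containers(pod):
        image = c.get("image", "")
        if is_exempt(image, exempt_images):
            continue
        if not DIGEST_RE.search(image):
            violations.append(f"{field}/{c.get('name')}: image '{image}' has no digest")
    return violations


def _pod(name, **lists):
    """Constructed Pod manifest; each keyword is a container list name -> images."""
    spec = {field: [{"name": f"{field}-{i}", "image": img} for i, img in enumerate(imgs)]
            for field, imgs in lists.items()}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Image references taken from this page's allowed and disallowed Pods.
PINNED = "openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a"
UNPINNED = "openpolicyagent/opa:0.9.2"

ALLOWED = _pod("opa-allowed", containers=[PINNED])
# Unpinned in all three lists, like the page's second disallowed Pod.
DISALLOWED = _pod("opa-disallowed", containers=[UNPINNED],
                  initContainers=[UNPINNED], ephemeralContainers=[UNPINNED])

if __name__ == "__main__":
    print(check_image_digests(ALLOWED))
    print(check_image_digests(DISALLOWED))
    # An unqualified prefix exempts the image; a fully-qualified prefix for a
    # registry the image does not come from does not, which is the point of the
    # schema's advice to use fully-qualified names.
    print(check_image_digests(DISALLOWED, exempt_images=["openpolicyagent/*"]))
    print(check_image_digests(DISALLOWED, exempt_images=["docker.io/openpolicyagent/*"]))
```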
K8sLocalStorageRequireSafeToEvict
Local Storage Requires Safe to Evict v1.0.1
Requires Pods that use local storage (emptyDir or hostPath) to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler will not delete Pods that lack this annotation.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
local-storage-require-safe-to-evict
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
K8sMemoryRequestEqualsLimit
Memory Request Equals Limit v1.0.4
Improves Pod stability by requiring the memory request of every container to equal its memory limit exactly, so that a Pod is never in a state where its memory usage exceeds the amount it requested. Otherwise Kubernetes may terminate Pods that use more memory than they requested when the node runs short of memory.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
    - <string>
Examples
container-must-request-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi

apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
K8sNoEnvVarSecrets
No Environment Variable Secrets v1.0.1
Prohibits Secrets being exposed as environment variables in Pod container definitions. Use Secret files mounted from volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
no-secrets-as-env-vars-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test
K8sNoExternalServices
No External Services v1.0.3
Prohibits the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes Services are also prohibited unless they meet the following criteria:
Every Service of type LoadBalancer on Google Cloud must carry the annotation "networking.gke.io/load-balancer-type": "Internal".
Every Service of type LoadBalancer on AWS must carry the annotation service.beta.kubernetes.io/aws-load-balancer-internal: "true".
All external (cluster-external) IPs associated with the Service must belong to one of the internal CIDR ranges specified in the constraint.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
    - <string>
Examples
no-external
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
Allowed
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888

apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-type: Internal
  name: allowed-internal-load-balancer
  namespace: default
spec:
  type: LoadBalancer
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
no-external-aws
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS
Allowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer
Disallowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer
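The Service criteria above as a local check: the platform-specific internal annotation on LoadBalancer Services, and externalIPs confined to internalCIDRs. Added example, not the template's Rego; Istio Gateway and Ingress handling is left out, and treating an omitted cloudPlatform as GCP is this example's assumption, taken from the no-external constraint, which omits the parameter and accepts the GKE annotation.

```python
"""Local check mirroring K8sNoExternalServices for Kubernetes Services.

Added example, not the template's own Rego. Services only; Gateways and
Ingresses are out of scope here.
"""
import ipaddress

# Annotation each platform requires on a type: LoadBalancer Service, per the page.
INTERNAL_LB_ANNOTATION = {
    "GCP": ("networking.gke.io/load-balancer-type", "Internal"),
    "AWS": ("service.beta.kubernetes.io/aws-load-balancer-internal", "true"),
}


def check_service(svc, params):
    """Return violations for a Service; an empty list means allowed."""
    platform = params.get("cloudPlatform", "GCP")  # assumption: GCP when omitted
    cidrs = [ipaddress.ip_network(c) for c in params.get("internalCIDRs", [])]
    annotations = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    violations = []

    # A LoadBalancer Service is only allowed when it is marked internal the way
    # the hosting platform expects; a GKE annotation does not count on AWS.
    if spec.get("type") == "LoadBalancer":
        key, want = INTERNAL_LB_ANNOTATION[platform]
        if annotations.get(key) != want:
            violations.append(f"LoadBalancer Service needs annotation {key}: {want!r} on {platform}")

    # Every externalIP must sit inside one of the declared internal CIDRs.
    for raw in spec.get("externalIPs", []):
        ip = ipaddress.ip_address(raw)
        if not any(ip in net for net in cidrs):
            violations.append(f"externalIP {raw} is not inside internalCIDRs {params.get('internalCIDRs', [])}")
    return violations


def _svc(name, annotations=None, **spec):
    """Constructed Service manifest (namespace omitted for brevity)."""
    meta = {"name": name}
    if annotations:
        meta["annotations"] = annotations
    return {"apiVersion": "v1", "kind": "Service", "metadata": meta, "spec": spec}


# Parameters of the two example constraints on this page.
GCP_PARAMS = {"internalCIDRs": ["10.0.0.1/32"]}
AWS_PARAMS = {"cloudPlatform": "AWS"}

# The Services from this page's examples, rebuilt as dicts.
GOOD_SERVICE = _svc("good-service", externalIPs=["10.0.0.1"])
BAD_SERVICE = _svc("bad-service", externalIPs=["10.0.0.2"])
GOOD_GKE_LB = _svc("allowed-internal-load-balancer",
                   {"networking.gke.io/load-balancer-type": "Internal"}, type="LoadBalancer")
GOOD_AWS_LB = _svc("good-aws-service",
                   {"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}, type="LoadBalancer")
BAD_AWS_LB = _svc("bad-aws-service",
                  {"cloud.google.com/load-balancer-type": "Internal"}, type="LoadBalancer")

if __name__ == "__main__":
    cases = ((GOOD_SERVICE, GCP_PARAMS), (BAD_SERVICE, GCP_PARAMS), (GOOD_GKE_LB, GCP_PARAMS),
             (GOOD_AWS_LB, AWS_PARAMS), (BAD_AWS_LB, AWS_PARAMS))
    for svc, params in cases:
        print(svc["metadata"]["name"], "->", check_service(svc, params) or "allowed")
```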
K8sPSPAllowPrivilegeEscalationContainer
Allow Privilege Escalation in Container v1.0.1
Controls whether escalation to root privileges is restricted. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
psp-allow-privilege-escalation-container-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Allowed Users v1.0.2
Controls the user and group IDs of the container and of some volumes. Corresponds to the runAsUser, runAsGroup, supplementalGroups and fsGroup fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
      # <list item: object>: The range of group IDs affected by the rule.
      - # max <integer>: The maximum group ID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum group ID in the range, inclusive.
        min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
      # <list item: object>: The range of group IDs affected by the rule.
      - # max <integer>: The maximum group ID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum group ID in the range, inclusive.
        min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
      # <list item: object>: The range of user IDs affected by the rule.
      - # max <integer>: The maximum user ID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum user ID in the range, inclusive.
        min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
      # <list item: object>: The range of group IDs affected by the rule.
      - # max <integer>: The maximum group ID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum group ID in the range, inclusive.
        min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
Examples
psp-pods-allowed-user-ranges
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250
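The four ID fields and their rule strategies as a local check, including the case the page's examples do not show: a pod-level securityContext that is in range while a container-level one overrides it out of range. Added example, not the template's Rego; the strategy semantics (MustRunAs requires a value inside a range, MayRunAs allows an unset value, RunAsAny skips the check, MustRunAsNonRoot rejects UID 0 and an unset UID unless runAsNonRoot is true) are this example's assumption, taken from the PodSecurityPolicy strategies the template mirrors.

```python
"""Local check mirroring K8sPSPAllowedUsers for runAsUser, runAsGroup, fsGroup
and supplementalGroups (added example, not the template's own Rego).

Assumption: rule semantics follow the PodSecurityPolicy strategies the
template mirrors. Container-level securityContext overrides pod-level for
runAsUser/runAsGroup; fsGroup and supplementalGroups are pod-level only.
"""

CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def _check_id(field, value, policy, where, non_root=False):
    """Apply one strategy to one (possibly unset) ID. Returns a violation or None."""
    rule = policy.get("rule", "RunAsAny")
    ranges = policy.get("ranges", [])
    if rule == "RunAsAny":
        return None
    if rule == "MustRunAsNonRoot":
        if value == 0:
            return f"{field}=0 (root) on {where} under MustRunAsNonRoot"
        if value is None and not non_root:
            return f"{field} unset on {where} and runAsNonRoot is not true"
        return None
    if value is None:
        return None if rule == "MayRunAs" else f"{field} unset on {where} under MustRunAs"
    if not any(r["min"] <= value <= r["max"] for r in ranges):
        return f"{field}={value} on {where} is outside allowed ranges {ranges}"
    return None


def check_pod_users(pod, params):
    """Return violations for a Pod under the given constraint parameters."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    violations = []

    # fsGroup and supplementalGroups only exist at pod level.
    v = _check_id("fsGroup", pod_sc.get("fsGroup"), params.get("fsGroup", {}), "pod")
    if v:
        violations.append(v)
    groups = pod_sc.get("supplementalGroups") or [None]
    for g in groups:
        v = _check_id("supplementalGroups", g, params.get("supplementalGroups", {}), "pod")
        if v:
            violations.append(v)

    # runAsUser / runAsGroup: a container-level value overrides the pod-level one.
    for field in CONTAINER_LISTS:
        for c in spec.get(field, []):
            c_sc = c.get("securityContext") or {}
            non_root = c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            where = f"{field}/{c['name']}"
            for key in ("runAsUser", "runAsGroup"):
                value = c_sc.get(key, pod_sc.get(key))
                v = _check_id(key, value, params.get(key, {}), where, non_root)
                if v:
                    violations.append(v)
    return violations


def _pod(name, container_sc=None, pod_sc=None):
    """Constructed nginx Pod with optional container- and pod-level securityContext."""
    container = {"image": "nginx", "name": "nginx"}
    if container_sc:
        container["securityContext"] = container_sc
    spec = {"containers": [container]}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Parameters of the psp-pods-allowed-user-ranges constraint on this page.
RANGE = {"ranges": [{"min": 100, "max": 200}], "rule": "MustRunAs"}
PARAMS = {"fsGroup": RANGE, "runAsGroup": RANGE, "runAsUser": RANGE, "supplementalGroups": RANGE}

ALLOWED = _pod("nginx-users-allowed", {"runAsGroup": 199, "runAsUser": 199},
               {"fsGroup": 199, "supplementalGroups": [199]})
DISALLOWED = _pod("nginx-users-disallowed", {"runAsGroup": 250, "runAsUser": 250},
                  {"fsGroup": 250, "supplementalGroups": [250]})
# Pod-level values are all in range, but the container overrides runAsUser.
OVERRIDE = _pod("nginx-users-override", {"runAsUser": 250},
                {"runAsUser": 199, "runAsGroup": 199, "fsGroup": 199, "supplementalGroups": [199]})

if __name__ == "__main__":
    for p in (ALLOWED, DISALLOWED, OVERRIDE):
        print(p["metadata"]["name"], "->", check_pod_users(p, PARAMS) or "allowed")
```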
K8sPSPAppArmor
App Armor v1.0.0
Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
    - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
psp-apparmor
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
K8sPSPAutomountServiceAccountTokenPod
Automount Service Account Token for Pod v1.0.1
Controls the ability of any Pod to enable automountServiceAccountToken.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>
Examples
psp-automount-serviceaccount-token-pod
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx
K8sPSPCapabilities
Capabilities v1.0.2
Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
    - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
    - <string>
Examples
capabilities-demo
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability
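The check that K8sPSPCapabilities performs, re-implemented in Python as an added example (this is not the template's own Rego) and run over the opa-allowed / opa-disallowed pods above plus two constructed cases. The exemptImages entry, the case-insensitive comparison, the `*` wildcard in allowedCapabilities and the "dropping ALL satisfies every required drop" rule are assumptions of this example.

```python
"""Added example (not the template's own Rego): Python re-implementation of the
K8sPSPCapabilities check. Assumptions: capability names compare
case-insensitively, '*' in allowedCapabilities allows any added capability,
and dropping ALL satisfies every requiredDropCapabilities entry."""
from typing import Iterable, List

# Parameters of the capabilities-demo constraint above; the exemptImages
# entry is constructed for this example.
PARAMS = {
    "allowedCapabilities": ["something"],
    "requiredDropCapabilities": ["must_drop"],
    "exemptImages": ["registry.example.com/trusted/*"],
}


def is_exempt(image: str, exempt_images: Iterable[str]) -> bool:
    """An exemptImages entry matches exactly, or as a prefix when it ends in '*'."""
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False


def all_containers(pod: dict) -> Iterable[dict]:
    """Regular, init and ephemeral containers are all in scope of the check."""
    spec = pod.get("spec", {})
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key) or []


def check_capabilities(pod: dict, params: dict) -> List[str]:
    """Return one message per violation; an empty list means the pod is allowed."""
    allowed = {c.lower() for c in params.get("allowedCapabilities") or []}
    must_drop = {c.lower() for c in params.get("requiredDropCapabilities") or []}
    violations = []
    for c in all_containers(pod):
        if is_exempt(c.get("image", ""), params.get("exemptImages") or []):
            continue
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = {x.lower() for x in caps.get("add") or []}
        dropped = {x.lower() for x in caps.get("drop") or []}
        # Assumption: '*' in allowedCapabilities permits every added capability.
        extra = added - allowed
        if "*" not in allowed and extra:
            violations.append(
                f"container <{c.get('name')}> adds disallowed capabilities {sorted(extra)}")
        # Assumption: dropping ALL counts as dropping every required capability.
        missing = must_drop - dropped
        if missing and "all" not in dropped:
            violations.append(
                f"container <{c.get('name')}> does not drop required capabilities {sorted(missing)}")
    return violations


def container(name: str, image: str, add=None, drop=None) -> dict:
    """Build a minimal container spec (constructed sample data)."""
    return {"name": name, "image": image,
            "securityContext": {"capabilities": {"add": add or [], "drop": drop or []}}}


# Sample pods modelled on the page's opa-allowed / opa-disallowed examples,
# plus two constructed cases for the image exemption and the ALL shorthand.
SAMPLE_PODS = {
    "opa-allowed": {"spec": {"containers": [
        container("opa", "openpolicyagent/opa:0.9.2",
                  add=["something"], drop=["must_drop", "another_one"])]}},
    "opa-disallowed": {"spec": {"containers": [
        container("opa", "openpolicyagent/opa:0.9.2", add=["disallowedcapability"])]}},
    "opa-disallowed-ephemeral": {"spec": {"containers": [], "ephemeralContainers": [
        container("opa", "openpolicyagent/opa:0.9.2", add=["disallowedcapability"])]}},
    "exempt-image": {"spec": {"containers": [
        container("tool", "registry.example.com/trusted/tool:1", add=["NET_ADMIN"])]}},
    "drops-all": {"spec": {"containers": [
        container("web", "nginx", drop=["ALL"])]}},
}


def evaluate_samples(params: dict = PARAMS) -> dict:
    """Map each sample pod name to its number of violations."""
    return {name: len(check_capabilities(pod, params)) for name, pod in SAMPLE_PODS.items()}


if __name__ == "__main__":
    for name, pod in SAMPLE_PODS.items():
        print(name, check_capabilities(pod, PARAMS) or "allowed")
```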
K8sPSPFSGroup
FS Group v1.0.2
Controls the allocation of an FSGroup that owns the pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
    - # max <integer>: The maximum GID in the range, inclusive.
      max: <integer>
      # min <integer>: The minimum GID in the range, inclusive.
      min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>
Examples
psp-fsgroup
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
K8sPSPFlexVolumes
FlexVolumes v1.0.1
Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
    - # driver <string>: The name of the FlexVolume driver.
      driver: <string>
Examples
psp-flexvolume-drivers
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume
K8sPSPForbiddenSysctls
Forbidden Sysctls v1.1.3
Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not listed in the allowedSysctls parameter is considered forbidden. The forbiddenSysctls parameter takes precedence over the allowedSysctls parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
    - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
    - <string>
Examples
psp-forbidden-sysctls
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"
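The precedence rules above (forbiddenSysctls wins over allowedSysctls, `*` and `prefix.*` patterns), re-implemented in Python as an added example that is not the template's own Rego, run over the two pods above and three constructed cases. Treating a constraint that omits allowedSysctls entirely as "no allow-list restriction" is an assumption of this example.

```python
"""Added example (not the template's own Rego): Python re-implementation of the
K8sPSPForbiddenSysctls precedence rules. Assumption: when the constraint sets
no allowedSysctls at all, only forbiddenSysctls is enforced."""
from typing import List, Optional


def sysctl_matches(name: str, pattern: str) -> bool:
    """'*' matches everything; 'kernel.*' matches by prefix; otherwise exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def check_sysctls(pod: dict, params: dict) -> List[str]:
    """One message per offending sysctl; forbiddenSysctls takes precedence."""
    allowed: Optional[list] = params.get("allowedSysctls")
    forbidden = params.get("forbiddenSysctls") or []
    # sysctls live in the pod-level securityContext, not the container's.
    sysctls = (pod.get("spec", {}).get("securityContext") or {}).get("sysctls") or []
    violations = []
    for entry in sysctls:
        name = entry["name"]
        if any(sysctl_matches(name, p) for p in forbidden):
            violations.append(f"sysctl {name} is explicitly forbidden")
        elif allowed is not None and not any(sysctl_matches(name, p) for p in allowed):
            violations.append(f"sysctl {name} is not in the allowedSysctls list")
    return violations


def pod_with_sysctls(*names: str) -> dict:
    """Constructed pod whose pod-level securityContext sets the given sysctls."""
    return {"spec": {"containers": [{"name": "nginx", "image": "nginx"}],
                     "securityContext": {"sysctls": [{"name": n, "value": "1"} for n in names]}}}


# The psp-forbidden-sysctls constraint above: everything allowed except kernel.*
PAGE_PARAMS = {"allowedSysctls": ["*"], "forbiddenSysctls": ["kernel.*"]}
# Constructed: an explicit allow-list that a forbidden prefix still overrides.
STRICT_PARAMS = {"allowedSysctls": ["net.core.somaxconn", "kernel.shm_rmid_forced"],
                 "forbiddenSysctls": ["kernel.*"]}


def evaluate_samples() -> dict:
    """Violation counts for the page's two pods and three constructed cases."""
    return {
        "page-allowed": len(check_sysctls(pod_with_sysctls("net.core.somaxconn"), PAGE_PARAMS)),
        "page-disallowed": len(check_sysctls(
            pod_with_sysctls("kernel.msgmax", "net.core.somaxconn"), PAGE_PARAMS)),
        # kernel.shm_rmid_forced is allow-listed, but forbiddenSysctls takes precedence.
        "strict-precedence": len(check_sysctls(
            pod_with_sysctls("kernel.shm_rmid_forced"), STRICT_PARAMS)),
        # net.ipv4.ip_forward is neither forbidden nor allow-listed under STRICT_PARAMS.
        "strict-unlisted": len(check_sysctls(pod_with_sysctls("net.ipv4.ip_forward"), STRICT_PARAMS)),
        # '*' in forbiddenSysctls blocks every sysctl, whatever the allow-list says.
        "forbid-all": len(check_sysctls(pod_with_sysctls("net.core.somaxconn"),
                                        {"allowedSysctls": ["*"], "forbiddenSysctls": ["*"]})),
    }


if __name__ == "__main__":
    for case, count in evaluate_samples().items():
        print(case, "allowed" if count == 0 else f"{count} violation(s)")
```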
K8sPSPHostFilesystem
Host Filesystem v1.0.2
Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
    - # pathPrefix <string>: The path prefix that the host volume must
      # match.
      pathPrefix: <string>
      # readOnly <boolean>: when set to true, any container volumeMounts
      # matching the pathPrefix must include `readOnly: true`.
      readOnly: <boolean>
Examples
psp-host-filesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
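The pathPrefix and readOnly rules above, re-implemented in Python as an added example (not the template's own Rego) and run over the nginx-host-filesystem pods plus two constructed edge cases: a writable mount under an allowed read-only prefix, and the /foobar path that a naive string prefix would wrongly accept. Treating an empty allowedHostPaths list as "no hostPath allowed" is an assumption of this example.

```python
"""Added example (not the template's own Rego): Python re-implementation of the
K8sPSPHostFilesystem check, including the readOnly rule for volumeMounts.
Assumption: with no allowedHostPaths entries, every hostPath volume is a violation."""
from typing import Iterable, List


def path_components(path: str) -> List[str]:
    """Split on '/', treating '/' itself as the empty prefix (it matches everything)."""
    return [] if path == "/" else path.strip("/").split("/")


def path_matches(prefix: str, path: str) -> bool:
    """Component-wise prefix: /foo matches /foo and /foo/bar, not /foobar or /etc/foo."""
    want = path_components(prefix)
    return path_components(path)[: len(want)] == want


def all_containers(pod: dict) -> Iterable[dict]:
    """Regular, init and ephemeral containers are all in scope of the check."""
    spec = pod.get("spec", {})
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key) or []


def writable_mounts(pod: dict, volume_name: str) -> List[str]:
    """Names of containers that mount the volume without readOnly: true."""
    return [c.get("name") for c in all_containers(pod)
            for m in (c.get("volumeMounts") or [])
            if m.get("name") == volume_name and not m.get("readOnly", False)]


def check_host_paths(pod: dict, params: dict) -> List[str]:
    """One message per hostPath volume that no allowedHostPaths entry permits."""
    allowed = params.get("allowedHostPaths") or []
    violations = []
    for vol in pod.get("spec", {}).get("volumes") or []:
        if "hostPath" not in vol:
            continue
        path = vol["hostPath"].get("path", "")
        permitted = False
        for entry in allowed:
            if not path_matches(entry["pathPrefix"], path):
                continue
            # A readOnly entry only permits the volume if every mount of it is read-only.
            if entry.get("readOnly") and writable_mounts(pod, vol["name"]):
                continue
            permitted = True
            break
        if not permitted:
            violations.append(
                f"hostPath volume {vol['name']} ({path}) is not allowed by {allowed}")
    return violations


def host_path_pod(path: str, read_only: bool, ephemeral: bool = False) -> dict:
    """Constructed pod mirroring the nginx-host-filesystem examples above."""
    ctr = {"name": "nginx", "image": "nginx",
           "volumeMounts": [{"mountPath": "/cache", "name": "cache-volume", "readOnly": read_only}]}
    key = "ephemeralContainers" if ephemeral else "containers"
    return {"spec": {key: [ctr],
                     "volumes": [{"name": "cache-volume", "hostPath": {"path": path}}]}}


# The psp-host-filesystem constraint above: only /foo, and read-only.
PAGE_PARAMS = {"allowedHostPaths": [{"pathPrefix": "/foo", "readOnly": True}]}


def evaluate_samples() -> dict:
    """Violation counts for the page's pods plus two constructed edge cases."""
    return {
        "foo-bar-readonly": len(check_host_paths(host_path_pod("/foo/bar", True), PAGE_PARAMS)),
        "tmp-readonly": len(check_host_paths(host_path_pod("/tmp", True), PAGE_PARAMS)),
        "tmp-ephemeral": len(check_host_paths(host_path_pod("/tmp", True, ephemeral=True), PAGE_PARAMS)),
        # Same allowed prefix, but mounted writable: the readOnly rule rejects it.
        "foo-bar-writable": len(check_host_paths(host_path_pod("/foo/bar", False), PAGE_PARAMS)),
        # A string prefix would accept /foobar; the component prefix correctly does not.
        "foobar-readonly": len(check_host_paths(host_path_pod("/foobar", True), PAGE_PARAMS)),
    }


if __name__ == "__main__":
    for case, count in evaluate_samples().items():
        print(case, "allowed" if count == 0 else f"{count} violation(s)")
```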
K8sPSPHostNamespace
Host Namespace v1.0.1
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>
Examples
psp-host-namespace-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true
K8sPSPHostNetworkingPorts
Host Networking Ports v1.0.2
Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>
Examples
psp-host-network-ports-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true
K8sPSPPrivilegedContainer
Privileged Container v1.0.1
Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
psp-privileged-container-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
K8sPSPProcMount
Proc Mount v1.0.3
Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>
Examples
psp-proc-mount
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Read Only Root Filesystem v1.0.1
Requires the use of a read-only root filesystem by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
psp-readonlyrootfilesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false
K8sPSPSELinuxV2
SELinux V2 v1.0.3
Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configs. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
    # <list item: object>: An allowed configuration of SELinux options for a
    # pod container.
    - # level <string>: An SELinux level.
      level: <string>
      # role <string>: An SELinux role.
      role: <string>
      # type <string>: An SELinux type.
      type: <string>
      # user <string>: An SELinux user.
      user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
psp-selinux-v2
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u
K8sPSPSeccomp
Seccomp v1.0.1
Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allows all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
    - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
    - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
Examples
psp-seccomp
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
K8sPSPVolumeTypes
Volume Types v1.0.2
Restricts mountable volume types to those specified by the user. Corresponds to the volumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
    - <string>
Examples
psp-volume-types
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol
K8sPSPWindowsHostProcess
Restricts the use of Windows HostProcess containers or pods v1.0.0
Restricts the running of Windows HostProcess containers or pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
restrict-windows-hostprocess
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM
K8sPSSRunAsNonRoot
Requires containers to run as non-root users v1.0.0
Requires containers to run as non-root users. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-standards/
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
restrict-runasnonroot
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: restrict-runasnonroot
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
  - image: nginx
    name: nginx-allowed
    securityContext:
      runAsNonRoot: true
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: false

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
K8sPodDisruptionBudget
Pod Disruption Budget v1.0.3
Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (for example Deployment, ReplicationController, ReplicaSet, StatefulSet):
1. Deploying PodDisruptionBudgets with .spec.maxUnavailable == 0
2. Deploying PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with the replica subresource
This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node drains.
Constraint Schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Referential Constraint
This constraint is referential. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.
The Policy Controller Config requires a syncOnly entry similar to the following:
spec:
  sync:
    syncOnly:
    - group: "policy"
      version: "v1"
      kind: "PodDisruptionBudget"
Examples
pod-distruption-budget
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
Allowed
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3
Disallowed
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
K8sPodResourcesBestPractices
Requires containers to not be Best-effort and to follow Burstable best practices v1.0.5
Requires containers to not be best-effort (by setting CPU and memory requests) and to follow memory best practices (the memory request must exactly equal the memory limit). Annotation keys can also be configured so that individual validations can be skipped.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
    - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>
Examples
gke-pod-resources-best-practices
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi
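The rules above (CPU and memory requests required, memory request equal to the memory limit, annotation keys that skip a check) as an added Python model that can be run against the sample pods; this is not Policy Controller's own Rego. It assumes that a missing request defaults to the limit, which is why the limits-only pods are allowed, and it compares quantities as strings.

```python
"""Added example (not Policy Controller's Rego): the K8sPodResourcesBestPractices
checks as Python, run over pods shaped like the page's samples."""
from typing import Dict, List, Optional, Tuple

# Annotation keys from the page's gke-pod-resources-best-practices constraint.
PARAMS = {
    "skipBestEffortValidationAnnotationKey": "skip_besteffort_validation",
    "skipBurstableValidationAnnotationKey": "skip_burstable_validation",
    "skipResourcesBestPracticesValidationAnnotationKey":
        "skip_resources_best_practices_validation",
}


def container_findings(c: dict) -> Tuple[Optional[str], Optional[str]]:
    """Return (best_effort_msg, burstable_msg) for one container; None means ok."""
    res = c.get("resources") or {}
    requests = res.get("requests") or {}
    limits = res.get("limits") or {}
    # Assumption: a missing request defaults to the limit, as the kubelet does.
    cpu_req = requests.get("cpu", limits.get("cpu"))
    mem_req = requests.get("memory", limits.get("memory"))
    mem_limit = limits.get("memory")
    best_effort = None
    if cpu_req is None or mem_req is None:
        best_effort = f"container {c['name']} is best-effort: set cpu and memory requests"
    burstable = None
    # String comparison is a simplification: "1Gi" and "1024Mi" are equal to
    # Kubernetes but would be reported as different here.
    if mem_limit is None or mem_req != mem_limit:
        burstable = f"container {c['name']}: memory request must equal memory limit"
    return best_effort, burstable


def check_pod(pod_obj: dict, params: Dict[str, str] = PARAMS) -> List[str]:
    """Return the violations this constraint would report for a Pod."""
    ann = (pod_obj.get("metadata") or {}).get("annotations") or {}

    def skipped(param: str) -> bool:
        # Only the literal string "true" disables a check.
        return ann.get(params[param], "") == "true"

    skip_all = skipped("skipResourcesBestPracticesValidationAnnotationKey")
    skip_be = skip_all or skipped("skipBestEffortValidationAnnotationKey")
    skip_bu = skip_all or skipped("skipBurstableValidationAnnotationKey")
    violations: List[str] = []
    for c in pod_obj["spec"].get("containers", []):
        be, bu = container_findings(c)
        if be and not skip_be:
            violations.append(be)
        if bu and not skip_bu:
            violations.append(bu)
    return violations


def pod(name: str, limits=None, requests=None, annotations=None) -> dict:
    """Build a single-container nginx Pod like the page's samples (sample data)."""
    resources = {}
    if limits:
        resources["limits"] = limits
    if requests:
        resources["requests"] = requests
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": name, "annotations": annotations or {}},
        "spec": {"containers": [{"image": "nginx", "name": "nginx",
                                 "resources": resources}]},
    }


# A subset of the page's allowed and disallowed pods, re-typed as dicts.
ALLOWED = [
    pod("pod-setting-cpu-requests-memory-limits", {"memory": "500Mi"}, {"cpu": "250m"}),
    pod("pod-setting-limits-only", {"cpu": "250m", "memory": "100Mi"}),
    pod("pod-setting-requests-memory-limits", {"memory": "100Mi"},
        {"cpu": "250m", "memory": "100Mi"}),
    pod("pod-skip-validation", annotations={
        "skip_besteffort_validation": "true",
        "skip_burstable_validation": "true",
        "skip_resources_best_practices_validation": "false"}),
]
DISALLOWED = [
    pod("pod-not-setting-cpu-burstable-on-memory", {"memory": "500Mi"}, {"memory": "100Mi"}),
    pod("pod-not-setting-requests"),
    pod("pod-setting-cpu-not-burstable-on-memory", {"memory": "500Mi"},
        {"cpu": "250m", "memory": "100Mi"}),
    pod("pod-setting-memory-requests-cpu-limits", {"cpu": "30m"}, {"memory": "100Mi"}),
    pod("pod-setting-only-cpu-limits", {"cpu": "250m"}),
    pod("pod-setting-only-memory", {"memory": "100Mi"}, {"memory": "100Mi"}),
]

if __name__ == "__main__":
    for p in ALLOWED + DISALLOWED:
        print(p["metadata"]["name"], check_pod(p) or "ok")
```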
K8sPodsRequireSecurityContext
Pods Require Security Context v1.1.1
Requires Pods to define a securityContext. Every container defined in a Pod must have a SecurityContext, either at the Pod level or at the container level.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
    - <string>
Examples
pods-require-security-context-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx
K8sProhibitRoleWildcardAccess
Prohibit Role Wildcard Access v1.0.5
Roles and ClusterRoles cannot set resource access to the wildcard value "*", except for Roles and ClusterRoles that are exempted. Does not restrict wildcard access to subresources, such as "*/status".
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set resource access to a wildcard.
    exemptions:
      clusterRoles:
      - # name <string>: The name of the ClusterRole to be exempted.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression
        # based match on the name.
        regexMatch: <boolean>
      roles:
      - # name <string>: The name of the Role to be exempted.
        name: <string>
        # namespace <string>: The namespace of the Role to be exempted.
        namespace: <string>
Examples
prohibit-role-wildcard-access-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
prohibit-wildcard-except-exempted-cluster-role
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
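The wildcard rule and its exemptions as an added Python model, not the library's Rego. It assumes a rule is flagged when "*" appears in its resources or verbs list, leaves subresource wildcards like "*/status" alone as the description says, and adds a constructed regexMatch exemption ("system:.*") that the page's sample does not have.

```python
"""Added example (not Policy Controller's Rego): K8sProhibitRoleWildcardAccess
as Python, with the exemptions parameter (clusterRoles with optional
regexMatch, roles by name and namespace)."""
import re
from typing import List


def is_exempt(obj: dict, exemptions: dict) -> bool:
    """Match obj against the constraint's exemptions.clusterRoles / roles."""
    name = obj["metadata"]["name"]
    if obj["kind"] == "ClusterRole":
        for ex in exemptions.get("clusterRoles", []):
            if ex.get("regexMatch"):
                # Assumption: anchored match, so "system:.*" cannot exempt "my-system:foo".
                if re.fullmatch(ex["name"], name):
                    return True
            elif ex["name"] == name:
                return True
    elif obj["kind"] == "Role":
        ns = obj["metadata"].get("namespace")
        for ex in exemptions.get("roles", []):
            if ex["name"] == name and ex["namespace"] == ns:
                return True
    return False


def wildcard_violations(obj: dict, exemptions: dict = None) -> List[str]:
    """Return one message per rule that grants wildcard resource access."""
    if is_exempt(obj, exemptions or {}):
        return []
    found = []
    for i, rule in enumerate(obj.get("rules", [])):
        for field in ("resources", "verbs"):
            # Exact "*" only: "*/status" is a subresource wildcard and is not
            # restricted by this template.
            if "*" in (rule.get(field) or []):
                found.append(f"{obj['kind']} {obj['metadata']['name']} rule {i}: "
                             f"wildcard in {field}")
    return found


def role(kind: str, name: str, verbs: List[str], resources=("pods",),
         namespace: str = None) -> dict:
    """Build a Role or ClusterRole like the page's samples (sample data)."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": meta,
            "rules": [{"apiGroups": [""], "resources": list(resources),
                       "verbs": verbs}]}


# Exemptions from the page's prohibit-wildcard-except-exempted-cluster-role
# constraint, plus a constructed regexMatch entry to show anchored matching.
EXEMPTIONS = {
    "clusterRoles": [{"name": "cluster-role-allowed-example"},
                     {"name": "system:.*", "regexMatch": True}],
    "roles": [{"name": "role-allowed-example",
               "namespace": "role-ns-allowed-example"}],
}

if __name__ == "__main__":
    for obj in (role("ClusterRole", "cluster-role-example", ["get"]),
                role("ClusterRole", "cluster-role-bad-example", ["*"]),
                role("ClusterRole", "cluster-role-allowed-example", ["*"]),
                role("Role", "role-not-allowed-example", ["*"],
                     namespace="role-ns-not-allowed-example")):
        print(obj["metadata"]["name"], wildcard_violations(obj, EXEMPTIONS) or "ok")
```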
K8sReplicaLimits
Replica Limits v1.0.2
Requires objects with the spec.replicas field (Deployments, ReplicaSets, etc.) to specify a number of replicas within defined ranges.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas. Values are
    # inclusive.
    ranges:
    # <list item: object>: A range of allowed replicas. Values are
    # inclusive.
    - # max_replicas <integer>: The maximum number of replicas allowed,
      # inclusive.
      max_replicas: <integer>
      # min_replicas <integer>: The minimum number of replicas allowed,
      # inclusive.
      min_replicas: <integer>
Examples
replica-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3
Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Disallowed
apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
K8sRequireAdmissionController
Require Admission Controller v1.0.0
Requires Pod Security Admission or an external policy control system.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks which are valid external policy control systems
    permittedValidatingWebhooks:
    - <string>
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config will require a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "admissionregistration.k8s.io"
      version: "v1" OR "v1beta1"
      kind: "ValidatingWebhookConfiguration"
Examples
require-admission-controller
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: require-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
Allowed
apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.28
  name: allowed-namespace
Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace
K8sRequireBinAuthZ
Require Binary Authorization v1.0.2
Requires the Binary Authorization Validating Admission Webhook. Constraints that use this ConstraintTemplate are audit-only, regardless of the value of enforcementAction.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config will require a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "admissionregistration.k8s.io"
      version: "v1" OR "v1beta1"
      kind: "ValidatingWebhookConfiguration"
Examples
require-binauthz
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None
Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: default
K8sRequireCosNodeImage
Require COS Node Image v1.1.1
Enforces the use of Container-Optimized OS from Google on nodes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
    - <string>
Examples
nodes-have-consistent-time
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*
Allowed
apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian
apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS
Disallowed
apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0
K8sRequireDaemonsets
Require Daemonsets v1.1.2
Requires the presence of the specified list of daemonsets.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
    - # name <string>: The name of the required daemonset.
      name: <string>
      # namespace <string>: The namespace for the required daemonset.
      namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config will require a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "extensions"
      version: "v1beta1"
      kind: "DaemonSet"
    OR
    - group: "apps"
      version: "v1beta2" OR "v1"
      kind: "DaemonSet"
Examples
require-daemonset
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs
Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"
K8sRequireDefaultDenyEgressPolicy
Require Default Deny Egress Policy v1.0.3
Requires that every namespace defined in the cluster has a default-deny NetworkPolicy for egress.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config will require a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "extensions"
      version: "v1beta1"
      kind: "NetworkPolicy"
    OR
    - group: "networking.k8s.io"
      version: "v1"
      kind: "NetworkPolicy"
Examples
require-default-deny-network-policies
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
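How the referential check above works once NetworkPolicy objects are synced, as an added Python model rather than Policy Controller code: each Namespace is checked against the inventory for a policy in that namespace with an empty podSelector and Egress in policyTypes (the test for "default-deny egress" is assumed to be exactly that pair, as in the allowed sample). The second disallowed case, a policy in a different namespace, and two constructed near-misses are included.

```python
"""Added example (not Policy Controller's Rego): the referential
K8sRequireDefaultDenyEgressPolicy check over a synced inventory."""
from typing import Dict, List


def is_default_deny_egress(np: dict) -> bool:
    """True for a NetworkPolicy that selects every pod and governs Egress."""
    spec = np.get("spec") or {}
    selects_all = spec.get("podSelector") == {}   # an empty selector matches all pods
    return selects_all and "Egress" in (spec.get("policyTypes") or [])


def namespace_violations(namespaces: List[dict], inventory: List[dict]) -> Dict[str, str]:
    """Map each namespace lacking a default-deny egress policy to a message."""
    # Index synced NetworkPolicies by namespace, like the constraint's inventory.
    by_ns: Dict[str, List[dict]] = {}
    for obj in inventory:
        if obj.get("kind") == "NetworkPolicy":
            by_ns.setdefault(obj["metadata"]["namespace"], []).append(obj)
    out = {}
    for ns in namespaces:
        name = ns["metadata"]["name"]
        if not any(is_default_deny_egress(p) for p in by_ns.get(name, [])):
            out[name] = f"namespace {name} has no default-deny egress NetworkPolicy"
    return out


def namespace(name: str) -> dict:
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": name}}


def network_policy(name: str, ns: str, pod_selector: dict,
                   policy_types: List[str]) -> dict:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"podSelector": pod_selector, "policyTypes": policy_types}}


# Sample inventory: the page's default-deny-egress policy in example-namespace,
# plus two constructed near-misses that must not count as default-deny egress.
INVENTORY = [
    network_policy("default-deny-egress", "example-namespace", {}, ["Egress"]),
    network_policy("deny-ingress-only", "example-namespace2", {}, ["Ingress"]),
    network_policy("deny-egress-db-only", "example-namespace3",
                   {"matchLabels": {"role": "db"}}, ["Egress"]),
]

if __name__ == "__main__":
    nss = [namespace(n) for n in ("example-namespace", "example-namespace2",
                                   "example-namespace3")]
    for msg in namespace_violations(nss, INVENTORY).values():
        print(msg)
```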
K8sRequireNamespaceNetworkPolicies
Require Namespace Network Policies v1.0.6
Requires that every namespace defined in the cluster has a NetworkPolicy.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to track.
The Policy Controller Config will require a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "extensions"
      version: "v1beta1"
      kind: "NetworkPolicy"
    OR
    - group: "networking.k8s.io"
      version: "v1"
      kind: "NetworkPolicy"
Examples
require-namespace-network-policies-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example
Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Require Valid Ranges for Networks v1.0.2
Defines which CIDR blocks are allowed for network ingress and egress.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
    - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
    - <string>
Examples
require-valid-network-ranges
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24
Allowed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
Disallowed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
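The CIDR containment check behind the two samples above, as an added Python model using the standard ipaddress module (not the library's Rego). It assumes that every ipBlock.cidr under spec.egress[].to must be a subnet of an allowedEgress entry and every one under spec.ingress[].from a subnet of an allowedIngress entry, that host bits in a cidr are masked off (the allowed sample uses 10.0.0.100/29), and that an unparsable cidr counts as a violation.

```python
"""Added example (not Policy Controller's Rego): K8sRequireValidRangesForNetworks
as Python, run over policies shaped like the page's samples."""
import ipaddress
from typing import List

# The page's require-valid-network-ranges parameters.
PARAMS = {"allowedEgress": ["10.0.0.0/32"], "allowedIngress": ["10.0.0.0/24"]}


def _network(cidr: str):
    # strict=False: "10.0.0.100/29" becomes 10.0.0.96/29 instead of raising.
    return ipaddress.ip_network(cidr, strict=False)


def cidr_allowed(cidr: str, allowed: List[str]) -> bool:
    """True if cidr is a subnet of (or equal to) at least one allowed range."""
    try:
        net = _network(cidr)
    except ValueError:
        return False  # fail closed on a malformed cidr
    for a in allowed:
        rng = _network(a)
        # subnet_of raises on mixed IPv4/IPv6, so compare versions first.
        if rng.version == net.version and net.subnet_of(rng):
            return True
    return False


def _ip_blocks(rules, peer_key: str) -> List[str]:
    """Collect ipBlock.cidr values from egress 'to' or ingress 'from' peers."""
    cidrs = []
    for rule in rules or []:
        for peer in rule.get(peer_key) or []:
            block = peer.get("ipBlock")
            if block and "cidr" in block:
                cidrs.append(block["cidr"])
    return cidrs


def network_policy_violations(np: dict, params: dict = PARAMS) -> List[str]:
    """Return one message per ipBlock that falls outside the allowed ranges."""
    spec = np.get("spec") or {}
    name = np["metadata"]["name"]
    out = []
    for cidr in _ip_blocks(spec.get("egress"), "to"):
        if not cidr_allowed(cidr, params["allowedEgress"]):
            out.append(f"{name}: egress cidr {cidr} not in {params['allowedEgress']}")
    for cidr in _ip_blocks(spec.get("ingress"), "from"):
        if not cidr_allowed(cidr, params["allowedIngress"]):
            out.append(f"{name}: ingress cidr {cidr} not in {params['allowedIngress']}")
    return out


def policy(name: str, egress_cidrs: List[str], ingress_cidrs: List[str]) -> dict:
    """Build a NetworkPolicy shaped like the page's samples (sample data)."""
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": "default"},
        "spec": {
            "egress": [{"to": [{"ipBlock": {"cidr": c}} for c in egress_cidrs]}],
            "ingress": [{"from": [{"ipBlock": {"cidr": c}} for c in ingress_cidrs]
                         + [{"namespaceSelector": {"matchLabels": {"project": "myproject"}}}]}],
            "podSelector": {"matchLabels": {"role": "db"}},
            "policyTypes": ["Ingress", "Egress"],
        },
    }


# The page's allowed and disallowed policies, reduced to their ipBlocks.
ALLOWED = policy("test-network-policy", ["10.0.0.0/32"],
                 ["10.0.0.0/29", "10.0.0.100/29"])
DISALLOWED = policy("test-network-policy-disallowed", ["1.1.2.0/31"],
                    ["1.1.2.0/24", "2.1.2.0/24"])

if __name__ == "__main__":
    for np in (ALLOWED, DISALLOWED):
        print(np["metadata"]["name"], network_policy_violations(np) or "ok")
```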
K8sRequiredAnnotations
Required Annotations v1.0.1
Requires resources to contain specified annotations, with values matching the provided regular expressions.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
    - # allowedRegex <string>: If specified, a regular expression the
      # annotation's value must match. The value must contain at least one
      # match for the regular expression.
      allowedRegex: <string>
      # key <string>: The required annotation.
      key: <string>
    message: <string>
Examples
all-must-have-certain-set-of-annotations
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Allowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
K8sRequiredLabels
Required Labels v1.0.1
Requires resources to contain specified labels, with values matching the provided regular expressions.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
    - # allowedRegex <string>: If specified, a regular expression the
      # label's value must match. The value must contain at least one
      # match for the regular expression.
      allowedRegex: <string>
      # key <string>: The required label.
      key: <string>
    message: <string>
Examples
all-must-have-owner
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company username
Allowed
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace
Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace
K8sRequiredProbes
Required Probes v1.0.1
Requires Pods to have readiness and/or liveness probes.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
    - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
    - <string>
Examples
must-have-probes
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
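The probes and probeTypes semantics from the schema, as an added Python model (not the library's Rego): every container must carry each probe named in probes, and that probe must set at least one field from probeTypes, so timing fields alone do not satisfy it. The grpc-only pod is constructed to show a probe whose type is outside the sample's list.

```python
"""Added example (not Policy Controller's Rego): K8sRequiredProbes as Python,
run over pods shaped like the page's must-have-probes samples."""
from typing import List

# The page's must-have-probes parameters.
PARAMS = {"probeTypes": ["tcpSocket", "httpGet", "exec"],
          "probes": ["readinessProbe", "livenessProbe"]}


def probe_violations(pod_obj: dict, params: dict = PARAMS) -> List[str]:
    """Return one message per missing or wrongly typed probe per container."""
    out = []
    for c in pod_obj["spec"].get("containers", []):
        for probe_name in params["probes"]:
            probe = c.get(probe_name)
            if probe is None:
                out.append(f"container {c['name']} has no {probe_name}")
                continue
            # Only a handler field counts as a type; initialDelaySeconds etc. do not.
            if not any(t in probe for t in params["probeTypes"]):
                out.append(f"container {c['name']}: {probe_name} must use one of "
                           f"{params['probeTypes']}")
    return out


def container(name: str, **probes) -> dict:
    """Build a container like the page's samples; probes are keyword args (sample data)."""
    c = {"image": name, "name": name}
    for probe_name, handler in probes.items():
        c[probe_name] = {"initialDelaySeconds": 5, "periodSeconds": 10, **handler}
    return c


def pod(name: str, *containers: dict) -> dict:
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": list(containers)}}


TCP_8080 = {"tcpSocket": {"port": 8080}}
TCP_80 = {"tcpSocket": {"port": 80}}

# The page's allowed pod: tomcat with both probes over tcpSocket.
ALLOWED = pod("test-pod1", container("tomcat", livenessProbe=TCP_80, readinessProbe=TCP_8080))
# The page's disallowed test-pod2: nginx-1 lacks readiness, tomcat lacks liveness.
DISALLOWED = pod("test-pod2", container("nginx-1", livenessProbe=TCP_80),
                 container("tomcat", readinessProbe=TCP_8080))
# Constructed: both probes present, but the liveness probe uses a type (grpc)
# that is not in the constraint's probeTypes list.
WRONG_TYPE = pod("grpc-pod", container("svc", livenessProbe={"grpc": {"port": 9000}},
                                       readinessProbe=TCP_8080))

if __name__ == "__main__":
    for p in (ALLOWED, DISALLOWED, WRONG_TYPE):
        print(p["metadata"]["name"], probe_violations(p) or "ok")
```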
K8sRequiredResources
Required Resources v1.0.1
Requires containers to have resources defined. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
    - <string>
    # limits <array>: A list of limits that should be enforced (`cpu`,
    # `memory`, or both).
    limits:
    # Allowed Values: cpu, memory
    - <string>
    # requests <array>: A list of requests that should be enforced (`cpu`,
    # `memory`, or both).
    requests:
    # Allowed Values: cpu, memory
    - <string>
Examples
container-must-have-limits-and-requests
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
no-enforcements
מגבלה
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: no-enforcements spec: match: kinds: - apiGroups: - "" kinds: - Pod
מותר
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
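To make the three K8sRequiredResources constraints above concrete, here is an added Python model of the check (it is not the template's own Rego and is not part of this page). It assumes that only `spec.containers` are inspected, that an `exemptImages` entry ending in `*` is a prefix match and any other entry is an exact match, and it evaluates constructed Pods shaped like the page's `opa` samples against each of the three constraints.

```python
# Added illustration of the K8sRequiredResources check, not the template's Rego.
# Assumptions: only spec.containers are inspected; an exemptImages entry ending
# in `*` is a prefix match, otherwise the image name must match exactly.


def image_exempt(image: str, exempt_images: list) -> bool:
    """True if the image matches an exemptImages entry (exact or `prefix*`)."""
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False


def required_resources_violations(pod: dict, params: dict) -> list:
    """One message per missing limit/request, limits first, in container order."""
    exempt = params.get("exemptImages", [])
    checks = (("limits", params.get("limits", [])),
              ("requests", params.get("requests", [])))
    messages = []
    for container in pod["spec"].get("containers", []):
        if image_exempt(container.get("image", ""), exempt):
            continue
        resources = container.get("resources") or {}
        for section, names in checks:
            declared = resources.get(section) or {}
            for name in names:
                if name not in declared:
                    messages.append(
                        f"container <{container['name']}> has no {section} {name}")
    return messages


def opa_pod(name: str, resources: dict) -> dict:
    """Constructed sample Pod shaped like the page's opa examples."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "labels": {"owner": "me.agilebank.demo"}},
        "spec": {"containers": [{
            "name": "opa",
            "image": "openpolicyagent/opa:0.9.2",
            "args": ["run", "--server", "--addr=localhost:8080"],
            "resources": resources,
        }]},
    }


# The parameters of the three constraints shown on the page.
CONSTRAINTS = {
    "limits-and-requests": {"limits": ["cpu", "memory"], "requests": ["cpu", "memory"]},
    "cpu-req-mem-both": {"limits": ["memory"], "requests": ["cpu", "memory"]},
    "no-enforcement": {},
}

# The resource stanzas of the page's sample Pods (labels are ours).
SAMPLE_RESOURCES = {
    "full": {"limits": {"cpu": "100m", "memory": "1Gi"},
             "requests": {"cpu": "100m", "memory": "1Gi"}},
    "requests-only": {"requests": {"cpu": "100m", "memory": "2Gi"}},
    "mem-limit-cpu-req": {"limits": {"memory": "2Gi"}, "requests": {"cpu": "100m"}},
    "mem-limit-only": {"limits": {"memory": "2Gi"}},
    "mem-limit-full-req": {"limits": {"memory": "2Gi"},
                           "requests": {"cpu": "100m", "memory": "2Gi"}},
    "empty": {},
}


def demo() -> dict:
    """Violation counts for every sample Pod under every constraint."""
    return {
        label: {cname: len(required_resources_violations(opa_pod(label, res), params))
                for cname, params in CONSTRAINTS.items()}
        for label, res in SAMPLE_RESOURCES.items()
    }


if __name__ == "__main__":
    for pod, counts in demo().items():
        print(f"{pod:20s} {counts}")
```

A count of 0 means the Pod is admitted by that constraint; `mem-limit-full-req` is the Pod that the page lists as allowed under `container-must-have-cpu-requests-memory-limits-and-requests` but disallowed under `container-must-have-limits-and-requests`. The `exemptImages` prefix match is the part worth testing before rollout: a bare `opa:*` would exempt that image name from any registry, which is why the schema comment recommends fully qualified names.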
K8sRestrictAdmissionController
Restrict Admission Controller v1.0.0
Restricts dynamic admission controllers to those that are permitted.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedMutatingWebhooks <array>: List of permitted mutating webhooks
    # (mutating admission controllers)
    permittedMutatingWebhooks:
    - <string>
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks (validating admission controllers)
    permittedValidatingWebhooks:
    - <string>
Examples
restrict-admission-controller
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: restrict-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
  parameters:
    permittedMutatingWebhooks:
    - allowed-mutating-webhook
    permittedValidatingWebhooks:
    - allowed-validating-webhook
Allowed
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: allowed-validating-webhook
Disallowed
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: disallowed-validating-webhook
K8sRestrictAutomountServiceAccountTokens
Restrict Service Account Tokens v1.0.1
Restricts the use of service account tokens.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Examples
restrict-serviceaccounttokens
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount
K8sRestrictLabels
Restrict Labels v1.0.2
Prohibits resources from containing the specified labels, unless an exception exists for the specific resource.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
    # <list item: object>: A single object's identification, based on group,
    # kind, namespace, and name.
    - # group <string>: The Kubernetes group of the exempt object.
      group: <string>
      # kind <string>: The Kubernetes kind of the exempt object.
      kind: <string>
      # name <string>: The name of the exempt object.
      name: <string>
      # namespace <string>: The namespace of the exempt object. For
      # cluster-scoped resources, use the empty string `""`.
      namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
    - <string>
Examples
restrict-label-example
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
K8sRestrictNamespaces
Restrict Namespaces v1.0.1
Restricts use of the namespaces listed in the restrictedNamespaces parameter.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
    - <string>
Examples
restrict-default-namespace-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
K8sRestrictNfsUrls
Restrict NFS URLs v1.0.1
Prohibits resources from containing NFS URLs unless otherwise specified.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
    - <string>
Examples
restrict-label-example
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com
K8sRestrictRbacSubjects
Restrict RBAC Subjects v1.0.3
Restricts the names used in RBAC subjects to allowed values.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
    - # name <string>: The exact-name or the pattern of the allowed subject
      name: <string>
      # regexMatch <boolean>: The flag to allow a regular expression based
      # match on the name.
      regexMatch: <boolean>
Examples
restrict-rbac-subjects
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@system.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@google.com$
      regexMatch: true
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user@google.com
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1@example.com
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2@example.com
K8sRestrictRoleBindings
Restrict Role Bindings v1.0.3
Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
    - # apiGroup <string>: The Kubernetes API group of the subject.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the subject.
      kind: <string>
      # name <string>: The name of the subject which is matched exactly as
      # provided as well as based on a regular expression.
      name: <string>
      # regexMatch <boolean>: The flag to allow a regular expression based
      # match on the name.
      regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>
Examples
restrict-clusteradmin-rolebindings-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
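K8sRestrictRbacSubjects (above) and K8sRestrictRoleBindings share one mechanism: a subject name is accepted if it equals an `allowedSubjects` entry, or matches it as a regular expression when `regexMatch` is true; K8sRestrictRoleBindings additionally scopes the check to bindings whose `roleRef` is the `restrictedRole` and also compares the subject's `apiGroup` and `kind`. The following Python is an added model of both checks, not the templates' Rego and not part of this page. It assumes unanchored search semantics for `regexMatch` (the way Rego's `regex.match` behaves, which is why the page's patterns anchor themselves with `^` and `$`) and replays the page's sample bindings.

```python
# Added illustration of the subject matching used by K8sRestrictRbacSubjects and
# K8sRestrictRoleBindings; not the templates' Rego. Assumption: regexMatch uses
# unanchored search, so patterns must carry their own ^ and $ anchors.
import re


def name_matches(name: str, entry: dict) -> bool:
    """Exact match, or regex search when the entry sets regexMatch: true."""
    if entry.get("regexMatch"):
        return re.search(entry["name"], name) is not None
    return name == entry["name"]


def rbac_subject_violations(binding: dict, allowed_subjects: list) -> list:
    """K8sRestrictRbacSubjects: every subject name must match some entry."""
    return [s["name"] for s in binding.get("subjects", [])
            if not any(name_matches(s["name"], e) for e in allowed_subjects)]


def role_binding_violations(binding: dict, params: dict) -> list:
    """K8sRestrictRoleBindings: when roleRef is the restrictedRole, each subject
    must match an allowedSubjects entry on apiGroup, kind and name."""
    r = params["restrictedRole"]
    ref = binding.get("roleRef", {})
    if (ref.get("apiGroup"), ref.get("kind"), ref.get("name")) != (
            r["apiGroup"], r["kind"], r["name"]):
        return []  # a binding to some other role is out of scope
    bad = []
    for s in binding.get("subjects", []):
        ok = any(s.get("apiGroup") == e["apiGroup"] and s.get("kind") == e["kind"]
                 and name_matches(s["name"], e) for e in params["allowedSubjects"])
        if not ok:
            bad.append(f"{s.get('kind')} {s['name']}")
    return bad


def cluster_admin_binding(name: str, subjects: list) -> dict:
    """Constructed ClusterRoleBinding to cluster-admin, like the page's samples."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": k, "name": n}
                     for k, n in subjects],
    }


RBAC_SUBJECTS_PARAMS = [  # allowedSubjects of restrict-rbac-subjects
    {"name": "system:masters"},
    {"name": r"^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$", "regexMatch": True},
    {"name": r"^.+@system.gserviceaccount.com$", "regexMatch": True},
    {"name": r"^.+@google.com$", "regexMatch": True},
]

ROLE_BINDING_REGEX_PARAMS = {  # restrict-clusteradmin-rolebindings-regex
    "allowedSubjects": [{
        "apiGroup": "rbac.authorization.k8s.io", "kind": "User",
        "name": r"^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$",
        "regexMatch": True}],
    "restrictedRole": {"apiGroup": "rbac.authorization.k8s.io",
                       "kind": "ClusterRole", "name": "cluster-admin"},
}

GOOD = cluster_admin_binding("good-clusterrolebinding", [
    ("User", "user@google.com"), ("Group", "system:masters"),
    ("User", "service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com")])
BAD = cluster_admin_binding("bad-clusterrolebinding", [
    ("User", "user1@example.com"), ("User", "user2@example.com")])

if __name__ == "__main__":
    print("good:", rbac_subject_violations(GOOD, RBAC_SUBJECTS_PARAMS))
    print("bad: ", rbac_subject_violations(BAD, RBAC_SUBJECTS_PARAMS))
```

One hygiene point the model makes visible: the page's patterns leave the dots in the domain unescaped, so `.` matches any character and `^.+@google.com$` also accepts a name such as `user@googleXcom`. Escaping the dots (`\.`) keeps the allowlist as tight as it reads.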
K8sRestrictRoleRules
Restrict Role and ClusterRole Rules v1.0.4
Restricts the rules that can be defined in Role and ClusterRole objects.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
    - # apiGroups <array>: APIGroups is the name of the APIGroup that
      # contains the resources. If multiple API groups are specified, any
      # action requested against one of the enumerated resources in any API
      # group will be allowed. "" represents the core API group and "*"
      # represents all API groups.
      apiGroups:
      - <string>
      # resources <array>: Resources is a list of resources this rule
      # applies to. '*' represents all resources.
      resources:
      - <string>
      # verbs <array>: Verbs is a list of Verbs that apply to ALL the
      # ResourceKinds contained in this rule. '*' represents all verbs.
      verbs:
      - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
    - # apiGroups <array>: APIGroups is the name of the APIGroup that
      # contains the resources. If multiple API groups are specified, any
      # action requested against one of the enumerated resources in any API
      # group will be disallowed. "" represents the core API group and "*"
      # represents all API groups.
      apiGroups:
      - <string>
      # resources <array>: Resources is a list of resources this rule
      # applies to. '*' represents all resources.
      resources:
      - <string>
      # verbs <array>: Verbs is a list of Verbs that apply to ALL the
      # ResourceKinds contained in this rule. '*' represents all verbs.
      verbs:
      - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
      - # name <string>: Name is the name or a pattern of the ClusterRole
        # to be exempted.
        name: <string>
        # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
        # regex match of the ClusterRole name.
        regexMatch: <boolean>
      roles:
      - # name <string>: Name is the name of the Role to be exempted.
        name: <string>
        # namespace <string>: Namespace is the namespace of the Role to be
        # exempted.
        namespace: <string>
Examples
restrict-pods-exec
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'
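The `restrict-pods-exec` example above turns on one detail of K8sRestrictRoleRules: the ClusterRole is rejected although it never names the verb `create`, because `'*'` grants it. The Python below is an added model of the matching, not the template's Rego and not part of this page. Its assumptions are spelled out in the comments: a rule trips a `disallowedRules` entry when it grants at least one (apiGroup, resource, verb) triple the entry names, with `*` on either side covering every value; with `allowedRules` set, every value a rule grants must be covered by a single entry; `exemptions` are matched by ClusterRole name (exact or regex) or by Role name plus namespace.

```python
# Added illustration of K8sRestrictRoleRules matching; not the template's Rego.
# Assumptions: `*` in a Role rule or in a parameter entry covers all values of
# that dimension; a rule is rejected by disallowedRules if it reaches any named
# triple, and by allowedRules if no single entry covers everything it grants.
import re

DIMENSIONS = ("apiGroups", "resources", "verbs")


def covers(granted: list, wanted: list) -> bool:
    """Does a rule's list reach at least one value a disallowedRules entry names?"""
    if not granted:
        return False
    return "*" in granted or "*" in wanted or bool(set(granted) & set(wanted))


def fully_within(values: list, allowed: list) -> bool:
    """Is every value the rule grants covered by an allowedRules entry?"""
    return "*" in allowed or all(v in allowed for v in values)


def hits_disallowed(rule: dict, entry: dict) -> bool:
    return all(covers(rule.get(d, []), entry.get(d, [])) for d in DIMENSIONS)


def within_allowed(rule: dict, entry: dict) -> bool:
    return all(fully_within(rule.get(d, []), entry.get(d, [])) for d in DIMENSIONS)


def is_exempt(obj: dict, exemptions: dict) -> bool:
    """ClusterRoles are exempt by name (exact or regex); Roles by name+namespace."""
    name = obj["metadata"]["name"]
    if obj["kind"] == "ClusterRole":
        for e in exemptions.get("clusterRoles", []):
            if e.get("regexMatch"):
                if re.search(e["name"], name):
                    return True
            elif e["name"] == name:
                return True
        return False
    namespace = obj["metadata"].get("namespace", "")
    return any(e["name"] == name and e.get("namespace", "") == namespace
               for e in exemptions.get("roles", []))


def role_rule_violations(obj: dict, params: dict) -> list:
    if is_exempt(obj, params.get("exemptions", {})):
        return []
    messages = []
    allowed = params.get("allowedRules", [])
    for i, rule in enumerate(obj.get("rules", [])):
        if any(hits_disallowed(rule, e) for e in params.get("disallowedRules", [])):
            messages.append(f"rule {i}: matches a disallowedRules entry")
        if allowed and not any(within_allowed(rule, e) for e in allowed):
            messages.append(f"rule {i}: not covered by any allowedRules entry")
    return messages


def rbac_object(kind: str, name: str, rules: list) -> dict:
    """Constructed Role/ClusterRole shaped like the page's samples."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name}, "rules": rules}


ALLOWED_ROLE = rbac_object("Role", "allowed-role-example", [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}])
DISALLOWED_CLUSTER_ROLE = rbac_object("ClusterRole", "disallowed-cluster-role-example", [
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["*"]}])

RESTRICT_PODS_EXEC = {"disallowedRules": [
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}

if __name__ == "__main__":
    for obj in (ALLOWED_ROLE, DISALLOWED_CLUSTER_ROLE):
        print(obj["metadata"]["name"], role_rule_violations(obj, RESTRICT_PODS_EXEC))
```

The wildcard handling is the part to keep in mind when writing `disallowedRules`: a deny entry for `pods/exec`/`create` catches `'*'` verbs and `'*'` resources, but a Role that lists `pods` only (as in the allowed example) does not reach the `pods/exec` subresource and passes.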
K8sStorageClass
Storage Class v1.1.2
Requires storage classes to be specified when used. Supported only on Gatekeeper 3.9 and later, and only for non-ephemeral storage.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    # If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
    - <string>
    includeStorageClassesInMessage: <boolean>
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.
The Policy Controller Config will need a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "storage.k8s.io"
      version: "v1"
      kind: "StorageClass"
Examples
storageclass
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true
Allowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
Disallowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
allowed-storageclass
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true
Allowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo
Disallowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo
K8sUniqueIngressHost
Unique Ingress Host v1.0.4
All hosts in Ingress rules must be unique. Wildcard hostnames are not supported: https://kubernetes.io/docs/concepts/services-networking/ingress/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.
The Policy Controller Config will need a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: "extensions"
      version: "v1beta1"
      kind: "Ingress"
    OR
    - group: "networking.k8s.io"
      version: "v1beta1" OR "v1"
      kind: "Ingress"
Examples
unique-ingress-host
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
K8sUniqueServiceSelector
Unique Service Selector v1.0.2
Requires Services to have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key/value pair, so long as there is at least one key/value pair that differs between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
Referential Constraint
This constraint is a referential constraint. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.
The Policy Controller Config will need a syncOnly entry similar to this:
spec:
  sync:
    syncOnly:
    - group: ""
      version: "v1"
      kind: "Service"
Examples
unique-service-selector
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
Allowed
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
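K8sUniqueIngressHost and K8sUniqueServiceSelector are both referential constraints: the object under review is compared against the objects Policy Controller has synced through the `syncOnly` config. The Python below is an added model of both checks (not the templates' Rego, not part of this page), with a list standing in for the synced inventory. It assumes the reviewed object is excluded from the inventory by (namespace, name), so updating an existing Ingress or Service does not collide with its own stored copy, and that a Service without a selector is skipped rather than compared as an empty selector.

```python
# Added illustration of the two referential uniqueness checks; not the
# templates' Rego. `inventory` stands in for the objects synced via syncOnly.
# Assumptions: the reviewed object is matched to its stored copy by
# (namespace, name) and skipped; Services with no selector are not compared.


def ingress_hosts(ingress: dict) -> list:
    return [r["host"] for r in ingress.get("spec", {}).get("rules", []) if "host" in r]


def _key(obj: dict) -> tuple:
    return (obj["metadata"].get("namespace", ""), obj["metadata"]["name"])


def ingress_host_violations(ingress: dict, inventory: list) -> list:
    """K8sUniqueIngressHost: no host may appear in any other synced Ingress."""
    me, mine = _key(ingress), set(ingress_hosts(ingress))
    messages = []
    for other in inventory:
        if _key(other) == me:
            continue
        for host in sorted(mine & set(ingress_hosts(other))):
            messages.append(f"host {host} is already used by ingress "
                            f"{_key(other)[0]}/{_key(other)[1]}")
    return messages


def service_selector_violations(service: dict, inventory: list) -> list:
    """K8sUniqueServiceSelector: selectors must be unique within a namespace."""
    me = _key(service)
    selector = service.get("spec", {}).get("selector") or {}
    if not selector:
        return []
    messages = []
    for other in inventory:
        if _key(other) == me or _key(other)[0] != me[0]:
            continue  # same object, or a different namespace
        if (other.get("spec", {}).get("selector") or {}) == selector:
            messages.append(f"same selector as service {_key(other)[0]}/{_key(other)[1]}")
    return messages


def ingress(name: str, hosts: list, namespace: str = "default") -> dict:
    """Constructed Ingress shaped like the page's samples."""
    backend = {"service": {"name": "nginx", "port": {"number": 80}}}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"rules": [{"host": h, "http": {"paths": [
                {"path": "/", "pathType": "Prefix", "backend": backend}]}}
                for h in hosts]}}


def service(name: str, selector: dict, namespace: str = "default") -> dict:
    """Constructed Service shaped like the page's samples."""
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"ports": [{"port": 443}], "selector": selector}}


# The page's "Referential Data" objects.
INGRESS_INVENTORY = [ingress("ingress-host-example", ["example-host.example.com"]),
                     ingress("ingress-host-example2", ["example-host2.example.com"])]
SERVICE_INVENTORY = [service("gatekeeper-test-service-example", {"key": "value"})]

if __name__ == "__main__":
    print(ingress_host_violations(
        ingress("ingress-host-disallowed2", ["example-host2.example.com",
                                             "example-host3.example.com"]),
        INGRESS_INVENTORY))
    print(service_selector_violations(
        service("gatekeeper-test-service-disallowed", {"key": "value"}), SERVICE_INVENTORY))
```

Two details are worth noticing. The Ingress check is cluster-wide (a host in another namespace still collides), while the Service check is namespace-scoped, as the descriptions above state. And selector equality is whole-map equality: `{key: value, tier: web}` does not collide with `{key: value}`, matching the "at least one key/value pair that differs" rule.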
NoUpdateServiceAccount
Block Service Account Update v1.0.1
Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
    - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
    - <string>
Examples
no-update-kube-system-service-account
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []
Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1
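NoUpdateServiceAccount differs from the other templates on this page in that it cannot be decided from the object alone: it needs the admission request's `oldObject` (to see whether the service account changed) and `userInfo` (to apply `allowedUsers`/`allowedGroups`). Neither exists during an audit pass, which is why the description says the policy is ignored in audit mode. The Python below is an added model of that behaviour, not the template's Rego and not part of this page. It assumes the service account is read from `spec.template.spec.serviceAccountName` (and from `spec.jobTemplate.spec.template.spec` for a CronJob), that a missing `serviceAccountName` means `default`, and it replays the page's `policy-test` Deployment through constructed admission requests.

```python
# Added illustration of NoUpdateServiceAccount; not the template's Rego.
# Assumptions: the Pod template lives at spec.template.spec (CronJob:
# spec.jobTemplate.spec.template.spec); no serviceAccountName means "default";
# without oldObject and userInfo (CREATE, or an audit pass) nothing is reported.


def pod_template_spec(obj: dict) -> dict:
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def service_account_of(obj: dict) -> str:
    return pod_template_spec(obj).get("serviceAccountName", "default")


def no_update_sa_violations(review: dict, params: dict) -> list:
    """`review` mirrors AdmissionReview.request: operation, object, oldObject, userInfo."""
    if review.get("operation") != "UPDATE" or "oldObject" not in review \
            or "userInfo" not in review:
        return []  # nothing to compare against, or no caller identity: ignored
    user = review["userInfo"]
    if user.get("username") in params.get("allowedUsers", []):
        return []
    if set(user.get("groups", [])) & set(params.get("allowedGroups", [])):
        return []
    before = service_account_of(review["oldObject"])
    after = service_account_of(review["object"])
    if before == after:
        return []
    return [f"{user.get('username')} may not change serviceAccountName "
            f"from {before} to {after}"]


def deployment(sa: str) -> dict:
    """The page's policy-test Deployment with a chosen serviceAccountName."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "policy-test", "namespace": "kube-system",
                         "labels": {"app": "policy-test"}},
            "spec": {"replicas": 1,
                     "selector": {"matchLabels": {"app": "policy-test-deploy"}},
                     "template": {
                         "metadata": {"labels": {"app": "policy-test-deploy"}},
                         "spec": {"containers": [{
                             "name": "policy-test", "image": "ubuntu",
                             "command": ["/bin/bash", "-c", "sleep 99999"]}],
                             "serviceAccountName": sa}}}}


def update_review(old_sa: str, new_sa: str, username: str = "developer",
                  groups: tuple = ()) -> dict:
    """Constructed UPDATE request; username/groups are placeholders."""
    return {"operation": "UPDATE", "oldObject": deployment(old_sa),
            "object": deployment(new_sa),
            "userInfo": {"username": username, "groups": list(groups)}}


PARAMS = {"allowedGroups": [], "allowedUsers": []}  # from the page's constraint

if __name__ == "__main__":
    print(no_update_sa_violations(update_review("policy-test-sa-1", "policy-test-sa-2"), PARAMS))
    print(no_update_sa_violations({"operation": "UPDATE", "object": deployment("x")}, PARAMS))
```

The second call in the `__main__` block is the audit-mode shape (object only): it returns nothing, so a service-account swap that slipped past admission, for example while the webhook was unavailable, will not show up in audit results and has to be found another way.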
PolicyStrictOnly
דרישה למדיניות mTLS מחמירה של Istio גרסה 1.0.4
ההגדרה מחייבת לציין תמיד את STRICT Istio mutual TLS כשמשתמשים ב-PeerAuthentication. ההגבלה הזו גם מבטיחה שמשאבי המדיניות ו-MeshPolicy שהוצאו משימוש יאכפו TLS דו-צדדי של STRICT. למידע נוסף: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
סכימת מגבלות
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
peerauthentication-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default
Allowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET
Disallowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT
deprecated-policy-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
Allowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT
Disallowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin
---
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
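The following Python is an added example, not Policy Controller's own Rego (which this page does not reproduce): it re-implements the PolicyStrictOnly decision as it can be inferred from the Allowed and Disallowed manifests above and runs it over constructed copies of them. Treating a port-level UNSET as acceptable and an absent, empty or null mtls block as a violation follows the examples; handling MeshPolicy exactly like Policy is an assumption of this example.

```python
"""Added example: Python re-implementation of the PolicyStrictOnly check.
Not Policy Controller's Rego; rules are inferred from the page's examples."""
from typing import Any, Dict, List

Manifest = Dict[str, Any]


def check_peer_authentication(obj: Manifest) -> List[str]:
    """security.istio.io PeerAuthentication: spec.mtls.mode must be STRICT and
    every portLevelMtls entry must be STRICT or UNSET (UNSET inherits the
    workload-level STRICT). A missing spec, empty/null mtls or null mode leaves
    the mode UNSET at workload level, inheriting the mesh default, so it is reported."""
    violations: List[str] = []
    spec = obj.get("spec") or {}
    mtls = spec.get("mtls")
    if not isinstance(mtls, dict) or mtls.get("mode") != "STRICT":
        violations.append("spec.mtls.mode must be STRICT")
    for port, cfg in (spec.get("portLevelMtls") or {}).items():
        mode = (cfg or {}).get("mode")
        if mode not in ("STRICT", "UNSET"):
            violations.append(f"spec.portLevelMtls[{port}].mode is {mode!r}, must be STRICT or UNSET")
    return violations


def check_legacy_policy(obj: Manifest) -> List[str]:
    """Deprecated authentication.istio.io Policy (and, by assumption, MeshPolicy):
    at least one peer must set mtls.mode: STRICT and no mtls peer may set
    anything else. Peers without an mtls key (e.g. jwt) are ignored."""
    violations: List[str] = []
    peers = (obj.get("spec") or {}).get("peers") or []
    strict_peers = 0
    for i, peer in enumerate(peers):
        if "mtls" not in (peer or {}):
            continue
        mtls = peer["mtls"]
        if isinstance(mtls, dict) and mtls.get("mode") == "STRICT":
            strict_peers += 1
        else:
            violations.append(f"spec.peers[{i}].mtls.mode must be STRICT")
    if strict_peers == 0:
        violations.append("spec.peers must contain an mtls peer with mode STRICT")
    return violations


def check(obj: Manifest) -> List[str]:
    """Dispatch on kind, mirroring the match blocks of the two example constraints."""
    kind = obj.get("kind")
    if kind == "PeerAuthentication":
        return check_peer_authentication(obj)
    if kind in ("Policy", "MeshPolicy"):
        return check_legacy_policy(obj)
    return []


def _pa(name: str, **spec: Any) -> Manifest:
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


def _policy(name: str, spec: Dict[str, Any]) -> Manifest:
    return {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


# Constructed copies of the page's examples (same names); not read from a cluster.
SAMPLES: Dict[str, Manifest] = {
    "mode-strict": _pa("mode-strict", mtls={"mode": "STRICT"}),
    "mode-strict-port-unset": _pa("mode-strict-port-unset", mtls={"mode": "STRICT"},
                                  portLevelMtls={"8080": {"mode": "UNSET"}}),
    "empty-mtls": _pa("empty-mtls", mtls={}),
    "unspecified-mtls": {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
                         "metadata": {"name": "unspecified-mtls", "namespace": "default"}},
    "mtls-null": _pa("mtls-null", mtls=None),
    "mode-strict-port-permissive": _pa("mode-strict-port-permissive", mtls={"mode": "STRICT"},
                                       portLevelMtls={"8080": {"mode": "PERMISSIVE"},
                                                      "8081": {"mode": "STRICT"}}),
    "default-mode-strict": _policy("default-mode-strict", {"peers": [{"mtls": {"mode": "STRICT"}}]}),
    "default-mtls-null": _policy("default-mtls-null", {"peers": [{"mtls": None}]}),
    "policy-no-peers": _policy("policy-no-peers", {"targets": [{"name": "httpbin"}]}),
}


def evaluate_all() -> Dict[str, List[str]]:
    """Sample name -> list of violations (empty list means allowed)."""
    return {name: check(obj) for name, obj in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in evaluate_all().items():
        print(f"{name:30s} {'allowed' if not found else 'DENIED: ' + '; '.join(found)}")
```

Running the block prints one verdict per sample; the port-permissive case yields exactly one violation (port 8080), which is the granularity the real constraint's violation messages also work at.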
RestrictNetworkExclusions
Restrict network exclusions v1.0.2
Controls which inbound ports, outbound ports and outbound IP ranges may be excluded from Istio's network capture. Ports and IP ranges that bypass Istio's traffic capture are not handled by the Istio proxy, so Istio mTLS, authorization policies and other Istio features do not apply to that traffic. This constraint can be used to restrict the use of the following annotations:
- traffic.sidecar.istio.io/excludeInboundPorts
- traffic.sidecar.istio.io/excludeOutboundPorts
- traffic.sidecar.istio.io/excludeOutboundIPRanges
See https://istio.io/latest/docs/reference/config/annotations/ for details.
When restricting outbound IP ranges, the constraint checks whether each excluded IP range equals, or is a subset of, one of the allowed IP range exclusions.
When this constraint is used, all inbound ports, outbound ports and outbound IP ranges must always remain included. To do so, set the corresponding include annotations to "*" or leave them unset; none of the following annotations may be set to a value other than "*":
- traffic.sidecar.istio.io/includeInboundPorts
- traffic.sidecar.istio.io/includeOutboundPorts
- traffic.sidecar.istio.io/includeOutboundIPRanges
The constraint always allows port 15020 to be excluded, because Istio's sidecar injection always adds it to the traffic.sidecar.istio.io/excludeInboundPorts annotation so that it can be used for health checks.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedInboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
allowedInboundPortExclusions:
- <string>
# allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
# constraint calculates whether excluded IP ranges match or are a subset of
# the ranges in this list.
allowedOutboundIPRangeExclusions:
- <string>
# allowedOutboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
allowedOutboundPortExclusions:
- <string>
Examples
restrict-network-exclusions
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
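The following Python is an added example and not Policy Controller's Rego: it re-implements the RestrictNetworkExclusions rules stated above (include annotations must be "*" or unset, port exclusions must be in the allow-lists, IP range exclusions must equal or be a subset of an allowed range, and 15020 is always allowed inbound) and evaluates them against constructed pods. The first four samples copy the page's examples; the last two, together with the PARAMS_WIDE parameter set, are constructed here to exercise the subset rule and the 15020 case, which the page states but does not show.

```python
"""Added example: Python re-implementation of RestrictNetworkExclusions.
Not Policy Controller's Rego; behaviour follows the page's description.
Standard library only."""
import ipaddress
from typing import Any, Dict, List

ANNOTATION_PREFIX = "traffic.sidecar.istio.io/"
# Istio's injector always adds 15020 (status/health port) to excludeInboundPorts,
# so the template always allows it.
ALWAYS_ALLOWED_INBOUND = {"15020"}
# Constraint parameter -> annotation it governs.
PORT_PARAMS = {
    "allowedInboundPortExclusions": "excludeInboundPorts",
    "allowedOutboundPortExclusions": "excludeOutboundPorts",
}
INCLUDE_ANNOTATIONS = ("includeInboundPorts", "includeOutboundPorts", "includeOutboundIPRanges")


def _csv(value: str) -> List[str]:
    """Istio annotation values are comma-separated lists; blanks are ignored."""
    return [v.strip() for v in value.split(",") if v.strip()]


def range_allowed(cidr: str, allowed_ranges: List[str]) -> bool:
    """True if cidr equals or is a subnet of any allowed range of the same IP
    version. Unparseable values are treated as disallowed (fail closed)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    for allowed in allowed_ranges:
        try:
            allowed_net = ipaddress.ip_network(allowed, strict=False)
        except ValueError:
            continue
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def check_pod(pod: Dict[str, Any], params: Dict[str, List[str]]) -> List[str]:
    """Violations RestrictNetworkExclusions would report for one Pod manifest."""
    ann = (pod.get("metadata") or {}).get("annotations") or {}
    violations: List[str] = []
    # 1. Everything must stay included: include* annotations are "*" or unset.
    for key in INCLUDE_ANNOTATIONS:
        value = ann.get(ANNOTATION_PREFIX + key)
        if value is not None and value.strip() != "*":
            violations.append(f"{key} must be '*' or unset, got {value!r}")
    # 2. Port exclusions must be in the matching allow-list (15020 always ok inbound).
    for param, key in PORT_PARAMS.items():
        allowed = set(params.get(param, []))
        if key == "excludeInboundPorts":
            allowed |= ALWAYS_ALLOWED_INBOUND
        for port in _csv(ann.get(ANNOTATION_PREFIX + key, "")):
            if port not in allowed:
                violations.append(f"{key}: port {port} is not an allowed exclusion")
    # 3. IP range exclusions must equal or be a subset of an allowed range.
    allowed_ranges = params.get("allowedOutboundIPRangeExclusions", [])
    for cidr in _csv(ann.get(ANNOTATION_PREFIX + "excludeOutboundIPRanges", "")):
        if not range_allowed(cidr, allowed_ranges):
            violations.append(f"excludeOutboundIPRanges: {cidr} is not within an allowed range")
    return violations


def _pod(name: str, **annotations: str) -> Dict[str, Any]:
    """Constructed minimal Pod with the given traffic.sidecar.istio.io/* annotations."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name,
                         "annotations": {ANNOTATION_PREFIX + k: v for k, v in annotations.items()}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}


# Parameters of the page's restrict-network-exclusions constraint.
PARAMS = {"allowedInboundPortExclusions": ["80"],
          "allowedOutboundIPRangeExclusions": ["169.254.169.254/32"],
          "allowedOutboundPortExclusions": ["8888"]}
# Constructed variant that additionally allows a /8, to show the subset rule.
PARAMS_WIDE = dict(PARAMS, allowedOutboundIPRangeExclusions=["169.254.169.254/32", "10.0.0.0/8"])

SAMPLES = {
    "allowed-port-and-ip-exclusions": _pod("allowed-port-and-ip-exclusions", excludeInboundPorts="80",
                                           excludeOutboundIPRanges="169.254.169.254/32",
                                           excludeOutboundPorts="8888"),
    "disallowed-ip-range-exclusion": _pod("disallowed-ip-range-exclusion", excludeOutboundIPRanges="1.1.2.0/24"),
    "one-disallowed-ip-exclusion-and-one-allowed-exclusion": _pod(
        "one-disallowed-ip-exclusion-and-one-allowed-exclusion",
        excludeOutboundIPRanges="169.254.169.254/32,1.1.2.0/24"),
    "disallowed-specific-port-and-ip-inclusions": _pod(
        "disallowed-specific-port-and-ip-inclusions", includeInboundPorts="80,443",
        includeOutboundIPRanges="169.254.169.254/32", includeOutboundPorts="8888"),
    "injector-added-15020": _pod("injector-added-15020", excludeInboundPorts="15020,80"),  # constructed
    "subnet-of-allowed-range": _pod("subnet-of-allowed-range", excludeOutboundIPRanges="10.1.0.0/16"),  # constructed
}


def evaluate_all(params: Dict[str, List[str]] = PARAMS) -> Dict[str, List[str]]:
    """Sample name -> violations under the given constraint parameters."""
    return {name: check_pod(pod, params) for name, pod in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in evaluate_all(PARAMS_WIDE).items():
        print(f"{name:55s} {'allowed' if not found else 'DENIED: ' + '; '.join(found)}")
```

Note the asymmetry the subset rule creates: 10.1.0.0/16 is rejected under the page's parameters but accepted under PARAMS_WIDE, whereas an exclusion wider than any allowed range (for example 0.0.0.0/0) is never a subset and is always rejected, which is what stops a pod from opting its entire outbound traffic out of the mesh.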
SourceNotAllAuthz
Require Istio AuthorizationPolicy source not all v1.0.1
Requires that Istio AuthorizationPolicy rules include source principals and that none of them is set to "*". A "*" principal matches any workload that presents a mesh certificate, so it authorizes every service account in the mesh rather than a named identity. https://istio.io/latest/docs/reference/config/security/authorization-policy/
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
sourcenotall-authz-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
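The following Python is an added example, not Policy Controller's Rego: it encodes the SourceNotAllAuthz rule as the four manifests above imply it (each rule must carry at least one source principal across its from entries, and none may be "*") and evaluates constructed copies of those manifests. How the real template treats a policy with no rules at all (Istio's deny-all form) is not shown on the page; this example leaves such policies alone, which is an assumption.

```python
"""Added example: Python re-implementation of SourceNotAllAuthz, inferred from
the page's description and examples. Not Policy Controller's Rego."""
from typing import Any, Dict, List


def check_authorization_policy(obj: Dict[str, Any]) -> List[str]:
    """Every rule needs at least one source.principals entry across its `from`
    list, and '*' is never acceptable. A namespaces-only source does not count:
    it grants access to a whole namespace rather than a named identity.
    Assumption: a policy without rules (deny-all) is not flagged."""
    violations: List[str] = []
    rules = (obj.get("spec") or {}).get("rules") or []
    for i, rule in enumerate(rules):
        principals: List[str] = []
        for entry in rule.get("from") or []:
            principals.extend((entry.get("source") or {}).get("principals") or [])
        if not principals:
            violations.append(f"rules[{i}]: no source.principals set")
        elif "*" in principals:
            violations.append(f"rules[{i}]: source principal '*' is not allowed")
    return violations


def _authz(name: str, *sources: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed AuthorizationPolicy for app=httpbin with one rule and the given sources."""
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
            "metadata": {"name": name, "namespace": "foo"},
            "spec": {"selector": {"matchLabels": {"app": "httpbin", "version": "v1"}},
                     "rules": [{"from": [{"source": s} for s in sources],
                                "to": [{"operation": {"methods": ["GET"], "paths": ["/info*"]}}]}]}}


SLEEP_SA = "cluster.local/ns/default/sa/sleep"

# Constructed to mirror the page's four examples (same names).
SAMPLES = {
    "source-principals-good": _authz("source-principals-good",
                                     {"principals": [SLEEP_SA]}, {"namespaces": ["test"]}),
    "source-principals-dne": _authz("source-principals-dne", {"namespaces": ["test"]}),
    "source-principals-all": _authz("source-principals-all",
                                    {"principals": ["*"]}, {"namespaces": ["test"]}),
    "source-principals-someall": _authz("source-principals-someall",
                                        {"principals": [SLEEP_SA, "*"]}, {"namespaces": ["test"]}),
}


def evaluate_all() -> Dict[str, List[str]]:
    """Sample name -> violations (empty list means allowed)."""
    return {name: check_authorization_policy(obj) for name, obj in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in evaluate_all().items():
        print(f"{name:28s} {'allowed' if not found else 'DENIED: ' + '; '.join(found)}")
```

The someall case is the one worth remembering: adding a real service account next to "*" does not narrow anything, because Istio ORs the principals in a list, so the wildcard still admits every mesh identity.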
VerifyDeprecatedAPI
Verify deprecated API v1.0.0
Checks for deprecated Kubernetes APIs so that all API versions in submitted manifests are current. This template is not useful in audit mode: audit reads objects back from the API server, which serves existing resources in a current, non-deprecated API version regardless of the version they were originally written with, so a deprecated apiVersion is only observable at admission time.
Constraint schema
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# k8sVersion <number>: kubernetes version
k8sVersion: <number>
# kvs <array>: Deprecated api versions and corresponding kinds
kvs:
- # deprecatedAPI <string>: deprecated api
deprecatedAPI: <string>
# kinds <array>: impacted list of kinds
kinds:
- <string>
# targetAPI <string>: target api
targetAPI: <string>
Examples
verify-1.16
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1
Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Disallowed
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
verify-1.22
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
verify-1.25
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1
Allowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
Disallowed
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
verify-1.26
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
Allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
Disallowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
verify-1.27
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1
Allowed
apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard
Disallowed
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
  namespace: default
storageClassName: standard
verify-1.29
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
Disallowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
What's next
- Learn more about Policy Controller
- Install Policy Controller
- Use constraints instead of PodSecurityPolicies
- Browse the open source constraint template library in the gatekeeper-library repository