文档

容器安全策略规则库说明

更新时间:

容器服务ACK策略管理功能提供了种类丰富的内置规则库。本文主要说明当前阿里云容器服务ACK容器安全策略规则库中的各个规则模板。

背景信息

当前容器服务ACK容器安全策略规则库包含以下四类规则模板:

  • CIS-K8s:基于CIS Kubernetes Benchmark等合规规范定制化的安全规则。

  • Infra:用于增强和保护云基础设施层资源安全。

  • K8s-general:用于约束和规范K8s集群内敏感资源配置,增强K8s集群内应用安全。

  • PSP:用于替换K8s PSP的相关策略,使用该类策略可以实现等同于原ACK策略管理中PSP提供的安全约束能力。

策略规则库说明

当前阿里云容器服务ACK内置如下类型的策略规则库,策略分类和简要说明如下:

Category

Policy

Description

Severity

CIS-K8s

ACKNoEnvVarSecrets

限制Secret以secretKeyRef的形式挂载到应用Pod环境变量中。

medium

ACKPodsRequireSecurityContext

限制Pod中所有容器必须配置securitycontext字段。

low

ACKRestrictNamespaces

限制资源部署在集群指定的命名空间中。

low

ACKRestrictRoleBindings

限制指定命名空间下的rolebinding使用指定范围内的Role或Clusterrole。

high

ACKNamespacesDeleteProtection

限制指定的Namespace被误删除。

medium

Infra

ACKBlockProcessNamespaceSharing

限制在集群指定范围部署的应用中使用shareProcessNamespace

high

ACKEmptyDirHasSizeLimit

要求emptyDir类型的Volume必须指定sizelimit

low

ACKLocalStorageRequireSafeToEvict

限制部署在集群指定范围内的Pod必须具有 "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" 注释标签。默认情况下autoscaler在集群自动伸缩时不会驱逐使用HostPath或EmptyDir卷的Pod。为了允许驱逐这些Pod,必须在Pod上添加该注释标签。

low

ACKOSSStorageLocationConstraint

限制指定Namespaces下的部署只能使用指定Region中的阿里云OSS存储卷

low

K8s-general

ACKAllowedRepos

限制在集群指定范围部署的应用Pod中拉取白名单列表外的镜像。

high

ACKBlockAutoinjectServiceEnv

要求在应用中配置enableServiceLinks: false防止在Pod环境变量中透出服务IP。

low

ACKBlockAutomountToken

要求在应用中设置automountServiceAccountToken: false字段防止自动挂载serviceaccount

high

ACKBlockEphemeralContainer

限制在集群指定范围的应用Pod中启动临时容器。

medium

ACKBlockLoadBalancer

限制在集群指定范围内部署LoadBalancer类型的Service。

high

ACKBlockNodePort

限制在集群指定范围内使用NodePort类型的Service。

high

ACKContainerLimits

要求集群指定范围的应用Pod配置资源limits

low

ACKExternalIPs

限制在集群指定范围内的Services实例使用白名单范围之外的externalIPs。

high

ACKImageDigests

限制在集群指定范围内部署不符合digest格式的镜像。

low

ACKRequiredLabels

限制在集群指定范围内部署没有指定范式label标签的应用。

low

ACKRequiredProbes

限制在集群指定范围内部署的Pod配置指定类型的readinessProbe和livenessProbe。

medium

ACKCheckNginxPath

限制在Ingress实例的spec.rules[].http.paths[].path字段中使用危险配置。Ingress-nginx 1.2.1以下版本建议开启该策略。

high

ACKCheckNginxAnnotation

限制在Ingress实例的metadata.annotations字段中使用危险配置。Ingress-nginx 1.2.1以下版本建议开启该策略。

high

ACKBlockInternetLoadBalancer

限制创建公网类型的LoadBalancer Service。

high

PSP

ACKPSPAllowPrivilegeEscalationContainer

限制在集群指定范围内部署的Pod配置allowPrivilegeEscalation参数。

medium

ACKPSPAllowedUsers

限制在集群指定范围内部署的Pod中的启动usergroupsupplementalGroups以及fsGroup

medium

ACKPSPAppArmor

限制在集群指定范围内部署的Pod配置AppArmor。

low

ACKPSPCapabilities

限制在集群指定范围内部署的Pod配置Linux Capabilities能力。

high

ACKPSPFSGroup

限制在集群指定范围内部署的Pod配置 fsGroup。

medium

ACKPSPFlexVolumes

限制在集群指定范围内部署Pod的FlexVolume驱动配置。

medium

ACKPSPForbiddenSysctls

限制在集群指定范围内部署Pod的禁止的Sysctl范围。

high

ACKPSPHostFilesystem

限制在集群指定范围内部署的Pod允许挂载的主机host目录范围。

high

ACKPSPHostNamespace

限制在集群指定范围内部署的Pod是否允许共享主机host命名空间。

high

ACKPSPHostNetworkingPorts

限制在集群指定范围内部署的Pod使用主机网络和指定端口。

high

ACKPSPPrivilegedContainer

限制在集群指定范围内部署的Pod中启动特权容器。

high

ACKPSPProcMount

限制在集群指定范围内部署的Pod允许挂载的Proc类型。

low

ACKPSPReadOnlyRootFilesystem

限制在集群指定范围内部署的Pod使用只读的根文件系统。

medium

ACKPSPSELinuxV2

制在集群指定范围内部署的Pod必须使用AllowedSELinuxOptions参数中规定的Selinux配置

low

ACKPSPSeccomp

限制在集群指定范围内部署的Pod使用指定的Seccomp配置文件。

low

ACKPSPVolumeTypes

限制在集群指定范围内部署的Pod使用指定的Volume挂载类型。

medium

CIS-K8s

  • ACKNoEnvVarSecrets

    规则说明:限制Secret以secretKeyRef的形式挂载到应用Pod环境变量中使用。

    重要等级:medium。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKNoEnvVarSecrets
    metadata:
      name: no-env-var-secrets
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
      volumes:
      - name: foo
        secret:
          secretName: mysecret
          items:
          - key: username
            path: my-group/my-username

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password
      restartPolicy: Never
  • ACKPodsRequireSecurityContext

    规则说明:限制Pod中所有容器必须配置securitycontext字段。

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPodsRequireSecurityContext
    metadata:
      name: pods-require-security-context
      annotations:
        # This constraint is not certified by CIS.
        description: "Requires that Pods must have a `securityContext` defined."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: test-gatekeeper
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test2
      - image: test
        name: test
        resources: {}
        securityContext:
          runAsNonRoot: false
  • ACKRestrictNamespaces

    规则说明:限制资源部署在集群指定的命名空间中。

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    restrictedNamespaces

    array

    禁止资源部署在该参数声明的列表中。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictNamespaces
    metadata:
      name: restrict-default-namespace
      annotations:
        # This constraint is not certified by CIS .
        description: "Restricts resources from using the restricted namespace."
    spec:
      match:
        kinds:
          - apiGroups: ['']
            kinds: ['Pod']
      parameters:
        restrictedNamespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      restartPolicy: Never
  • ACKRestrictRoleBindings

    规则说明:限制在指定命名空间下的rolebinding使用指定范围内的Role或Clusterrole。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    restrictedRole

    object

    限制使用的Clusterrole或Role。

    allowedSubjects

    array

    允许挂载的Subjects白名单列表。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictRoleBindings
    metadata:
      name: restrict-clusteradmin-rolebindings
      annotations:
        # This constraint is not certified by CIS.
        description: "Restricts use of sensitive role in specific rolebinding."
    spec:
      match:
        kinds:
          - apiGroups: ["rbac.authorization.k8s.io"]
            kinds: ["RoleBinding"]
      parameters:
        restrictedRole:
          apiGroup: "rbac.authorization.k8s.io"
          kind: "ClusterRole"
          name: "cluster-admin"
        allowedSubjects:
          - apiGroup: "rbac.authorization.k8s.io"
            kind: "Group"
            name: "system:masters"

    Allowed:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: good-2
      namespace: test-gatekeeper
    subjects:
      - kind: Group
        name: 'system:masters'
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

    Disallowed:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    subjects:
      - kind: ServiceAccount
        name: policy-template-controller
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
  • ACKNamespacesDeleteProtection

    规则说明:限制指定的Namespcace被误删除。可以通过protectionNamespaces参数配置受保护命名空间的Name,也可以通过protectionAnnotation参数配置受保护命名空间的Annotation键。当被删除的Namespace匹配任一参数中指定的配置值时,即可触发拦截或审计。

    使用前提:需确保gatekeeper组件已升级至v3.10.0.130-g0e79597d-aliyun或以上版本。关于gatekeeper组件版本信息,请参见gatekeeper

    重要等级:medium。

    参数说明:

    参数名称

    参数类型

    参数说明

    protectionNamespaces

    array

    受保护namespace的名称列表。

    protectionAnnotation

    array

    受保护Namespaces的指定Annotation Key列表。

    示例:

    Constraint:

      apiVersion: constraints.gatekeeper.sh/v1beta1
      kind: ACKNamespacesDeleteProtection
      metadata:
        name: namespace-delete-protection
      spec:
        match:
          kinds:
            - apiGroups: ['']
              kinds: ['Namespace']
        parameters:
          protectionNamespaces:
            - test-gatekeeper
          protectionAnnotation:
            - policy.alibabacloud.com/ns-protection

    Allowed:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: will-delete

    Disallowed:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: test
      annotations:
        policy.alibabacloud.com/ns-protection: "enable"

Infra基础设施

  • ACKBlockProcessNamespaceSharing

    规则说明:限制在集群指定范围部署的应用中使用shareProcessNamespace

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockProcessNamespaceSharing
    ACKCheckNginxPathmetadata:
      name: block-share-process-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test-3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKEmptyDirHasSizeLimit

    规则说明:要求emptyDir类型的Volume必须指定sizelimit

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKEmptyDirHasSizeLimit
    metadata:
      name: empty-dir-has-sizelimit
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir:
          sizeLimit: "10Mi"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKLocalStorageRequireSafeToEvict

    规则说明:限制部署在集群指定范围内的Pod必须具有 "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" 注释标签。集群自动伸缩时不会删除没有此注释标签的Pod。

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKLocalStorageRequireSafeToEvict
    metadata:
      name: local-storage-require-safe-to-evict
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
      annotations:
        'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /data
          # this field is optional
          type: Directory

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKOSSStorageLocationConstraint

    规则说明:限制指定命名空间下的部署只能使用指定地域中的阿里云OSS存储卷。

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    mode

    string

    是否采用白名单模式,默认值allowlist为白名单模式,其他值为黑名单模式。

    regions

    array

    指定的阿里云Region ID列表。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKOSSStorageLocationConstraint
    metadata:
      name: restrict-oss-location
      annotations:
        description: "Restricts location of oss storage in cluster."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["PersistentVolume", "Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        mode: "allowlist"
        regions:
          - "cn-beijing"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi-good
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-beijing.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeHandle: pv-oss
            nodePublishSecretRef:
              name: oss-secret
              namespace: default
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-hangzhou.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"

K8s-general

  • ACKAllowedRepos

    规则说明:限制在集群指定范围部署的应用Pod中拉取白名单列表外的镜像。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    repos

    array

    合法的镜像仓库白名单。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKAllowedRepos
    metadata:
      name: allowed-repos
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        repos:
          - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
          - "registry.cn-hangzhou.aliyuncs.com/acs/"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-01
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container-1
      initContainers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container-3
  • ACKBlockAutoinjectServiceEnv

    规则说明:要求在应用中配置enableServiceLinks: false防止在Pod环境变量中透出服务IP。

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutoinjectServiceEnv
    metadata:
      name: block-auto-inject-service-env
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      enableServiceLinks: false
      containers:
      - image: openpolicyagent/test-webserver:1.0
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockAutomountToken

    规则说明:要求在应用中设置automountServiceAccountToken: false字段防止自动挂载serviceaccount

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutomountToken
    metadata:
      name: block-auto-mount-service-account-token
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      automountServiceAccountToken: false
      containers:
      - image: openpolicyagent/test-webserver:v1.0
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockEphemeralContainer

    规则说明:限制在集群指定范围的应用Pod中启动临时容器。

    重要等级:medium。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockEphemeralContainer
    metadata:
      name: block-ephemeral-container
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: good-1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      ephemeralContainers:
        - name: test
          image: test
  • ACKBlockLoadBalancer

    规则说明:限制在指定集群范围内部署LoadBalancer类型的Service。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    restrictedNamespaces

    array

    禁止资源部署在该参数声明的列表中。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockLoadBalancer
    metadata:
      name: block-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKBlockNodePort

    规则说明:限制在集群指定范围内使用NodePort类型的Service。

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockNodePort
    metadata:
      name: block-node-port
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: NodePort
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKContainerLimits

    规则说明:要求集群指定范围的应用Pod配置资源limits

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKContainerLimits
    metadata:
      name: container-must-have-limits
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        cpu: "1000m"
        memory: "1Gi"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Mi"
            cpu: "500m"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Gi"
            cpu: "2000m"
  • ACKExternalIPs

    规则说明:限制在集群指定范围内的Services实例使用白名单范围之外的externalIPs

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedIPs

    array

    externalIPs白名单列表。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKExternalIPs
    metadata:
      name: external-ips
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedIPs:
          - "192.168.0.5"

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-3
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      externalIPs:
        - 80.11.XX.XX
  • ACKImageDigests

    规则说明:限制在集群指定范围内部署不符合digest格式的镜像。

    重要等级:low。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKImageDigests
    metadata:
      name: container-image-must-have-digest
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
        name: test-container

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container2
  • ACKRequiredLabels

    规则说明:限制在集群指定范围内部署的Pod必须包含allowedRegex参数中定义的label

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedRegex

    string

    label白名单的正则表达式。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredLabels
    metadata:
      name: must-have-label-test
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
    #            message: ''
        labels:
          - key: test
            # value
            allowedRegex: "^test.*$"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: test
      namespace: test-gatekeeper
      labels:
        'test': 'test_233'
    spec:
      containers:
      - name: mycontainer
        image: redis

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: bad2
      namespace: test-gatekeeper
      labels:
        'test': '233'
    spec:
      containers:
      - name: mycontainer
        image: redis
  • ACKRequiredProbes

    规则说明:限制在集群指定范围内部署的Pod配置指定类型的readinessProbelivenessProbe

    重要等级:medium。

    参数说明:

    参数名称

    参数类型

    参数说明

    probes

    array

    Pod中需要配置的Probe。例如,readinessProbelivenessProbe

    probeTypes

    array

    Pod中需要配置的Probe类型。例如,tcpSockethttpGetexec类型。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredProbes
    metadata:
      name: must-have-probes
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        probes: ["readinessProbe", "livenessProbe"]
        probeTypes: ["tcpSocket", "httpGet", "exec"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: p4
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        readinessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: p1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
  • ACKCheckNginxPath

    限制在Ingress实例spec.rules[].http.paths[].path字段中使用危险配置,Ingress-nginx 1.2.1以下版本建议开启该策略。

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxPath
    metadata:
      name: block-nginx-path
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-paths
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80

    Disallowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: bad-path-secrets
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /var/run/secrets
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
  • ACKCheckNginxAnnotation

    限制在Ingress实例metadata.annotations字段中使用危险配置,Ingress-nginx 1.2.1以下版本建议开启该策略。

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxAnnotation
    metadata:
      name: block-nginx-annotation
    spec:
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-annotations
      namespace: test-gatekeeper
      annotations:
        nginx.org/good: "value"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80

    Disallowed:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: var-run-secrets
      namespace: test-gatekeeper
      annotations:
        nginx.org/bad: "/var/run/secrets"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80
  • ACKBlockInternetLoadBalancer

    规则说明:限制创建公网类型的LoadBalancer Service。

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockInternetLoadBalancer
    metadata:
      name: block-internet-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces: ["test-gatekeeper"]

    Allowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: non-test-gatekeeper
      annotations:
        'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      type: LoadBalancer

    Disallowed:

    apiVersion: v1
    kind: Service
    metadata:
      name: bad-service-2
      namespace: test-gatekeeper
      annotations:
        'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376

PSP

  • ACKPSPAllowedUsers

    规则说明:限制在集群指定范围内部署的Pod中的启动usergroupsupplementalGroups以及fsGroup

    重要等级:medium。

    参数说明:

    参数名称

    参数类型

    参数说明

    runAsUser

    object

    关于该参数的具体说明,请参见原PSP规则中对User的配置,支持规则类型和UID最大值、最小值的配置。更多信息,请参见Users and groups

    runAsGroup

    object

    关于该参数的具体说明,请参见原PSP规则中对Group的配置,支持规则类型和UID最大值、最小值的配置。更多信息,请参见Users and groups

    supplementalGroups

    object

    关于该参数的具体说明,请参见原PSP规则中对SupplementalGroups的配置,支持规则类型和UID最大值、最小值的配置。更多信息,请参见Users and groups

    fsGroup

    object

    关于该参数的具体说明,请参见原PSP规则中对fsGroup的配置,支持规则类型和UID最大值、最小值的配置。更多信息,请参见Users and groups

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowedUsers
    metadata:
      name: psp-pods-allowed-user-ranges
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        runAsUser:
          rule: MustRunAs # MustRunAsNonRoot # RunAsAny
          ranges:
            - min: 100
              max: 200
        runAsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        supplementalGroups:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        fsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good2
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 150
        supplementalGroups:
          - 150
      containers:
      - image: test
        name: test
        securityContext:
          runAsUser: 150
          runAsGroup: 150

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAllowPrivilegeEscalationContainer

    规则说明:限制在集群指定范围内部署的Pod配置allowPrivilegeEscalation参数。

    重要等级:medium。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowPrivilegeEscalationContainer
    metadata:
      name: psp-allow-privilege-escalation-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          allowPrivilegeEscalation: false
      initContainers:
        - image: test
          name: test2
          securityContext:
            allowPrivilegeEscalation: false

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAppArmor

    规则说明:限制在集群指定范围内部署的Pod配置AppArmor。

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    probes

    array

    Pod中需要配置的Probe。例如,readinessProbelivenessProbe

    probeTypes

    array

    Pod中需要配置的Probe类型。例如,tcpSockethttpGetexec类型。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAppArmor
    metadata:
      name: psp-apparmor
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfiles:
          - runtime/default

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
      annotations:
        'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
        'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
    spec:
      containers:
      - image: test
        name: test
      initContainers:
      - image: test
        name: test2

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPCapabilities

    规则说明:限制在集群指定范围内部署的Pod配置Linux Capabilities能力。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedCapabilities

    array

    允许的capabilities白名单。

    requiredDropCapabilities

    array

    需要强制Drop的capabilities

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPCapabilities
    metadata:
      name: psp-capabilities
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedCapabilities: ["CHOWN"]
        requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-4
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          capabilities:
            add:
              - CHOWN
            drop:
             - "NET_ADMIN"
             - "SYS_ADMIN"
             - "NET_RAW"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPFlexVolumes

    规则说明:限制在集群指定范围内部署Pod的FlexVolume驱动配置。

    重要等级:medium。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedFlexVolumes

    array

    允许配置的FlexVolume驱动列表。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFlexVolumes
    metadata:
      name: psp-flexvolume-drivers
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod", "PersistentVolume"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedFlexVolumes: #[]
          - driver: "alicloud/disk"
          - driver: "alicloud/nas"
          - driver: "alicloud/oss"
          - driver: "alicloud/cpfs"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-nas
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/nas"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss-flexvolume
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/ossxx"
  • ACKPSPForbiddenSysctls

    规则说明:限制在集群指定范围内部署的Pod禁止的Sysctl范围。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    forbiddenSysctls

    array

    Pod中禁止的Sysctl列表。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPForbiddenSysctls
    metadata:
      name: psp-forbidden-sysctls
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        forbiddenSysctls:
          # - "*" # * may be used to forbid all sysctls
          - "kernel.*"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-2
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'net.ipv4.tcp_syncookies'
            value: "65536"
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'kernel.shm_rmid_forced'
            value: '1024'
      containers:
      - image: test
        name: test
  • ACKPSPFSGroup

    规则说明:限制在集群指定范围内部署的Pod的fsGroup配置。

    重要等级:medium。

    参数说明:

    参数名称

    参数类型

    参数说明

    rule

    string

    关于该参数的具体说明,请参见原PSP规则中对fsGroup的配置,支持MustRunAsMayRunAsRunAsAny。更多信息,请参见Volumes and file systems

    ranges

    object

    包含以下取值。

    • min:fsGroup id的最小值。

    • max:fsGroup id的最大值。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFSGroup
    metadata:
      name: psp-fsgroup
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
        ranges:
          - min: 1
            max: 1000

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 100
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      securityContext:
        fsGroup: 0
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
  • ACKPSPHostFilesystem

    规则说明:限制在集群指定范围内部署的Pod允许挂载的主机host目录范围。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedHostPaths

    object

    主机路径白名单配置。

    readOnly

    boolean

    是否只读。

    pathPrefix

    string

    路径前缀。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostFilesystem
    metadata:
      name: psp-host-filesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedHostPaths:
          - readOnly: true
            pathPrefix: "/foo"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        volumeMounts:
          - name: test-volume
            mountPath: "/projected-volume"
            readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          path: /foo

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: File
  • ACKPSPHostNamespace

    规则说明:限制在集群指定范围内部署的Pod是否允许共享主机host命名空间。

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNamespace
    metadata:
      name: psp-host-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      hostPID: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKPSPHostNetworkingPorts

    规则说明:限制在集群指定范围内部署的Pod使用主机网络和指定端口。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    hostNetwork

    boolean

    是否允许Pod共享使用主机网络。

    min

    int

    最小使用的hostPort值。

    max

    int

    最大使用的hostPort值。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNetworkingPorts
    metadata:
      name: psp-host-network-ports
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        hostNetwork: true
        min: 80
        max: 9000

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: good-2
      namespace: test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 80
            containerPort: 80
      initContainers:
        - image: k8s.gcr.io/test-webserver
          name: test-container2
          ports:
            - hostPort: 8080
              containerPort: 8080

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 22
            containerPort: 22
  • ACKPSPPrivilegedContainer

    规则说明:限制在集群指定范围内部署的Pod中启动特权容器。

    重要等级:high。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPPrivilegedContainer
    metadata:
      name: psp-privileged-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      restartPolicy: Never
  • ACKPSPProcMount

    规则说明:限制在集群指定范围内部署的Pod允许挂载的proc类型。

    重要等级:high。

    参数说明:

    参数名称

    参数类型

    参数说明

    procMount

    string

    proc挂载类型,允许配置如下类型:

    • Default:默认屏蔽挂载/proc目录。

    • Unmasked:不屏蔽挂载/proc

    关于参数配置的具体说明,请参见AllowedProcMountTypes

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPProcMount
    metadata:
      name: psp-proc-mount
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        procMount: Default  # Default or Unmasked

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Default"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Unmasked"
      initContainers:
      - image: test
        name: test2
  • ACKPSPReadOnlyRootFilesystem

    规则说明:限制在集群指定范围内部署的Pod使用只读的根文件系统。

    重要等级:medium。

    参数说明:无。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPReadOnlyRootFilesystem
    metadata:
      name: psp-readonlyrootfilesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: true

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: false
      initContainers:
      - image: test
        name: test2
  • ACKPSPSeccomp

    规则说明:限制在集群指定范围内部署的Pod使用指定的Seccomp配置文件。

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedProfileTypes

    array

    允许的Seccomp profile类型白名单。

    allowedProfiles

    array

    允许的Seccomp profile。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSeccomp
    metadata:
      name: psp-seccomp
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfileTypes:
          # - Unconfined
          - RuntimeDefault
          - Localhost
        allowedProfiles:
          - runtime/default
          - docker/default
          - localhost/profiles/audit.json

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
      initContainers:
      - image: test
        name: test2
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
        echo-k8s-webhook-enabled: 'true'
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPSELinuxV2

    规则说明:限制在集群指定范围内部署的Pod必须使用allowedSELinuxOptions参数中规定的SELinux配置。

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    allowedSELinuxOptios

    object

    允许的SELinux配置白名单。更多信息,请参见SELinuxOptions v1 core

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSELinuxV2
    metadata:
      name: psp-selinux-v2
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedSELinuxOptions:
          - level: s0:c123,c456
            role: object_r
            type: svirt_sandbox_file_t
            user: system_u

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c456"
      containers:
      - image: test
        name: test

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c455"
  • ACKPSPVolumeTypes

    规则说明:限制在集群指定范围内部署的Pod使用指定Volume挂载类型。

    重要等级:low。

    参数说明:

    参数名称

    参数类型

    参数说明

    volumes

    object

    允许的挂载卷类型。

    示例:

    Constraint:

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPVolumeTypes
    metadata:
      name: psp-volume-types
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        volumes:
          # - "*" # * may be used to allow all volume types
          - configMap
          # - emptyDir
          - projected
          - secret
          - downwardAPI
          - persistentVolumeClaim
          # - hostPath #required for allowedHostPaths
          - flexVolume #required for allowedFlexVolumes

    Allowed:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/oss"

    Disallowed:

    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data
  • 本页导读 (1)
文档反馈