You can configure security policies for Pods to verify whether requests to deploy or update Pods are secure. The policy governance feature of ACK clusters provides four built-in rule libraries: Compliance, Infra, K8s-general, and PSP.
Rule overview
The ACK container security policy rule library currently contains the following four categories of rule templates:
Compliance: security rules tailored to compliance baselines such as the Alibaba Cloud Kubernetes hardening guidelines.
Infra: rules that harden and protect resources at the cloud infrastructure layer.
K8s-general: rules that constrain and standardize the configuration of sensitive resources inside the Kubernetes cluster, strengthening the security of the applications running in it.
PSP: rules that replace the Kubernetes PodSecurityPolicy (PSP); they provide security constraints equivalent to those the PSP offered in the original ACK policy governance.
Policy rule library
ACK currently provides the following built-in policy rule libraries. The categories and a brief description of each policy are listed below:
Category | Policy | Description | Severity |
Compliance | ACKNoEnvVarSecrets | Restricts Secrets from being exposed to application Pod environment variables via secretKeyRef. | medium |
Compliance | ACKPodsRequireSecurityContext | Requires that every container in a Pod sets the securityContext field. | low |
Compliance | ACKRestrictNamespaces | Restricts resources from being deployed in specified namespaces of the cluster. | low |
Compliance | ACKRestrictRoleBindings | Restricts RoleBindings in specified namespaces to Roles or ClusterRoles within an allowed scope. | high |
Compliance | ACKNamespacesDeleteProtection | Prevents specified namespaces from being deleted by mistake. | medium |
Compliance | ACKServicesDeleteProtection | Prevents Service instances in a namespace from being deleted by mistake. | medium |
Compliance | ACKProtectBoundingPV | Prevents persistent volumes (PVs) in the Bound state from being deleted. | high |
Compliance | ACKBlockNodeDelete | Prevents nodes that carry custom labels from being deleted. | high |
Compliance | ACKResourceDeletionProtection | Prevents resources of several kinds (Service, Namespace, Ingress, and others) that carry custom labels from being deleted. | high |
Compliance | ACKProtectCoreDNS | Prevents CoreDNS-related resources in the kube-system namespace from being deleted. | high |
Infra | ACKBlockProcessNamespaceSharing | Restricts the use of shareProcessNamespace in applications deployed in the specified scope of the cluster. | high |
Infra | ACKEmptyDirHasSizeLimit | Requires emptyDir volumes to specify sizeLimit. | low |
Infra | ACKLocalStorageRequireSafeToEvict | Requires Pods deployed in the specified scope of the cluster to carry the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. | low |
Infra | ACKOSSStorageLocationConstraint | Restricts deployments in specified namespaces to Alibaba Cloud OSS volumes located in specified regions. | low |
Infra | ACKPVSizeConstraint | Limits the maximum disk capacity that PVs created in the cluster can request. | medium |
Infra | ACKPVCConstraint | Restricts the namespaces in which PVCs can be created and limits the maximum disk capacity a PVC can request. | medium |
Infra | ACKBlockVolumeTypes | Blocks specified volume types for Pods deployed in the specified scope of the cluster. | medium |
Infra | ASMSidecarInjectionEnforced | Requires Pods to have the ASM sidecar injected. | high |
K8s-general | ACKAllowedRepos | Restricts application Pods deployed in the specified scope of the cluster from pulling images outside an allowlist of repositories. | high |
K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to set enableServiceLinks: false. | low |
K8s-general | ACKBlockAutomountToken | Requires applications to set automountServiceAccountToken: false. | high |
K8s-general | ACKBlockEphemeralContainer | Restricts application Pods in the specified scope of the cluster from starting ephemeral containers. | medium |
K8s-general | ACKBlockLoadBalancer | Restricts the creation of LoadBalancer Services in the specified scope of the cluster. | high |
K8s-general | ACKBlockNodePort | Restricts the use of NodePort Services in the specified scope of the cluster. | high |
K8s-general | ACKContainerLimits | Requires application Pods in the specified scope of the cluster to configure resource limits. | low |
K8s-general | ACKExternalIPs | Restricts Services in the specified scope of the cluster from using externalIPs outside an allowlist. | high |
K8s-general | ACKImageDigests | Restricts the deployment of images that are not referenced by digest in the specified scope of the cluster. | low |
K8s-general | ACKRequiredLabels | Restricts the deployment of applications that lack labels matching the required pattern in the specified scope of the cluster. | low |
K8s-general | ACKRequiredProbes | Requires Pods deployed in the specified scope of the cluster to configure readinessProbe and livenessProbe of the specified types. | medium |
K8s-general | ACKCheckNginxPath | Restricts dangerous configurations in the spec.rules[].http.paths[].path field of Ingress resources. | high |
K8s-general | ACKCheckNginxAnnotation | Restricts dangerous configurations in the metadata.annotations field of Ingress resources. | high |
K8s-general | ACKBlockInternetLoadBalancer | Restricts the creation of Internet-facing LoadBalancer Services. | high |
K8s-general | RatifyVerification | After you install the Ratify component from the application marketplace, verifies security metadata such as signatures or SBOMs of Pod images deployed in the specified scope of the cluster. | high |
PSP | | Restricts Pods deployed in the specified scope of the cluster from configuring … | medium |
PSP | ACKPSPAllowedUsers | Restricts the user, group, supplementalGroups, and fsGroup with which Pods deployed in the specified scope of the cluster run. | medium |
PSP | | Restricts the AppArmor configuration of Pods deployed in the specified scope of the cluster. | low |
PSP | | Restricts the Linux capabilities configured by Pods deployed in the specified scope of the cluster. | high |
PSP | | Restricts the fsGroup configuration of Pods deployed in the specified scope of the cluster. | medium |
PSP | | Restricts the FlexVolume drivers that Pods deployed in the specified scope of the cluster can use. | medium |
PSP | | Restricts the forbidden sysctls for Pods deployed in the specified scope of the cluster. | high |
PSP | | Restricts the host directories that Pods deployed in the specified scope of the cluster may mount. | high |
PSP | | Restricts whether Pods deployed in the specified scope of the cluster may share host namespaces. | high |
PSP | | Restricts Pods deployed in the specified scope of the cluster from using the host network and specified ports. | high |
PSP | | Restricts Pods deployed in the specified scope of the cluster from starting privileged containers. | high |
PSP | | Restricts the proc mount types that Pods deployed in the specified scope of the cluster may use. | low |
PSP | | Requires Pods deployed in the specified scope of the cluster to use a read-only root filesystem. | medium |
PSP | | Requires Pods deployed in the specified scope of the cluster to use the SELinux configuration specified by the AllowedSELinuxOptions parameter. | low |
PSP | | Restricts Pods deployed in the specified scope of the cluster to the specified seccomp profiles. | low |
PSP | | Restricts Pods deployed in the specified scope of the cluster to the specified volume types. | medium |
Compliance
ACKNoEnvVarSecrets
Rule description: Restricts Secrets from being exposed to application Pod environment variables via secretKeyRef.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
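The following is an added example and not ACK's own Rego template: a Python re-implementation of the decision ACKNoEnvVarSecrets makes, so that the boundary between the Allowed and Disallowed Pods above is explicit. Secrets placed in environment variables are readable through /proc, inherited by every child process and tend to surface in crash dumps and debug output, whereas a Secret volume is scoped to a file path. The sample manifests are constructed to mirror the page's two Pods; the real template is stated to look at env[].valueFrom.secretKeyRef, and this version additionally walks initContainers, ephemeralContainers and envFrom[].secretRef (an assumption that goes beyond the page's rule, since envFrom imports a whole Secret at once).

```python
"""Python re-implementation (added example) of the ACKNoEnvVarSecrets check."""
from typing import Dict, List

# Every container list a Pod can carry; the page's rule names only "containers".
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def find_env_secret_refs(pod: Dict) -> List[str]:
    """Return one message per env entry that pulls a Secret into the environment."""
    violations: List[str] = []
    spec = pod.get("spec") or {}
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name) or []:
            cname = c.get("name", "<unnamed>")
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    violations.append(
                        f"{list_name}/{cname}: env {env.get('name')} reads Secret "
                        f"{ref.get('name')}/{ref.get('key')} via secretKeyRef")
            # Generalization (assumption): envFrom.secretRef exposes every key of a Secret.
            for src in c.get("envFrom") or []:
                ref = src.get("secretRef")
                if ref:
                    violations.append(
                        f"{list_name}/{cname}: envFrom imports every key of Secret {ref.get('name')}")
    return violations


def admit(pod: Dict) -> bool:
    """True when this check would let the Pod through."""
    return not find_env_secret_refs(pod)


# Constructed sample manifests mirroring the page's Allowed / Disallowed Pods.
ALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mypod", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{
            "name": "mypod", "image": "redis",
            "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}],
        }],
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    },
}

DISALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{
            "name": "mycontainer", "image": "redis",
            "env": [
                {"name": "SECRET_USERNAME",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
                {"name": "SECRET_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
            ],
        }],
        "restartPolicy": "Never",
    },
}

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DISALLOWED_POD):
        verdict = "allowed" if admit(pod) else find_env_secret_refs(pod)
        print(pod["metadata"]["name"], verdict)
```

Run it as a script to see the verdict for both Pods; the Disallowed Pod produces two messages, one per secretKeyRef.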
ACKPodsRequireSecurityContext
Rule description: Requires that every container in a Pod sets the securityContext field.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false
ACKRestrictNamespaces
Rule description: Restricts resources from being deployed in specified namespaces of the cluster.
Severity: low.
Parameters:
Parameter | Type | Description |
restrictedNamespaces | array | Resources must not be deployed in the namespaces listed in this parameter. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
ACKRestrictRoleBindings
Rule description: Restricts RoleBindings in specified namespaces to Roles or ClusterRoles within an allowed scope.
Severity: high.
Parameters:
Parameter | Type | Description |
restrictedRole | object | The ClusterRole or Role whose use is restricted. |
allowedSubjects | array | Allowlist of subjects that may be bound to the restricted role. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
Allowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Disallowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
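The following is an added example, not ACK's Rego template: a Python re-implementation of the ACKRestrictRoleBindings decision. A binding is rejected when its roleRef is the restricted role and at least one subject is outside allowedSubjects; bindings to any other role are outside this rule's scope. The parameters are copied from the Constraint above and the sample bindings mirror the page's Allowed and Disallowed manifests. One assumption: subjects are compared on (apiGroup, kind, name), with a missing apiGroup normalised the way the API server defaults it (empty for ServiceAccount, rbac.authorization.k8s.io for User and Group), which is why the page's Group subject matches even though it omits apiGroup.

```python
"""Python re-implementation (added example) of the ACKRestrictRoleBindings check."""
from typing import Dict, List, Tuple

RBAC_GROUP = "rbac.authorization.k8s.io"

# Parameters copied from the Constraint on this page.
PARAMS = {
    "restrictedRole": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"},
    "allowedSubjects": [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"}],
}


def subject_key(subject: Dict) -> Tuple[str, str, str]:
    """Comparable identity of a subject, applying the API server's apiGroup defaults."""
    kind = subject["kind"]
    group = subject.get("apiGroup")
    if group is None:  # assumption: same defaulting as Kubernetes RBAC
        group = "" if kind == "ServiceAccount" else RBAC_GROUP
    return (group, kind, subject["name"])


def binds_restricted_role(binding: Dict, params: Dict = PARAMS) -> bool:
    ref = binding.get("roleRef") or {}
    r = params["restrictedRole"]
    return (ref.get("apiGroup"), ref.get("kind"), ref.get("name")) == (r["apiGroup"], r["kind"], r["name"])


def violations(binding: Dict, params: Dict = PARAMS) -> List[str]:
    """One message per subject that may not hold the restricted role."""
    if not binds_restricted_role(binding, params):
        return []
    allowed = {subject_key(s) for s in params["allowedSubjects"]}
    name = (binding.get("metadata") or {}).get("name", "<unnamed>")
    r = params["restrictedRole"]
    return [f"{name}: subject {s['kind']}/{s['name']} is not allowed to bind {r['kind']}/{r['name']}"
            for s in binding.get("subjects") or [] if subject_key(s) not in allowed]


# Constructed bindings mirroring the page's Allowed / Disallowed examples, plus one
# that binds an unrelated role to show the rule ignores it.
ROLE_REF = {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP}
GOOD_BINDING = {"kind": "RoleBinding", "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
                "subjects": [{"kind": "Group", "name": "system:masters"}], "roleRef": ROLE_REF}
BAD_BINDING = {"kind": "RoleBinding", "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
               "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}],
               "roleRef": ROLE_REF}
OTHER_BINDING = {"kind": "RoleBinding", "metadata": {"name": "viewer", "namespace": "test-gatekeeper"},
                 "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}],
                 "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC_GROUP}}

if __name__ == "__main__":
    for b in (GOOD_BINDING, BAD_BINDING, OTHER_BINDING):
        print(b["metadata"]["name"], violations(b) or "allowed")
```

Note that a RoleBinding to cluster-admin grants full rights within its namespace only, but because the subject list is the only thing standing between a ServiceAccount and that role, the check is deliberately per subject rather than per binding.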
ACKNamespacesDeleteProtection
Rule description: Prevents the specified namespaces from being deleted by mistake. Use the protectionNamespaces parameter to configure the names of the protected namespaces.
Prerequisite: the gatekeeper component must be upgraded to v3.10.0.130-g0e79597d-aliyun or later. For version information about the gatekeeper component, see gatekeeper.
Severity: medium.
Parameters:
Parameter | Type | Description |
protectionNamespaces | array | List of the names of the protected namespaces. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper
Allowed:
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete
Disallowed:
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper
ACKServicesDeleteProtection
Rule description: Prevents Service instances in the specified namespace from being deleted by mistake. Use the protectionServices parameter to configure the names of the protected Service instances.
Severity: medium.
Parameters:
Parameter | Type | Description |
protectionServices | array | List of the names of the protected Service instances in the specified namespace. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: test-svc
ACKProtectBoundingPV
Rule description: Prevents persistent volumes (PVs) that are bound to a persistent volume claim (PVC) from being deleted.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectBoundingPV
metadata:
  name: protect-pv-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - PersistentVolume
Allowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
status:
  phase: Released
Disallowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
status:
  phase: Bound
ACKBlockNodeDelete
Rule description: Prevents nodes in the cluster that carry custom labels from being deleted. Multiple key/value pairs can be defined; a node is protected as soon as it matches any one of them.
Severity: high.
Parameters:
Parameter | Type | Description |
protectedLabels | array | Custom labels used to identify the nodes to protect. |
labelName | string | Key of the custom label. |
labelValue | string | Value of the custom label. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodeDelete
metadata:
  name: block-node-delete
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Node"]
  parameters:
    protectedLabels:
      - labelName: policy.alibabacloud.vpc.com/node-delete-protection
        labelValue: "true"
      - labelName: policy.alibabacloud.com/node-delete-protection
        labelValue: "true"
Allowed:
apiVersion: v1
kind: Node
metadata:
  name: cn-hangzhou-1
Disallowed:
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-1
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-2
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.com/node-delete-protection: "true"
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-3
ACKResourceDeletionProtection
Rule description: Prevents resources in the cluster that carry custom labels from being deleted. Supported resource types include Service, Namespace, Ingress, Deployment, StatefulSet, DaemonSet, Job, and CronJob. Multiple key/value pairs can be defined; a resource is protected as soon as it matches any one of them.
Severity: high.
Parameters:
Parameter | Type | Description |
labels | array | Custom labels used to identify the resources to protect. |
labelName | string | Key of the custom label. |
labelValue | string | Value of the custom label. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKResourceDeletionProtection
metadata:
  name: resource-deletion-protection
  annotations:
    description: "Protect resources from being accidentally deleted."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Service
          - Namespace
      - apiGroups:
          - extensions
          - networking.k8s.io
        kinds:
          - Ingress
      - apiGroups:
          - apps
        kinds:
          - Deployment
          - StatefulSet
          - DaemonSet
      - apiGroups:
          - batch
        kinds:
          - Job
          - CronJob
  parameters:
    labels:
      - labelName: policy.alibabacloud.com/delete-protection
        labelValue: "true"
Allowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
Disallowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
  labels:
    policy.alibabacloud.com/delete-protection: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
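The following is an added example, not ACK's Rego templates: one Python evaluator that covers the four deletion-protection rules above (ACKNamespacesDeleteProtection, ACKServicesDeleteProtection, ACKBlockNodeDelete and ACKResourceDeletionProtection). On a DELETE, the admission review carries the object being removed as oldObject rather than object, which is the detail these rules hinge on; the evaluator denies when that object is in a protected name list or carries any one of the protected label key/value pairs. The label parameters are copied from the Constraints on this page; the name lists, the review shape (operation, kind, namespace, oldObject, following AdmissionReview.request) and the make_review helper are constructed for the example.

```python
"""Python evaluator (added example) for the page's four deletion-protection rules."""
from typing import Dict, List, Optional

# Constructed parameter set mirroring the Constraints on this page.
POLICY = {
    "protectionNamespaces": ["test-gatekeeper"],
    "protectionServices": {"test-gatekeeper": ["test-svc"]},   # namespace -> protected names
    "protectedLabels": [
        {"labelName": "policy.alibabacloud.vpc.com/node-delete-protection", "labelValue": "true"},
        {"labelName": "policy.alibabacloud.com/node-delete-protection", "labelValue": "true"},
        {"labelName": "policy.alibabacloud.com/delete-protection", "labelValue": "true"},
    ],
}


def matching_protected_label(labels: Dict[str, str], protected: List[Dict]) -> Optional[str]:
    """Any single configured key/value pair is enough to protect the object."""
    for p in protected:
        if labels.get(p["labelName"]) == p["labelValue"]:
            return p["labelName"]
    return None


def deny_reason(review: Dict, policy: Dict = POLICY) -> Optional[str]:
    """Return a denial message, or None when the request may proceed."""
    if review.get("operation") != "DELETE":
        return None                      # these rules only guard deletion
    obj = review.get("oldObject") or {}  # on DELETE the object lives in oldObject
    kind = (review.get("kind") or {}).get("kind", obj.get("kind"))
    meta = obj.get("metadata") or {}
    name = meta.get("name")
    ns = review.get("namespace") or meta.get("namespace")
    if kind == "Namespace" and name in policy["protectionNamespaces"]:
        return f"namespace {name} is protected from deletion"
    if kind == "Service" and name in policy["protectionServices"].get(ns, []):
        return f"service {ns}/{name} is protected from deletion"
    hit = matching_protected_label(meta.get("labels") or {}, policy["protectedLabels"])
    if hit:
        return f"{kind} {name} carries protection label {hit}"
    return None


def make_review(kind: str, name: str, namespace: Optional[str] = None,
                labels: Optional[Dict[str, str]] = None, operation: str = "DELETE") -> Dict:
    """Build a minimal AdmissionReview.request for the example (constructed helper)."""
    meta: Dict = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    if labels:
        meta["labels"] = labels
    return {"operation": operation, "kind": {"kind": kind}, "namespace": namespace,
            "oldObject": {"kind": kind, "metadata": meta}}


if __name__ == "__main__":
    samples = [
        make_review("Namespace", "will-delete"),
        make_review("Namespace", "test-gatekeeper"),
        make_review("Service", "test-svc", "test-gatekeeper"),
        make_review("Node", "cn-hangzhou-1"),
        make_review("Node", "cn-hangzhou-3",
                    labels={"policy.alibabacloud.com/node-delete-protection": "true"}),
        make_review("Deployment", "test-deployment", "test-gatekeeper",
                    {"policy.alibabacloud.com/delete-protection": "true"}),
    ]
    for r in samples:
        print(r["kind"]["kind"], r["oldObject"]["metadata"]["name"], deny_reason(r) or "allowed")
```

Because the Service rule is scoped by the Constraint's match.namespaces, the same Service name in another namespace is not protected, which the evaluator reproduces by keying the name list on the namespace.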
ACKProtectCoreDNS
Rule description: Prevents CoreDNS-related resources in the kube-system namespace from being deleted, including the Deployment, Service, and ConfigMap it uses.
Severity: high.
Parameters:
Parameter | Type | Description |
min_replicas | int | Minimum number of replicas expected for the CoreDNS Deployment. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectCoreDNS
metadata:
  name: coredns-protect-rule
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "Service", "Scale", "ConfigMap"]
    scope: "Namespaced"
    namespaces: ["kube-system"]
  parameters:
    min_replicas: 2
Allowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns  # container name added so the manifest is valid
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
Disallowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns  # container name added so the manifest is valid
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
---
apiVersion: v1
data:
  Corefile: ""
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: KubeDNS
  name: kube-dns
  namespace: kube-system
Infra
ACKBlockProcessNamespaceSharing
Rule description: Restricts the use of shareProcessNamespace in applications deployed in the specified scope of the cluster.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKEmptyDirHasSizeLimit
Rule description: Requires emptyDir volumes to specify sizeLimit.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
ACKLocalStorageRequireSafeToEvict
Rule description: Requires Pods deployed in the specified scope of the cluster to carry the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. During cluster auto scaling, Pods without this annotation are not evicted.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        # directory location on host
        path: /data
        # this field is optional
        type: Directory
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
ACKOSSStorageLocationConstraint
Rule description: Restricts deployments in the specified namespaces to Alibaba Cloud OSS volumes located in the specified regions.
Severity: low.
Parameters:
Parameter | Type | Description |
mode | string | Whether allowlist mode is used. Default value: … |
regions | array | List of the specified Alibaba Cloud region IDs. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
ACKPVSizeConstraint
Rule description: Limits the maximum disk capacity that PVs created in the cluster can request.
Severity: medium.
Parameters:
Parameter | Type | Description |
maxSize | string | Maximum disk capacity a PV can request. Default: 50 GiB. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "PersistentVolume" ]
  parameters:
    maxSize: "50Gi"
Allowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
Disallowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
ACKPVCConstraint
Rule description: Restricts the namespaces in which PVCs can be created (allowlist) and limits the maximum disk capacity a PVC can request.
Severity: medium.
Parameters:
Parameter | Type | Description |
maxSize | string | Maximum disk capacity a PVC can request. Default: 50 GiB. |
allowNamespaces | array | Allowlist of namespaces in which PVCs can be created. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "PersistentVolumeClaim" ]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
Disallowed:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
ACKBlockVolumeTypes
Rule description: Blocks the specified volume types for Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters:
Parameter | Type | Description |
volumes | array | List of the volume types that are blocked. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"
ASMSidecarInjectionEnforced
Rule description: Requires Pods to have the ASM sidecar injected.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ASMSidecarInjectionEnforced
metadata:
  name: asm-sidecar-injectionen-forced
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
    - name: istio-proxy
      image: xxx/proxyv2:xxx
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
K8s-general
ACKAllowedRepos
Rule description: Restricts application Pods deployed in the specified scope of the cluster from pulling images outside the allowlist of repositories.
Severity: high.
Parameters:
Parameter | Type | Description |
repos | array | Allowlist of permitted image repositories. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
ACKBlockAutoinjectServiceEnv
Rule description: Requires applications to set enableServiceLinks: false, which prevents Service IPs from being exposed in Pod environment variables.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
ACKBlockAutomountToken
Rule description: Requires applications to set the automountServiceAccountToken: false field, which prevents the service account token from being mounted automatically.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
ACKBlockEphemeralContainer
Rule description: Restricts application Pods in the specified scope of the cluster from starting ephemeral containers.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  ephemeralContainers:
    - name: test
      image: test
ACKBlockLoadBalancer
Rule description: Restricts the creation of LoadBalancer Services in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
restrictedNamespaces | array | Resources must not be deployed in the namespaces listed in this parameter. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
ACKBlockNodePort
Rule description: Restricts the use of NodePort Services in the specified scope of the cluster.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
ACKContainerLimits
Rule description: Requires application Pods in the specified scope of the cluster to configure resource limits.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Gi"
          cpu: "2000m"
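The following is an added example, not ACK's Rego templates: one Python evaluator for the three quantity-bounded rules on this page, ACKPVSizeConstraint, ACKPVCConstraint and ACKContainerLimits. All three rest on the same step, parsing a Kubernetes resource quantity ("500m", "20Gi", "1G") into a comparable number; comparing the strings instead is how "9Gi" ends up looking smaller than "50Gi". The defaults and sample manifests mirror the Constraints and examples above; the assumptions are that the ACKContainerLimits ceiling is taken from the cpu/memory parameters in its Constraint and that a container with no limits at all counts as a violation.

```python
"""Python evaluator (added example) for the page's PV, PVC and container-limit rules."""
import re
from fractions import Fraction
from typing import Dict, List, Sequence

# Kubernetes quantity suffixes: SI (k, M, G, T), binary (Ki..Ti) and milli (m).
_SCALE = {"": 1, "m": Fraction(1, 1000),
          "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)(m|k|M|G|T|Ki|Mi|Gi|Ti)?$")


def parse_quantity(q) -> Fraction:
    """Exact numeric value of a quantity string; raises ValueError on unknown forms."""
    m = _QTY.match(str(q).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    number, suffix = m.groups()
    return Fraction(number) * _SCALE[suffix or ""]


def pv_violations(pv: Dict, max_size: str = "50Gi") -> List[str]:
    """ACKPVSizeConstraint: spec.capacity.storage must not exceed maxSize."""
    name = pv["metadata"]["name"]
    storage = ((pv.get("spec") or {}).get("capacity") or {}).get("storage")
    if storage is None:
        return [f"PV {name}: no capacity.storage"]
    if parse_quantity(storage) > parse_quantity(max_size):
        return [f"PV {name}: capacity {storage} exceeds maxSize {max_size}"]
    return []


def pvc_violations(pvc: Dict, max_size: str = "50Gi",
                   allow_namespaces: Sequence[str] = ("test-gatekeeper",)) -> List[str]:
    """ACKPVCConstraint: namespace allowlist plus requests.storage ceiling."""
    out: List[str] = []
    name, ns = pvc["metadata"]["name"], pvc["metadata"].get("namespace")
    if ns not in allow_namespaces:
        out.append(f"PVC {ns}/{name}: namespace not in allowNamespaces")
    storage = (((pvc.get("spec") or {}).get("resources") or {}).get("requests") or {}).get("storage")
    if storage is None:
        out.append(f"PVC {ns}/{name}: no resources.requests.storage")
    elif parse_quantity(storage) > parse_quantity(max_size):
        out.append(f"PVC {ns}/{name}: request {storage} exceeds maxSize {max_size}")
    return out


def container_limit_violations(pod: Dict, cpu: str = "1000m", memory: str = "1Gi") -> List[str]:
    """ACKContainerLimits: every container needs cpu and memory limits within the ceiling."""
    out: List[str] = []
    ceilings = {"cpu": cpu, "memory": memory}
    for c in (pod.get("spec") or {}).get("containers") or []:
        limits = (c.get("resources") or {}).get("limits") or {}
        for res, cap in ceilings.items():
            if res not in limits:
                out.append(f"container {c['name']}: no {res} limit")
            elif parse_quantity(limits[res]) > parse_quantity(cap):
                out.append(f"container {c['name']}: {res} limit {limits[res]} exceeds {cap}")
    return out


# Constructed samples mirroring the page's Allowed / Disallowed manifests.
PV_OK = {"metadata": {"name": "pv-oss-csi"}, "spec": {"capacity": {"storage": "25Gi"}}}
PV_BAD = {"metadata": {"name": "pv-oss-csi-bad"}, "spec": {"capacity": {"storage": "500Gi"}}}
PVC_OK = {"metadata": {"name": "disk-pvc", "namespace": "test-gatekeeper"},
          "spec": {"resources": {"requests": {"storage": "20Gi"}}}}
PVC_BAD_SIZE = {"metadata": {"name": "bad-disk-pvc", "namespace": "test-gatekeeper"},
                "spec": {"resources": {"requests": {"storage": "200Gi"}}}}
PVC_BAD_NS = {"metadata": {"name": "bad-namespace-pvc", "namespace": "test-gatekeeper-bad"},
              "spec": {"resources": {"requests": {"storage": "20Gi"}}}}
POD_OK = {"spec": {"containers": [{"name": "test-container",
                                   "resources": {"limits": {"memory": "100Mi", "cpu": "500m"}}}]}}
POD_BAD = {"spec": {"containers": [{"name": "test-container",
                                    "resources": {"limits": {"memory": "100Gi", "cpu": "2000m"}}}]}}

if __name__ == "__main__":
    for label, result in [("PV_OK", pv_violations(PV_OK)), ("PV_BAD", pv_violations(PV_BAD)),
                          ("PVC_OK", pvc_violations(PVC_OK)), ("PVC_BAD_SIZE", pvc_violations(PVC_BAD_SIZE)),
                          ("PVC_BAD_NS", pvc_violations(PVC_BAD_NS)),
                          ("POD_OK", container_limit_violations(POD_OK)),
                          ("POD_BAD", container_limit_violations(POD_BAD))]:
        print(label, result or "allowed")
```

Fraction keeps the comparison exact across mixed units (a "1.5Gi" limit against a "1G" ceiling), which floating point would not guarantee at the boundary.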
ACKExternalIPs
Rule description: Restricts Services in the specified scope of the cluster from using externalIPs outside the allowlist.
Severity: high.
Parameters:
Parameter | Type | Description |
allowedIPs | array | Allowlist of external IP addresses that Services may use. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX
ACKImageDigests
Rule description: Restricts the deployment of images that are not referenced by digest in the specified scope of the cluster.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
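The following is an added example, not ACK's Rego templates: a Python re-implementation of the two image-reference rules ACKAllowedRepos (above) and ACKImageDigests. Both walk the same container lists, so one block serves both. The repo rule is a plain string-prefix test against the repos parameter, which is why the trailing "/acs/" in that Constraint matters: without it, "registry.cn-hangzhou.aliyuncs.com/acs-other/" would also pass. The digest rule demands an immutable "@sha256:<64 hex>" reference so that the image that was scanned is the image that runs. The sample Pods mirror the page's examples; the assumptions are that initContainers and ephemeralContainers are inspected too and that the digest pattern is limited to sha256.

```python
"""Python re-implementation (added example) of ACKAllowedRepos and ACKImageDigests."""
import re
from typing import Dict, Iterator, List, Sequence, Tuple

_DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")

# repos parameter copied from the ACKAllowedRepos Constraint on this page.
REPOS = ["registry-vpc.cn-hangzhou.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]


def iter_images(pod: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (list name, container name, image reference) for every container in the Pod."""
    spec = pod.get("spec") or {}
    for list_name in CONTAINER_LISTS:
        for c in spec.get(list_name) or []:
            yield list_name, c.get("name", "<unnamed>"), c.get("image", "")


def repo_violations(pod: Dict, repos: Sequence[str] = REPOS) -> List[str]:
    """ACKAllowedRepos: the image reference must start with one of the allowed prefixes."""
    return [f"{lst}/{name}: image {img} is not under an allowed repo"
            for lst, name, img in iter_images(pod)
            if not any(img.startswith(prefix) for prefix in repos)]


def digest_violations(pod: Dict) -> List[str]:
    """ACKImageDigests: the image reference must be pinned by a sha256 digest."""
    return [f"{lst}/{name}: image {img} is not pinned by digest"
            for lst, name, img in iter_images(pod) if not _DIGEST_REF.search(img)]


# Constructed sample Pods mirroring the page's examples.
POD_01 = {"spec": {
    "containers": [{"image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver", "name": "test-container-1"}],
    "initContainers": [{"image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver", "name": "test-container"}]}}
BAD_1 = {"spec": {
    "containers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container"}],
    "initContainers": [{"image": "k8s.gcr.io/test-webserver", "name": "test-container-3"}]}}
DIGEST_POD = {"spec": {"containers": [{
    "image": "openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b",
    "name": "test-container"}]}}
# Constructed: a sibling path that a prefix without the trailing slash would wrongly accept.
LOOKALIKE_POD = {"spec": {"containers": [
    {"image": "registry.cn-hangzhou.aliyuncs.com/acs-other/test-webserver", "name": "c"}]}}

if __name__ == "__main__":
    for label, pod in [("pod-01", POD_01), ("bad-1", BAD_1), ("lookalike", LOOKALIKE_POD)]:
        print(label, repo_violations(pod) or "repo ok")
    for label, pod in [("digest", DIGEST_POD), ("bad-1", BAD_1)]:
        print(label, digest_violations(pod) or "digest ok")
```

A tag such as ":1.0" says nothing about immutability, so digest_violations treats "image:tag" exactly like an untagged reference; only the "@sha256:" form passes.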
ACKRequiredLabels
Rule description: Requires Pods deployed in the specified scope of the cluster to carry the label defined by the allowedRegex parameter.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedRegex | string | Regular expression that label values must match. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    # message: ''
    labels:
      - key: test
        # value
        allowedRegex: "^test.*$"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
    - name: mycontainer
      image: redis
ACKRequiredProbes
Rule description: Requires Pods deployed in the specified scope of the cluster to configure readinessProbe and livenessProbe of the specified types.
Severity: medium.
Parameters:
Parameter | Type | Description |
probes | array | Probes that must be configured in the Pod, for example readinessProbe and livenessProbe. |
probeTypes | array | Probe types that must be used in the Pod, for example tcpSocket, httpGet, and exec. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
ACKCheckNginxPath
Rule description: Restricts dangerous configurations in the spec.rules[].http.paths[].path field of Ingress resources. Enabling this policy is recommended for Ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
ACKCheckNginxAnnotation
Rule description: Restricts dangerous configurations in the metadata.annotations field of Ingress resources. Enabling this policy is recommended for Ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
ACKBlockInternetLoadBalancer
Rule description: Restricts the creation of Internet-facing LoadBalancer Services.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]
Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: non-test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
RatifyVerification
Rule description: After you install the Ratify component from the app marketplace in the cluster, this rule verifies security metadata such as signatures or SBOMs of the images used by Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # Deploys a properly signed image.
      name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # Deploys an image that fails Ratify signature verification.
      name: test-container
PSP
ACKPSPAllowedUsers
Rule description: Restricts the user, group, supplementalGroups, and fsGroup that Pods deployed in the specified scope of the cluster may run as.
Severity: medium.
Parameters:
Parameter | Type | Description |
runAsUser | object | See the User configuration in the original PSP rules. Supports the rule type and the minimum and maximum UID. For more information, see Users and groups. |
runAsGroup | object | See the Group configuration in the original PSP rules. Supports the rule type and the minimum and maximum GID. For more information, see Users and groups. |
supplementalGroups | object | See the SupplementalGroups configuration in the original PSP rules. Supports the rule type and the minimum and maximum GID. For more information, see Users and groups. |
fsGroup | object | See the fsGroup configuration in the original PSP rules. Supports the rule type and the minimum and maximum GID. For more information, see Users and groups. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
    - image: test
      name: test
      securityContext:
        runAsUser: 150
        runAsGroup: 150
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPAllowPrivilegeEscalationContainer
Rule description: Restricts the allowPrivilegeEscalation parameter configured on Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPAppArmor
Rule description: Restricts the AppArmor configuration of Pods deployed in the specified scope of the cluster.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedProfiles | array | Whitelist of AppArmor profiles that containers may use, for example runtime/default. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
    - image: test
      name: test
  initContainers:
    - image: test
      name: test2
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
ACKPSPCapabilities
Rule description: Restricts the Linux capabilities configured on Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
allowedCapabilities | array | Whitelist of capabilities that may be added. |
requiredDropCapabilities | array | Capabilities that must be dropped. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        capabilities:
          add:
            - CHOWN
          drop:
            - "NET_ADMIN"
            - "SYS_ADMIN"
            - "NET_RAW"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
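The decision the ACKPSPCapabilities constraint makes, replayed in Python as an added example (this is not ACK's own Rego template or any code from the page). The Constraint parameters and the two Pods above are embedded as the parsed dict form of their YAML; a third Pod is constructed to show the "drop ALL" shortcut and a disallowed add in the same manifest. The handling of "*" in allowedCapabilities and "ALL" in a drop list is an assumption modelled on the upstream gatekeeper-library template that this rule replaces PSP with.

```python
"""Added illustration (not ACK's code): ACKPSPCapabilities evaluated over
the Constraint and Pods shown above, given here as parsed YAML (dicts).
Assumption: "*" in allowedCapabilities allows everything and "ALL" in a
drop list satisfies every requiredDropCapabilities entry, as in the
upstream gatekeeper-library capabilities template."""

# Parameters copied from the Constraint above.
PARAMS = {
    "allowedCapabilities": ["CHOWN"],
    "requiredDropCapabilities": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"],
}

# Pod good-4 from the Allowed example above.
GOOD_POD = {
    "metadata": {"name": "good-4", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{
        "image": "test", "name": "test",
        "securityContext": {"capabilities": {
            "add": ["CHOWN"],
            "drop": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]}},
    }]},
}

# Pod bad-1 from the Disallowed example above: no capabilities block at all.
BAD_POD = {
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{"image": "test", "name": "test"}]},
}

# Constructed: drops ALL (satisfies every required drop) but the app container
# also adds SYS_ADMIN, which is not in the allow list.
MIXED_POD = {
    "metadata": {"name": "constructed-mixed", "namespace": "test-gatekeeper"},
    "spec": {
        "initContainers": [{"image": "test", "name": "init",
                            "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
        "containers": [{"image": "test", "name": "app",
                        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"],
                                                             "drop": ["ALL"]}}}],
    },
}


def all_containers(pod):
    """Yield (list name, container) for init, regular and ephemeral containers;
    a check that only walks spec.containers misses the other two lists."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            yield kind, c


def check_capabilities(pod, params):
    """Return the list of violation messages; an empty list means admitted."""
    allowed = set(params.get("allowedCapabilities", []))
    required_drop = params.get("requiredDropCapabilities", [])
    violations = []
    for kind, c in all_containers(pod):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = set(caps.get("add", []))
        dropped = set(caps.get("drop", []))
        if "*" not in allowed:
            for cap in sorted(added - allowed):
                violations.append(f"{kind}/{c['name']}: added capability {cap} is not allowed")
        if "ALL" not in dropped:
            for cap in required_drop:
                if cap not in dropped:
                    violations.append(f"{kind}/{c['name']}: capability {cap} must be dropped")
    return violations


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, MIXED_POD):
        print(pod["metadata"]["name"], check_capabilities(pod, PARAMS) or "admitted")
```

The bad-1 Pod fails not because it adds anything but because it drops nothing: a container that omits securityContext keeps the runtime's default capability set, so "required drop" rules are what actually tighten the default.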
ACKPSPFlexVolumes
Rule description: Restricts the FlexVolume drivers that Pods deployed in the specified scope of the cluster may configure.
Severity: medium.
Parameters:
Parameter | Type | Description |
allowedFlexVolumes | array | List of FlexVolume drivers that may be configured. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes: #[]
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"
ACKPSPForbiddenSysctls
Rule description: Defines the sysctls that Pods deployed in the specified scope of the cluster are forbidden to set.
Severity: high.
Parameters:
Parameter | Type | Description |
forbiddenSysctls | array | List of sysctls forbidden in Pods. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
      # - "*" # * may be used to forbid all sysctls
      - "kernel.*"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'net.ipv4.tcp_syncookies'
        value: "65536"
  containers:
    - image: test
      name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'kernel.shm_rmid_forced'
        value: '1024'
  containers:
    - image: test
      name: test
ACKPSPFSGroup
Rule description: Restricts the fsGroup configuration of Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters:
Parameter | Type | Description |
rule | string | See the fsGroup configuration in the original PSP rules. Supports MustRunAs, MayRunAs, and RunAsAny. For more information, see Volumes and file systems. |
ranges | object | List of allowed GID ranges. Each entry contains the following values: min and max. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
      - min: 1
        max: 1000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
    - image: test
      name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
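ACKPSPAllowedUsers (earlier in this section) and ACKPSPFSGroup share one rule vocabulary: MustRunAs, MustRunAsNonRoot, MayRunAs and RunAsAny, each evaluated against min/max ranges. The following added example (not ACK's code; the Rego behind these kinds is not on the page) replays both constraints over the Pods from the two sections, embedded as the parsed dict form of their YAML, and adds a constructed Pod whose compliant Pod-level runAsUser is overridden to root by one container, the case a Pod-level-only check would miss. The rule semantics are an assumption taken from the original PodSecurityPolicy definitions the page refers to.

```python
"""Added illustration (not ACK's code): the range rules used by
ACKPSPAllowedUsers and ACKPSPFSGroup, replayed over the Constraints and
Pods from those two sections (parsed YAML as dicts).
Assumption: rule semantics follow the original PodSecurityPolicy
definitions (MustRunAs, MustRunAsNonRoot, MayRunAs, RunAsAny)."""

# Parameters from the ACKPSPAllowedUsers Constraint.
USERS_PARAMS = {f: {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]}
                for f in ("runAsUser", "runAsGroup", "supplementalGroups", "fsGroup")}
# Parameters from the ACKPSPFSGroup Constraint above.
FSGROUP_PARAMS = {"rule": "MayRunAs", "ranges": [{"min": 1, "max": 1000}]}

# Pods good2 / bad from the ACKPSPAllowedUsers examples.
USERS_GOOD = {"spec": {
    "securityContext": {"fsGroup": 150, "supplementalGroups": [150]},
    "containers": [{"image": "test", "name": "test",
                    "securityContext": {"runAsUser": 150, "runAsGroup": 150}}]}}
USERS_BAD = {"spec": {"containers": [{"image": "test", "name": "test"}]}}
# Constructed: Pod-level IDs are compliant, but one container overrides runAsUser with root.
USERS_OVERRIDE = {"spec": {
    "securityContext": {"runAsUser": 150, "runAsGroup": 150,
                        "fsGroup": 150, "supplementalGroups": [150]},
    "containers": [{"image": "test", "name": "app"},
                   {"image": "test", "name": "sidecar",
                    "securityContext": {"runAsUser": 0}}]}}
# Pods good / bad-1 from the ACKPSPFSGroup examples above.
FSGROUP_GOOD = {"spec": {"securityContext": {"fsGroup": 100},
                         "containers": [{"image": "test", "name": "test"}]}}
FSGROUP_BAD = {"spec": {"securityContext": {"fsGroup": 0},
                        "containers": [{"image": "test", "name": "test"}]}}


def in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_scalar(field, value, policy, run_as_non_root=False):
    """Evaluate one ID against a {rule, ranges} policy; None means compliant."""
    rule = policy.get("rule", "RunAsAny")
    if rule == "RunAsAny":
        return None
    if rule == "MustRunAsNonRoot":
        # Accept an explicit non-zero ID, or runAsNonRoot: true when the ID comes from the image.
        if value is None:
            return None if run_as_non_root else f"{field}: must be set, or runAsNonRoot must be true"
        return None if value != 0 else f"{field}: 0 (root) is not allowed"
    if value is None:
        return None if rule == "MayRunAs" else f"{field}: must be set"
    if not in_ranges(value, policy.get("ranges", [])):
        return f"{field}: {value} is outside the allowed ranges"
    return None


def check_list(field, values, policy):
    """supplementalGroups is a list: MustRunAs needs an entry, and every entry must be in range."""
    rule = policy.get("rule", "RunAsAny")
    if rule == "RunAsAny":
        return []
    if not values:
        return [f"{field}: must be set"] if rule == "MustRunAs" else []
    return [f"{field}: {v} is outside the allowed ranges"
            for v in values if not in_ranges(v, policy.get("ranges", []))]


def check_allowed_users(pod, params):
    """ACKPSPAllowedUsers: runAsUser/runAsGroup resolve per container (the container's
    securityContext wins over the Pod's); fsGroup and supplementalGroups are Pod-level only."""
    psc = pod["spec"].get("securityContext") or {}
    violations = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod["spec"].get(kind, []):
            csc = c.get("securityContext") or {}
            non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot", False))
            for field in ("runAsUser", "runAsGroup"):
                if field in params:
                    msg = check_scalar(field, csc.get(field, psc.get(field)), params[field], non_root)
                    if msg:
                        violations.append(f"{kind}/{c['name']}: {msg}")
    if "fsGroup" in params:
        msg = check_scalar("fsGroup", psc.get("fsGroup"), params["fsGroup"])
        if msg:
            violations.append(msg)
    if "supplementalGroups" in params:
        violations += check_list("supplementalGroups", psc.get("supplementalGroups"),
                                 params["supplementalGroups"])
    return violations


def check_fsgroup(pod, params):
    """ACKPSPFSGroup: the same scalar rule applied to spec.securityContext.fsGroup alone."""
    psc = pod["spec"].get("securityContext") or {}
    msg = check_scalar("fsGroup", psc.get("fsGroup"), params)
    return [msg] if msg else []
```

Note the asymmetry between the two page examples: with MustRunAs, the bad Pod of ACKPSPAllowedUsers fails simply by leaving every ID unset, whereas with MayRunAs an unset fsGroup is accepted and the ACKPSPFSGroup bad Pod fails only because it sets fsGroup to 0, below the configured minimum of 1.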
ACKPSPHostFilesystem
Rule description: Restricts the host directories that Pods deployed in the specified scope of the cluster may mount.
Severity: high.
Parameters:
Parameter | Type | Description |
allowedHostPaths | object | Whitelist of host paths. |
readOnly | boolean | Whether the path may only be mounted read-only. |
pathPrefix | string | Path prefix. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      volumeMounts:
        - name: test-volume
          mountPath: "/projected-volume"
          readOnly: true
  volumes:
    - name: test-volume
      hostPath:
        path: /foo
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
  volumes:
    - name: test-volume
      hostPath:
        path: /data
        type: File
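Two details decide whether a hostPath allow-list actually holds: a pathPrefix must match on whole path components ("/foo" must not admit "/foobar"), and readOnly: true on the allow-list entry must be enforced on every volumeMount that references the volume, since the volume itself carries no read-only flag. The added example below (not ACK's code) replays the ACKPSPHostFilesystem Constraint above over the two Pods from this section and three constructed Pods that probe exactly those edges. Component-wise matching, path normalisation before matching, and the per-mount readOnly check are assumptions about the intended semantics, not a description of the Rego ACK ships.

```python
"""Added illustration (not ACK's code): ACKPSPHostFilesystem prefix and
readOnly checks replayed over the Constraint and Pods above plus constructed
edge cases. Assumptions: prefixes match on whole path components, paths are
normalised before matching, and readOnly is enforced on every volumeMount
of a matching hostPath volume."""
import posixpath

# Parameters from the Constraint above.
PARAMS = {"allowedHostPaths": [{"readOnly": True, "pathPrefix": "/foo"}]}


def pod_with_hostpath(name, path, read_only=True):
    """Constructed helper: one container mounting one hostPath volume at /projected-volume."""
    return {
        "metadata": {"name": name, "namespace": "test-gatekeeper"},
        "spec": {
            "containers": [{"image": "test", "name": "test",
                            "volumeMounts": [{"name": "test-volume",
                                              "mountPath": "/projected-volume",
                                              "readOnly": read_only}]}],
            "volumes": [{"name": "test-volume", "hostPath": {"path": path}}],
        },
    }


GOOD_POD = pod_with_hostpath("good1", "/foo")          # the Allowed Pod above
BAD_POD = pod_with_hostpath("bad", "/data")            # the Disallowed Pod above (mount added)
SIBLING_POD = pod_with_hostpath("constructed-sibling", "/foobar")      # string prefix, not a subpath
TRAVERSAL_POD = pod_with_hostpath("constructed-dotdot", "/foo/../etc")  # normalises to /etc
WRITABLE_POD = pod_with_hostpath("constructed-rw", "/foo/sub", read_only=False)


def path_has_prefix(path, prefix):
    """True when path is prefix itself or lies below it, compared on normalised components."""
    path = posixpath.normpath(path)
    prefix = posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def check_host_paths(pod, params):
    """Return violation messages for every hostPath volume; empty list means admitted."""
    allowed = params.get("allowedHostPaths", [])
    # Index volumeMounts by volume name across all container lists.
    mounts = {}
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod["spec"].get(kind, []):
            for m in c.get("volumeMounts", []):
                mounts.setdefault(m["name"], []).append(m)
    violations = []
    for vol in pod["spec"].get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:
            continue
        matches = [a for a in allowed if path_has_prefix(hp["path"], a["pathPrefix"])]
        if not matches:
            violations.append(f"volume {vol['name']}: hostPath {hp['path']} is not under an allowed prefix")
            continue
        # The volume may be mounted writable only if some matching entry permits it.
        if all(a.get("readOnly", False) for a in matches):
            for m in mounts.get(vol["name"], []):
                if not m.get("readOnly", False):
                    violations.append(f"volume {vol['name']}: mount at {m['mountPath']} must be readOnly")
    return violations


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, SIBLING_POD, TRAVERSAL_POD, WRITABLE_POD):
        print(pod["metadata"]["name"], check_host_paths(pod, PARAMS) or "admitted")
```

A naive `path.startswith(prefix)` would admit the /foobar Pod; comparing on components closes that gap, and normalising first keeps a ".." segment in the manifest from escaping the allowed directory in the comparison.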
ACKPSPHostNamespace
Rule description: Restricts whether Pods deployed in the specified scope of the cluster may share host namespaces.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKPSPHostNetworkingPorts
Rule description: Restricts the use of the host network and of specified host ports by Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
hostNetwork | boolean | Whether Pods may share the host network. |
min | int | Minimum hostPort value that may be used. |
max | int | Maximum hostPort value that may be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      ports:
        - hostPort: 80
          containerPort: 80
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
      ports:
        - hostPort: 8080
          containerPort: 8080
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      ports:
        - hostPort: 22
          containerPort: 22
ACKPSPPrivilegedContainer
Rule description: Restricts the launching of privileged containers in Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never
ACKPSPProcMount
Rule description: Restricts the proc mount types allowed for Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
procMount | string | The proc mount type. The following types can be configured: Default and Unmasked. For details, see AllowedProcMountTypes. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        procMount: "Default"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        procMount: "Unmasked"
  initContainers:
    - image: test
      name: test2
ACKPSPReadOnlyRootFilesystem
Rule description: Restricts Pods deployed in the specified scope of the cluster to a read-only root file system.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: true
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: false
  initContainers:
    - image: test
      name: test2
ACKPSPSeccomp
Rule description: Restricts Pods deployed in the specified scope of the cluster to the specified seccomp profiles.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedProfileTypes | array | Whitelist of allowed seccomp profile types. |
allowedProfiles | array | Allowed seccomp profiles. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
      # - Unconfined
      - RuntimeDefault
      - Localhost
    allowedProfiles:
      - runtime/default
      - docker/default
      - localhost/profiles/audit.json
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
  initContainers:
    - image: test
      name: test2
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
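The two parameter lists above describe the same thing in two notations: allowedProfileTypes uses the securityContext.seccompProfile.type values (RuntimeDefault, Localhost, Unconfined), while allowedProfiles uses the older string form ("runtime/default", "docker/default", "localhost/<path>"). The added example below (not ACK's code) folds the string form into the typed form, resolves the effective profile per container (container securityContext over Pod securityContext), and treats a Pod with no profile anywhere as Unconfined, which is why the bad Pod above is rejected. Those folding rules, and the requirement that a Localhost profile's path be listed (or "localhost/*"), are assumptions about the intended semantics; the page does not show the Rego.

```python
"""Added illustration (not ACK's code): ACKPSPSeccomp replayed over the
Constraint and Pods above (parsed YAML as dicts) plus constructed cases.
Assumptions: "runtime/default" and "docker/default" fold to RuntimeDefault,
"unconfined" to Unconfined, "localhost/<path>" to Localhost with that path;
a Localhost profile needs its path listed (or "localhost/*"); a container
with no profile at either level is treated as Unconfined."""

# Parameters from the Constraint above.
PARAMS = {
    "allowedProfileTypes": ["RuntimeDefault", "Localhost"],
    "allowedProfiles": ["runtime/default", "docker/default", "localhost/profiles/audit.json"],
}

AUDIT = {"type": "Localhost", "localhostProfile": "profiles/audit.json"}
# Pod good from the Allowed example above.
GOOD_POD = {"spec": {
    "containers": [{"image": "test", "name": "test", "securityContext": {"seccompProfile": AUDIT}}],
    "initContainers": [{"image": "test", "name": "test2", "securityContext": {"seccompProfile": AUDIT}}]}}
# Pod bad from the Disallowed example above: no seccomp profile at all.
BAD_POD = {"spec": {"containers": [{"image": "test", "name": "test"}]}}
# Constructed: compliant Pod-level profile, but one container opts out with Unconfined.
OPT_OUT_POD = {"spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"image": "test", "name": "app"},
                   {"image": "test", "name": "debug",
                    "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}
# Constructed: Localhost is an allowed type, but this profile file is not listed.
OTHER_FILE_POD = {"spec": {"containers": [{
    "image": "test", "name": "test",
    "securityContext": {"seccompProfile": {"type": "Localhost",
                                           "localhostProfile": "profiles/other.json"}}}]}}


def allowed_sets(params):
    """Fold allowedProfiles strings into the typed form and collect allowed localhost paths."""
    types = set(params.get("allowedProfileTypes", []))
    localhost_paths = set()
    for p in params.get("allowedProfiles", []):
        if p in ("runtime/default", "docker/default"):
            types.add("RuntimeDefault")
        elif p == "unconfined":
            types.add("Unconfined")
        elif p.startswith("localhost/"):
            types.add("Localhost")
            localhost_paths.add(p[len("localhost/"):])
    return types, localhost_paths


def check_seccomp(pod, params):
    """Return violation messages per container; empty list means admitted."""
    types, localhost_paths = allowed_sets(params)
    pod_profile = (pod["spec"].get("securityContext") or {}).get("seccompProfile")
    violations = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod["spec"].get(kind, []):
            # The container-level profile overrides the Pod-level one; absence means Unconfined.
            profile = ((c.get("securityContext") or {}).get("seccompProfile")
                       or pod_profile or {"type": "Unconfined"})
            ptype = profile.get("type")
            if ptype not in types:
                violations.append(f"{kind}/{c['name']}: seccomp profile type {ptype} is not allowed")
            elif ptype == "Localhost":
                path = profile.get("localhostProfile", "")
                if path not in localhost_paths and "*" not in localhost_paths:
                    violations.append(f"{kind}/{c['name']}: seccomp profile localhost/{path} is not allowed")
    return violations


if __name__ == "__main__":
    for name, pod in (("good", GOOD_POD), ("bad", BAD_POD),
                      ("opt-out", OPT_OUT_POD), ("other-file", OTHER_FILE_POD)):
        print(name, check_seccomp(pod, PARAMS) or "admitted")
```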
ACKPSPSELinuxV2
Rule description: Requires Pods deployed in the specified scope of the cluster to use the SELinux configuration specified in the allowedSELinuxOptions parameter.
Severity: low.
Parameters:
Parameter | Type | Description |
allowedSELinuxOptions | object | Whitelist of allowed SELinux configurations. For more information, see SELinuxOptions v1 core. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
    - image: test
      name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c455"
ACKPSPVolumeTypes
Rule description: Restricts the volume types that Pods deployed in the specified scope of the cluster may use.
Severity: low.
Parameters:
Parameter | Type | Description |
volumes | array | List of allowed volume types. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    volumes:
      # - "*" # * may be used to allow all volume types
      - configMap
      # - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      # - hostPath #required for allowedHostPaths
      - flexVolume #required for allowedFlexVolumes
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/oss"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
  volumes:
    - name: test-volume
      hostPath:
        path: /data