Libreria di modelli del vincolo

I modelli di vincolo consentono di definire il funzionamento di un vincolo, ma delegano la definizione le specifiche del vincolo per un individuo o un gruppo oggetto dell'oggetto competenza. Oltre a separare i problemi, viene separata anche la logica del vincolo dalla sua definizione.

Tutti i vincoli contengono una sezione match, che definisce gli oggetti a cui si applica un vincolo. Per informazioni dettagliate su come configurare questa sezione, consulta la sezione sulla corrispondenza dei vincoli.

Non tutti i modelli di vincoli sono disponibili per tutte le versioni di Policy Controller e i modelli possono variare da una versione all'altra. Utilizza i seguenti link per confrontare i vincoli delle versioni supportate:

Link alle versioni supportate di questa pagina

Per assicurarti di ricevere l'assistenza completa, ti consigliamo di utilizzare un vincolo modelli da un versione supportata di Policy Controller.

Per aiutarti a vedere come funzionano i modelli di vincolo, ogni modello include un vincolo di esempio e una risorsa che lo viola.

Modelli di vincoli disponibili

Modello di vincolo Descrizione Referenziale
AllowedServicePortName Richiede che i nomi delle porte dei servizi abbiano un prefisso di un elenco specificato. No
AsmAuthzPolicyDefaultDeny Applica il criterio AuthorizationPolicy di rifiuto predefinito a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
AsmAuthzPolicyDisallowedPrefix Richiede che le entità e gli spazi dei nomi nelle regole "AuthorizationPolicy" di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
AsmAuthzPolicyEnforceSourcePrincipals Richiede che Istio AuthorizationPolicy "from" se definito, ha principi di origine, che devono essere impostati su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
AsmAuthzPolicyNormalization Applica la normalizzazione di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/reference/config/security/normalization/. No
AsmAuthzPolicySafePattern Applica i pattern sicuri di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. No
AsmIngressgatewayLabel Applica l'utilizzo dell'etichetta istio ingressgateway solo ai pod ingressgateway. No
AsmPeerAuthnMeshStrictMtls Applica la verifica dell'autenticazione peer mTLS restrittiva a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
AsmPeerAuthnStrictMtls L'applicazione di tutte le autenticazioni peer non può sovrascrivere mTLS restrittivo. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. No
AsmRequestAuthnProhibitedOutputHeaders In RequestAuthentication, applica il campo "jwtRules.outPayloadToHeader" in modo che non contenga intestazioni di richieste HTTP ben note o intestazioni personalizzate non consentite. Riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. No
AsmSidecarInjection L'applicazione forzata del sidecar del proxy Istio è sempre stato inserito nei pod dei carichi di lavoro. No
DestinationRuleTLSEnabled Vieta la disattivazione di TLS per tutti gli host e i sottoinsiemi di host in Istio DestinationRules. No
DisallowedAuthzPrefix Richiede che le entità e gli spazi dei nomi nelle regole "AuthorizationPolicy" di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
GCPStorageLocationConstraintV1 Limita i "locations" consentiti per le risorse del connettore di configurazione StorageBucket all'elenco di località fornito nel vincolo. I nomi dei bucket nell'elenco "esenzioni" sono esenti. No
GkeSpotVMTerminationGrace Richiede che i pod e i modelli di pod con "nodeSelector" o "nodeAfffinty" di "gke-spot" abbiano un valore "terminationGracePeriodSeconds" di massimo 15 secondi.
K8sAllowedRepos Richiede che le immagini container inizino con una stringa dell'elenco specificato. No
K8sAvoidUseOfSystemMastersGroup Non consente l'uso di "system:masters" gruppo. Non ha alcun effetto durante l'audit. No
K8sBlockAllIngress Non consente la creazione di oggetti Ingress (tipi "Ingress", "Gateway" e "Service" di "NodePort" e "LoadBalancer"). No
K8sBlockCreationWithDefaultServiceAccount Non consente la creazione di risorse utilizzando un account di servizio predefinito. Non ha alcun effetto durante il controllo. No
K8sBlockEndpointEditDefaultRole Molte installazioni di Kubernetes per impostazione predefinita hanno un sistema system:aggregate-to-edit ClusterRole che non limita correttamente l'accesso alla modifica degli endpoint. Questo modello di vincolo impedisce al ruolo ClusterRole system:aggregate-to-edit di concedere l'autorizzazione per creare/eseguire patch/aggiornare gli endpoint. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa di CVE-2021-25740, Endpoint & Le autorizzazioni EndpointSlice consentono l'inoltro cross-Namespace, https://github.com/kubernetes/kubernetes/issues/103675 No
K8sBlockLoadBalancer Non sono consentiti tutti i servizi di tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer No
K8sBlockNodePort Non sono consentiti tutti i servizi di tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport No
K8sBlockObjectsOfType Non sono consentiti oggetti di tipi vietati. No
K8sBlockProcessNamespaceSharing Proibisce le specifiche dei pod con "shareProcessNamespace" impostato su "true". Questo evita scenari in cui tutti i container in un pod condividono uno spazio dei nomi PID e possono accedere reciprocamente al file system e alla memoria degli altri. No
K8sBlockWildcardIngress Gli utenti non devono essere in grado di creare ingressi con un nome host vuoto o jolly (*), in quanto ciò consentirebbe loro di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a questi servizi. No
K8sContainerEphemeralStorageLimit Richiede che per i container sia impostato un limite di spazio di archiviazione temporaneo e limita il limite ai valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sContainerLimits Richiede che i container abbiano limiti di memoria e CPU impostati e limita i limiti in modo che rientrino nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sContainerRatios Imposta un rapporto massimo per i limiti delle risorse dei container rispetto alle richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sContainerRequests Richiede che i container abbiano richieste di memoria e CPU impostate e limita le richieste a rientrare nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sDisallowAnonymous Non consente l'associazione di risorse ClusterRole e Role a system:anonymous user e system:unauthenticated group. No
K8sDisallowedRepos Repository di contenitori non consentiti che iniziano con una stringa dell'elenco specificato. No
K8sDisallowedRoleBindingSubjects Vieta RoleBinding o ClusterRoleBindings con soggetti corrispondenti a qualsiasi "disallowedSubjects" passato come parametro. No
K8sDisallowedTags Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names No
K8sEmptyDirHasSizeLimit Richiede che tutti i volumi "emptyDir" specifichino un "sizeLimit". Facoltativamente, nel vincolo è possibile specificare un parametro "maxSizeLimit" per specificare un limite di dimensioni massimo consentito. No
K8sEnforceCloudArmorBackendConfig Applica la configurazione di Cloud Armor sulle risorse BackendConfig No
K8sEnforceConfigManagement Richiede la presenza e il funzionamento di Config Management. I vincoli che utilizzano questo "ConstraintTemplate" saranno solo di controllo, indipendentemente dal valore di "enforcementAction".
K8sExternalIP Limita gli IP esterni del servizio a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips No
K8sHorizontalPodAutoscaler Non consentire i seguenti scenari durante il deployment di "HorizontalPodAutoscalers" 1. Deployment di HorizontalPodAutoscaler con ".spec.minReplicas" o ".spec.maxReplicas" al di fuori degli intervalli definiti nel vincolo 2. Deployment di HorizontalPodAutoscaler in cui la differenza tra ".spec.minReplicas" e ".spec.maxReplicas" è inferiore al valore configurato "minimumReplicaSpread" 3. Deployment di HorizontalPodAutoscaler che non fanno riferimento a un "scaleTargetRef" valido (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet).
K8sHttpsOnly Richiede che le risorse Ingress siano solo HTTPS. Le risorse Ingress devono includere l'annotazione "kubernetes.io/ingress.allow-http", impostata su "false". Per impostazione predefinita è richiesta una configurazione TLS {} valida, che può essere resa facoltativa impostando il parametro "tlsOptional" su "true". https://kubernetes.io/docs/concepts/services-networking/ingress/#tls No
K8sImageDigests Richiede che le immagini container contengano un digest. https://kubernetes.io/docs/concepts/containers/images/ No
K8sLocalStorageRequireSafeToEvict Richiede che i pod che utilizzano lo spazio di archiviazione locale ("emptyDir" o "hostPath") abbiano l'annotazione ""cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Il gestore della scalabilità automatica del cluster non eliminerà i pod senza questa annotazione. No
K8sMemoryRequestEqualsLimit Promuove la stabilità dei pod richiedendo che tutti i container la memoria richiesta equivale esattamente al limite di memoria, per cui i pod non si trovano mai in uno stato in cui l'utilizzo della memoria supera la quantità richiesta. In caso contrario, Kubernetes può terminare i pod che richiedono memoria aggiuntiva se questa è necessaria sul nodo. No
K8sNoEnvVarSecrets Vieta l'utilizzo dei secret come variabili di ambiente nelle definizioni dei container del pod. Utilizza invece i file secret montati nei volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod No
K8sNoExternalServices Vieta la creazione di risorse note che espongono i carichi di lavoro a IP esterni. Sono incluse le risorse Istio Gateway e le risorse Kubernetes Ingress. Inoltre, i servizi Kubernetes non sono consentiti, a meno che non soddisfino i seguenti criteri: Qualsiasi servizio di tipo "LoadBalancer" in Google Cloud deve avere un'annotazione "cloud.google.com/load-balancer-type": "Internal". Qualsiasi servizio di tipo "LoadBalancer" in AWS deve avere un'annotazione "service.beta.kubernetes.io/aws-load-balancer-internal: "true". Tutti gli "IP esterni" (esterni al cluster) associati al servizio devono essere membri di un intervallo di CIDR interni come specificato nella limitazione. No
K8sPSPAllowPrivilegeEscalationContainer Controlli che limitano l'escalation ai privilegi root. Corrisponde al campo "allowPrivilegeEscalation" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation No
K8sPSPAllowedUsers Consente di controllare gli ID utente e gruppo del container e alcuni volumi. Corrisponde ai campi "runAsUser", "runAsGroup", "supplementalGroups" e "fsGroup" in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups No
K8sPSPAppArmor Configura una lista consentita di profili AppArmor da utilizzare per i container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, consulta https://kubernetes.io/docs/tutorials/clusters/apparmor/ No
K8sPSPAutomountServiceAccountTokenPod Controlla la possibilità di qualsiasi pod di attivare automountServiceAccountToken. No
K8sPSPCapabilities Controlla le funzionalità Linux sui container. Corrisponde ai campi "allowedCapabilities" e "requiredDropCapabilities" in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities No
K8sPSPFSGroup Controlla l'allocazione di un gruppo FS che possiede i volumi del pod. Corrisponde al campo "fsGroup" in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPFlexVolumes Controlla la lista consentita dei driver FlexVolume. Corrisponde al campo "allowedFlexVolumes" in PodSecurityPolicy. Per saperne di più, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers No
K8sPSPForbiddenSysctls Controlla il profilo "sysctl" utilizzato dai container. Corrisponde ai campi "allowedUnsafeSysctls" e "forbiddenSysctls" in un PodSecurityPolicy. Se specificato, qualsiasi sysctl non presente nel parametro "allowedSysctls" è considerato vietato. Il parametro "forbiddenSysctls" ha la precedenza sul parametro "allowedSysctls". Per ulteriori informazioni, vedi https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ No
K8sPSPHostFilesystem Consente di controllare l'utilizzo del file system host. Corrisponde al campo "allowedHostPaths" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPHostNamespace Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei container di pod. Corrisponde ai campi "hostPID" e "hostIPC" in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces No
K8sPSPHostNetworkingPorts Controlla l'utilizzo dello spazio dei nomi della rete host da parte dei container di pod. È necessario specificare porte specifiche. Corrisponde ai campi "hostNetwork" e "hostPorts" in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces No
K8sPSPPrivilegedContainer Controlla la capacità di qualsiasi contenitore di attivare la modalità con privilegi. Corrisponde al campo "privileged" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged No
K8sPSPProcMount Controlla i tipi di "procMount" consentiti per il contenitore. Corrisponde al campo "allowedProcMountTypes" in un PodSecurityPolicy. Per ulteriori informazioni, consulta la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes No
K8sPSPReadOnlyRootFilesystem Richiede l'utilizzo di un file system radice di sola lettura da parte dei container di pod. Corrisponde al campo "readOnlyRootFilesystem" in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPSELinuxV2 Definisce una lista consentita di configurazioni seLinuxOptions per i container di pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux No
K8sPSPSeccomp Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione "seccomp.security.alpha.kubernetes.io/allowedProfileNames" su un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp No
K8sPSPVolumeTypes Limita i tipi di volumi montabili a quelli specificati dall'utente. Corrisponde al campo "volumes" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPProcesso dell'host Windows Limita l'esecuzione di container/pod HostProcess Windows. Vedi https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ per ulteriori informazioni. No
K8sPodDisruptionBudget Non consentire i seguenti scenari durante il deployment di PodDisruptionBudget o risorse che implementano la risorsa secondaria di replica (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment di PodDisruptionBudget con .spec.maxUnavailable == 0 2. Deployment di PodDisruptionBudget con .spec.minAvailable == .spec.replicas della risorsa con la risorsa secondaria di replica. Ciò impedirà ai PodDisruptionBudget di bloccare interruzioni volontarie come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
K8sPodResourcesBestPractices Richiede che i container non siano best effort (impostando le richieste di CPU e memoria) e che seguano le best practice per le risorse burstable (la richiesta di memoria deve essere esattamente uguale al limite). Facoltativamente, è possibile configurare le chiavi di annotazione per consentire di saltare le varie convalide. No
K8sPodsRequireSecurityContext Richiede tutti i pod per definire securityContext. Richiede che tutti i container definiti nei pod abbiano un SecurityContext definito a livello di pod o container. No
K8sProhibitRoleWildcardAccess Richiede che Role e ClusterRoles non impostino l'accesso alle risorse su un carattere jolly ""*"' valore ad eccezione dei ruoli Role e ClusterRole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, ad esempio "*/status". No
K8sReplicaLimits Richiede che gli oggetti con il campo "spec.replicas" (Deployment, ReplicaSet e così via) specifichino un numero di repliche all'interno di intervalli definiti. No
K8sRequireBinAuthZ Richiede l'webhook di ammissione con convalida di Autorizzazione binaria. I vincoli che utilizzano questo "ConstraintTemplate" verranno sottoposti a controllo solo indipendentemente dal valore di "enforcementAction".
K8sRequireCosNodeImage Impone l'utilizzo di Container-Optimized OS di Google sui nodi. No
K8sRequireDaemonsets Richiede la presenza dell'elenco di daemonset specificati.
K8sRequireDefaultDenyEgressPolicy Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy predefinito per il traffico in uscita.
K8sRequireNamespaceNetworkPolicies Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy.
K8sRequireValidRangesForNetworks Applica i blocchi CIDR consentiti per il traffico in entrata e in uscita dalla rete. No
K8sRequiredAnnotations Richiede che le risorse contengano annotazioni specificate, con valori corrispondenti alle espressioni regolari fornite. No
K8sRequiredLabels Richiede che le risorse contengano etichette specificate, con valori corrispondenti alle espressioni regolari fornite. No
K8sRequiredProbes Richiede che i pod dispongano di probe di idoneità e/o di attività. No
K8sRequiredResources Richiede un set di risorse definite per i container. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sRestrictAutomountServiceAccountTokens Limita l'utilizzo dei token degli account di servizio. No
K8sRestrictLabels Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica. No
K8sRestrictNamespaces Impedisce alle risorse di utilizzare gli spazi dei nomi elencati sotto il parametro restrictedNamespaces. No
K8sRestrictNfsUrls Non consente alle risorse di contenere URL NFS, a meno che non sia specificato. No
K8sRestrictRbacSubjects Limita l'uso dei nomi nei soggetti RBAC ai valori consentiti. No
K8sRestrictRoleBindings Limita i soggetti specificati in ClusterRoleBindings e RoleBinding a un elenco di soggetti consentiti. No
K8sRestrictRoleRules Limita le regole che possono essere impostate sugli oggetti Role e ClusterRole. No
K8sStorageClass Richiede la specifica delle classi di archiviazione quando viene utilizzato. È supportato solo Gatekeeper 3.9 e versioni successive.
K8sUniqueIngressHost Richiede che tutti gli host delle regole Ingress siano univoci. Non gestisce i caratteri jolly per i nomi host: https://kubernetes.io/docs/concepts/services-networking/ingress/
K8sUniqueServiceSelector Richiede che i servizi abbiano selettori univoci all'interno di uno spazio dei nomi. I selettori sono considerati uguali se hanno chiavi e valori identici. I selettori possono condividere una coppia chiave-valore, purché ci sia almeno una coppia chiave-valore distinta tra loro. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
NoUpdateServiceAccount Blocca l'aggiornamento dell'account di servizio nelle risorse che eseguono l'astrazione dei pod. Questo criterio viene ignorato in modalità di controllo. No
PolicyStrictOnly Richiede che TLS reciproco Istio "STRICT" sia sempre specificato quando si utilizza [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). Questo vincolo garantisce inoltre che le risorse [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) e MeshPolicy deprecate applichino TLS reciproco "STRICT". Vedi: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh No
RestrictNetworkExclusions Controlla quali porte in entrata, porte in uscita e intervalli IP in uscita possono essere esclusi dalla cattura della rete Istio. Porte e intervalli IP che ignorano Istio le acquisizioni di rete non sono gestite dal proxy Istio e non sono soggette alle Autenticazione, criterio di autorizzazione e altre funzionalità di Istio mTLS. Questo vincolo può essere utilizzato per applicare limitazioni all'utilizzo delle seguenti annotazioni: * `traffic.sidecar.istio.io/excludeInboundPorts` * `traffic.sidecar.istio.io/excludeOutboundPorts` * `traffic.sidecar.istio.io/excludeOutboundIPRanges` Visita la pagina https://istio.io/latest/docs/reference/config/annotations/. Quando limiti gli intervalli IP in uscita, il vincolo calcola se è stato escluso Gli intervalli IP corrispondono o sono un sottoinsieme delle esclusioni di intervalli IP consentite. Quando utilizzi questo vincolo, tutte le porte in entrata, le porte in uscita e gli intervalli IP in uscita devono essere sempre inclusi impostando le annotazioni "include" corrispondenti su "*" o lasciandole non impostate. L'impostazione di una delle seguenti opzioni annotazioni a elementi diversi da ""*"" non sono consentite: * `traffic.sidecar.istio.io/includeInputPorts` * `traffic.sidecar.istio.io/includeOutboundPorts` * `traffic.sidecar.istio.io/includeOutboundIPRanges` Questo vincolo consente sempre di escludere la porta 15020 perché il file collaterale Istio l'injector lo aggiunge sempre a "traffic.sidecar.istio.io/excludedEntryPorts" in modo che possa essere utilizzata per il controllo di integrità. No
SourceNotAllAuthz Richiede che le regole Istio AuthorizationPolicy abbiano entità di origine impostate su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
VerifyDeprecatedAPI Verifica le API Kubernetes deprecate per garantire che tutte le versioni dell'API siano aggiornate. Questo modello non si applica ai controlli perché l'audit esamina le risorse già presenti nel cluster con versioni API non deprecate. No

AllowedServicePortName

Nomi porte di servizio consentiti v1.0.1

Richiede che i nomi delle porte dei servizi abbiano un prefisso di un elenco specificato.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

Esempi

port-name-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
Consentito
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
  - name: http-helloport
    port: 5000
  selector:
    app: helloworld
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
  - name: foo-helloport
    port: 5000
  selector:
    app: helloworld
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld

AsmAuthzPolicyDefaultDeny

ASM AuthorizationPolicy Default Deny v1.0.4

Applica il criterio di negazione predefinito a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "AuthorizationPolicy"

Esempi

asm-authz-policy-default-deny-with-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
asm-authz-policy-default-deny-no-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST

AsmAuthzPolicyDisallowedPrefix

Prefissi non consentiti di AuthorizationPolicy di ASM v1.0.2

Richiede che i principali e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
    disallowedNamespacePrefixes:
      - <string>
    # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
    disallowedPrincipalPrefixes:
      - <string>

Esempi

asm-authz-policy-disallowed-prefix-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
    - bad-ns-prefix
    - worse-ns-prefix
    disallowedPrincipalPrefixes:
    - bad-principal-prefix
    - worse-principal-prefix
Consentito
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/worse-principal-prefix-sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyEnforceSourcePrincipals

Entità dell'applicazione di AuthorizationPolicy ASM v1.0.2

Richiede che Istio AuthorizationPolicy "from" se definito, ha principi di origine, che devono essere impostati su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

asm-authz-policy-enforce-source-principals-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Consentito
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyNormalization

Normalizzazione di AuthorizationPolicy ASM v1.0.2

Applica la normalizzazione di AuthorizationPolicy. Riferimento a https://istio.io/latest/docs/reference/config/security/normalization/.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

asm-authz-policy-normalization-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Consentito
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - get
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Ag ent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test\/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicySafePattern

Pattern sicuri di ASM AuthorizationPolicy v1.0.3

Applica i pattern sicuri di AuthorizationPolicy. Riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-permissions-policy-patterns.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Esempi

asm-authz-policy-safe-pattern-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High
Consentito
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

AsmIngressgatewayLabel

Etichetta gateway di ingresso ASM v1.0.3

Applica l'utilizzo dell'etichetta istio ingressgateway solo ai pod ingressgateway.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

asm-ingressgateway-label-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

AsmPeerAuthnMeshStrictMtls

ASM Peer Authentication Mesh Strict mTLS v1.0.4

Applica la verifica dell'autenticazione peer mTLS restrittiva a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'uso, devi abilitare i vincoli referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "PeerAuthentication"

Esempi

asm-peer-authn-mesh-strict-mtls-with-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

AsmPeerAuthnStrictMtls

Autenticazione peer ASM mTLS restrittiva v1.0.3

L'applicazione forzata di tutte le PeerAuthentications non può sovrascrivere i file mtl rigorosi. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Esempi

asm-peer-authn-strict-mtls-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High
Consentito
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

AsmRequestAuthnProhibitedOutputHeaders

Intestazioni di output vietate per l'autenticazione della richiesta ASM v1.0.2

In RequestAuthentication, assicurati che il campo jwtRules.outPayloadToHeader non contenga intestazioni di richiesta HTTP ben note o intestazioni vietate personalizzate. Fai riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>

Esempi

asm-request-authn-prohibited-output-headers-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header
Consentito
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

AsmSidecarInjection

Iniezione sidecar ASM versione 1.0.2

L'applicazione forzata del sidecar del proxy Istio è sempre stato inserito nei pod dei carichi di lavoro.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Esempi

asm-sidecar-injection-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High
Consentito
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

DestinationRuleTLSEnabled

Regola di destinazione TLS abilitata v1.0.1

Non è consentito disabilitare TLS per tutti gli host e i sottoinsiemi di host in destinationRules di Istio.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

dr-tls-enabled
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
Operazione non consentita
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE

DisallowedAuthzPrefix

Disallow Istio AuthorizationPolicy Prefixes v1.0.2

Richiede che i principali e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

Esempi

disallowed-authz-prefix-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
Consentito
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

Vincolo di località di archiviazione Google Cloud v1.0.2

Limita i valori locations consentiti per le risorse del connettore di configurazione StorageBucket all'elenco di posizioni fornito nel vincolo. I nomi dei bucket nell'elenco exemptions sono esenti.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

Esempi

singapore-and-jakarta-only
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
Consentito
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
Operazione non consentita
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

GkeSpotVMTerminationGrace

Limita la terminazioneGracePeriodSeconds per le VM spot GKE v1.1.2

Richiede i pod e i modelli di pod con nodeSelector o nodeAfffinty di gke-spot per avere un valore terminationGracePeriodSeconds di 15 o inferiore.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
    # of 15s or less for all `Pod` on a `gke-spot` Node.
    includePodOnSpotNodes: <boolean>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Node"

Esempi

spotvm-termination-grace
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: spotvm-termination-grace
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    includePodOnSpotNodes: true
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

K8sAllowedRepos

Allowed Repositories v1.0.0

Richiede che le immagini container inizino con una stringa dell'elenco specificato.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Esempi

repo-is-openpolicyagent
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sAvoidUseOfSystemMastersGroup

Non consentire l'uso di "system:masters" gruppo v1.0.0

Non consente l'uso di "system:masters" gruppo. Non ha alcun effetto durante il controllo.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>

Esempi

avoid-use-of-system-masters-group
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group
Consentito
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockAllIngress

Block all Ingress v1.0.2

Non consente la creazione di oggetti Ingress (tipi Ingress, Gateway e Service di NodePort e LoadBalancer).

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>

Esempi

block-all-ingress
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*
Consentito
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

K8sBlockCreationWithDefaultServiceAccount

Blocca la creazione con l'account di servizio predefinito v1.0.2

Non consente la creazione di risorse utilizzando un account di servizio predefinito. Non ha alcun effetto durante il controllo.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

block-creation-with-default-serviceaccount
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun
Consentito
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockEndpointEditDefaultRole

Ruolo predefinito per la modifica degli endpoint di blocco v1.0.0

Molte installazioni di Kubernetes hanno per impostazione predefinita un ruolo ClusterRole system:aggregate-to-edit che non limita correttamente l'accesso alla modifica degli endpoint. Questo ConstraintTemplate impedisce a system:aggregate-to-edit ClusterRole di concedere l'autorizzazione per creare/patch/aggiornare endpoint. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa di CVE-2021-25740, Endpoint & Le autorizzazioni EndpointSlice consentono l'inoltro cross-Namespace, https://github.com/kubernetes/kubernetes/issues/103675

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

block-endpoint-edit-default-role
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

K8sBlockLoadBalancer

Blocca servizi con tipo LoadBalancer v1.0.0

Non consente tutti i servizi di tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

block-load-balancer
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Consentito
apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer

K8sBlockNodePort

Block NodePort v1.0.0

Non consente tutti i servizi di tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

porta-nodo-blocco
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockObjectsOfType

Blocca oggetti di tipo v1.0.1

Non sono consentiti oggetti di tipi vietati.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
      - <string>

Esempi

block-secrets-of-type-basic-auth
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth
Consentito
apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque
Operazione non consentita
apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth

K8sBlockProcessNamespaceSharing

Blocca condivisione spazio dei nomi processo v1.0.1

Vieta le specifiche dei pod con shareProcessNamespace impostato su true. In questo modo si evitano scenari in cui tutti i container di un pod condividono uno spazio dei nomi PID e possono accedere al file system e alla memoria l'uno dell'altro.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

block-process-namespace-sharing
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sBlockWildcardIngress

Blocca Ingress con caratteri jolly v1.0.1

Gli utenti non devono essere in grado di creare ingressi con un nome host vuoto o jolly (*), in quanto ciò consentirebbe loro di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a questi servizi.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

block-wildcard-ingress
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Consentito
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

K8sContainerEphemeralStorageLimit

Limite di archiviazione temporanea dei container v1.0.1

Richiede che per i container sia impostato un limite di spazio di archiviazione temporaneo e limita il limite ai valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

container-ephemeral-storage-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

K8sContainerLimits

Container Limits v1.0.0

Richiede l'impostazione di limiti di memoria e CPU per i container e vincola i limiti in modo che rientrino nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

Esempi

container-must-have-limits
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

Rapporti container v1.0.0

Imposta un rapporto massimo per i limiti delle risorse dei container rispetto alle richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

Esempi

container-must-meet-ratio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

K8sContainerRequests

Container Requests v1.0.0

Richiede che i container abbiano richieste di memoria e CPU impostate e limita le richieste a rientrare nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>

Esempi

container-must-have-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

K8sDisallowAnonymous

Disallow Anonymous Access v1.0.0

Non consente l'associazione di risorse ClusterRole e Role all'utente system:anonymous e al gruppo system:unauthenticated.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
      - <string>

Esempi

non anonimo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedRepos

Repository non consentiti versione 1.0.0

Repository di contenitori non consentiti che iniziano con una stringa dell'elenco specificato.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
      - <string>

Esempi

repo-must-not-be-k8s-gcr-io
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

K8sDisallowedRoleBindingSubjects

Oggetti di associazione di ruoli non consentiti v1.0.1

Vieta RoleBindings o ClusterRoleBinding con oggetti corrispondenti a qualsiasi disallowedSubjects passato come parametri.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

Esempi

soggetti-associazione-ruolo-non-consentiti
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

Disallow tags v1.0.0

Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

Esempi

container-image-must-not-have-latest-tag
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor

K8sEmptyDirHasSizeLimit

La directory vuota ha un limite di dimensioni v1.0.3

Richiede che tutti i volumi emptyDir specifichino un sizeLimit. Facoltativamente, è possibile fornire un parametro maxSizeLimit nel vincolo per specificare un limite di dimensioni massimo consentito.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
      - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

Esempi

empty-dir-has-size-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sEnforceCloudArmorBackendConfig

Applica Cloud Armor sulle risorse BackendConfig v1.0.2

Applica la configurazione di Cloud Armor alle risorse BackendConfig

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

enforce-cloudarmor-backendconfig
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun
Consentito
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy
Operazione non consentita
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5

K8sEnforceConfigManagement

Enforce Config Management versione 1.1.4

Richiede la presenza e il funzionamento di Config Management. I vincoli che utilizzano questo valore ConstraintTemplate verranno controllati solo indipendentemente dal valore di enforcementAction.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"

Esempi

enforce-config-management
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement
Consentito
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true
Operazione non consentita
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2

K8sExternalIPs

Indirizzi IP esterni v1.0.0

Limita gli indirizzi IP esterni del servizio a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

Esempi

external-ips
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
Consentito
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHorizontalPodAutoscaler

Horizontal Pod Autoscaler versione 1.0.1

Non consentire i seguenti scenari durante il deployment di HorizontalPodAutoscalers 1. Deployment di HorizontalPodAutoscaler con .spec.minReplicas o .spec.maxReplicas al di fuori degli intervalli definiti nel vincolo 2. Deployment di HorizontalPodAutoscaler in cui la differenza tra .spec.minReplicas e .spec.maxReplicas è inferiore al valore minimumReplicaSpread 3 configurato. Deployment di HorizontalPodAutoscaler che non fanno riferimento a un valore scaleTargetRef valido (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet).

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'uso, devi abilitare i vincoli referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "Deployment"
      OR
      - group: "apps"
        version: "v1"
        kind: "StatefulSet"

Esempi

horizontal-pod-autoscaler
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3
Consentito
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Operazione non consentita
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sHttpsOnly

Solo HTTPS v1.0.1

Richiede che le risorse Ingress siano solo HTTPS. Le risorse in entrata devono includere l'annotazione kubernetes.io/ingress.allow-http, impostata su false. Per impostazione predefinita è richiesta una configurazione TLS {} valida, che può essere resa facoltativa impostando il parametro tlsOptional su true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>

Esempi

Solo https in entrata
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Consentito
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
ingress-https-only-tls-optional
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true
Consentito
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sImageDigests

Digest di immagini v1.0.0

Richiede che le immagini container contengano un digest. https://kubernetes.io/docs/concepts/containers/images/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

container-image-must-have-digest
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

K8sLocalStorageRequireSafeToEvict

Lo spazio di archiviazione locale richiede Safe to Evict 1.0.1

Richiede che i pod che utilizzano lo spazio di archiviazione locale (emptyDir o hostPath) abbiano l'annotazione "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Il gestore della scalabilità automatica del cluster non eliminerà i pod senza questa annotazione.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

local-storage-require-safe-to-evict
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system
Consentito
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

Richiesta di memoria uguale al limite v1.0.3

Promuove la stabilità dei pod richiedendo che tutti i container la memoria richiesta equivale esattamente al limite di memoria, per cui i pod non si trovano mai in uno stato in cui l'utilizzo della memoria supera la quantità richiesta. Altrimenti, Kubernetes può terminare i pod che richiedono memoria aggiuntiva se è necessaria memoria sul nodo.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
      - <string>

Esempi

container-must-request-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

No Environment Variable Secrets v1.0.1

Vieta l'utilizzo dei secret come variabili di ambiente nelle definizioni dei container del pod. Utilizza invece i file secret montati nei volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

no-secrets-as-env-vars-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

Nessun servizio esterno v1.0.1

Proibisce la creazione di risorse note che espongono i carichi di lavoro a IP esterni. Sono incluse le risorse Istio Gateway e Kubernetes Ingress. Inoltre, i servizi Kubernetes non sono consentiti, a meno che non soddisfino i seguenti criteri: Qualsiasi servizio di tipo LoadBalancer in Google Cloud deve avere un'annotazione "cloud.google.com/load-balancer-type": "Internal". Qualsiasi servizio di tipo LoadBalancer in AWS deve avere un'annotazione service.beta.kubernetes.io/aws-load-balancer-internal: "true. Tutti gli "IP esterni" (esterni al cluster) associati al servizio devono essere membri di un intervallo di CIDR interni come specificato nella limitazione.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

Esempi

no-external
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
Consentito
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
no-external-aws
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS
Consentito
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer

K8sPSPAllowPrivilegeEscalationContainer

Consenti l'escalation dei privilegi nel contenitore v1.0.1

Controlli che limitano l'escalation ai privilegi root. Corrisponde al campo allowPrivilegeEscalation in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

psp-allow-privilege-escalation-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

Utenti consentiti v1.0.1

Controlla gli ID utente e gruppo del contenitore e di alcuni volumi. Corrisponde ai campi runAsUser, runAsGroup, supplementalGroups e fsGroup in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

Esempi

psp-pods-allowed-user-ranges
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

App Armor v1.0.0

Configura una lista consentita di profili AppArmor da utilizzare per i container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, vedi https://kubernetes.io/docs/tutorials/clusters/apparmor/

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

psp-apparmor
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
Consentito
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPAutomountServiceAccountTokenPod

Token dell'account di servizio con montaggio automatico per pod v1.0.1

Controlla la possibilità di qualsiasi pod di attivare automountServiceAccountToken.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Esempi

psp-automount-serviceaccount-token-pod
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

Funzionalità K8sPSP

Capabilities v1.0.1

Controlla le funzionalità di Linux nei contenitori. Corrisponde ai campi allowedCapabilities e requiredDropCapabilities in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

Esempi

capabilities-demo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

Gruppo FS v1.0.1

Controlli che alloca un FSGroup proprietario dei volumi del pod. Corrisponde al campo fsGroup in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

Esempi

psp-fsgroup
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

FlexVolumes v1.0.1

Controlla la lista consentita dei driver FlexVolume. Corrisponde al campo allowedFlexVolumes in PodSecurityPolicy. Per saperne di più, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

Esempi

psp-flexvolume-drivers
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

Istruzioni sysctl vietate v1.1.2

Controlla il profilo sysctl utilizzato dai contenitori. Corrisponde ai campi allowedUnsafeSysctls e forbiddenSysctls in un PodSecurityPolicy. Se specificato, qualsiasi sysctl non incluso nel parametro allowedSysctls è considerato vietato. Il parametro forbiddenSysctls ha la precedenza sul parametro allowedSysctls. Per ulteriori informazioni, consulta https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
      - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

Esempi

psp-forbidden-sysctls
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"

K8sPSPFile system host

File system host v1.0.1

Controlla l'utilizzo del file system dell'host. Corrisponde al campo allowedHostPaths in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

Esempi

psp-host-filesystem
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

K8sPSPHostNamespace

Host Namespace v1.0.1

Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei contenitori dei pod. Corrisponde ai campi hostPID e hostIPC in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Esempi

psp-host-namespace-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Porte di rete host v1.0.1

Controlla l'utilizzo dello spazio dei nomi di rete dell'host da parte dei container dei pod. È necessario specificare porte specifiche. Corrisponde ai campi hostNetwork e hostPorts in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

Esempi

psp-host-network-ports-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

Privileged Container v1.0.1

Consente di controllare la capacità di qualsiasi container di abilitare la modalità con privilegi. Corrisponde al campo privileged in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

psp-privileged-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

PSPProcMount

Proc Mount v1.0.2

Controlla i tipi di procMount consentiti per il contenitore. Corrisponde al campo allowedProcMountTypes in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

Esempi

montaggio-proc-psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

File system di root di sola lettura versione 1.0.1

Richiede l'utilizzo di un file system radice di sola lettura da parte dei container di pod. Corrisponde al campo readOnlyRootFilesystem in un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

psp-readonlyrootfilesystem
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

SELinux V2 v1.0.1

Definisce una lista consentita di configurazioni seLinuxOptions per i container dei pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

psp-selinux-v2
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Seccomp versione 1.0.0

Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione seccomp.security.alpha.kubernetes.io/allowedProfileNames su un PodSecurityPolicy. Per ulteriori informazioni, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allows all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
      - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Esempi

psp-seccomp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default
Consentito
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPVolumeTypes

Tipi di volume v1.0.1

Limita i tipi di volumi montabili a quelli specificati dall'utente. Corrisponde al campo volumes in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

Esempi

psp-volume-types
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPSPWindowsHostProcess

Limita container / pod Windows HostProcess. v1.0.0

Limita l'esecuzione di container/pod HostProcess Windows. Per ulteriori informazioni, consulta la pagina https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

restrict-windows-hostprocess
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM

K8sPodDisruptionBudget

Budget di interruzione dei pod (PDB) v1.0.3

Non consentire i seguenti scenari durante il deployment di PodDisruptionBudget o risorse che implementano la risorsa secondaria di replica (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment di PodDisruptionBudget con .spec.maxUnavailable == 0 2. Deployment di PodDisruptionBudget con .spec.minAvailable == .spec.replicas della risorsa con risorsa secondaria replica. In questo modo, i PodDisruptionBudget non bloccheranno le interruzioni volontarie come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:

spec:
  sync:
    syncOnly:
      - group: "policy"
        version: "v1"
        kind: "PodDisruptionBudget"

Esempi

pod-distruption-budget
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
Consentito
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3
Operazione non consentita
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment

K8sPodResourcesBestPractices

Richiede i container non secondo il criterio del "best effort" e seguendo le best practice di burstable v1.0.4

Richiede che i container non seguano il criterio del "best effort" (impostando le richieste di CPU e memoria) e seguano le best practice per la burstaggio (la richiesta di memoria deve essere esattamente uguale al limite). Facoltativamente, è possibile configurare le chiavi di annotazione per consentire di saltare le varie convalide.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>

Esempi

gke-pod-resources-best-practices
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi

K8sPodsRequireSecurityContext

I pod richiedono un contesto di sicurezza v1.1.1

Richiede tutti i pod per definire securityContext. Richiede che per tutti i container definiti nei pod sia definito un SecurityContext a livello di pod o container.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>

Esempi

pods-require-security-context-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Proibisci accesso ruolo jolly v1.0.4

Richiede che Role e ClusterRoles non impostino l'accesso alle risorse su un carattere jolly """" valore ad eccezione dei ruoli Role e ClusterRole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, ad esempio '"/status"'.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set  resource access to a wildcard.
    exemptions:
      clusterRoles:
        - # name <string>: The name of the ClusterRole to be exempted.
          name: <string>
          # regexMatch <boolean>: The flag to allow a regular expression
          # based match on the name.
          regexMatch: <boolean>
      roles:
        - # name <string>: The name of the Role to be exempted.
          name: <string>
          # namespace <string>: The namespace of the Role to be exempted.
          namespace: <string>

Esempi

prohibit-role-wildcard-access-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
prohibit-wildcard-except-exempted-cluster-role
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

Replica Limits v1.0.1

Richiede che gli oggetti con il campo spec.replicas (Deployment, ReplicaSet e così via) specifichino un numero di repliche all'interno di intervalli definiti.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Esempi

replica-limits
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3
Consentito
apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Operazione non consentita
apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireBinAuthZ

Richiede Autorizzazione binaria 1.0.2

Richiede l'webhook di ammissione con convalida di Autorizzazione binaria. I vincoli che utilizzano questo ConstraintTemplate verranno sottoposti a controllo indipendentemente dal valore di enforcementAction.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Esempi

require-binauthz
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
Consentito
apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None
Operazione non consentita
apiVersion: v1
kind: Namespace
metadata:
  name: default

K8sRequireCosNodeImage

Richiedi l'immagine del nodo COS 1.1.1

Applica sui nodi l'utilizzo di Container-Optimized OS da Google.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
      - <string>

Esempi

nodes-have-consistent-time
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*
Consentito
apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian
apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS
Operazione non consentita
apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0

K8sRequireDaemonsets

Daemonset obbligatori v1.1.1

Richiede la presenza dell'elenco dei daemonset specificati.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
      - # name <string>: The name of the required daemonset.
        name: <string>
        # namespace <string>: The namespace for the required daemonset.
        namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'uso, devi abilitare i vincoli referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "DaemonSet"
      OR
      - group: "apps"
        version: "v1beta2" OR "v1"
        kind: "DaemonSet"

Esempi

require-daemonset
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true
Consentito
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs
Operazione non consentita
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"

K8sRequireDefaultDenyEgressPolicy

Richiedi criterio di negazione predefinito in uscita v1.0.3

Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy predefinito per il traffico in uscita.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Esempi

require-default-deny-network-policies
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun
Consentito
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
Operazione non consentita
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

K8sRequireNamespaceNetworkPolicies

Richiedi criteri di rete dello spazio dei nomi 1.0.4

Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'uso, devi abilitare i vincoli referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Esempi

require-namespace-network-policies-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun
Consentito
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example
Operazione non consentita
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequireValidRangesForNetworks

Richiedi intervalli validi per le reti v1.0.2

Applica i blocchi CIDR consentiti per il traffico in entrata e in uscita dalla rete.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
      - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
      - <string>

Esempi

require-valid-network-ranges
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24
Consentito
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

K8sRequiredAnnotations

Annotazioni obbligatorie v1.0.0

Richiede che le risorse contengano annotazioni specificate, con valori corrispondenti alle espressioni regolari fornite.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required annotation.
        key: <string>
    message: <string>

Esempi

all-must-have-certain-set-of-annotations
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Consentito
apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

Etichette obbligatorie v1.0.0

Richiede che le risorse contengano etichette specificate, con valori corrispondenti alle espressioni regolari fornite.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required label.
        key: <string>
    message: <string>

Esempi

all-must-have-owner
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username
Consentito
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace
Operazione non consentita
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Required Probes v1.0.1

Richiede che i pod dispongano di probe di idoneità e/o di attività.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
      - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
      - <string>

Esempi

must-have-probes
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

K8sRequiredResources

Risorse richieste v1.0.1

Richiede un set di risorse definite per i container. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # limits <array>: A list of limits that should be enforced (`cpu`,
    # `memory`, or both).
    limits:
      # Allowed Values: cpu, memory
      - <string>
    # requests <array>: A list of requests that should be enforced (`cpu`,
    # `memory`, or both).
    requests:
      # Allowed Values: cpu, memory
      - <string>

Esempi

container-must-have-limits-and-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}
no-enforcements
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: no-enforcements
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

K8sRestrictAutomountServiceAccountTokens

Restrict Service Account Tokens v1.0.1

Limita l'utilizzo dei token degli account di servizio.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

restrict-serviceaccounttokens
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount

K8sRestrictLabels

Limita etichette v1.0.2

Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

Esempi

restrict-label-example
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

Restrict Namespaces v1.0.1

Impedisce alle risorse di utilizzare gli spazi dei nomi elencati sotto il parametro restrictedNamespaces.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

Esempi

restrict-default-namespace-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default
Consentito
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNfsUrls

Limita URL NFS versione 1.0.1

Non consente alle risorse di contenere URL NFS se non specificato.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
      - <string>

Esempi

restrict-label-example
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

K8sRestrictRbacSubjects

Restrict RBAC Subjects v1.0.3

Limita l'utilizzo dei nomi negli oggetti RBAC ai valori consentiti.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
      - # name <string>: The exact-name or the pattern of the allowed subject
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>

Esempi

restrict-rbac-subjects
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@system.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@google.com$
      regexMatch: true
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user@google.com
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1@example.com
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2@example.com

K8sRestrictRoleBindings

Limita associazioni ruoli v1.0.2

Limita i soggetti specificati in ClusterRoleBindings e RoleBindings a un elenco di soggetti consentiti.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject which is matched exactly as
        # provided as well as based on a regular expression.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

Esempi

restrict-clusteradmin-rolebindings-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

K8sRestrictRoleRules

Limita le regole di Role e ClusterRole. v1.0.3

Limita le regole che possono essere impostate sugli oggetti Role e ClusterRole.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be allowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be disallowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
        - # name <string>: Name is the name or a pattern of the ClusterRole
          # to be exempted.
          name: <string>
          # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
          # regex match of the ClusterRole name.
          regexMatch: <boolean>
      roles:
        - # name <string>: Name is the name of the Role to be exempted.
          name: <string>
          # namespace <string>: Namespace is the namespace of the Role to be
          # exempted.
          namespace: <string>

Esempi

restrict-pods-exec
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
Consentito
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'

K8sStorageClass

StorageClass v1.1.1

Richiede la specifica delle classi di archiviazione quando viene utilizzato. È supportato solo Gatekeeper 3.9 e versioni successive.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    #  If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
      - <string>
    includeStorageClassesInMessage: <boolean>

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:

spec:
  sync:
    syncOnly:
      - group: "storage.k8s.io"
        version: "v1"
        kind: "StorageClass"

Esempi

storageclass
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true
Consentito
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
Operazione non consentita
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
allowed-storageclass
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true
Consentito
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo
Operazione non consentita
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

K8sUniqueIngressHost

Host univoco Ingress v1.0.3

Richiede che tutti gli host delle regole Ingress siano univoci. Non gestisce i caratteri jolly per i nomi host: https://kubernetes.io/docs/concepts/services-networking/ingress/

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'uso, devi abilitare i vincoli referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "Ingress"
      OR
      - group: "networking.k8s.io"
        version: "v1beta1" OR "v1"
        kind: "Ingress"

Esempi

host-in-ingresso-univoco
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Consentito
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sUniqueServiceSelector

Selettore di servizi univoci 1.0.2

Richiede che i servizi abbiano selettori univoci all'interno di uno spazio dei nomi. I selettori sono considerati uguali se hanno chiavi e valori identici. I selettori possono condividere una coppia chiave/valore purché esista almeno una coppia chiave/valore distinta tra di loro. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Vincolo referenziale

Questo vincolo è referenziale. Prima dell'uso, devi abilitare i vincoli referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.

Il criterio Config di Policy Controller richiederà una voce syncOnly simile a:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Service"

Esempi

unique-service-selector
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
Consentito
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

NoUpdateServiceAccount

Blocca l'aggiornamento dell'account di servizio v1.0.0

Blocca l'aggiornamento dell'account di servizio nelle risorse che eseguono l'astrazione dei pod. Questo criterio viene ignorato in modalità di controllo.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
      - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
      - <string>

Esempi

no-update-kube-system-service-account
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []
Consentito
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1

PolicyStrictOnly

Richiedi il criterio mTLS Istio STRICT v1.0.3

Richiede che il protocollo TLS reciproca di STRICT Istio sia sempre specificato quando si utilizza PeerAuthentication. Questo vincolo garantisce inoltre che le risorse Policy e MeshPolicy deprecate applichino il protocollo TLS reciproco STRICT. Vedi: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

peerauthentication-strict-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default
Consentito
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT
deprecated-policy-strict-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
Consentito
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT
Operazione non consentita
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

RestrictNetworkExclusions

Limita le esclusioni di rete v1.0.2

Controlla quali porte in entrata, porte in uscita e intervalli IP in uscita possono essere escluso dall'acquisizione della rete Istio. Porte e intervalli IP che ignorano Istio le acquisizioni di rete non sono gestite dal proxy Istio e non sono soggette alle Autenticazione, criterio di autorizzazione e altre funzionalità di Istio mTLS. Questo vincolo può essere utilizzato per applicare limitazioni all'uso del le seguenti annotazioni:

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

Consulta la pagina https://istio.io/latest/docs/reference/config/annotations/.

Quando limiti gli intervalli IP in uscita, il vincolo calcola se è stato escluso Gli intervalli IP corrispondono o sono un sottoinsieme delle esclusioni di intervalli IP consentite.

Quando si utilizza questo vincolo, tutte le porte in entrata, le porte in uscita e gli IP in uscita devono essere sempre inclusi impostando il parametro "include" corrispondente annotazioni "*" o se non vengono impostate. L'impostazione di una delle seguenti opzioni annotazioni a elementi diversi da "*" non consentite:

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

Questo vincolo consente sempre di escludere la porta 15020 perché l'iniettore sidecar Istio la aggiunge sempre all'annotazione traffic.sidecar.istio.io/excludeInboundPorts in modo che possa essere utilizzata per il controllo di integrità.

Schema del vincolo

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedInboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
    allowedInboundPortExclusions:
      - <string>
    # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
    # constraint calculates whether excluded IP ranges match or are a subset of
    # the ranges in this list.
    allowedOutboundIPRangeExclusions:
      - <string>
    # allowedOutboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
    allowedOutboundPortExclusions:
      - <string>

Esempi

restrict-network-exclusions
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"
Consentito
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

SourceNotAllAuthz

Non sono richieste tutte le origini Istio AuthorizationPolicy v1.0.1

Richiede che le regole AuthorizationPolicy di Istio abbiano entità di origine impostate su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

Esempi

vincolo-authz-sourcenotall
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Consentito
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

VerifyDeprecatedAPI

Verifica le API deprecate v1.0.0

Verifica le API Kubernetes deprecate per garantire che tutte le versioni dell'API siano aggiornate. Questo modello non si applica al controllo, in quanto quest'ultimo esamina le risorse già presenti nel cluster con versioni API non ritirate.

Schema dei vincoli

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Constraint match section of the
  # Anthos Config Management documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # k8sVersion <number>: kubernetes version
    k8sVersion: <number>
    # kvs <array>: Deprecated api versions and corresponding kinds
    kvs:
      - # deprecatedAPI <string>: deprecated api
        deprecatedAPI: <string>
        # kinds <array>: impacted list of kinds
        kinds:
          - <string>
        # targetAPI <string>: target api
        targetAPI: <string>

Esempi

verify-1.16
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1
Consentito
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Operazione non consentita
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
verify-1.22
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1
Consentito
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
verify-1.25
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1
Consentito
apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
Operazione non consentita
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
verify-1.26
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
Consentito
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
Operazione non consentita
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
verifica-1,27
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1
Consentito
apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard
Operazione non consentita
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
  namespace: default
storageClassName: standard
verificare-1,29
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Consentito
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
Operazione non consentita
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

Passaggi successivi