制約テンプレートを使用すると、制約がどのように機能するかを定義できますが、制約の詳細な定義は、制約に関する専門知識を持つ個人またはグループに委任できます。懸念事項を分離することに加え、このことは制約のロジックをその定義からも分離します。
すべての制約には match
セクションが含まれます。このセクションでは、制約が適用されるオブジェクトを定義します。このセクションの構成方法については、制約の match セクションをご覧ください。
すべての制約テンプレートが、Policy Controller のすべてのバージョンで利用できるわけではありません。テンプレートはバージョンによって異なる可能性があります。サポート対象バージョンの制約を比較するには、以下のリンクを使用します。
このページのサポート対象バージョンへのリンク
完全なサポートを確実に受けるためには、Policy Controller のサポート対象バージョンの制約テンプレートを使用することをおすすめします。
制約テンプレートの機能を示すため、各テンプレートには制約の例と、制約に違反するリソースが含まれています。
使用可能な制約テンプレート
制約テンプレート | 説明 | 参照 |
---|---|---|
AllowedServicePortName | サービスポート名には、指定されたリストの接頭辞が必要です。 | × |
AsmAuthzPolicyDefaultDeny | メッシュレベルのデフォルト拒否 AuthorizationPolicy を適用します。https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns をご覧ください。 | ○ |
AsmAuthzPolicyDisallowedPrefix | Istio AuthorizationPolicy ルールのプリンシパルと Namespace に、指定されたリストの接頭辞が含まれないようにします。 https://istio.io/latest/docs/reference/config/security/authorization-policy/ | × |
AsmAuthzPolicyEnforceSourcePrincipals | Istio AuthorizationPolicy の from フィールドが定義されている場合、参照元は * 以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/ | × |
AsmAuthzPolicyNormalization | AuthorizationPolicy normalization を適用します。https://istio.io/latest/docs/reference/config/security/normalization/ をご覧ください。 | × |
AsmAuthzPolicySafePattern | AuthorizationPolicy の安全なパターンを適用します。https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns をご覧ください。 | × |
AsmIngressgatewayLabel | ingressgateway Pod にのみ Istio ingressgateway ラベルの使用を適用します。 | × |
AsmPeerAuthnMeshStrictMtls | メッシュレベルの厳格な mtls PeerAuthentication を適用します。https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls をご覧ください。 | ○ |
AsmPeerAuthnStrictMtls | すべての PeerAuthentication が厳格な mtls を上書きできないようにします。https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls をご覧ください。 | × |
AsmRequestAuthnProhibitedOutputHeaders | RequestAuthentication の jwtRules.outPayloadToHeader フィールドに、既知の HTTP リクエスト ヘッダーやカスタムの禁止ヘッダーが含まれないようにします。https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule をご覧ください。 | × |
AsmSidecarInjection | ワークロード Pod に常に Istio プロキシ サイドカーが挿入されるようにします。 | × |
DestinationRuleTLSEnabled | Istio DestinationRules 内のすべてのホストとホスト サブセットに対する TLS の無効化を禁止します。 | × |
DisallowedAuthzPrefix | Istio AuthorizationPolicy ルールのプリンシパルと Namespace に、指定されたリストの接頭辞が含まれないようにします。 https://istio.io/latest/docs/reference/config/security/authorization-policy/ | × |
GCPStorageLocationConstraintV1 | StorageBucket Config Connector リソースに許可される locations を、制約で指定されたロケーションのリストに制限します。exemptions リストにあるバケット名は対象外です。 | × |
GkeSpotVMTerminationGrace | gke-spot の nodeSelector または nodeAfffinty を持つ Pod と Pod テンプレートの terminationGracePeriodSeconds が 15 秒以下である必要があります。 | ○ |
K8sAllowedRepos | コンテナ イメージは、指定されたリストにある文字列で開始する必要があります。 | × |
K8sAvoidUseOfSystemMastersGroup | system:masters グループの使用を禁止します。監査中は無効です。 | × |
K8sBlockAllIngress | Ingress オブジェクト(Ingress、Gateway、Service タイプの NodePort と LoadBalancer)の作成を禁止します。 | × |
K8sBlockCreationWithDefaultServiceAccount | デフォルトのサービス アカウントを使用したリソースの作成を禁止します。監査中は無効です。 | × |
K8sBlockEndpointEditDefaultRole | Kubernetes インストール環境の多くは、デフォルトで system:aggregate-to-edit ClusterRole を使用しているため、Endpoints の編集アクセスが適切に制限されません。この ConstraintTemplate は、system:aggregate-to-edit ClusterRole が Endpoints の作成 / パッチ / 更新の権限を付与することを禁止しています。CVE-2021-25740 のため、ClusterRole/system:aggregate-to-edit で Endpoint 編集権限を許可してはなりません。Endpoint 権限と EndpointSlice 権限は、Namespace 間の転送を許可します(https://github.com/kubernetes/kubernetes/issues/103675)。 | × |
K8sBlockLoadBalancer | LoadBalancer タイプのすべての Service を禁止します。 https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | × |
K8sBlockNodePort | NodePort タイプを持つすべての Service を禁止します。https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | × |
K8sBlockObjectsOfType | 禁止されたタイプのオブジェクトを禁止します。 | × |
K8sBlockProcessNamespaceSharing | shareProcessNamespace が true に設定されている Pod 仕様を禁止します。これにより、Pod 内のすべてのコンテナが PID Namespace を共有し、互いのファイルシステムおよびメモリにアクセス可能な状況を回避できます。 | × |
K8sBlockWildcardIngress | ブランクまたはワイルドカード(*)のホスト名を使用して、Ingress を作成できないようにする必要があります。ホスト名は、クラスタ内の他のサービスにアクセスできない場合でも、クラスタ内の他のサービスのトラフィックをインターセプトできます。 | × |
K8sContainerEphemeralStorageLimit | コンテナにエフェメラル ストレージの上限を設定し、上限が指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | × |
K8sContainerLimits | コンテナにメモリと CPU の上限を設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | × |
K8sContainerRatios | コンテナ リソースの上限に対するリクエストの最大比率を設定します。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | × |
K8sContainerRequests | コンテナにメモリと CPU のリクエストを設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | × |
K8sDisallowAnonymous | ClusterRole リソースと Role リソースを system:anonymous ユーザーと system:unauthenticated グループに関連付けることはできません。 | × |
K8sDisallowedRepos | 指定されたリストの文字列で始まるコンテナ リポジトリは許可されません。 | × |
K8sDisallowedRoleBindingSubjects | パラメータとして渡された disallowedSubjects に一致するサブジェクトを持つ RoleBindings または ClusterRoleBindings を禁止します。 | × |
K8sDisallowedTags | コンテナ イメージには、指定されたリストとは異なるイメージタグが必要です。 https://kubernetes.io/docs/concepts/containers/images/#image-names | × |
K8sEmptyDirHasSizeLimit | emptyDir ボリュームで sizeLimit を指定する必要があります。必要に応じて、制約に maxSizeLimit パラメータを指定して、許容できるサイズ上限の最大値を指定できます。 | × |
K8sEnforceCloudArmorBackendConfig | BackendConfig リソースに Cloud Armor の構成を適用します | × |
K8sEnforceConfigManagement | 構成管理のプレゼンスとオペレーションを必須にします。この ConstraintTemplate を使用する制約については、enforcementAction 値に関係なく監査のみ実施されます。 | ○ |
K8sExternalIPs | Service の externalIPs を、許可された IP アドレスのリストに制限します。 https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | × |
K8sHorizontalPodAutoscaler | 「HorizontalPodAutoscalers」をデプロイするときに次のシナリオを禁止します。1. 制約で定義された範囲外の「.spec.minReplicas」または「.spec.maxReplicas」を使用した HorizontalPodAutoscaler のデプロイ。2. `.spec.minReplicas` と `.spec.maxReplicas` の差が構成された `minReplicaSpread` より小さい HorizontalPodAutoscalers のデプロイ。3. 有効な「scaleTargetRef」を参照しない HorizontalPodAutoscalers のデプロイ(Deployment、ReplicationController、ReplicaSet、StatefulSet など)。 | ○ |
K8sHttpsOnly | Ingress リソースは HTTPS のみにする必要があります。Ingress リソースには、false に設定された kubernetes.io/ingress.allow-http アノテーションが含まれている必要があります。デフォルトでは、有効な TLS {} 構成が必須ですが、tlsOptional パラメータを true に設定することで、これを省略できます。 https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | × |
K8sImageDigests | コンテナ イメージにダイジェストが含まれている必要があります。 https://kubernetes.io/docs/concepts/containers/images/ | × |
K8sLocalStorageRequireSafeToEvict | ローカル ストレージ(emptyDir または hostPath)を使用する Pod には、true に設定されたアノテーション cluster-autoscaler.kubernetes.io/safe-to-evict が必須です。このアノテーションのない Pod は、クラスタ オートスケーラーによって削除されることはありません。 | × |
K8sMemoryRequestEqualsLimit | すべてのコンテナがリクエストするメモリがメモリ制限に完全に一致することを要求することで Pod の安定性を高め、メモリ使用量がリクエストされた量を超える状態にならないようにします。そうでないと、ノードにメモリが必要なときに、Kubernetes は追加のメモリが必要な Pod を終了する可能性があります。 | × |
K8sNoEnvVarSecrets | Pod コンテナ定義で環境変数としての Secret を禁止します。代わりに、マウントされた Secrets ファイルをデータ ボリュームで使用します。https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | × |
K8sNoExternalServices | ワークロードを外部 IP に公開する既知のリソースの作成を禁止します。これには、Istio Gateway リソースと Kubernetes Ingress リソースが含まれます。Kubernetes Service も、次の条件を満たす場合を除き禁止されます。条件: Google Cloud の LoadBalancer タイプの Service には、Internal に設定された cloud.google.com/load-balancer-type アノテーションが付加されている必要があります。AWS で LoadBalancer タイプの Service には、true に設定された service.beta.kubernetes.io/aws-load-balancer-internal アノテーションが付加されている必要があります。Service にバインドされる外部 IP(クラスタ外部の IP)は、制約で提供される内部 CIDR の範囲に含まれている必要があります。 | × |
K8sPSPAllowPrivilegeEscalationContainer | エスカレーションの root 権限への制限を制御します。PodSecurityPolicy の allowPrivilegeEscalation フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation をご覧ください。 | × |
K8sPSPAllowedUsers | コンテナと一部のボリュームのユーザー ID とグループ ID を制御します。PodSecurityPolicy の runAsUser、runAsGroup、supplementalGroups、fsGroup の各フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups をご覧ください。 | × |
K8sPSPAppArmor | コンテナで使用する AppArmor プロファイルの許可リストを構成します。これは、PodSecurityPolicy に適用される特定のアノテーションに対応します。AppArmor については、https://kubernetes.io/docs/tutorials/clusters/apparmor/ をご覧ください。 | × |
K8sPSPAutomountServiceAccountTokenPod | automountServiceAccountToken を有効にする Pod の機能を制御します。 | × |
K8sPSPCapabilities | コンテナの Linux 機能を制御します。PodSecurityPolicy の allowedCapabilities フィールドと requiredDropCapabilities フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities をご覧ください。 | × |
K8sPSPFSGroup | Pod のボリュームを所有している FSGroup の割り当てを制御します。PodSecurityPolicy の fsGroup フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。 | × |
K8sPSPFlexVolumes | FlexVolume ドライバの許可リストを制御します。PodSecurityPolicy の allowedFlexVolumes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers をご覧ください。 | × |
K8sPSPForbiddenSysctls | コンテナで使用される sysctl プロファイルを制御します。PodSecurityPolicy の allowedUnsafeSysctls フィールドと forbiddenSysctls フィールドに対応します。指定すると、allowedSysctls パラメータに含まれていない sysctl は禁止と見なされます。forbiddenSysctls パラメータは allowedSysctls パラメータよりも優先されます。詳細については、https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ をご覧ください。 | × |
K8sPSPHostFilesystem | ホスト ファイル システムの使用を制御します。PodSecurityPolicy の allowedHostPaths フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。 | × |
K8sPSPHostNamespace | Pod コンテナによるホスト PID Namespace と IPC Namespace の共有を禁止します。PodSecurityPolicy の hostPID フィールドと hostIPC フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。 | × |
K8sPSPHostNetworkingPorts | Pod コンテナによるホスト ネットワークの Namespace の使用を制御します。特定のポートを指定する必要があります。PodSecurityPolicy の hostNetwork フィールドと hostPorts フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。 | × |
K8sPSPPrivilegedContainer | 特権モードを有効にするコンテナの機能を制御します。PodSecurityPolicy の privileged フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged をご覧ください。 | × |
K8sPSPProcMount | コンテナで許可される procMount タイプを制御します。PodSecurityPolicy の allowedProcMountTypes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes をご覧ください。 | × |
K8sPSPReadOnlyRootFilesystem | Pod コンテナで読み取り専用のルート ファイル システムを使用する必要があります。PodSecurityPolicy の readOnlyRootFilesystem フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。 | × |
K8sPSPSELinuxV2 | Pod コンテナの seLinuxOptions 構成の許可リストを定義します。SELinux 構成ファイルを必要とする PodSecurityPolicy に対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux をご覧ください。 | × |
K8sPSPSeccomp | コンテナで使用される seccomp プロファイルを制御します。PodSecurityPolicy の seccomp.security.alpha.kubernetes.io/allowedProfileNames アノテーションに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp をご覧ください。 | × |
K8sPSPVolumeTypes | マウント可能なボリューム タイプをユーザーが指定したものに限定します。PodSecurityPolicy の volumes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。 | × |
K8sPSPWindowsHostProcess | Windows HostProcess コンテナ / Pod の実行を制限します。詳しくは、https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ をご覧ください。 | × |
K8sPodDisruptionBudget | PodDisruptionBudgets またはレプリカ サブリソースを実装するリソース(Deployment、ReplicationController、ReplicaSet、StatefulSet など)をデプロイする場合に、次のシナリオを許可しません。1. .spec.maxUnavailable == 0 2 を使用した PodDisruptionBudgets のデプロイ。レプリカ サブリソースを持つリソースの .spec.minAvailable == .spec.replicas を含む PodDisruptionBudgets のデプロイ。これにより、ノードのドレインなどの自発的な中断が PodDisruptionBudgets によってブロックされなくなります。 https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | ○ |
K8sPodResourcesBestPractices | コンテナが(CPU リクエストとメモリ リクエストを設定して)ベスト エフォートではなく、バースト可能なベスト プラクティスに従うことを要求します(メモリ リクエストは完全に同じ上限である必要があります)。必要に応じて、さまざまな検証をスキップするようにアノテーション キーを構成できます。 | × |
K8sPodsRequireSecurityContext | すべての Pod で securityContext を定義する必要があります。Pod で定義されたすべてのコンテナに、Pod レベルまたはコンテナレベルで SecurityContext が定義されている必要があります。 | × |
K8sProhibitRoleWildcardAccess | Roles と ClusterRoles では、免除と指定される適用除外の Roles と ClusterRoles を除き、ワイルドカード(*)値へのリソース アクセス権限が設定されていないことを必須にします。*/status のようなサブリソースへのワイルドカード アクセスは制限しません。 | × |
K8sReplicaLimits | spec.replicas フィールドのオブジェクト(例: Deployment、ReplicaSet)に、定義された範囲内のレプリカ数を指定する必要があります。 | × |
K8sRequireBinAuthZ | Binary Authorization Validating Admission Webhook が必要です。この ConstraintTemplate を使用する制約については、enforcementAction 値に関係なく監査のみ実施されます。 | ○ |
K8sRequireCosNodeImage | Google が提供する Container-Optimized OS の使用がノード上で強制されます。 | × |
K8sRequireDaemonsets | 指定された DaemonSet のリストを必須にします。 | ○ |
K8sRequireDefaultDenyEgressPolicy | クラスタで定義されているすべての Namespace に、下り(外向き)用のデフォルトの拒否 NetworkPolicy を必須にします。 | ○ |
K8sRequireNamespaceNetworkPolicies | クラスタで定義されているすべての Namespace に NetworkPolicy が必要です。 | ○ |
K8sRequireValidRangesForNetworks | 上り(内向き)と下り(外向き)のネットワークを許可する CIDR ブロックを適用します。 | × |
K8sRequiredAnnotations | リソースには、指定された正規表現と一致する値を持つ、指定されたアノテーションを含める必要があります。 | × |
K8sRequiredLabels | リソースには、指定された正規表現と一致する値を持つ、指定されたラベルを含める必要があります。 | × |
K8sRequiredProbes | Pod に readiness Probe または liveness Probe が必要です。 | × |
K8sRequiredResources | コンテナには、定義済みのリソースセットが必要です。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | × |
K8sRestrictAutomountServiceAccountTokens | サービス アカウント トークンの使用を制限します。 | × |
K8sRestrictLabels | 特定のリソースに例外がある場合を除き、指定されたラベルをリソースに含めることを禁止します。 | × |
K8sRestrictNamespaces | リソースに対して、restrictedNamespaces パラメータにリストされた Namespace の使用を制限します。 | × |
K8sRestrictNfsUrls | 特に指定のない限り、リソースに NFS URL を配置することを禁止します。 | × |
K8sRestrictRbacSubjects | RBAC サブジェクト内の名前の使用を、許可された値に制限します。 | × |
K8sRestrictRoleBindings | ClusterRoleBindings と RoleBinding で指定されたサブジェクトを、許可されたサブジェクトのリストに制限します。 | × |
K8sRestrictRoleRules | Role と ClusterRole のオブジェクトに設定可能なルールを制限します。 | × |
K8sStorageClass | 使用する場合はストレージ クラスを指定する必要があります。Gatekeeper 3.9 以降のみがサポートされています。 | ○ |
K8sUniqueIngressHost | すべての Ingress ルールホストが一意となることを必須にします。ホスト名のワイルドカードは処理されません。https://kubernetes.io/docs/concepts/services-networking/ingress/ | ○ |
K8sUniqueServiceSelector | Service に Namespace 内で一意のセレクタが必要です。セレクタのキーと値が同一の場合、セレクタは同一と見なされます。1 つ以上の異なる Key-Value ペアが存在する限り、セレクタは Key-Value ペアを共有できます。 https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | ○ |
NoUpdateServiceAccount | Pod で抽象化されたリソースのサービス アカウントの更新をブロックします。監査モードではこのポリシーは無視されます。 | × |
PolicyStrictOnly | [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/)を使用する場合は、STRICT Istio 相互 TLS を常に指定する必要があります。また、この制約により、非推奨の [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy)リソースと MeshPolicy リソースでは、STRICT 相互 TLS が適用されることが保証されます。https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh をご覧ください。 | × |
RestrictNetworkExclusions | Istio ネットワーク キャプチャから除外するインバウンド ポート、アウトバウンド ポート、アウトバウンド IP 範囲を制御します。Istio ネットワーク キャプチャをバイパスするポートと IP 範囲は Istio プロキシで処理されないため、Istio mTLS 認証、認可ポリシー、その他の Istio 機能の対象ではありません。この制約を使用すると、次のアノテーションの使用に制限を適用できます。 * traffic.sidecar.istio.io/excludeInboundPorts * traffic.sidecar.istio.io/excludeOutboundPorts * traffic.sidecar.istio.io/excludeOutboundIPRanges https://istio.io/latest/docs/reference/config/annotations/ をご覧ください。アウトバウンド IP 範囲を制限する場合、制約は除外された IP 範囲が許可された IP 範囲除外と一致するか、またはサブセットであるかを計算します。この制約をすべてのインバウンド ポートで使用する場合は、対応する include アノテーションを * に設定するか未設定のままにして、アウトバウンド ポートとアウトバウンド IP 範囲を常に含める必要があります。次のアノテーションを * 以外に設定することはできません。 * traffic.sidecar.istio.io/includeInboundPorts * traffic.sidecar.istio .io/includeOutboundPorts * traffic.sidecar.istio.io/includeOutboundIPRanges ヘルスチェックの実施に使用できるように、Istio サイドカー インジェクタによって常に traffic.sidecar.istio.io/excludeInboundPorts アノテーションに追加されるため、この制約により常にポート 15020 を除外することが許可されます。 | × |
SourceNotAllAuthz | Istio AuthorizationPolicy ルールで、ソース プリンシパルが * 以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/ | × |
VerifyDeprecatedAPI | 非推奨の Kubernetes API を検証し、すべての API バージョンが最新であることを確認します。このテンプレートは監査には適用されません。監査は、非推奨でない API バージョンですでにクラスタに存在するリソースが対象になります。 | × |
AllowedServicePortName
Allowed Service Port Names v1.0.1
サービスポート名には、指定されたリストの接頭辞が必要です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
例
port-name-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AllowedServicePortName metadata: name: port-name-constraint spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Service parameters: prefixes: - http- - http2- - grpc- - mongo- - redis- - tcp-
許可
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-http spec: ports: - name: http-helloport port: 5000 selector: app: helloworld
禁止
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-tcp spec: ports: - name: foo-helloport port: 5000 selector: app: helloworld
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-bad spec: ports: - name: helloport port: 5000 selector: app: helloworld
AsmAuthzPolicyDefaultDeny
ASM AuthorizationPolicy Default Deny v1.0.4
メッシュレベルのデフォルト拒否 AuthorizationPolicy を適用します。https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "AuthorizationPolicy"
例
asm-authz-policy-default-deny-with-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-no-action namespace: istio-system spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-with-action namespace: istio-system spec: action: ALLOW
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: not-default-deny namespace: istio-system spec: action: DENY rules: - to: - operation: notMethods: - GET - POST
asm-authz-policy-default-deny-no-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-no-action namespace: istio-system spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-with-action namespace: istio-system spec: action: ALLOW
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: not-default-deny namespace: istio-system spec: action: DENY rules: - to: - operation: notMethods: - GET - POST
AsmAuthzPolicyDisallowedPrefix
ASM AuthorizationPolicy Disallowed Prefixes v1.0.2
Istio AuthorizationPolicy
ルールのプリンシパルと Namespace に、指定されたリストの接頭辞が含まれないようにします。
https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
例
asm-authz-policy-disallowed-prefix-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDisallowedPrefix metadata: name: asm-authz-policy-disallowed-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedNamespacePrefixes: - bad-ns-prefix - worse-ns-prefix disallowedPrincipalPrefixes: - bad-principal-prefix - worse-principal-prefix
許可
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: valid-authz-policy spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test selector: matchLabels: app: httpbin
禁止
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-principal spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/worse-principal-prefix-sleep - source: namespaces: - test selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - bad-ns-prefix-test selector: matchLabels: app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
ASM AuthorizationPolicy Enforcement Principals v1.0.2
Istio AuthorizationPolicy の from フィールドが定義されている場合、参照元は * 以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
asm-authz-policy-enforce-source-principals-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyEnforceSourcePrincipals metadata: name: asm-authz-policy-enforce-source-principals-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
許可
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: valid-authz-policy spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
禁止
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: no-source-principals spec: rules: - from: - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-wildcard spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-contains-wildcard spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
AsmAuthzPolicyNormalization
ASM AuthorizationPolicy Normalization v1.0.2
AuthorizationPolicy normalization を適用します。https://istio.io/latest/docs/reference/config/security/normalization/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
asm-authz-policy-normalization-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyNormalization metadata: name: asm-authz-policy-normalization-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
許可
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy spec: action: ALLOW rules: - to: - operation: methods: - GET paths: - /test/foo - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Agent] values: - Mozilla/* selector: matchLabels: app: httpbin
禁止
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-method-lowercase spec: action: ALLOW rules: - to: - operation: methods: - get selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-request-header-whitespace spec: action: ALLOW rules: - to: - operation: methods: - GET - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Ag ent] values: - Mozilla/* selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: path-unnormalized spec: action: ALLOW rules: - to: - operation: methods: - GET paths: - /test\/foo - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Agent] values: - Mozilla/* selector: matchLabels: app: httpbin
AsmAuthzPolicySafePattern
ASM AuthorizationPolicy Safe Patterns v1.0.3
AuthorizationPolicy の安全なパターンを適用します。https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-authz-policy-safe-pattern-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicySafePattern metadata: name: asm-authz-policy-safe-pattern-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: strictnessLevel: High
許可
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy-istio-ingress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy-asm-ingress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: asm: ingressgateway
禁止
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: hosts-on-noningress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: invalid-hosts spec: action: ALLOW rules: - to: - operation: hosts: - test.com methods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-negative-match spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* notMethods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-positive-match spec: action: DENY rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: istio: ingressgateway
AsmIngressgatewayLabel
ASM Ingress Gateway Label v1.0.3
ingressgateway Pod にのみ Istio ingressgateway ラベルの使用を適用します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
asm-ingressgateway-label-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmIngressgatewayLabel metadata: name: asm-ingressgateway-label-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: istio name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: labels: app: istio-ingressgateway istio: ingressgateway name: istio-ingressgateway spec: containers: - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: labels: app: asm-ingressgateway asm: ingressgateway name: asm-ingressgateway spec: containers: - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
禁止
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep
apiVersion: v1 kind: Pod metadata: labels: app: sleep asm: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
AsmPeerAuthnMeshStrictMtls
ASM Peer Authentication Mesh Strict mTLS v1.0.4
メッシュレベルの厳格な mTLS PeerAuthentication を適用します。https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "PeerAuthentication"
例
asm-peer-authn-mesh-strict-mtls-with-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-strict-mtls namespace: asm-root spec: mtls: mode: STRICT
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-permissive-mtls namespace: asm-root spec: mtls: mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-strict-mtls namespace: istio-system spec: mtls: mode: STRICT
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-permissive-mtls namespace: istio-system spec: mtls: mode: PERMISSIVE
AsmPeerAuthnStrictMtls
ASM Peer Authentication Strict mTLS v1.0.3
すべての PeerAuthentication が厳格な mtls を上書きできないようにします。https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-peer-authn-strict-mtls-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnStrictMtls metadata: name: asm-peer-authn-strict-mtls-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - PeerAuthentication parameters: strictnessLevel: High
許可
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: valid-strict-mtls-pa namespace: foo spec: mtls: mode: UNSET portLevelMtls: "80": mode: UNSET "443": mode: STRICT selector: matchLabels: app: bar
禁止
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: invalid-permissive-mtls-pa namespace: foo spec: mtls: mode: PERMISSIVE portLevelMtls: "80": mode: UNSET "443": mode: STRICT selector: matchLabels: app: bar
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: invalid-port-disable-mtls-pa namespace: foo spec: mtls: mode: UNSET portLevelMtls: "80": mode: DISABLE "443": mode: STRICT selector: matchLabels: app: bar
AsmRequestAuthnProhibitedOutputHeaders
ASM RequestAuthentication Prohibited Output Headers v1.0.2
RequestAuthentication で、jwtRules.outPayloadToHeader
フィールドに、既知の HTTP リクエスト ヘッダーやカスタムの禁止ヘッダーが含まれないようにします。https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# prohibitedHeaders <array>: User predefined prohibited headers.
prohibitedHeaders:
- <string>
例
asm-request-authn-prohibited-output-headers-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmRequestAuthnProhibitedOutputHeaders metadata: name: asm-request-authn-prohibited-output-headers-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - RequestAuthentication parameters: prohibitedHeaders: - Bad-Header - X-Bad-Header
許可
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: valid-request-authn namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: Good-Header selector: matchLabels: app: istio-ingressgateway
禁止
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: deny-predefined-output-header namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: Host selector: matchLabels: app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: deny-predefined-output-header namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: X-Bad-Header selector: matchLabels: app: istio-ingressgateway
AsmSidecarInjection
ASM Sidecar Injection v1.0.2
ワークロード Pod に常に Istio プロキシ サイドカーが挿入されるようにします。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of sidecar injection strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-sidecar-injection-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmSidecarInjection metadata: name: asm-sidecar-injection-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod parameters: strictnessLevel: High
許可
apiVersion: v1 kind: Pod metadata: annotations: sidecar.istio.io/inject: "true" name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: annotations: "false": "false" name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
禁止
apiVersion: v1 kind: Pod metadata: annotations: sidecar.istio.io/inject: "false" name: sleep spec: containers: - image: curlimages/curl name: sleep
DestinationRuleTLSEnabled
Destination Rule TLS Enabled v1.0.1
Istio DestinationRules 内のすべてのホストとホスト サブセットに対する TLS の無効化を禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
dr-tls-enabled
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DestinationRuleTLSEnabled metadata: name: dr-tls-enabled spec: enforcementAction: dryrun match: kinds: - apiGroups: - networking.istio.io kinds: - DestinationRule
禁止
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-subset-tls-disable namespace: default spec: host: myservice subsets: - name: v1 trafficPolicy: tls: mode: DISABLE - name: v2 trafficPolicy: tls: mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-traffic-tls-disable namespace: default spec: host: myservice trafficPolicy: tls: mode: DISABLE
DisallowedAuthzPrefix
Disallow Istio AuthorizationPolicy Prefixes v1.0.2
Istio AuthorizationPolicy
ルールのプリンシパルと Namespace に、指定されたリストの接頭辞が含まれないようにします。
https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
例
disallowed-authz-prefix-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DisallowedAuthzPrefix metadata: name: disallowed-authz-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedprefixes: - badprefix - reallybadprefix
許可
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
禁止
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-principal namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/badprefix-sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - badprefix-test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
GCPStorageLocationConstraintV1
GCP Storage Location Constraint v1.0.2
StorageBucket Config Connector リソースに許可される locations
を、制約で指定されたロケーションのリストに制限します。exemptions
リストにあるバケット名は対象外です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
例
singapore-and-jakarta-only
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GCPStorageLocationConstraintV1 metadata: name: singapore-and-jakarta-only spec: enforcementAction: deny match: kinds: - apiGroups: - storage.cnrm.cloud.google.com kinds: - StorageBucket parameters: exemptions: - my_project_id_cloudbuild locations: - asia-southeast1 - asia-southeast2
許可
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
禁止
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
GkeSpotVMTerminationGrace
GKE Spot VM v1.1.2 の terminationGracePeriodSeconds を制限します。
gke-spot
の nodeSelector
または nodeAfffinty
を持つ Pod と Pod テンプレートの terminationGracePeriodSeconds
が 15 秒以下である必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
# of 15s or less for all `Pod` on a `gke-spot` Node.
includePodOnSpotNodes: <boolean>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: ""
version: "v1"
kind: "Node"
例
spotvm-termination-grace
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata: name: spotvm-termination-grace spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod parameters: includePodOnSpotNodes: true
許可
apiVersion: v1 kind: Pod metadata: name: example-allowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata: name: example-allowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata: name: example-with-termGrace spec: Nodename: default containers: - image: nginx name: nginx terminationGracePeriodSeconds: 15 --- # Referential Data apiVersion: v1 kind: Node metadata: labels: cloud.google.com/gke-spot: "true" name: default
apiVersion: v1 kind: Pod metadata: name: example-with-termGrace spec: Nodename: default containers: - image: nginx name: nginx terminationGracePeriodSeconds: 15 --- # Referential Data apiVersion: v1 kind: Node metadata: name: default
apiVersion: v1 kind: Pod metadata: name: example-without-termGrace spec: Nodename: default containers: - image: nginx name: nginx --- # Referential Data apiVersion: v1 kind: Node metadata: name: default
禁止
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx terminationGracePeriodSeconds: 30
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 30
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: name: example-without-termGrace spec: Nodename: default containers: - image: nginx name: nginx --- # Referential Data apiVersion: v1 kind: Node metadata: labels: cloud.google.com/gke-spot: "true" name: default
K8sAllowedRepos
Allowed Repositories v1.0.0
コンテナ イメージは、指定されたリストにある文字列で開始する必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
例
repo-is-openpolicyagent
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAllowedRepos metadata: name: repo-is-openpolicyagent spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: repos: - openpolicyagent/
許可
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi
禁止
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginxinit resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginxinit resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi ephemeralContainers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
K8sAvoidUseOfSystemMastersGroup
Disallow the use of 'system:masters' group v1.0.0
system:masters グループの使用を禁止します。監査中は無効です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowlistedUsernames <array>: allowlistedUsernames is the list of
# usernames that are allowed to use system:masters group.
allowlistedUsernames:
- <string>
例
avoid-use-of-system-masters-group
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAvoidUseOfSystemMastersGroup metadata: name: avoid-use-of-system-masters-group
許可
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockAllIngress
Block all Ingress v1.0.2
Ingress オブジェクト(Ingress
、Gateway
、Service
タイプの NodePort
と LoadBalancer
)の作成を禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowList <array>: A list of regular expressions for the Ingress object
# names that are exempt from the constraint.
allowList:
- <string>
例
block-all-ingress
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockAllIngress metadata: name: block-all-ingress spec: enforcementAction: dryrun parameters: allowList: - name1 - name2 - name3 - my-*
許可
apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: v1 kind: Service metadata: name: allowed-clusterip-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: ClusterIP
禁止
apiVersion: v1 kind: Service metadata: name: disallowed-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
K8sBlockCreationWithDefaultServiceAccount
Block Creation with Default Service Account v1.0.2
デフォルトのサービス アカウントを使用したリソースの作成を禁止します。監査中は無効です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
block-creation-with-default-serviceaccount
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: block-creation-with-default-serviceaccount spec: enforcementAction: dryrun
許可
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockEndpointEditDefaultRole
Block Endpoint Edit Default Role v1.0.0
Kubernetes インストール環境の多くは、デフォルトで system:aggregate-to-edit ClusterRole を使用しているため、Endpoints の編集アクセスが適切に制限されません。この ConstraintTemplate は、system:aggregate-to-edit ClusterRole が Endpoints の作成 / パッチ / 更新の権限を付与することを禁止しています。CVE-2021-25740 のため、ClusterRole/system:aggregate-to-edit で Endpoint 編集権限を許可してはなりません。Endpoint 権限と EndpointSlice 権限は、Namespace 間の転送を許可します(https://github.com/kubernetes/kubernetes/issues/103675)。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
block-endpoint-edit-default-role
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: block-endpoint-edit-default-role spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - create - delete - deletecollection - patch - update - apiGroups: - batch resources: - cronjobs - jobs verbs: - create - delete - deletecollection - patch - update - apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - delete - deletecollection - patch - update - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - create - delete - deletecollection - patch - update
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - endpoints - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update
K8sBlockLoadBalancer
Block Services with type LoadBalancer v1.0.0
LoadBalancer タイプのすべての Service を禁止します。 https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
block-load-balancer
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockLoadBalancer metadata: name: block-load-balancer spec: match: kinds: - apiGroups: - "" kinds: - Service
許可
apiVersion: v1 kind: Service metadata: name: my-service-allowed spec: ports: - port: 80 targetPort: 80 type: ClusterIP
禁止
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: LoadBalancer
K8sBlockNodePort
Block NodePort v1.0.0
NodePort タイプを持つすべての Service を禁止します。https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
block-node-port
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata: name: block-node-port spec: match: kinds: - apiGroups: - "" kinds: - Service
禁止
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: NodePort
K8sBlockObjectsOfType
Block Objects of Type v1.0.1
禁止されたタイプのオブジェクトを禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
forbiddenTypes:
- <string>
例
block-secrets-of-type-basic-auth
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockObjectsOfType metadata: name: block-secrets-of-type-basic-auth spec: match: kinds: - apiGroups: - "" kinds: - Secret parameters: forbiddenTypes: - kubernetes.io/basic-auth
許可
apiVersion: v1 data: password: ZHVtbXlwYXNz username: ZHVtbXl1c2Vy kind: Secret metadata: name: credentials namespace: default type: Opaque
禁止
apiVersion: v1 data: password: YmFzaWMtcGFzc3dvcmQ= username: YmFzaWMtdXNlcm5hbWU= kind: Secret metadata: name: secret-basic-auth namespace: default type: kubernetes.io/basic-auth
K8sBlockProcessNamespaceSharing
Block Process Namespace Sharing v1.0.1
Pod 仕様で shareProcessNamespace
を true
に設定することを禁止します。これにより、Pod 内のすべてのコンテナが PID 名前空間を共有し、互いのファイルシステムおよびメモリにアクセスできる状況を回避できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
block-process-namespace-sharing
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
許可
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx shareProcessNamespace: true
K8sBlockWildcardIngress
Block Wildcard Ingress v1.0.1
ブランクまたはワイルドカード(*)のホスト名を使用して、Ingress を作成できないようにする必要があります。ホスト名は、クラスタ内の他のサービスにアクセスできない場合でも、クラスタ内の他のサービスのトラフィックをインターセプトできます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
block-wildcard-ingress
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockWildcardIngress metadata: name: block-wildcard-ingress spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
許可
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: non-wildcard-ingress spec: rules: - host: myservice.example.com http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
禁止
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - host: "" http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - host: '*.example.com' http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix - host: valid.example.com http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
K8sContainerEphemeralStorageLimit
Container ephemeral storage limit v1.0.1
コンテナにエフェメラル ストレージの上限を設定し、上限が指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# ephemeral-storage <string>: The maximum allowed ephemeral storage limit
# on a Pod, exclusive.
ephemeral-storage: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
container-ephemeral-storage-limit
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerEphemeralStorageLimit metadata: name: container-ephemeral-storage-limit spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ephemeral-storage: 500Mi
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: init-opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 1Pi memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: init-opa resources: limits: cpu: 100m ephemeral-storage: 1Pi memory: 1Gi
K8sContainerLimits
Container Limits v1.0.0
コンテナにメモリと CPU の上限を設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
例
container-must-have-limits
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerLimits metadata: name: container-must-have-limits spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
K8sContainerRatios
Container Ratios v1.0.0
コンテナ リソースの上限に対するリクエストの最大比率を設定します。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
# `resources.requests.cpu` on a container. If not specified, equal to
# `ratio`.
cpuRatio: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
例
container-must-meet-ratio
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ratio: "2"
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 200m memory: 200Mi requests: cpu: 100m memory: 100Mi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 800m memory: 2Gi requests: cpu: 100m memory: 100Mi
container-must-meet-memory-and-cpu-ratio
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-memory-and-cpu-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpuRatio: "10" ratio: "1"
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: "4" memory: 2Gi requests: cpu: "1" memory: 2Gi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: "4" memory: 2Gi requests: cpu: 100m memory: 2Gi
K8sContainerRequests
Container Requests v1.0.0
コンテナにメモリと CPU のリクエストを設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory request on a Pod, exclusive.
memory: <string>
例
container-must-have-requests
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRequests metadata: name: container-must-have-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 1Gi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
K8sDisallowAnonymous
Disallow Anonymous Access v1.0.0
ClusterRole リソースと Role リソースを system:anonymous ユーザーと system:unauthenticated グループに関連付けることはできません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedRoles <array>: The list of ClusterRoles and Roles that may be
# associated with the `system:unauthenticated` group and `system:anonymous`
# user.
allowedRoles:
- <string>
例
no-anonymous
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowAnonymous metadata: name: no-anonymous spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRoleBinding - apiGroups: - rbac.authorization.k8s.io kinds: - RoleBinding parameters: allowedRoles: - cluster-role-1
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedRepos
Disallowed Repositories v1.0.0
指定されたリストの文字列で始まるコンテナ リポジトリは許可されません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is not allowed to
# have.
repos:
- <string>
例
repo-must-not-be-k8s-gcr-io
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRepos metadata: name: repo-must-not-be-k8s-gcr-io spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: repos: - k8s.gcr.io/
許可
apiVersion: v1 kind: Pod metadata: name: kustomize-allowed spec: containers: - image: registry.k8s.io/kustomize/kustomize:v3.8.9 name: kustomize
禁止
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: registry.k8s.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomizeinit
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomizeinit
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize ephemeralContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize
K8sDisallowedRoleBindingSubjects
Disallowed Rolebinding Subjects v1.0.1
パラメータとして渡された disallowedSubjects
に一致するサブジェクトを持つ RoleBindings または ClusterRoleBindings を禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
例
disallowed-rolebinding-subjects
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRoleBindingSubjects metadata: name: disallowed-rolebinding-subjects spec: parameters: disallowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Disallow tags v1.0.0
コンテナ イメージには、指定されたリストとは異なるイメージタグが必要です。 https://kubernetes.io/docs/concepts/containers/images/#image-names
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# tags <array>: Disallowed container image tags.
tags:
- <string>
例
container-image-must-not-have-latest-tag
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedTags metadata: name: container-image-must-not-have-latest-tag spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: exemptImages: - openpolicyagent/opa-exp:latest - openpolicyagent/opa-exp2:latest tags: - latest
許可
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa
apiVersion: v1 kind: Pod metadata: name: opa-exempt-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp:latest name: opa-exp - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/init:v1 name: opa-init - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp2:latest name: opa-exp2
禁止
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-2 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-ephemeral spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-3 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp:latest name: opa - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/init:latest name: opa-init - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp2:latest name: opa-exp2 - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/monitor:latest name: opa-monitor
K8sEmptyDirHasSizeLimit
Empty Directory has Size Limit v1.0.3
emptyDir
ボリュームで sizeLimit
を指定する必要があります。必要に応じて、maxSizeLimit
パラメータに制約を設定して、最大サイズの上限を指定できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptVolumesRegex <array>: Exempt Volume names as regex match.
exemptVolumesRegex:
- <string>
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
例
empty-dir-has-size-limit
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEmptyDirHasSizeLimit metadata: name: empty-dir-has-size-limit spec: match: excludedNamespaces: - istio-system - kube-system - gatekeeper-system parameters: exemptVolumesRegex: - ^istio-[a-z]+$ maxSizeLimit: 4Gi
許可
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: sizeLimit: 2Gi name: good-pod-volume
apiVersion: v1 kind: Pod metadata: name: exempt-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: istio-envoy
禁止
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: bad-pod-volume
K8sEnforceCloudArmorBackendConfig
Enforce Cloud Armor on BackendConfig Resources v1.0.2
BackendConfig リソースに Cloud Armor の構成を適用します
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
enforce-cloudarmor-backendconfig
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: enforce-cloudarmor-backendconfig spec: enforcementAction: dryrun
許可
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: example-security-policy
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: second-backendconfig spec: securityPolicy: name: my-security-policy
禁止
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: null
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: ""
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig spec: logging: enable: true sampleRate: 0.5
K8sEnforceConfigManagement
Enforce Config Management v1.1.4
構成管理のプレゼンスとオペレーションを必須にします。この ConstraintTemplate
を使用する制約については、enforcementAction
値に関係なく監査のみ実施されます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# requireDriftPrevention <boolean>: Require Config Sync drift prevention to
# prevent config drift.
requireDriftPrevention: <boolean>
# requireRootSync <boolean>: Require a Config Sync `RootSync` object for
# cluster config management.
requireRootSync: <boolean>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "configsync.gke.io"
version: "v1beta1"
kind: "RootSync"
例
enforce-config-management
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceConfigManagement metadata: name: enforce-config-management spec: enforcementAction: dryrun match: kinds: - apiGroups: - configmanagement.gke.io kinds: - ConfigManagement
許可
apiVersion: configmanagement.gke.io/v1 kind: ConfigManagement metadata: annotations: configmanagement.gke.io/managed-by-hub: "true" configmanagement.gke.io/update-time: "1663586155" name: config-management spec: binauthz: enabled: true clusterName: tec6ea817b5b4bb2-cluster enableMultiRepo: true git: proxy: {} syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git hierarchyController: {} policyController: auditIntervalSeconds: 60 enabled: true monitoring: backends: - prometheus - cloudmonitoring mutation: {} referentialRulesEnabled: true templateLibraryInstalled: true status: configManagementVersion: v1.12.2-rc.2 healthy: true
禁止
apiVersion: configmanagement.gke.io/v1 kind: ConfigManagement metadata: annotations: configmanagement.gke.io/managed-by-hub: "true" configmanagement.gke.io/update-time: "1663586155" name: config-management spec: binauthz: enabled: true clusterName: tec6ea817b5b4bb2-cluster enableMultiRepo: true git: syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git hierarchyController: {} policyController: auditIntervalSeconds: 60 enabled: true monitoring: backends: - prometheus - cloudmonitoring mutation: {} referentialRulesEnabled: true templateLibraryInstalled: true status: configManagementVersion: v1.12.2-rc.2
K8sExternalIPs
External IPs v1.0.0
Service の externalIPs を、許可された IP アドレスのリストに制限します。 https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
例
external-ips
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sExternalIPs metadata: name: external-ips spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: allowedIPs: - 203.0.113.0
許可
apiVersion: v1 kind: Service metadata: name: allowed-external-ip spec: externalIPs: - 203.0.113.0 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
禁止
apiVersion: v1 kind: Service metadata: name: disallowed-external-ip spec: externalIPs: - 1.1.1.1 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
K8sHorizontalPodAutoscaler
Horizontal Pod Autoscaler v1.0.1
HorizontalPodAutoscalers
をデプロイするときに次のシナリオを禁止します。1. 制約で定義された範囲外の .spec.minReplicas
または .spec.maxReplicas
を持つ HorizontalPodAutoscaler のデプロイ。2. .spec.minReplicas
と .spec.maxReplicas
の差が構成済み minimumReplicaSpread
より小さい HorizontalPodAutoscaler のデプロイ。3. 有効な scaleTargetRef
を参照しない HorizontalPodAutoscalers のデプロイ(Deployment、ReplicationController、ReplicaSet、StatefulSet など)。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# enforceScaleTargetRef <boolean>: If set to true it validates the HPA
# scaleTargetRef exists
enforceScaleTargetRef: <boolean>
# minimumReplicaSpread <integer>: If configured it enforces the minReplicas
# and maxReplicas in an HPA must have a spread of at least this many
# replicas
minimumReplicaSpread: <integer>
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "apps"
version: "v1"
kind: "Deployment"
OR
- group: "apps"
version: "v1"
kind: "StatefulSet"
例
horizontal-pod-autoscaler
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHorizontalPodAutoscaler metadata: name: horizontal-pod-autoscaler spec: enforcementAction: deny match: kinds: - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler parameters: enforceScaleTargetRef: true minimumReplicaSpread: 1 ranges: - max_replicas: 6 min_replicas: 3
許可
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-allowed namespace: default spec: maxReplicas: 6 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 3 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
禁止
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-replicas namespace: default spec: maxReplicas: 7 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 2 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-replicaspread namespace: default spec: maxReplicas: 4 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 4 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-scaletarget namespace: default spec: maxReplicas: 6 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 3 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment-missing --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sHttpsOnly
HTTPS Only v1.0.1
Ingress リソースは HTTPS のみにする必要があります。Ingress リソースには、false
に設定された kubernetes.io/ingress.allow-http
アノテーションを含める必要があります。デフォルトでは、有効な TLS {} 構成が必要です。tlsOptional
パラメータを true
に設定すると、この設定は省略可能になります。https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# tlsOptional <boolean>: When set to `true` the TLS {} is optional,
# defaults to false.
tlsOptional: <boolean>
例
ingress-https-only
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
許可
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.allow-http: "false" name: ingress-demo-allowed spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix tls: - {}
禁止
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-demo-disallowed spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
ingress-https-only-tls-optional
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only-tls-optional spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress parameters: tlsOptional: true
許可
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.allow-http: "false" name: ingress-demo-allowed-tls-optional spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
禁止
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-demo-disallowed-tls-optional spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
K8sImageDigests
Image Digests v1.0.0
コンテナ イメージにダイジェストが含まれている必要があります。 https://kubernetes.io/docs/concepts/containers/images/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
container-image-must-have-digest
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sImageDigests metadata: name: container-image-must-have-digest spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default
許可
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a name: opa
禁止
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opainit
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opainit
K8sLocalStorageRequireSafeToEvict
Local Storage Requires Safe to Evict v1.0.1
ローカル ストレージ(emptyDir
または hostPath
)を使用する Pod にはアノテーション "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
が必要です。このアノテーションのない Pod は、クラスタ オートスケーラーによって削除されることはありません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
local-storage-require-safe-to-evict
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict spec: match: excludedNamespaces: - kube-system - istio-system - gatekeeper-system
許可
apiVersion: v1 kind: Pod metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" name: good-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
禁止
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
K8sMemoryRequestEqualsLimit
Memory Request Equals Limit v1.0.3
すべてのコンテナがリクエストするメモリがメモリ制限に完全に一致することを要求することで Pod の安定性を高め、メモリ使用量がリクエストされた量を超える状態にならないようにします。そうでないと、ノードにメモリが必要なときに、Kubernetes は追加のメモリが必要な Pod を終了する可能性があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptContainersRegex <array>: Exempt Container names as regex match.
exemptContainersRegex:
- <string>
例
container-must-request-limit
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit spec: match: excludedNamespaces: - kube-system - resource-group-system - asm-system - istio-system - config-management-system - config-management-monitoring parameters: exemptContainersRegex: - ^istio-[a-z]+$
許可
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 4Gi
apiVersion: v1 kind: Pod metadata: name: exempt-pod namespace: default spec: containers: - image: auto name: istio-proxy resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
禁止
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
K8sNoEnvVarSecrets
No Environment Variable Secrets v1.0.1
Pod コンテナ定義で環境変数としての Secret を禁止します。代わりに、マウントされた Secrets ファイルをデータ ボリュームで使用します。https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
no-secrets-as-env-vars-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
許可
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: redis name: test volumeMounts: - mountPath: /etc/test name: test readOnly: true volumes: - name: test secret: secretName: mysecret
禁止
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - env: - name: MY_PASSWORD valueFrom: secretKeyRef: key: password name: mysecret image: redis name: test
K8sNoExternalServices
No External Services v1.0.1
ワークロードを外部 IP に公開する既知のリソースの作成を禁止します。これには、Istio Gateway リソースと Kubernetes Ingress リソースが含まれます。Kubernetes Service も、次の条件を満たす場合を除き禁止されます。Google Cloud で LoadBalancer
タイプの Service には "cloud.google.com/load-balancer-type": "Internal"
アノテーションが必要です。AWS で LoadBalancer
タイプの Service には service.beta.kubernetes.io/aws-load-balancer-internal: "true
アノテーションが必要です。Service にバインドされる外部 IP(クラスタ外部の IP)は、制約で提供される内部 CIDR の範囲に含まれている必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
# are supported currently.
cloudPlatform: <string>
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
例
no-external
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external spec: parameters: internalCIDRs: - 10.0.0.1/32
許可
apiVersion: v1 kind: Service metadata: name: good-service namespace: default spec: externalIPs: - 10.0.0.1 ports: - port: 8888 protocol: TCP targetPort: 8888
禁止
apiVersion: v1 kind: Service metadata: name: bad-service namespace: default spec: externalIPs: - 10.0.0.2 ports: - port: 8888 protocol: TCP targetPort: 8888
no-external-aws
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external-aws spec: parameters: cloudPlatform: AWS
許可
apiVersion: v1 kind: Service metadata: annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" name: good-aws-service namespace: default spec: type: LoadBalancer
禁止
apiVersion: v1 kind: Service metadata: annotations: cloud.google.com/load-balancer-type: Internal name: bad-aws-service namespace: default spec: type: LoadBalancer
K8sPSPAllowPrivilegeEscalationContainer
Allow Privilege Escalation in Container v1.0.1
エスカレーションの root 権限への制限を制御します。PodSecurityPolicy の allowPrivilegeEscalation
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-allow-privilege-escalation-container-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: psp-allow-privilege-escalation-container-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-allowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: false
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Allowed Users v1.0.1
コンテナと一部のボリュームのユーザー ID とグループ ID を制御します。PodSecurityPolicy の runAsUser
、runAsGroup
、supplementalGroups
、fsGroup
フィールドに対応しています。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
例
psp-pods-allowed-user-ranges
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: fsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsUser: ranges: - max: 200 min: 100 rule: MustRunAs supplementalGroups: ranges: - max: 200 min: 100 rule: MustRunAs
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-allowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 199 runAsUser: 199 securityContext: fsGroup: 199 supplementalGroups: - 199
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
K8sPSPAppArmor
App Armor v1.0.0
コンテナで使用する AppArmor プロファイルの許可リストを構成します。これは、PodSecurityPolicy に適用される特定のアノテーションに対応します。AppArmor については、https://kubernetes.io/docs/tutorials/clusters/apparmor/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-apparmor
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAppArmor metadata: name: psp-apparmor spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default
許可
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: runtime/default labels: app: nginx-apparmor name: nginx-apparmor-allowed spec: containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: ephemeralContainers: - image: nginx name: nginx
K8sPSPAutomountServiceAccountTokenPod
Automount Service Account Token for Pod v1.0.1
automountServiceAccountToken を有効にする Pod の機能を制御します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
<object>
例
psp-automount-serviceaccount-token-pod
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAutomountServiceAccountTokenPod metadata: name: psp-automount-serviceaccount-token-pod spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-not-automountserviceaccounttoken name: nginx-automountserviceaccounttoken-allowed spec: automountServiceAccountToken: false containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-automountserviceaccounttoken name: nginx-automountserviceaccounttoken-disallowed spec: automountServiceAccountToken: true containers: - image: nginx name: nginx
K8sPSPCapabilities
Capabilities v1.0.1
コンテナの Linux 機能を制御します。PodSecurityPolicy の allowedCapabilities
フィールドと requiredDropCapabilities
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
例
capabilities-demo
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: capabilities-demo spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: allowedCapabilities: - something requiredDropCapabilities: - must_drop
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - something drop: - must_drop - another_one
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
K8sPSPFSGroup
FS Group v1.0.1
Pod のボリュームを所有している FSGroup の割り当てを制御します。PodSecurityPolicy の fsGroup
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
例
psp-fsgroup
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: psp-fsgroup spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ranges: - max: 1000 min: 1 rule: MayRunAs
許可
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 500 volumes: - emptyDir: {} name: fsgroup-demo-vol
禁止
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 2000 volumes: - emptyDir: {} name: fsgroup-demo-vol
K8sPSPFlexVolumes
FlexVolumes v1.0.1
FlexVolume ドライバの許可リストを制御します。PodSecurityPolicy の allowedFlexVolumes
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
例
psp-flexvolume-drivers
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedFlexVolumes: - driver: example/lvm - driver: example/cifs
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/lvm name: test-volume
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/testdriver name: test-volume
K8sPSPForbiddenSysctls
Forbidden Sysctls v1.1.2
コンテナで使用される sysctl
プロファイルを制御します。PodSecurityPolicy の allowedUnsafeSysctls
フィールドと forbiddenSysctls
フィールドに対応します。指定すると、allowedSysctls
パラメータに含まれていない sysctl は禁止と見なされます。forbiddenSysctls
パラメータは allowedSysctls
パラメータよりも優先されます。詳細については、https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
# not listed in the `forbiddenSysctls` parameter.
allowedSysctls:
- <string>
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
例
psp-forbidden-sysctls
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: psp-forbidden-sysctls spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSysctls: - '*' forbiddenSysctls: - kernel.*
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: net.core.somaxconn value: "1024"
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: kernel.msgmax value: "65536" - name: net.core.somaxconn value: "1024"
K8sPSPHostFilesystem
Host Filesystem v1.0.1
ホスト ファイル システムの使用を制御します。PodSecurityPolicy の allowedHostPaths
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
例
psp-host-filesystem
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: psp-host-filesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedHostPaths: - pathPrefix: /foo readOnly: true
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /foo/bar name: cache-volume
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: ephemeralContainers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
K8sPSPHostNamespace
Host Namespace v1.0.1
Pod コンテナによるホスト PID Namespace と IPC Namespace の共有を禁止します。PodSecurityPolicy の hostPID
フィールドと hostIPC
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
<object>
例
psp-host-namespace-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: psp-host-namespace-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-allowed spec: containers: - image: nginx name: nginx hostIPC: false hostPID: false
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-disallowed spec: containers: - image: nginx name: nginx hostIPC: true hostPID: true
K8sPSPHostNetworkingPorts
Host Networking Ports v1.0.1
Pod コンテナによるホスト ネットワークの Namespace の使用を制御します。特定のポートを指定する必要があります。PodSecurityPolicy の hostNetwork
フィールドと hostPorts
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
例
psp-host-network-ports-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: psp-host-network-ports-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: hostNetwork: true max: 9000 min: 80
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-allowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9000 hostPort: 80 hostNetwork: false
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: ephemeralContainers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
K8sPSPPrivilegedContainer
Privileged Container v1.0.1
特権モードを有効にするコンテナの機能を制御します。PodSecurityPolicy の privileged
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-privileged-container-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: psp-privileged-container-sample spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-allowed spec: containers: - image: nginx name: nginx securityContext: privileged: false
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: containers: - image: nginx name: nginx securityContext: privileged: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: privileged: true
K8sPSPProcMount
Proc Mount v1.0.2
コンテナで許可される procMount
型を制御します。PodSecurityPolicy の allowedProcMountTypes
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
例
psp-proc-mount
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: psp-proc-mount spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: procMount: Default
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Default
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Unmasked
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Read Only Root Filesystem v1.0.1
Pod コンテナで読み取り専用のルート ファイル システムを使用する必要があります。PodSecurityPolicy の readOnlyRootFilesystem
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-readonlyrootfilesystem
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-allowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: true
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
K8sPSPSELinuxV2
SELinux V2 v1.0.1
Pod コンテナの seLinuxOptions 構成の許可リストを定義します。SELinux 構成ファイルを必要とする PodSecurityPolicy に対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-selinux-v2
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSELinuxV2 metadata: name: psp-selinux-v2 spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSELinuxOptions: - level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-allowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
K8sPSPSeccomp
Seccomp v1.0.0
コンテナで使用される seccomp プロファイルを制御します。PodSecurityPolicy の seccomp.security.alpha.kubernetes.io/allowedProfileNames
アノテーションに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedLocalhostFiles <array>: When using securityContext naming scheme
# for seccomp and including `Localhost` this array holds the allowed
# profile JSON files. Putting a `*` in this array will allows all JSON
# files to be used. This field is required to allow `Localhost` in
# securityContext as with an empty list it will block.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` will allow any
# localhost based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
# allowed profile JSON files. The policy code will translate between the
# two schemes so it is not necessary to use both. Putting a `*` in this
# array allows all Profiles to be used. This field is required since with
# an empty list this policy will block all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-seccomp
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: psp-seccomp spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default - docker/default
許可
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed2 spec: containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed2 spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: ephemeralContainers: - image: nginx name: nginx
K8sPSPVolumeTypes
Volume Types v1.0.1
マウント可能なボリューム タイプをユーザーが指定したものに限定します。PodSecurityPolicy の volumes
フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
例
psp-volume-types
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPVolumeTypes metadata: name: psp-volume-types spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: volumes: - configMap - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim - flexVolume
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - emptyDir: {} name: cache-volume - emptyDir: {} name: demo-vol
禁止
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - hostPath: path: /tmp name: cache-volume - emptyDir: {} name: demo-vol
K8sPSPWindowsHostProcess
Restricts Windows HostProcess containers / pods. v1.0.0
Windows HostProcess コンテナ / Pod の実行を制限します。詳しくは、https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
restrict-windows-hostprocess
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPWindowsHostProcess metadata: name: restrict-windows-hostprocess spec: match: kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-loop nodeSelector: kubernetes.io/os: windows
禁止
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop-hostprocess-container spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-test securityContext: windowsOptions: hostProcess: true runAsUserName: NT AUTHORITY\SYSTEM hostNetwork: true nodeSelector: kubernetes.io/os: windows
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop-hostprocess-pod spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-test hostNetwork: true nodeSelector: kubernetes.io/os: windows securityContext: windowsOptions: hostProcess: true runAsUserName: NT AUTHORITY\SYSTEM
K8sPodDisruptionBudget
Pod Disruption Budget v1.0.3
PodDisruptionBudgets またはレプリカ サブリソースを実装するリソース(Deployment、ReplicationController、ReplicaSet、StatefulSet など)をデプロイする場合に、次のシナリオを許可しません。1. .spec.maxUnavailable == 0 2 を使用した PodDisruptionBudgets のデプロイ。レプリカ サブリソースを持つリソースの .spec.minAvailable == .spec.replicas を含む PodDisruptionBudgets のデプロイ。これにより、ノードのドレインなどの自発的な中断が PodDisruptionBudgets によってブロックされなくなります。 https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "policy"
version: "v1"
kind: "PodDisruptionBudget"
例
pod-distruption-budget
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodDisruptionBudget metadata: name: pod-distruption-budget spec: match: kinds: - apiGroups: - apps kinds: - Deployment - ReplicaSet - StatefulSet - apiGroups: - policy kinds: - PodDisruptionBudget - apiGroups: - "" kinds: - ReplicationController
許可
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: nginx-pdb-allowed namespace: default spec: maxUnavailable: 1 selector: matchLabels: foo: bar
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-1 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-1 template: metadata: labels: app: nginx example: allowed-deployment-1 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-1 namespace: default spec: minAvailable: 2 selector: matchLabels: app: nginx example: allowed-deployment-1
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-2 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-2 template: metadata: labels: app: nginx example: allowed-deployment-2 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-2 namespace: default spec: maxUnavailable: 1 selector: matchLabels: app: nginx example: allowed-deployment-2
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-3 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-3 template: metadata: labels: app: nginx example: allowed-deployment-3 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-3 namespace: default spec: minAvailable: 2 selector: matchLabels: app: nginx
apiVersion: apps/v1 kind: Deployment metadata: labels: app: non-matching-nginx name: nginx-deployment-allowed-4 namespace: default spec: replicas: 1 selector: matchLabels: app: non-matching-nginx example: allowed-deployment-4 template: metadata: labels: app: non-matching-nginx example: allowed-deployment-4 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-mongo-pdb-allowed-3 namespace: default spec: minAvailable: 2 selector: matchLabels: app: mongo example: non-matching-deployment-3
禁止
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: nginx-pdb-disallowed namespace: default spec: maxUnavailable: 0 selector: matchLabels: foo: bar
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-disallowed namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: disallowed-deployment template: metadata: labels: app: nginx example: disallowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-disallowed namespace: default spec: minAvailable: 3 selector: matchLabels: app: nginx example: disallowed-deployment
K8sPodResourcesBestPractices
Requires Containers are not Best-effort and Following Burstable Best Practices v1.0.4
コンテナが(CPU リクエストとメモリ リクエストを設定して)ベスト エフォートではなく、バースト可能なベスト プラクティスに従うことを要求します(メモリ リクエストは完全に同じ上限である必要があります)。必要に応じて、さまざまな検証をスキップするようにアノテーション キーを構成できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
# skipBestEffortValidationAnnotationKey <string>: Optional annotation key
# to skip best-effort container validation.
skipBestEffortValidationAnnotationKey: <string>
# skipBurstableValidationAnnotationKey <string>: Optional annotation key to
# skip burstable container validation.
skipBurstableValidationAnnotationKey: <string>
# skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
# annotation key to skip both best-effort and burstable validation.
skipResourcesBestPracticesValidationAnnotationKey: <string>
例
gke-pod-resources-best-practices
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodResourcesBestPractices metadata: name: gke-pod-resources-best-practices spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: skipBestEffortValidationAnnotationKey: skip_besteffort_validation skipBurstableValidationAnnotationKey: skip_burstable_validation skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
許可
apiVersion: v1 kind: Pod metadata: name: pod-setting-cpu-requests-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-limits-only spec: containers: - image: nginx name: nginx resources: limits: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-requests-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 100Mi requests: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: annotations: skip_besteffort_validation: "true" skip_burstable_validation: "true" skip_resources_best_practices_validation: "false" name: pod-skip-validation spec: containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: name: pod-not-setting-cpu-burstable-on-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-not-setting-requests spec: containers: - image: nginx name: nginx restartPolicy: OnFailure
apiVersion: v1 kind: Pod metadata: name: pod-setting-cpu-not-burstable-on-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-memory-requests-cpu-limits spec: containers: - image: nginx name: nginx resources: limits: cpu: 30m requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu-limits spec: containers: - image: nginx name: nginx resources: limits: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu-requests spec: containers: - image: nginx name: nginx resources: requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu spec: containers: - image: nginx name: nginx resources: limits: cpu: 500m requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 250Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory-requests spec: containers: - image: nginx name: nginx resources: requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 100Mi requests: memory: 100Mi
K8sPodsRequireSecurityContext
Pods Require Security Context v1.1.1
すべての Pod で securityContext を定義する必要があります。Pod で定義されたすべてのコンテナに、Pod レベルまたはコンテナレベルで SecurityContext が定義されている必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
例
pods-require-security-context-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context-sample spec: enforcementAction: dryrun parameters: exemptImages: - nginix-exempt - alpine*
許可
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: nginx name: nginx securityContext: runAsUser: 2000
apiVersion: v1 kind: Pod metadata: name: allowed-example-exemptImage spec: containers: - image: nginix-exempt name: nginx
apiVersion: v1 kind: Pod metadata: name: allowed-example-exemptImage-wildcard spec: containers: - image: alpine17 name: alpine
禁止
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - image: nginx name: nginx
K8sProhibitRoleWildcardAccess
Prohibit Role Wildcard Access v1.0.4
Roles と ClusterRoles では、免除と指定される適用除外の Roles と ClusterRoles を除き、ワイルドカード()値へのリソース アクセス権限が設定されていないことを必須にします。/status のようなサブリソースへのワイルドカード アクセスは制限しません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptions <object>: The list of exempted Roles and/or ClusterRoles name
# that are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression
# based match on the name.
regexMatch: <boolean>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
例
prohibit-role-wildcard-access-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
prohibit-wildcard-except-exempted-cluster-role
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-wildcard-except-exempted-cluster-role spec: enforcementAction: dryrun parameters: exemptions: clusterRoles: - name: cluster-role-allowed-example roles: - name: role-allowed-example namespace: role-ns-allowed-example
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Replica Limits v1.0.1
spec.replicas
フィールドのオブジェクト(Deployments、ReplicaSets など)に、定義された範囲内のレプリカ数を指定する必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
例
replica-limits
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sReplicaLimits metadata: name: replica-limits spec: match: kinds: - apiGroups: - apps kinds: - Deployment parameters: ranges: - max_replicas: 50 min_replicas: 3
許可
apiVersion: apps/v1 kind: Deployment metadata: name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
禁止
apiVersion: apps/v1 kind: Deployment metadata: name: disallowed-deployment spec: replicas: 100 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sRequireBinAuthZ
Requires Binary Authorization v1.0.2
Binary Authorization Validating Admission Webhook が必要です。この ConstraintTemplate
を使用する制約については、enforcementAction
値に関係なく監査のみ実施されます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "admissionregistration.k8s.io"
version: "v1" OR "v1beta1"
kind: "ValidatingWebhookConfiguration"
例
require-binauthz
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireBinAuthZ metadata: name: require-binauthz spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Namespace
許可
apiVersion: v1 kind: Namespace metadata: name: default --- # Referential Data apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: binauthz-admission-controller webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview name: imagepolicywebhook.image-policy.k8s.io rules: - operations: - CREATE - UPDATE - apiVersion: - v1 sideEffects: None
禁止
apiVersion: v1 kind: Namespace metadata: name: default
K8sRequireCosNodeImage
Require COS Node Image v1.1.1
Google が提供する Container-Optimized OS の使用がノード上で強制されます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptOsImages <array>: A list of exempt OS Images.
exemptOsImages:
- <string>
例
nodes-have-consistent-time
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireCosNodeImage metadata: name: nodes-have-consistent-time spec: enforcementAction: dryrun parameters: exemptOsImages: - Debian - Ubuntu*
許可
apiVersion: v1 kind: Node metadata: name: allowed-example status: nodeInfo: osImage: Container-Optimized OS from Google
apiVersion: v1 kind: Node metadata: name: example-exempt status: nodeInfo: osImage: Debian
apiVersion: v1 kind: Node metadata: name: example-exempt-wildcard status: nodeInfo: osImage: Ubuntu 18.04.5 LTS
禁止
apiVersion: v1 kind: Node metadata: name: disallowed-example status: nodeInfo: osImage: Debian GNUv1.0
K8sRequireDaemonsets
Required Daemonsets v1.1.1
指定された DaemonSet のリストを必須にします。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# requiredDaemonsets <array>: A list of names and namespaces of the
# required daemonsets.
requiredDaemonsets:
- # name <string>: The name of the required daemonset.
name: <string>
# namespace <string>: The namespace for the required daemonset.
namespace: <string>
# restrictNodeSelector <boolean>: The daemonsets cannot include
# `NodeSelector`.
restrictNodeSelector: <boolean>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "DaemonSet"
OR
- group: "apps"
version: "v1beta2" OR "v1"
kind: "DaemonSet"
例
require-daemonset
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDaemonsets metadata: name: require-daemonset spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Namespace parameters: requiredDaemonsets: - name: clamav namespace: pci-dss-av restrictNodeSelector: true
許可
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: other namespace: pci-dss-av spec: selector: matchLabels: name: other template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: other --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: labels: k8s-app: clamav-host-scanner name: clamav namespace: pci-dss-av spec: selector: matchLabels: name: clamav template: metadata: labels: name: clamav spec: containers: - image: us.gcr.io/{your-project-id}/clamav:latest livenessProbe: exec: command: - /health.sh initialDelaySeconds: 60 periodSeconds: 30 name: clamav-scanner resources: limits: memory: 3Gi requests: cpu: 500m memory: 2Gi volumeMounts: - mountPath: /data name: data-vol - mountPath: /host-fs name: host-fs readOnly: true - mountPath: /logs name: logs terminationGracePeriodSeconds: 30 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master volumes: - emptyDir: {} name: data-vol - hostPath: path: / name: host-fs - hostPath: path: /var/log/clamav name: logs
禁止
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: other namespace: pci-dss-av spec: selector: matchLabels: name: other template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: other
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: clamav namespace: pci-dss-av spec: selector: matchLabels: name: clamav template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: clamav nodeSelector: cloud.google.com/gke-spot: "true"
K8sRequireDefaultDenyEgressPolicy
Require Default Deny Egress Policy v1.0.3
クラスタで定義されているすべての Namespace に、下り(外向き)用のデフォルトの拒否 NetworkPolicy を必須にします。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "NetworkPolicy"
OR
- group: "networking.k8s.io"
version: "v1"
kind: "NetworkPolicy"
例
require-default-deny-network-policies
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: require-default-deny-network-policies spec: enforcementAction: dryrun
許可
apiVersion: v1 kind: Namespace metadata: name: example-namespace --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress namespace: example-namespace spec: podSelector: {} policyTypes: - Egress
禁止
apiVersion: v1 kind: Namespace metadata: name: example-namespace
apiVersion: v1 kind: Namespace metadata: name: example-namespace2 --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress namespace: example-namespace spec: podSelector: {} policyTypes: - Egress
K8sRequireNamespaceNetworkPolicies
Require Namespace Network Policies v1.0.4
クラスタで定義されているすべての Namespace に NetworkPolicy が必要です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "NetworkPolicy"
OR
- group: "networking.k8s.io"
version: "v1"
kind: "NetworkPolicy"
例
require-namespace-network-policies-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
許可
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
禁止
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Require Valid Ranges for Networks v1.0.2
上り(内向き)と下り(外向き)のネットワークを許可する CIDR ブロックを適用します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for egress.
allowedEgress:
- <string>
# allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for ingress.
allowedIngress:
- <string>
例
require-valid-network-ranges
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireValidRangesForNetworks metadata: name: require-valid-network-ranges spec: enforcementAction: dryrun parameters: allowedEgress: - 10.0.0.0/32 allowedIngress: - 10.0.0.0/24
許可
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: egress: - ports: - port: 5978 protocol: TCP to: - ipBlock: cidr: 10.0.0.0/32 ingress: - from: - ipBlock: cidr: 10.0.0.0/29 - ipBlock: cidr: 10.0.0.100/29 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - port: 6379 protocol: TCP podSelector: matchLabels: role: db policyTypes: - Ingress - Egress
禁止
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy-disallowed namespace: default spec: egress: - ports: - port: 5978 protocol: TCP to: - ipBlock: cidr: 1.1.2.0/31 ingress: - from: - ipBlock: cidr: 1.1.2.0/24 - ipBlock: cidr: 2.1.2.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - port: 6379 protocol: TCP podSelector: matchLabels: role: db policyTypes: - Ingress - Egress
K8sRequiredAnnotations
Required Annotations v1.0.0
リソースには、指定された正規表現と一致する値を持つ、指定されたアノテーションを含める必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
例
all-must-have-certain-set-of-annotations
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: all-must-have-certain-set-of-annotations spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: annotations: - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$ key: a8r.io/owner - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$ key: a8r.io/runbook message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
許可
apiVersion: v1 kind: Service metadata: annotations: a8r.io/owner: dev-team-alfa@contoso.com a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks name: allowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
禁止
apiVersion: v1 kind: Service metadata: name: disallowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
K8sRequiredLabels
Required Labels v1.0.0
リソースには、指定された正規表現と一致する値を持つ、指定されたラベルを含める必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
例
all-must-have-owner
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: - "" kinds: - Namespace parameters: labels: - allowedRegex: ^[a-zA-Z]+.agilebank.demo$ key: owner message: All namespaces must have an `owner` label that points to your company username
許可
apiVersion: v1 kind: Namespace metadata: labels: owner: user.agilebank.demo name: allowed-namespace
禁止
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Required Probes v1.0.1
Pod に readiness Probe または liveness Probe が必要です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# probeTypes <array>: The probe must define a field listed in `probeType`
# in order to satisfy the constraint (ex. `tcpSocket` satisfies
# `['tcpSocket', 'exec']`)
probeTypes:
- <string>
# probes <array>: A list of probes that are required (ex: `readinessProbe`)
probes:
- <string>
例
must-have-probes
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredProbes metadata: name: must-have-probes spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: probeTypes: - tcpSocket - httpGet - exec probes: - readinessProbe - livenessProbe
許可
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: tomcat livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 80 name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
禁止
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: nginx:1.7.9 name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
apiVersion: v1 kind: Pod metadata: name: test-pod2 spec: containers: - image: nginx:1.7.9 livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 80 name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
K8sRequiredResources
Required Resources v1.0.1
コンテナには、定義済みのリソースセットが必要です。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# limits <array>: A list of limits that should be enforced (`cpu`,
# `memory`, or both).
limits:
# Allowed Values: cpu, memory
- <string>
# requests <array>: A list of requests that should be enforced (`cpu`,
# `memory`, or both).
requests:
# Allowed Values: cpu, memory
- <string>
例
container-must-have-limits-and-requests
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: container-must-have-limits-and-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: limits: - cpu - memory requests: - cpu - memory
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: container-must-have-cpu-requests-memory-limits-and-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: limits: - memory requests: - cpu - memory
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m memory: 2Gi
禁止
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
no-enforcements
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: no-enforcements spec: match: kinds: - apiGroups: - "" kinds: - Pod
許可
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
K8sRestrictAutomountServiceAccountTokens
Restrict Service Account Tokens v1.0.1
サービス アカウント トークンの使用を制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
restrict-serviceaccounttokens
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAutomountServiceAccountTokens metadata: name: restrict-serviceaccounttokens spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod - ServiceAccount
許可
apiVersion: v1 kind: Pod metadata: name: allowed-example-pod spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: ServiceAccount metadata: name: disallowed-example-serviceaccount
禁止
apiVersion: v1 kind: Pod metadata: name: disallowed-example-pod spec: automountServiceAccountToken: true containers: - image: nginx name: nginx
apiVersion: v1 automountServiceAccountToken: true kind: ServiceAccount metadata: name: allowed-example-serviceaccount
K8sRestrictLabels
Restrict Labels v1.0.2
特定のリソースに例外がある場合を除き、指定されたラベルをリソースに含めることを禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
例
restrict-label-example
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictLabels metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: exceptions: - group: "" kind: Pod name: allowed-example namespace: default restrictedLabels: - label-example
許可
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNamespaces
Restrict Namespaces v1.0.1
リソースに対して、restrictedNamespaces パラメータにリストされた Namespace の使用を制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
例
restrict-default-namespace-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNamespaces metadata: name: restrict-default-namespace-sample spec: enforcementAction: dryrun parameters: restrictedNamespaces: - default
許可
apiVersion: v1 kind: Pod metadata: name: allowed-example namespace: test-namespace spec: containers: - image: nginx name: nginx
禁止
apiVersion: v1 kind: Pod metadata: name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNfsUrls
Restrict NFS URLs v1.0.1
特に指定のない限り、リソースに NFS URL を配置することを禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedNfsUrls <array>: A list of allowed NFS URLs
allowedNfsUrls:
- <string>
例
restrict-label-example
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNfsUrls metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: allowedNfsUrls: - my-nfs-server.example.com/my-nfs-volume - my-nfs-server.example.com/my-wildcard-nfs-volume/*
許可
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example-nfs namespace: default spec: containers: - image: nginx name: nginx - name: test-volume nfs: path: /my-nfs-volume server: my-nfs-server.example.com
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example-nfs-wildcard namespace: default spec: containers: - image: nginx name: nginx - name: test-volume nfs: path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path server: my-nfs-server.example.com
禁止
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example-nfs namespace: default spec: containers: - image: nginx name: nginx volumes: - name: test-volume nfs: path: /my-nfs-volume server: disallowed-nfs-server.example.com
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example-nfs-mixed namespace: default spec: containers: - image: nginx name: nginx volumes: - name: test-volume-allowed nfs: path: /my-nfs-volume server: my-nfs-server.example.com - name: test-volume-disallowed nfs: path: /my-nfs-volume server: disallowed-nfs-server.example.com
K8sRestrictRbacSubjects
Restrict RBAC Subjects v1.0.3
RBAC サブジェクト内の名前の使用を、許可された値に制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of names permitted in RBAC subjects.
allowedSubjects:
- # name <string>: The exact-name or the pattern of the allowed subject
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
例
restrict-rbac-subjects
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRbacSubjects metadata: name: restrict-rbac-subjects spec: enforcementAction: dryrun match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - RoleBinding - ClusterRoleBinding parameters: allowedSubjects: - name: system:masters - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$ regexMatch: true - name: ^.+@system.gserviceaccount.com$ regexMatch: true - name: ^.+@google.com$ regexMatch: true
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user@google.com - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters - apiGroup: rbac.authorization.k8s.io kind: User name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1@example.com - apiGroup: rbac.authorization.k8s.io kind: User name: user2@example.com
K8sRestrictRoleBindings
Restrict Role Bindings v1.0.2
ClusterRoleBindings と RoleBinding で指定されたサブジェクトを、許可されたサブジェクトのリストに制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject which is matched exactly as
# provided as well as based on a regular expression.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
例
restrict-clusteradmin-rolebindings-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings-sample spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings-regex spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: User name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$ regexMatch: true restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sRestrictRoleRules
Restrict Role and ClusterRole rules. v1.0.3
Role と ClusterRole のオブジェクトに設定可能なルールを制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedRules <array>: AllowedRules is the list of rules that are allowed
# on Role or ClusterRole objects. If set, any item off this list will be
# rejected.
allowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be allowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# disallowedRules <array>: DisallowedRules is the list of rules that are
# NOT allowed on Role or ClusterRole objects. If set, any item on this list
# will be rejected.
disallowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be disallowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
# names that are allowed to violate this policy.
exemptions:
clusterRoles:
- # name <string>: Name is the name or a pattern of the ClusterRole
# to be exempted.
name: <string>
# regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
# regex match of the ClusterRole name.
regexMatch: <boolean>
roles:
- # name <string>: Name is the name of the Role to be exempted.
name: <string>
# namespace <string>: Namespace is the namespace of the Role to be
# exempted.
namespace: <string>
例
restrict-pods-exec
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleRules metadata: name: restrict-pods-exec spec: enforcementAction: dryrun match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - Role - ClusterRole parameters: disallowedRules: - apiGroups: - "" resources: - pods/exec verbs: - create
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allowed-role-example rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: disallowed-cluster-role-example rules: - apiGroups: - "" resources: - pods/exec verbs: - '*'
K8sStorageClass
Storage Class v1.1.1
使用する場合はストレージ クラスを指定する必要があります。Gatekeeper 3.9 以降のみがサポートされています。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedStorageClasses <array>: An optional allow-list of storage classes.
# If specified, any storage class not in the `allowedStorageClasses`
# parameter is disallowed.
allowedStorageClasses:
- <string>
includeStorageClassesInMessage: <boolean>
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "storage.k8s.io"
version: "v1"
kind: "StorageClass"
例
storageclass
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: storageclass spec: match: kinds: - apiGroups: - "" kinds: - PersistentVolumeClaim - apiGroups: - apps kinds: - StatefulSet parameters: includeStorageClassesInMessage: true
許可
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ok spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: somestorageclass volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: somestorageclass provisioner: foo
apiVersion: apps/v1 kind: StatefulSet metadata: name: volumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: volumeclaimstorageclass serviceName: volumeclaimstorageclass template: metadata: labels: app: volumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: somestorageclass --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: somestorageclass provisioner: foo
禁止
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: badstorageclass spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: badstorageclass volumeMode: Filesystem
apiVersion: apps/v1 kind: StatefulSet metadata: name: badvolumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: badvolumeclaimstorageclass serviceName: badvolumeclaimstorageclass template: metadata: labels: app: badvolumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: badstorageclass
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nostorageclass spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi volumeMode: Filesystem
apiVersion: apps/v1 kind: StatefulSet metadata: name: novolumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: novolumeclaimstorageclass serviceName: novolumeclaimstorageclass template: metadata: labels: app: novolumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi
allowed-storageclass
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: allowed-storageclass spec: match: kinds: - apiGroups: - "" kinds: - PersistentVolumeClaim - apiGroups: - apps kinds: - StatefulSet parameters: allowedStorageClasses: - allowed-storage-class includeStorageClassesInMessage: true
許可
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: allowed-storage-class-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: allowed-storage-class volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: allowed-storage-class provisioner: foo
禁止
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disallowed-storage-class-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: disallowed-storage-class volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: allowed-storage-class provisioner: foo
K8sUniqueIngressHost
Unique Ingress Host v1.0.3
すべての Ingress ルールホストが一意となることを必須にします。ホスト名のワイルドカードは処理されません。https://kubernetes.io/docs/concepts/services-networking/ingress/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "Ingress"
OR
- group: "networking.k8s.io"
version: "v1beta1" OR "v1"
kind: "Ingress"
例
unique-ingress-host
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata: name: unique-ingress-host spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
許可
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-allowed namespace: default spec: rules: - host: example-allowed-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix - host: example-allowed-host1.example.com http: paths: - backend: service: name: nginx2 port: number: 80 path: / pathType: Prefix
禁止
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-disallowed namespace: default spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix --- # Referential Data apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-example namespace: default spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-disallowed2 namespace: default spec: rules: - host: example-host2.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix - host: example-host3.example.com http: paths: - backend: service: name: nginx2 port: number: 80 path: / pathType: Prefix --- # Referential Data apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-example2 namespace: default spec: rules: - host: example-host2.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
K8sUniqueServiceSelector
Unique Service Selector v1.0.2
Service に Namespace 内で一意のセレクタが必要です。セレクタのキーと値が同一の場合、セレクタは同一と見なされます。1 つ以上の異なる Key-Value ペアが存在する限り、セレクタは Key-Value ペアを共有できます。 https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
参照制約
この制約は参照です。使用する前に、参照制約を有効にし、監視するオブジェクトの種類について Policy Controller に指示する構成を作成する必要があります。
Policy Controller の Config
には、次のような syncOnly
エントリが必要です。
spec:
sync:
syncOnly:
- group: ""
version: "v1"
kind: "Service"
例
unique-service-selector
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueServiceSelector metadata: labels: owner: admin.agilebank.demo name: unique-service-selector
許可
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-disallowed namespace: default spec: ports: - port: 443 selector: key: other-value
禁止
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-disallowed namespace: default spec: ports: - port: 443 selector: key: value --- # Referential Data apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-example namespace: default spec: ports: - port: 443 selector: key: value
NoUpdateServiceAccount
Block updating Service Account v1.0.0
Pod で抽象化されたリソースのサービス アカウントの更新をブロックします。監査モードではこのポリシーは無視されます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedGroups <array>: Groups that should be allowed to bypass the
# policy.
allowedGroups:
- <string>
# allowedUsers <array>: Users that should be allowed to bypass the policy.
allowedUsers:
- <string>
例
no-update-kube-system-service-account
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: NoUpdateServiceAccount metadata: name: no-update-kube-system-service-account spec: match: kinds: - apiGroups: - "" kinds: - ReplicationController - apiGroups: - apps kinds: - ReplicaSet - Deployment - StatefulSet - DaemonSet - apiGroups: - batch kinds: - CronJob namespaces: - kube-system parameters: allowedGroups: [] allowedUsers: []
許可
apiVersion: apps/v1 kind: Deployment metadata: labels: app: policy-test name: policy-test namespace: kube-system spec: replicas: 1 selector: matchLabels: app: policy-test-deploy template: metadata: labels: app: policy-test-deploy spec: containers: - command: - /bin/bash - -c - sleep 99999 image: ubuntu name: policy-test serviceAccountName: policy-test-sa-1
PolicyStrictOnly
Require STRICT Istio mTLS Policy v1.0.3
PeerAuthentication を使用する場合は、STRICT
Istio 相互 TLS を常に指定する必要があります。この制約により、非推奨の Policy リソースと MeshPolicy リソースでは、STRICT
相互 TLS が適用されることが保証されます。https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
peerauthentication-strict-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: peerauthentication-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - PeerAuthentication namespaces: - default
許可
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict namespace: default spec: mtls: mode: STRICT
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-level namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: STRICT
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-unset namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: UNSET
禁止
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: empty-mtls namespace: default spec: mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-null namespace: default spec: mtls: mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-permissive namespace: default spec: mtls: mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-permissive namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-permissive namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE "8081": mode: STRICT
deprecated-policy-strict-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: deprecated-policy-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - authentication.istio.io kinds: - Policy namespaces: - default
許可
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mode-strict namespace: default spec: peers: - mtls: mode: STRICT
禁止
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-empty namespace: default spec: peers: - mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-permissive namespace: default spec: peers: - mtls: mode: PERMISSIVE
RestrictNetworkExclusions
Restrict Network Exclusions v1.0.2
Istio ネットワーク キャプチャから除外するインバウンド ポート、アウトバウンド ポート、アウトバウンド IP 範囲を制御します。Istio ネットワーク キャプチャをバイパスするポートと IP 範囲は Istio プロキシで処理されないため、Istio mTLS 認証、認可ポリシー、その他の Istio 機能の対象ではありません。この制約を使用すると、次のアノテーションの使用に制限を適用できます。
traffic.sidecar.istio.io/excludeInboundPorts
traffic.sidecar.istio.io/excludeOutboundPorts
traffic.sidecar.istio.io/excludeOutboundIPRanges
https://istio.io/latest/docs/reference/config/annotations/ をご覧ください。
アウトバウンド IP 範囲を制限する場合、制約は除外された IP 範囲が許可された IP 範囲除外と一致するか、またはサブセットであるかを計算します。
この制約をすべての受信ポートで使用する場合は、対応する include アノテーションを "*"
に設定するか未設定のままにして、送信ポートと送信 IP 範囲を常に含める必要があります。次のアノテーションを "*"
以外に設定することはできません。
traffic.sidecar.istio.io/includeInboundPorts
traffic.sidecar.istio.io/includeOutboundPorts
traffic.sidecar.istio.io/includeOutboundIPRanges
この制約では、Istio サイドカー インジェクタは必ず traffic.sidecar.istio.io/excludeInboundPorts
アノテーションに追加され、ヘルスチェックに使用できるため、常にポート 15020 を除外できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# allowedInboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
allowedInboundPortExclusions:
- <string>
# allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
# constraint calculates whether excluded IP ranges match or are a subset of
# the ranges in this list.
allowedOutboundIPRangeExclusions:
- <string>
# allowedOutboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
allowedOutboundPortExclusions:
- <string>
例
restrict-network-exclusions
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: RestrictNetworkExclusions metadata: name: restrict-network-exclusions spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedInboundPortExclusions: - "80" allowedOutboundIPRangeExclusions: - 169.254.169.254/32 allowedOutboundPortExclusions: - "8888"
許可
apiVersion: v1 kind: Pod metadata: labels: app: nginx name: nothing-excluded spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeInboundPorts: "80" traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/excludeOutboundPorts: "8888" labels: app: nginx name: allowed-port-and-ip-exclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/includeOutboundIPRanges: '*' labels: app: nginx name: all-ip-ranges-included-with-one-allowed-ip-excluded spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/includeInboundPorts: '*' traffic.sidecar.istio.io/includeOutboundIPRanges: '*' traffic.sidecar.istio.io/includeOutboundPorts: '*' labels: app: nginx name: everything-included-with-no-exclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
禁止
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24 labels: app: nginx name: disallowed-ip-range-exclusion spec: containers: - image: nginx name: nginx ports: - containerPort: 80 - containerPort: 443
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24 labels: app: nginx name: one-disallowed-ip-exclusion-and-one-allowed-exclusion spec: containers: - image: nginx name: nginx ports: - containerPort: 80 - containerPort: 443
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/includeInboundPorts: 80,443 traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/includeOutboundPorts: "8888" labels: app: nginx name: disallowed-specific-port-and-ip-inclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
SourceNotAllAuthz
Require Istio AuthorizationPolicy Source not all v1.0.1
Istio AuthorizationPolicy ルールで、ソース プリンシパルが * 以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
例
sourcenotall-authz-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: SourceNotAllAuthz metadata: name: sourcenotall-authz-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
許可
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-good namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
禁止
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-dne namespace: foo spec: rules: - from: - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-all namespace: foo spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-someall namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
VerifyDeprecatedAPI
Verify deprecated APIs v1.0.0
非推奨の Kubernetes API を検証し、すべての API バージョンが最新であることを確認します。このテンプレートは監査には適用されません。監査は、非推奨でない API バージョンですでにクラスタに存在するリソースが対象になります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
match:
[match schema]
parameters:
# k8sVersion <number>: kubernetes version
k8sVersion: <number>
# kvs <array>: Deprecated api versions and corresponding kinds
kvs:
- # deprecatedAPI <string>: deprecated api
deprecatedAPI: <string>
# kinds <array>: impacted list of kinds
kinds:
- <string>
# targetAPI <string>: target api
targetAPI: <string>
例
verify-1.16
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.16 spec: match: kinds: - apiGroups: - apps kinds: - Deployment - ReplicaSet - StatefulSet - DaemonSet - apiGroups: - extensions kinds: - PodSecurityPolicy - ReplicaSet - Deployment - DaemonSet - NetworkPolicy parameters: k8sVersion: 1.16 kvs: - deprecatedAPI: apps/v1beta1 kinds: - Deployment - ReplicaSet - StatefulSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - ReplicaSet - Deployment - DaemonSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - PodSecurityPolicy targetAPI: policy/v1beta1 - deprecatedAPI: apps/v1beta2 kinds: - ReplicaSet - StatefulSet - Deployment - DaemonSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - NetworkPolicy targetAPI: networking.k8s.io/v1
許可
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
禁止
apiVersion: apps/v1beta1 kind: Deployment metadata: labels: app: nginx name: disallowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
verify-1.22
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.22 spec: match: kinds: - apiGroups: - admissionregistration.k8s.io kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration - apiGroups: - apiextensions.k8s.io kinds: - CustomResourceDefinition - apiGroups: - apiregistration.k8s.io kinds: - APIService - apiGroups: - authentication.k8s.io kinds: - TokenReview - apiGroups: - authorization.k8s.io kinds: - SubjectAccessReview - apiGroups: - certificates.k8s.io kinds: - CertificateSigningRequest - apiGroups: - coordination.k8s.io kinds: - Lease - apiGroups: - extensions - networking.k8s.io kinds: - Ingress - apiGroups: - networking.k8s.io kinds: - IngressClass - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole - ClusterRoleBinding - Role - RoleBinding - apiGroups: - scheduling.k8s.io kinds: - PriorityClass - apiGroups: - storage.k8s.io kinds: - CSIDriver - CSINode - StorageClass - VolumeAttachment parameters: k8sVersion: 1.22 kvs: - deprecatedAPI: admissionregistration.k8s.io/v1beta1 kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration targetAPI: admissionregistration.k8s.io/v1 - deprecatedAPI: apiextensions.k8s.io/v1beta1 kinds: - CustomResourceDefinition targetAPI: apiextensions.k8s.io/v1 - deprecatedAPI: apiregistration.k8s.io/v1beta1 kinds: - APIService targetAPI: apiregistration.k8s.io/v1 - deprecatedAPI: authentication.k8s.io/v1beta1 kinds: - TokenReview targetAPI: authentication.k8s.io/v1 - deprecatedAPI: authorization.k8s.io/v1beta1 kinds: - SubjectAccessReview targetAPI: authorization.k8s.io/v1 - deprecatedAPI: certificates.k8s.io/v1beta1 kinds: - CertificateSigningRequest targetAPI: certificates.k8s.io/v1 - deprecatedAPI: coordination.k8s.io/v1beta1 kinds: - Lease targetAPI: coordination.k8s.io/v1 - deprecatedAPI: extensions/v1beta1 kinds: - Ingress targetAPI: networking.k8s.io/v1 - deprecatedAPI: networking.k8s.io/v1beta1 kinds: - Ingress - IngressClass targetAPI: networking.k8s.io/v1 - deprecatedAPI: rbac.authorization.k8s.io/v1beta1 kinds: - ClusterRole - ClusterRoleBinding - Role - RoleBinding targetAPI: rbac.authorization.k8s.io/v1 - deprecatedAPI: scheduling.k8s.io/v1beta1 kinds: - PriorityClass targetAPI: scheduling.k8s.io/v1 - deprecatedAPI: storage.k8s.io/v1beta1 kinds: - CSIDriver - CSINode - StorageClass - VolumeAttachment targetAPI: storage.k8s.io/v1
許可
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / name: allowed-ingress spec: ingressClassName: nginx-example rules: - http: paths: - backend: service: name: test port: number: 80 path: /testpath pathType: Prefix
禁止
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / name: disallowed-ingress spec: ingressClassName: nginx-example rules: - http: paths: - backend: service: name: test port: number: 80 path: /testpath pathType: Prefix
verify-1.25
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.25 spec: match: kinds: - apiGroups: - batch kinds: - CronJob - apiGroups: - discovery.k8s.io kinds: - EndpointSlice - apiGroups: - events.k8s.io kinds: - Event - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler - apiGroups: - policy kinds: - PodDisruptionBudget - PodSecurityPolicy - apiGroups: - node.k8s.io kinds: - RuntimeClass parameters: k8sVersion: 1.25 kvs: - deprecatedAPI: batch/v1beta1 kinds: - CronJob targetAPI: batch/v1 - deprecatedAPI: discovery.k8s.io/v1beta1 kinds: - EndpointSlice targetAPI: discovery.k8s.io/v1 - deprecatedAPI: events.k8s.io/v1beta1 kinds: - Event targetAPI: events.k8s.io/v1 - deprecatedAPI: autoscaling/v2beta1 kinds: - HorizontalPodAutoscaler targetAPI: autoscaling/v2 - deprecatedAPI: policy/v1beta1 kinds: - PodDisruptionBudget targetAPI: policy/v1 - deprecatedAPI: policy/v1beta1 kinds: - PodSecurityPolicy targetAPI: None - deprecatedAPI: node.k8s.io/v1beta1 kinds: - RuntimeClass targetAPI: node.k8s.io/v1
許可
apiVersion: batch/v1 kind: CronJob metadata: name: allowed-cronjob namespace: default spec: jobTemplate: spec: template: spec: containers: - command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster image: busybox:1.28 imagePullPolicy: IfNotPresent name: hello restartPolicy: OnFailure schedule: '* * * * *'
禁止
apiVersion: batch/v1beta1 kind: CronJob metadata: name: disallowed-cronjob namespace: default spec: jobTemplate: spec: template: spec: containers: - command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster image: busybox:1.28 imagePullPolicy: IfNotPresent name: hello restartPolicy: OnFailure schedule: '* * * * *'
verify-1.26
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.26 spec: match: kinds: - apiGroups: - flowcontrol.apiserver.k8s.io kinds: - FlowSchema - PriorityLevelConfiguration - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler parameters: k8sVersion: 1.26 kvs: - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1 kinds: - FlowSchema - PriorityLevelConfiguration targetAPI: flowcontrol.apiserver.k8s.io/v1beta3 - deprecatedAPI: autoscaling/v2beta2 kinds: - HorizontalPodAutoscaler targetAPI: autoscaling/v2
許可
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 kind: FlowSchema metadata: name: allowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
禁止
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1 kind: FlowSchema metadata: name: disallowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
verify-1.27
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.27 spec: match: kinds: - apiGroups: - storage.k8s.io kinds: - CSIStorageCapacity parameters: k8sVersion: 1.27 kvs: - deprecatedAPI: storage.k8s.io/v1beta1 kinds: - CSIStorageCapacity targetAPI: storage.k8s.io/v1
許可
apiVersion: storage.k8s.io/v1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity storageClassName: standard
禁止
apiVersion: storage.k8s.io/v1beta1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity namespace: default storageClassName: standard
verify-1.29
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.29 spec: match: kinds: - apiGroups: - flowcontrol.apiserver.k8s.io kinds: - FlowSchema - PriorityLevelConfiguration parameters: k8sVersion: 1.29 kvs: - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2 kinds: - FlowSchema - PriorityLevelConfiguration targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
許可
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 kind: FlowSchema metadata: name: allowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
禁止
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2 kind: FlowSchema metadata: name: disallowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
次のステップ
- Policy Controller の詳細を確認する
- Policy Controller をインストールする
- PodSecurityPolicies の代わりに制約を使用する方法を学ぶ
- gatekeeper-library リポジトリで制約テンプレートのオープンソース ライブラリを確認する