Biblioteca de plantillas de restricciones

Las plantillas de restricciones te permiten definir cómo funciona una restricción y también delegar la definición de sus detalles a una persona o un grupo con experiencia en el tema. Además de separar los problemas, esto también separa la lógica de la restricción de su definición.

Todas las restricciones contienen una sección match, que define los objetos a los que se aplica una restricción. Para obtener detalles sobre cómo configurar esa sección, consulta Sección de coincidencia de restricción.

No todas las plantillas de restricciones están disponibles para todas las versiones del controlador de políticas, y las plantillas pueden cambiar entre versiones. Usa los siguientes vínculos para comparar las restricciones de las versiones compatibles:

Para asegurarte de recibir compatibilidad total, te recomendamos que uses plantillas de restricciones de una versión compatible del controlador de políticas.

Para ayudarte a ver cómo funcionan las plantillas de restricciones, cada plantilla incluye una restricción de ejemplo y un recurso que infringe la restricción.

Plantillas de restricciones disponibles

Plantilla de restricciones Descripción Referencia
AllowedServicePortName Requiere que los nombres de los puertos del servicio tengan un prefijo de una lista especificada. No
AsmAuthzPolicyDefaultDeny Aplica la denegación predeterminada a nivel de malla de AuthorizationPolicy Referencia a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
AsmAuthzPolicyDisallowedPrefix Requiere que las principales y los espacios de nombres en las reglas `AuthorizationPolicy` de Istio no tengan un prefijo de una lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
AsmAuthzPolicyEnforceSourcePrincipals Requiere que el campo “from” de AuthorizationPolicy de Istio, cuando se defina, tenga principios de origen, que deben configurarse en algo distinto de “*”. https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
AsmAuthzPolicyNormalization Aplica la normalización de AuthorizationPolicy. Referencia a https://istio.io/latest/docs/reference/config/security/normalization/. No
AsmAuthzPolicySafePattern Aplica los patrones seguros de AuthorizationPolicy. Referencia a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. No
AsmIngressgatewayLabel Aplica el uso de etiquetas de Ingressgateway de Istio solo en los Pods de Ingressgateway. No
AsmPeerAuthnMeshStrictMtls Aplica PeerAuthentication de la mTLS estricta a nivel de malla de. Referencia a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
AsmPeerAuthnStrictMtls Aplica todos los PeerAuthentications, no puede reemplazar la mTLS estricta Referencia a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. No
AsmRequestAuthnProhibitedOutputHeaders En RequestAuthentication, aplica el campo “jwtRules.outPayloadToHeader” para que no contenga encabezados de solicitud HTTP conocidos ni encabezados prohibidos personalizados. Referencia a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. No
AsmSidecarInjection Aplica el sidecar del proxy de Istio que siempre se insertó en los Pods de carga de trabajo No
DestinationRuleTLSEnabled Prohíbe la inhabilitación de TLS para todos los hosts y subconjuntos de hosts en las reglas de destino de Istio. No
DisallowedAuthzPrefix Requiere que las principales y los espacios de nombres en las reglas `AuthorizationPolicy` de Istio no tengan un prefijo de una lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
GCPStorageLocationConstraintV1 Restringe las “ubicaciones” permitidas para los recursos del Config Connector de StorageBucket a la lista de ubicaciones proporcionadas en la restricción. Los nombres de buckets de la lista de “exenciones” están exentos. No
GkeSpotVMTerminationGrace Requiere que los Pods y las plantillas de Pods con “nodeSelector” o “nodeAfffinty” de “gke-spot” tengan un “terminationGracePeriodSeconds” de 15 s o menos.
K8sAllowedRepos Requiere imágenes de contenedor para comenzar con una string de la lista especificada. No
K8sAvoidUseOfSystemMastersGroup No permite el uso del grupo "system:masters". No tiene ningún efecto durante la auditoría. No
K8sBlockAllIngress No permite la creación de objetos Ingress (tipos `Ingress`, `Gateway` y `Service` de `NodePort` y `LoadBalancer`). No
K8sBlockCreationWithDefaultServiceAccount No permite la creación de recursos con una cuenta de servicio predeterminada. No tiene ningún efecto durante la auditoría. No
K8sBlockEndpointEditDefaultRole Muchas instalaciones de Kubernetes tienen un ClusterRole system:aggregate-to-edit predeterminado que, de forma predeterminada, no restringe correctamente el acceso de edición a Endpoints. Esta ConstraintTemplate prohíbe el extremo system:aggregate-to-edit ClusterRole from granting permission to create/patch/update. ClusterRole/system:aggregate-to-edit no debe permitir los permisos de edición de extremos debido a CVE-2021-25740, los permisos de extremos y EndpointSlice permiten el reenvío entre espacios de nombres mediante https://github.com/kubernetes/kubernetes/issues/103675. No
K8sBlockLoadBalancer No permite todos los servicios con el tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer. No
K8sBlockNodePort No permite todos los servicios con el tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport No
K8sBlockObjectsOfType No permite el objeto de los tipos prohibidos. No
K8sBlockProcessNamespaceSharing Prohíbe las especificaciones del Pod con `shareProcessWorkspace` configurado como `true`. Esto evita situaciones en las que todos los contenedores de un Pod comparten un espacio de nombres PID y pueden acceder al sistema de archivos y la memoria del otro. No
K8sBlockWildcardIngress Los usuarios no deberían poder crear Ingress con un nombre de host en blanco o un comodín (*), ya que esto les permitiría interceptar el tráfico de otros servicios en el clúster, incluso si no tienen acceso a esos servicios. No
K8sContainerEphemeralStorageLimit Requiere que los contenedores tengan establecido un límite de almacenamiento efímero y restringe el límite para que esté dentro de los valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sContainerLimits Requiere que los contenedores tengan establecidos los límites de memoria y CPU y restrinja los límites dentro de los valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sContainerRatios Establece una proporción máxima para los límites de recursos del contenedor a las solicitudes. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sContainerRequests Requiere que los contenedores tengan establecidas las solicitudes de memoria y CPU y restrinja las solicitudes a los valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sCronJobAllowedRepos Requiere que las imágenes de contenedor de CronJobs comiencen con una string de la lista especificada. No
K8sDisallowAnonymous No permite asociar los recursos ClusterRole y Role al usuario system:anonymous y al grupo system:unauthenticated. No
K8sDisallowInteractiveTTY Requiere que los objetos tengan los campos “spec.tty” y “spec.stdin” configurados como falsos o sin configurar. No
K8sDisallowedRepos Repositorios de contenedores no permitidos que comienzan con una string de la lista especificada. No
K8sDisallowedRoleBindingSubjects Prohíbe RoleBindings o ClusterRoleBindings con sujetos que coincidan con cualquier `disableedSubjects` que se haya pasado como parámetro. No
K8sDisallowedTags Se requiere que las imágenes de contenedor tengan una etiqueta de imagen diferente de las que se enumeran en la lista especificada. https://kubernetes.io/docs/concepts/containers/images/#image-names No
K8sEmptyDirHasSizeLimit Requiere que cualquier volumen “emptyDir” especifique un “sizeLimit”. De manera opcional, se puede proporcionar un parámetro “maxSizeLimit” en la restricción para especificar un límite de tamaño máximo permitido. No
K8sEnforceCloudArmorBackendConfig Aplica la configuración de Cloud Armor en los recursos de BackendConfig No
K8sEnforceConfigManagement Requiere la presencia y el funcionamiento de Config Management. Las restricciones que usan esta "ConstraintTemplate" solo se auditarán, independientemente del valor de "enforcementAction".
IP externas Restringe las IP externas del servicio a una lista permitida de direcciones IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips No
K8sHorizontalPodAutoscaler No permite las siguientes situaciones cuando se implementa `HorizontalPodAutoscalers` 1. Deployment de HorizontalPodAutoscalers con “.spec.minReplicas” o “.spec.maxReplicas” fuera de los rangos definidos en la restricción 2. Deployment de HorizontalPodAutoscalers en la que la diferencia entre “.spec.minReplicas” y “.spec.maxReplicas” es menor que la “minimumReplicaSpread” configurada. 3. Implementación de HorizontalPodAutoscalers que no hacen referencia a un `scaleTargetRef` válido (p.ej., Deployment, ReplicationController, ReplicaSet, StatefulSet).
K8sHttpsOnly Requiere que los recursos Ingress solo sean HTTPS. Los recursos de Ingress deben incluir la anotación `kubernetes.io/ingress.allow-http` establecida en `false`. De forma predeterminada, se requiere una configuración válida de TLS {}, esta puede ser opcional si estableces el parámetro `tlsOptional` en `true`. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls No
K8sImageDigests Requiere que las imágenes del contenedor contengan un resumen. https://kubernetes.io/docs/concepts/containers/images/ No
K8sLocalStorageRequireSafeToEvict Requiere que los Pods que usen almacenamiento local (“emptyDir” o “hostPath”) tengan la anotación “cluster-autoscaler.kubernetes.io/safe-to-evict”: “true”`. El escalador automático del clúster no borrará los Pods sin esta anotación. No
K8sMemoryRequestEqualsLimit Promueve la estabilidad del Pod, ya que requiere que la memoria solicitada de todos los contenedores sea igual al límite de memoria, de modo que los Pods nunca se encuentren en un estado en el que el uso de memoria supere la cantidad solicitada. De lo contrario, Kubernetes puede finalizar los Pods que solicitan memoria adicional si se necesita memoria en el nodo. No
K8sNoEnvVarSecrets Prohíbe los secretos como variables de entorno en las definiciones del contenedor del Pod. En su lugar, usa archivos secretos activados en volúmenes de datos: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod No
K8sNoExternalServices Prohíbe la creación de recursos conocidos que expongan las cargas de trabajo a IP externas. Esto incluye los recursos de puerta de enlace de Istio y de Ingress de Kubernetes. Los servicios de Kubernetes tampoco están permitidos, a menos que cumplan con los siguientes criterios: Cualquier servicio de tipo “LoadBalancer” en Google Cloud debe tener una anotación “networking.gke.io/load-balancer-type”: “Internal”. Cualquier Service de tipo `LoadBalancer` en AWS debe tener una anotación `service.beta.kubernetes.io/aws-load-balancer-internal: “true”. Cualquier “IP externa” (externa al clúster) vinculada al servicio debe ser miembro de un rango de CIDR internos como se proporciona en la restricción. No
K8sPSPAllowPrivilegeEscalationContainer Controla la derivación de privilegios raíz. Corresponde al campo `allowPrivilegeEscalation` en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation No
K8sPSPAllowedUsers Controla los ID de grupo y usuario del contenedor y algunos volúmenes. Corresponde a los campos `runAsUser`, `runAsGroup`, `supplementalGroups` y `fsGroup` en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups No
K8sPSPAppArmor. Configura una lista de anunciantes permitidos de los perfiles de AppArmor para que los usen los contenedores. Esto corresponde a anotaciones específicas aplicadas a una PodSecurityPolicy. Para obtener más información sobre AppArmor, consulta https://kubernetes.io/docs/tutorials/clusters/apparmor/ No
K8sPSPAutomountServiceAccountTokenPod Controla la capacidad de cualquier Pod de habilitar automountServiceAccountToken. No
K8sPSPCapabilities Controla las capacidades de Linux en los contenedores. Corresponde a los campos “allowedCapabilities” y “requiredDropCapabilities” en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities. No
K8sPSPFSGrupo Controla la asignación de un FSGroup que posea los volúmenes del Pod. Corresponde al campo “fsGroup” en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPFlexVolumes Controla la lista de entidades permitidas de controladores Flexvolume. Corresponde al campo “allowedFlexVolumes” de PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers No
K8sPSPForbiddenSysctls Controla el perfil “sysctl” que usan los contenedores. Corresponde a los campos “allowedUnsafeSysctls” y “forbiddenSysctls” en una PodSecurityPolicy. Cuando se especifica, cualquier sysctl que no está en el parámetro “allowedSysctls” se considera prohibido. El parámetro “forbiddenSysctls” tiene prioridad sobre el parámetro “allowedSysctls”. Para obtener más información, consulta https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ No
Sistema de archivosK8sPSPHost Controla el uso del sistema de archivos del host. Corresponde al campo “allowedHostPaths” en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPHostNamespace Los contenedores de Pod no permiten el uso compartido de los espacios de nombres PID y IPC del host. Corresponde a los campos `hostPID` y `hostIPC` en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces No
K8sPSPHostNetworkingPorts Los contenedores de pod controlan el uso del espacio de nombres de la red host. Se deben especificar puertos específicos. Corresponde a los campos `hostNetwork` y `hostPorts` en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces No
K8sPSPPrivilegedContainer Controla la capacidad de cualquier contenedor de habilitar el modo privilegiado. Corresponde al campo `privilegiado` en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged. No
K8sPSPProcMount Controla los tipos "procMount" permitidos para el contenedor. Corresponde al campo “allowedProcMountTypes” en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes No
K8sPSPReadOnlyRootFilesystem Requiere el uso de un sistema de archivos raíz de solo lectura por parte de los contenedores del Pod. Corresponde al campo “readOnlyRootFilesystem” en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPSELinuxV2 Define una lista de anunciantes permitidos de opciones de configuración seLinuxOptions para contenedores de Pod. Corresponde a una PodSecurityPolicy que requiere opciones de configuración de SELinux. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux No
K8sPSPSeccomp Controla el perfil de seccomp que usan los contenedores. Corresponde a la anotación `seccomp.security.alpha.kubernetes.io/allowedProfileNames` en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp No
K8sPSPVolumeTypes Restringe los tipos de volúmenes que se pueden activar a los que especifica el usuario. Corresponde al campo “volumes” en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems No
K8sPSPWindowsHostProcess Restringe la ejecución de contenedores o Pods de HostProcess de Windows. Consulta https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ para obtener más información. No
K8sPSSSRunAsNonRoot. Requiere que los contenedores se ejecuten como usuarios no raíz. Para obtener más información, consulta https://kubernetes.io/docs/concepts/security/pod-security-standards/ No
K8sPodDisruptionBudget Inhabilita las siguientes situaciones cuando implementes PodDisruptionBudgets o recursos que implementen el subrecurso de réplica (p. ej., Deployment, ReplicationController, ReplicaSet y StatefulSet): 1. Implementación de PodDisruptionBudgets con .spec.maxUnavailable == 0. 2. Implementación de PodDisruptionBudgets with .spec.minAvailable == .spec.replicas del recurso con el subrecurso de réplica. Esto evitará que PodDisruptionBudgets bloquee las interrupciones voluntarias, como el desvío de nodos. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
K8sPodResourcesBestPractices Requiere que los contenedores no hagan el mejor esfuerzo (mediante la configuración de solicitudes de CPU y memoria) y que sigan prácticas recomendadas de alto rendimiento (la solicitud de memoria debe tener exactamente el mismo límite). De manera opcional, las claves de anotación se pueden configurar para permitir la omisión de las diferentes validaciones. No
K8sPodsRequireSecurityContext Requiere que todos los Pods definan securityContext. Requiere que todos los contenedores definidos en los Pods tengan un SecurityContext definido a nivel del Pod o del contenedor. No
K8sProhibitRoleWildcardAccess Requiere que los Roles y ClusterRoles no establezcan el acceso a los recursos con un valor comodín “*”', excepto los Roles exentos y los ClusterRoles que se proporcionan como exenciones. No se restringe el acceso mediante caracteres comodín a los subrecursos, como '"*/status"'. No
K8sReplicaLimits Requiere que los objetos con el campo “spec.replicas” (Deployments, ReplicaSets, etc.) especifiquen una cantidad de réplicas dentro de los rangos definidos. No
K8sRequireAdmissionController Requiere la admisión de seguridad de Pods o un sistema de control de políticas externo.
K8sRequireBinAuthZ Requiere el webhook de admisión de validación de autorización binaria. Las restricciones que usan esta "ConstraintTemplate" solo se auditarán, independientemente del valor de "enforcementAction".
K8sRequireCosNodeImage Aplica el uso de Container-Optimized OS de Google en los nodos. No
K8sRequireDaemonsets Requiere la lista de daemonsets especificados.
K8sRequireDefaultDenyEgressPolicy Requiere que cada espacio de nombres definido en el clúster tenga una NetworkPolicy de denegación predeterminada para la salida.
K8sRequireNamespaceNetworkPolicies Requiere que cada espacio de nombres definido en el clúster tenga una NetworkPolicy.
K8sRequireValidRangesForNetworks Aplica los bloques CIDR que se permiten para la entrada y la salida de la red. No
K8sRequiredAnnotations Requiere que los recursos contengan anotaciones especificadas, con valores que coincidan con las expresiones regulares proporcionadas. No
K8sRequiredLabels Requiere que los recursos contengan etiquetas especificadas, con valores que coincidan con las expresiones regulares proporcionadas. No
K8sRequiredProbes Requiere que los Pods tengan sondeos de preparación o capacidad de respuesta. No
K8sRequiredResources Requiere que los contenedores tengan recursos definidos. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ No
K8sRestrictAdmissionController Restringir los controladores de admisión dinámicos a los permitidos No
K8sRestrictAutomountServiceAccountTokens Restringe el uso de tokens de cuentas de servicio. No
K8sRestrictLabels No permite que los recursos contengan etiquetas especificadas, a menos que haya una excepción para el recurso específico. No
K8sRestrictNamespaces Restringe que los recursos usen espacios de nombres enumerados en el parámetro restrictNamespaces. No
K8sRestrictNfsUrls No permite que los recursos contengan URLs de NFS, a menos que se especifiquen. No
K8sRestrictRbacSubjects Restringe el uso de nombres en sujetos de RBAC a los valores permitidos. No
K8sRestrictRoleBindings Restringe los sujetos especificados en ClusterRoleBindings y RoleBindings a una lista de sujetos permitidos. No
K8sRestrictRoleRules Restringe las reglas que se pueden configurar en los objetos Role y ClusterRole. No
K8sStorageClass Requiere que se especifiquen las clases de almacenamiento cuando se utilizan. Solo se admiten los contenedores Gatekeeper 3.9+ y no efímeros.
K8sUniqueIngressHost Requiere que todos los hosts de reglas de entrada sean únicos. No admite comodines de nombres de host: https://kubernetes.io/docs/concepts/services-networking/ingress/
K8sUniqueServiceSelector Requiere que los servicios tengan selectores únicos dentro de un espacio de nombres. Los selectores se consideran iguales si tienen claves y valores idénticos. Los selectores pueden compartir un par clave-valor siempre que haya al menos un par clave-valor entre ellos. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
NoUpdateServiceAccount Bloquea la actualización de la cuenta de servicio en los recursos que se abstraen sobre los pods. Esta política se ignora en el modo de auditoría. No
PolicyStrictOnly Requiere que la TLS mutua de Istio `STRICT` siempre se especifique cuando se use [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). Esta restricción también garantiza que los recursos obsoletos [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) y de MeshPolicy apliquen TLS mutuamente “STRICT”. Consulta https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh No
RestrictNetworkExclusions Controla qué puertos de entrada, puertos de salida y rangos de IP salientes se pueden excluir de la captura de red de Istio. El proxy de Istio no controla los puertos ni los rangos de IP que evitan la captura de red de Istio, y estos no están sujetos a la autenticación de mTLS de Istio, la política de autorización y otras funciones de Istio. Se puede usar esta restricción para aplicar restricciones al uso de las siguientes anotaciones: * `traffic.sidecar.istio.io/ExcludeInboundPorts` * `traffic.sidecar.istio.io/ExcludeOutboundPorts` * `traffic.sidecar.istio.io/ExcludeOutboundIPRanges` Consulta https://istio.io/latest/docs/reference/config/annotations/. Cuando restringes los rangos de IP salientes, la restricción calcula si los rangos de IP excluidos son un subconjunto de las exclusiones de rangos de IP permitidas o coinciden con estas. Cuando se usa esta restricción, todos los puertos de entrada, los puertos de salida y los rangos de IP salientes siempre deben incluirse. Para ello, se deben configurar las anotaciones correspondientes de "include" como"*" o no se deben establecer. No se permite establecer ninguna de estas anotaciones que no sean "*"": * `traffic.sidecar.istio.io/includeInboundPorts` * `traffic.sidecar.istio.io/includeOutboundPorts` * `traffic.sidecar.istio.io/includeOutboundIPRanges` Esta restricción siempre permite que "traffic.sidecar.istio.io/includeInboundPorts` * `traffic.sidecar.istio.io/includeOutboundPorts` * `traffic.sidecar.istio.io/includeOutboundIPRanges`. Esta restricción siempre permite que el puerto 15020 de la anotación de tráfico No
SourceNotAllAuthz Requiere que las reglas de AuthorizationPolicy de Istio tengan principales de origen configurados en un valor distinto de “*” https://istio.io/latest/docs/reference/config/security/authorization-policy/ No
VerifyDeprecatedAPI Verifica las APIs de Kubernetes obsoletas para garantizar que todas las versiones de la API estén actualizadas. Esta plantilla no se aplica a la auditoría, ya que analiza los recursos que ya están presentes en el clúster con versiones de API no obsoletas. No

AllowedServicePortName

Nombres de puertos de servicio permitidos v1.0.1

Requiere que los nombres de los puertos del servicio tengan un prefijo de una lista especificada.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

Ejemplos

port-name-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
Permitido
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
  - name: http-helloport
    port: 5000
  selector:
    app: helloworld
No permitida
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
  - name: foo-helloport
    port: 5000
  selector:
    app: helloworld
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld

AsmAuthzPolicyDefaultDeny

Denegación predeterminada de la política de autorización de ASM v1.0.4

Aplica la denegación predeterminada a nivel de malla de AuthorizationPolicy Referencia a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "AuthorizationPolicy"

Ejemplos

asm-authz-policy-default-deny-with-input-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
No permitida
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
asm-authz-policy-default-deny-no-input-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
No permitida
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST

AsmAuthzPolicyDisallowedPrefix

Prefijos no permitidos de ASM AuthorizationPolicy v1.0.2

Requiere que los principales y los espacios de nombres en las reglas AuthorizationPolicy de Istio no tengan un prefijo de una lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
    disallowedNamespacePrefixes:
      - <string>
    # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
    disallowedPrincipalPrefixes:
      - <string>

Ejemplos

asm-authz-policy-disallowed-prefix-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
    - bad-ns-prefix
    - worse-ns-prefix
    disallowedPrincipalPrefixes:
    - bad-principal-prefix
    - worse-principal-prefix
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
No permitida
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/worse-principal-prefix-sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyEnforceSourcePrincipals

Principales de aplicación de las políticas de autorización de ASM v1.0.2

Requiere que el campo “from” de AuthorizationPolicy de Istio, cuando se defina, tenga principios de origen, que deben configurarse en algo distinto de “*”. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

asm-authz-policy-enforce-source-principals-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
No permitida
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyNormalization

Normalización de AuthorizationPolicy de ASM v1.0.2

Aplica la normalización de AuthorizationPolicy. Referencia a https://istio.io/latest/docs/reference/config/security/normalization/.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

asm-authz-policy-normalization-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
No permitida
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - get
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Ag ent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test\/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicySafePattern

Patrones seguros de AuthorizationPolicy de ASM v1.0.4

Aplica los patrones seguros de AuthorizationPolicy. Referencia a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Ejemplos

asm-authz-policy-safe-pattern-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway
No permitida
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

AsmIngressgatewayLabel

Etiqueta de la puerta de enlace de entrada de ASM v1.0.3

Aplica el uso de etiquetas de Ingressgateway de Istio solo en los Pods de Ingressgateway.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

asm-ingressgateway-label-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

AsmPeerAuthnMeshStrictMtls

Malla de autenticación de intercambio de tráfico de ASM con mTLS estricta v1.0.4

Aplica PeerAuthentication de la mTLS estricta a nivel de malla de. Referencia a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "PeerAuthentication"

Ejemplos

asm-peer-authn-mesh-strict-mtls-with-input-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT
No permitida
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
No permitida
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

AsmPeerAuthnStrictMtls

Autenticación de intercambio de tráfico de ASM con mTLS estricta v1.0.3

Aplica todos los PeerAuthentications, no puede reemplazar la mTLS estricta Referencia a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Ejemplos

asm-peer-authn-strict-mtls-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High
Permitido
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
No permitida
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

AsmRequestAuthnProhibitedOutputHeaders

Encabezados de salida prohibidos de RequestAuthentication de ASM v1.0.2

En RequestAuthentication, aplica el campo jwtRules.outPayloadToHeader para que no contenga encabezados de solicitud HTTP conocidos ni encabezados prohibidos personalizados. Referencia a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>

Ejemplos

asm-request-authn-prohibited-output-headers-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header
Permitido
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
No permitida
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

AsmSidecarInjection

Inyección de sidecar de ASM v1.0.2

Aplica el sidecar del proxy de Istio que siempre se insertó en los Pods de carga de trabajo

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Ejemplos

asm-sidecar-injection-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High
Permitido
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
No permitida
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

DestinationRuleTLSEnabled

TLS de la regla de destino habilitada v1.0.1

Prohíbe la inhabilitación de TLS para todos los hosts y subconjuntos de hosts en las reglas de destino de Istio.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

dr-tls-enabled
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
No permitida
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE

DisallowedAuthzPrefix

No permitir los prefijos de AuthorizationPolicy de Istio v1.0.2

Requiere que los principales y los espacios de nombres en las reglas AuthorizationPolicy de Istio no tengan un prefijo de una lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

Ejemplos

disallowed-authz-prefix-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
No permitida
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

Restricción de ubicación de almacenamiento de GCP v1.0.3

Restringe las locations permitidas para los recursos de Config Connector de StorageBucket a la lista de ubicaciones proporcionadas en la restricción. Los nombres de los buckets de la lista exemptions están exentos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

Ejemplos

singapore-and-jakarta-only
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
Permitido
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
No permitido
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

GkeSpotVMTerminationGrace

Restringe EndpointsGracePeriodSeconds para las VMs Spot de GKE v1.1.3

Requiere que los Pods y las plantillas de Pods con nodeSelector o nodeAfffinty de gke-spot tengan un terminationGracePeriodSeconds de 15 s o menos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
    # of 15s or less for all `Pod` on a `gke-spot` Node.
    includePodOnSpotNodes: <boolean>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Node"

Ejemplos

Spotify-termination-grace
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: spotvm-termination-grace
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    includePodOnSpotNodes: true
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

K8sAllowedRepos

Repositorios permitidos v1.0.1

Requiere imágenes de contenedor para comenzar con una string de la lista especificada.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Ejemplos

repo-is-openpolicyagent
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
No permitido
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sAvoidUseOfSystemMastersGroup

No permitir el uso del grupo “system:masters” v1.0.0

No permite el uso del grupo "system:masters". No tiene ningún efecto durante la auditoría.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>

Ejemplos

avoid-use-of-system-masters-group
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group
Permitido
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockAllIngress

Bloquear todas las instancias de Ingress v1.0.4

No permite la creación de objetos Ingress (tipos Ingress, Gateway y Service de NodePort y LoadBalancer).

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>

Ejemplos

bloquear todo-entrada
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*
Permitido
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP
No permitido
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: disallowed-gateway-example
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.example.com'
    name: default
    port: 80
    protocol: HTTP

K8sBlockCreationWithDefaultServiceAccount

Creación de bloques con la cuenta de servicio predeterminada v1.0.2

No permite la creación de recursos con una cuenta de servicio predeterminada. No tiene ningún efecto durante la auditoría.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

block-creation-with-default-serviceaccount
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun
Permitido
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockEndpointEditDefaultRole

Función predeterminada de edición del extremo del bloque v1.0.0

Muchas instalaciones de Kubernetes tienen un ClusterRole system:aggregate-to-edit predeterminado que, de forma predeterminada, no restringe correctamente el acceso de edición a Endpoints. Esta ConstraintTemplate prohíbe el extremo system:aggregate-to-edit ClusterRole from granting permission to create/patch/update. ClusterRole/system:aggregate-to-edit no debe permitir los permisos de edición de extremos debido a CVE-2021-25740, los permisos de extremos y EndpointSlice permiten el reenvío entre espacios de nombres mediante https://github.com/kubernetes/kubernetes/issues/103675.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

block-endpoint-edit-default-role
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
No permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

K8sBlockLoadBalancer

Bloquea objetos Service con el tipo LoadBalancer v1.0.0

No permite todos los servicios con el tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

balanceador de cargas de bloques
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Permitido
apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
No permitida
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer

K8sBlockNodePort

Bloquear NodePort v1.0.0

No permite todos los servicios con el tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

block-node-port
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
No permitido
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockObjectsOfType

Bloquear objetos de tipo v1.0.1

No permite el objeto de los tipos prohibidos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
      - <string>

Ejemplos

block-secrets-of-type-basic-auth
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth
Permitido
apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque
No permitido
apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth

K8sBlockProcessNamespaceSharing

Bloquear el uso compartido del espacio de nombres del proceso v1.0.1

Prohíbe las especificaciones de Pod con shareProcessNamespace establecido en true. Esto evita situaciones en las que todos los contenedores de un Pod comparten un espacio de nombres PID y pueden acceder al sistema de archivos y a la memoria de los demás.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

block-process-namespace-sharing
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sBlockWildcardIngress

Bloquear entrada de comodín v1.0.1

Los usuarios no deberían poder crear Ingress con un nombre de host en blanco o un comodín (*), ya que esto les permitiría interceptar el tráfico de otros servicios en el clúster, incluso si no tienen acceso a esos servicios.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

block-wildcard-ingress
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
No permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

K8sContainerEphemeralStorageLimit

Límite de almacenamiento efímero del contenedor v1.0.2

Requiere que los contenedores tengan establecido un límite de almacenamiento efímero y restringe el límite para que esté dentro de los valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

container-ephemeral-storage-limit
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

K8sContainerLimits

Container Limits v1.0.1

Requiere que los contenedores tengan establecidos los límites de memoria y CPU y restrinja los límites dentro de los valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

Ejemplos

container-must-have-limits
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

Proporción de contenedores v1.0.1

Establece una proporción máxima para los límites de recursos del contenedor a las solicitudes. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

Ejemplos

container-must-meet-ratio
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

K8sContainerRequests

Solicitudes de contenedores v1.0.1

Requiere que los contenedores tengan establecidas las solicitudes de memoria y CPU y restrinja las solicitudes a los valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>

Ejemplos

container-must-have-requests
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
No permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

K8sCronJobAllowedRepos

Repositorios permitidos de CronJob v1.0.1

Requiere que las imágenes de contenedor de CronJobs comiencen con una string de la lista especificada.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Ejemplos

cronjob-restrict-repos
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: cronjob-restrict-repos
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
  parameters:
    repos:
    - gke.gcr.io/
Permitido
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: gke.gcr.io/busybox:1.28
            name: hello
  schedule: '* * * * *'
No permitida
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: busybox:1.28
            name: hello
  schedule: '* * * * *'

K8sDisallowAnonymous

No permitir el acceso anónimo v1.0.0

No permite asociar los recursos ClusterRole y Role al usuario system:anonymous y al grupo system:unauthenticated.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
      - <string>

Ejemplos

no-anonymous
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
No permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowInteractiveTTY

No permitir los contenedores interactivos de TTY v1.0.0

Requiere que los objetos tengan los campos spec.tty y spec.stdin configurados como falsos o sin configurar.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

no-interactive-tty-containers
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: no-interactive-tty-containers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-interactive-tty
  name: nginx-interactive-tty-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: false
    tty: false
No permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: true
    tty: true

K8sDisallowedRepos

Repositorios no permitidos v1.0.0

Repositorios de contenedores no permitidos que comienzan con una string de la lista especificada.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
      - <string>

Ejemplos

repo-must-not-be-k8s-gcr-io
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

K8sDisallowedRoleBindingSubjects

Sujetos de Rolebinding v1.0.1 no permitidos

Prohíbe RoleBinding o ClusterRoleBindings con sujetos que coinciden con cualquier disallowedSubjects pasado como parámetro.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

Ejemplos

disallowed-rolebinding-subjects
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
No permitida
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

No permitir etiquetas v1.0.1

Se requiere que las imágenes de contenedor tengan una etiqueta de imagen diferente de las que se enumeran en la lista especificada. https://kubernetes.io/docs/concepts/containers/images/#image-names

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

Ejemplos

container-image-must-not-have-latest-tag
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor

K8sEmptyDirHasSizeLimit

El directorio vacío tiene un límite de tamaño v1.0.5

Requiere que cualquier volumen emptyDir especifique una sizeLimit. De manera opcional, se puede proporcionar un parámetro maxSizeLimit en la restricción para especificar un límite de tamaño máximo permitido.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
      - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

Ejemplos

empty-dir-has-size-limit
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy
No permitido
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sEnforceCloudArmorBackendConfig

Aplica Cloud Armor en recursos BackendConfig v1.0.2

Aplica la configuración de Cloud Armor en los recursos de BackendConfig

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

enforce-cloudarmor-backendconfig
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun
Permitido
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy
No permitido
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5

K8sEnforceConfigManagement

Aplica Config Management v1.1.6

Requiere la presencia y el funcionamiento de Config Management. Las restricciones que usen este ConstraintTemplate solo se auditarán, sin importar el valor de enforcementAction.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"

Ejemplos

aplicación-config-management
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement
Permitido
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true
No permitida
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2

K8sExternalIPs

IP externas v1.0.0

Restringe las IP externas del servicio a una lista permitida de direcciones IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

Ejemplos

external-ips
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
Permitido
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
No permitido
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHorizontalPodAutoscaler

Horizontal Pod Autoscaler v1.0.1

No permite las siguientes situaciones cuando se implementa HorizontalPodAutoscalers 1. Deployment de HorizontalPodAutoscalers con .spec.minReplicas o .spec.maxReplicas fuera de los rangos definidos en la restricción 2. Deployment de HorizontalPodAutoscalers en la que la diferencia entre .spec.minReplicas y .spec.maxReplicas es menor que el minimumReplicaSpread 3 configurado. Implementación de HorizontalPodAutoscalers que no hacen referencia a un scaleTargetRef válido (p.ej., Deployment, ReplicationController, ReplicaSet, StatefulSet).

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "Deployment"
      OR
      - group: "apps"
        version: "v1"
        kind: "StatefulSet"

Ejemplos

horizontal-pod-autoscaler
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3
Permitido
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
No permitida
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sHttpsOnly

Solo HTTPS v1.0.2

Requiere que los recursos Ingress solo sean HTTPS. Los recursos de entrada deben incluir la anotación kubernetes.io/ingress.allow-http, establecida en false. De forma predeterminada, se requiere una configuración de TLS válida {}. Esto puede hacerse opcional si se fija el parámetro tlsOptional en true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>

Ejemplos

ingress-https-only
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}
No permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
ingress-https-only-tls-optional
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
No permitida
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sImageDigests

Resumen de imágenes v1.0.1

Requiere que las imágenes del contenedor contengan un resumen. https://kubernetes.io/docs/concepts/containers/images/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

container-image-must-have-digest
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

K8sLocalStorageRequireSafeToEvict

El almacenamiento local requiere la expulsión segura de la versión 1.0.1

Requiere que los Pods que usan almacenamiento local (emptyDir o hostPath) tengan la anotación "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". El escalador automático del clúster no borrará los Pods sin esta anotación.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

local-storage-require-safe-to-evict
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system
Permitido
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

Límite igual a la solicitud de memoria v1.0.4

Promueve la estabilidad del Pod, ya que requiere que la memoria solicitada de todos los contenedores sea igual al límite de memoria, de modo que los Pods nunca se encuentren en un estado en el que el uso de memoria supere la cantidad solicitada. De lo contrario, Kubernetes puede finalizar los Pods que solicitan memoria adicional si se necesita memoria en el nodo.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
      - <string>

Ejemplos

container-must-request-limit
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

Sin secretos de variables de entorno v1.0.1

Prohíbe los secretos como variables de entorno en las definiciones del contenedor del Pod. En su lugar, usa archivos secretos activados en volúmenes de datos: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

no-secrets-as-env-vars-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

Sin servicios externos v1.0.3

Prohíbe la creación de recursos conocidos que expongan las cargas de trabajo a IP externas. Esto incluye los recursos de puerta de enlace de Istio y de Ingress de Kubernetes. Los servicios de Kubernetes tampoco están permitidos, a menos que cumplan con los siguientes criterios: cualquier servicio de tipo LoadBalancer en Google Cloud debe tener una anotación "networking.gke.io/load-balancer-type": "Internal". Cualquier servicio de tipo LoadBalancer en AWS debe tener una anotación service.beta.kubernetes.io/aws-load-balancer-internal: "true. Cualquier “IP externa” (externa al clúster) vinculada al servicio debe ser miembro de un rango de CIDR internos como se proporciona en la restricción.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

Ejemplos

no-external
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
Permitido
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-type: Internal
  name: allowed-internal-load-balancer
  namespace: default
spec:
  type: LoadBalancer
No permitida
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
no-external-aws
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS
Permitido
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer
No permitida
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer

K8sPSPAllowPrivilegeEscalationContainer

Permitir la elevación de privilegios en el contenedor v1.0.1

Controla la derivación de privilegios raíz. Corresponde al campo allowPrivilegeEscalation en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

psp-allow-privilege-escalation-container-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

Usuarios permitidos v1.0.2

Controla los ID de grupo y usuario del contenedor y algunos volúmenes. Corresponde a los campos runAsUser, runAsGroup, supplementalGroups y fsGroup en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

Ejemplos

psp-pods-allowed-user-ranges
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

App Armor v1.0.0

Configura una lista de anunciantes permitidos de los perfiles de AppArmor para que los usen los contenedores. Esto corresponde a anotaciones específicas aplicadas a una PodSecurityPolicy. Para obtener más información sobre AppArmor, consulta https://kubernetes.io/docs/tutorials/clusters/apparmor/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

psp-apparmor
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
Permitido
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
No permitida
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPAutomountServiceAccountTokenPod

Token de cuenta de servicio de activación automática para el Pod v1.0.1

Controla la capacidad de cualquier Pod de habilitar automountServiceAccountToken.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Ejemplos

psp-automount-serviceaccount-token-pod
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

Funciones v1.0.2

Controla las capacidades de Linux en los contenedores. Corresponde a los campos allowedCapabilities y requiredDropCapabilities en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

Ejemplos

capabilities-demo
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

FS Group v1.0.2

Controla la asignación de un FSGroup que posea los volúmenes del Pod. Corresponde al campo fsGroup en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

Ejemplos

psp-fsgroup
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

FlexVolumes v1.0.1

Controla la lista de entidades permitidas de controladores Flexvolume. Corresponde al campo allowedFlexVolumes en PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

Ejemplos

psp-flexvolume-drivers
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

Sysctls v1.1.3 prohibidos

Controla el perfil sysctl que usan los contenedores. Corresponde a los campos allowedUnsafeSysctls y forbiddenSysctls en una PodSecurityPolicy. Cuando se especifica, cualquier sysctl que no está en el parámetro allowedSysctls se considera prohibida. El parámetro forbiddenSysctls tiene prioridad sobre el parámetro allowedSysctls. Para obtener más información, consulta https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
      - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

Ejemplos

psp-forbidden-sysctls
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"

K8sPSPHostFilesystem

Sistema de archivos del host v1.0.2

Controla el uso del sistema de archivos del host. Corresponde al campo allowedHostPaths en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

Ejemplos

psp-host-filesystem
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

K8sPSPHostNamespace

Espacio de nombres de host v1.0.1

Los contenedores de Pod no permiten el uso compartido de los espacios de nombres PID y IPC del host. Corresponde a los campos hostPID y hostIPC en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Ejemplos

psp-host-namespace-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Puertos de red de host v1.0.2

Los contenedores de pod controlan el uso del espacio de nombres de la red host. Se deben especificar puertos específicos. Corresponde a los campos hostNetwork y hostPorts en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

Ejemplos

psp-host-network-ports-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

Contenedor con privilegios v1.0.1

Controla la capacidad de cualquier contenedor de habilitar el modo privilegiado. Corresponde al campo privileged en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

psp-privileged-container-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

Activación de procesos v1.0.3

Controla los tipos procMount permitidos para el contenedor. Corresponde al campo allowedProcMountTypes en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

Ejemplos

psp-proc-mount
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default
No permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

Sistema de archivos raíz v1.0.1 de solo lectura

Requiere el uso de un sistema de archivos raíz de solo lectura por parte de los contenedores del Pod. Corresponde al campo readOnlyRootFilesystem en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

psp-readonlyrootfilesystem
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

SELinux V2 v1.0.2

Define una lista de anunciantes permitidos de opciones de configuración seLinuxOptions para contenedores de Pod. Corresponde a una PodSecurityPolicy que requiere opciones de configuración de SELinux. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

psp-selinux-v2
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Seccomp v1.0.1

Controla el perfil de seccomp que usan los contenedores. Corresponde a la anotación seccomp.security.alpha.kubernetes.io/allowedProfileNames en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allows all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
      - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Ejemplos

psp-seccomp
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default
Permitido
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx
No permitida
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPVolumeTypes

Tipos de volúmenes v1.0.2

Restringe los tipos de volúmenes que se pueden activar a los que especifica el usuario. Corresponde al campo volumes en una PodSecurityPolicy. Para obtener más información, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

Ejemplos

psp-volume-types
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol
No permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

Proceso de host de Windows

Restringe los contenedores y los Pods de HostProcess de Windows. v1.0.0

Restringe la ejecución de contenedores o Pods de HostProcess de Windows. Consulta https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ para obtener más información.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

restrict-windows-hostprocess
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows
No permitido
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM

K8sPSSRunAsNonRoot

Requiere que los contenedores se ejecuten como usuarios no raíz. v1.0.0

Requiere que los contenedores se ejecuten como usuarios no raíz. Para obtener más información, consulta https://kubernetes.io/docs/concepts/security/pod-security-standards/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

restrict-runasnonroot
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: restrict-runasnonroot
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: true
apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
  - image: nginx
    name: nginx-allowed
  securityContext:
    runAsNonRoot: true
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
  securityContext:
    runAsNonRoot: true
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: false
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
  securityContext:
    runAsNonRoot: false

K8sPodDisruptionBudget

Presupuesto de interrupción de Pods v1.0.3

Inhabilita las siguientes situaciones cuando implementes PodDisruptionBudgets o recursos que implementen el subrecurso de réplica (p. ej., Deployment, ReplicationController, ReplicaSet y StatefulSet): 1. Implementación de PodDisruptionBudgets con .spec.maxUnavailable == 0. 2. Implementación de PodDisruptionBudgets with .spec.minAvailable == .spec.replicas del recurso con el subrecurso de réplica. Esto evitará que PodDisruptionBudgets bloquee las interrupciones voluntarias, como el desvío de nodos. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "policy"
        version: "v1"
        kind: "PodDisruptionBudget"

Ejemplos

pod-distruption-budget
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
Permitido
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3
No permitido
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment

K8sPodResourcesBestPractices

Requiere que los contenedores no sean un mejor esfuerzo y siguen las prácticas recomendadas de alto rendimiento v1.0.5

Requiere que los contenedores no hagan el mejor esfuerzo (mediante la configuración de solicitudes de CPU y memoria) y que sigan prácticas recomendadas de alto rendimiento (la solicitud de memoria debe tener exactamente el mismo límite). De manera opcional, las claves de anotación se pueden configurar para permitir la omisión de las diferentes validaciones.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>

Ejemplos

gke-pod-resources-best-practices
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi

K8sPodsRequireSecurityContext

Los Pods requieren contexto de seguridad v1.1.1

Requiere que todos los Pods definan securityContext. Requiere que todos los contenedores definidos en los Pods tengan un SecurityContext definido a nivel del Pod o del contenedor.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>

Ejemplos

pods-require-security-context-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Prohibir el acceso mediante comodines de función v1.0.5

Requiere que los Roles y ClusterRoles no establezcan el acceso a los recursos a un valor comodín '“”', excepto por los Roles y ClusterRoles exentos que se proporcionan como exenciones. No se restringe el acceso mediante caracteres comodín a los subrecursos, como ""/status"'.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set  resource access to a wildcard.
    exemptions:
      clusterRoles:
        - # name <string>: The name of the ClusterRole to be exempted.
          name: <string>
          # regexMatch <boolean>: The flag to allow a regular expression
          # based match on the name.
          regexMatch: <boolean>
      roles:
        - # name <string>: The name of the Role to be exempted.
          name: <string>
          # namespace <string>: The namespace of the Role to be exempted.
          namespace: <string>

Ejemplos

prohibit-role-wildcard-access-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
No permitida
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
prohibit-wildcard-except-exempted-cluster-role
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
No permitida
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

Límites de réplica v1.0.2

Requiere que los objetos con el campo spec.replicas (implementaciones, ReplicaSets, etc.) especifiquen una cantidad de réplicas dentro de los rangos definidos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Ejemplos

replica-limits
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3
Permitido
apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
No permitido
apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireAdmissionController

Requerir el controlador de admisión v1.0.0

Requiere la admisión de seguridad de Pods o un sistema de control de políticas externo.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks which are valid external policy control systems
    permittedValidatingWebhooks:
      - <string>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Ejemplos

requiere-controlador-de-admisión
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: require-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
Permitido
apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.28
  name: allowed-namespace
No permitido
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiereBinAuthZ

Requiere autorización binaria v1.0.2

Requiere el webhook de admisión de validación de autorización binaria. Las restricciones que usen este ConstraintTemplate solo se auditarán, sin importar el valor de enforcementAction.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Ejemplos

require-binauthz
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
Permitido
apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None
No permitida
apiVersion: v1
kind: Namespace
metadata:
  name: default

K8sRequireCosNodeImage

Se requiere la imagen de nodo de COS v1.1.1.

Aplica el uso de Container-Optimized OS de Google en los nodos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
      - <string>

Ejemplos

nodes-have-consistent-time
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*
Permitido
apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian
apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS
No permitido
apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0

K8sRequireDaemonsets

Daemonsets obligatorios v1.1.2

Requiere la lista de daemonsets especificados.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
      - # name <string>: The name of the required daemonset.
        name: <string>
        # namespace <string>: The namespace for the required daemonset.
        namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "DaemonSet"
      OR
      - group: "apps"
        version: "v1beta2" OR "v1"
        kind: "DaemonSet"

Ejemplos

require-daemonset
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true
Permitido
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs
No permitido
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"

K8sRequireDefaultDenyEgressPolicy

Exigir la política de salida de denegación predeterminada v1.0.3

Requiere que cada espacio de nombres definido en el clúster tenga una NetworkPolicy de denegación predeterminada para la salida.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Ejemplos

require-default-deny-network-policies
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun
Permitido
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
No permitida
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

K8sRequireNamespaceNetworkPolicies

Exigir las políticas de red de espacio de nombres v1.0.6

Requiere que cada espacio de nombres definido en el clúster tenga una NetworkPolicy.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Ejemplos

require-namespace-network-policies-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun
Permitido
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example
No permitido
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequireValidRangesForNetworks

Exigir rangos válidos para las redes v1.0.2

Aplica los bloques CIDR que se permiten para la entrada y la salida de la red.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
      - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
      - <string>

Ejemplos

require-valid-network-ranges
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24
Permitido
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
No permitida
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

K8sRequiredAnnotations

Anotaciones obligatorias v1.0.1

Requiere que los recursos contengan anotaciones especificadas, con valores que coincidan con las expresiones regulares proporcionadas.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required annotation.
        key: <string>
    message: <string>

Ejemplos

all-must-have-certain-set-of-annotations
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Permitido
apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
No permitida
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

Etiquetas obligatorias v1.0.1

Requiere que los recursos contengan etiquetas especificadas, con valores que coincidan con las expresiones regulares proporcionadas.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required label.
        key: <string>
    message: <string>

Ejemplos

all-must-have-owner
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username
Permitido
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace
No permitida
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Sondas requeridas v1.0.1

Requiere que los Pods tengan sondeos de preparación o capacidad de respuesta.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
      - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
      - <string>

Ejemplos

must-have-probes
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

K8sRequiredResources

Recursos obligatorios v1.0.1

Requiere que los contenedores tengan recursos definidos. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # limits <array>: A list of limits that should be enforced (`cpu`,
    # `memory`, or both).
    limits:
      # Allowed Values: cpu, memory
      - <string>
    # requests <array>: A list of requests that should be enforced (`cpu`,
    # `memory`, or both).
    requests:
      # Allowed Values: cpu, memory
      - <string>

Ejemplos

container-must-have-limits-and-requests
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}
no-enforcements
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: no-enforcements
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

K8sRestrictAdmissionController

Restringir el controlador de admisión v1.0.0

Restringir los controladores de admisión dinámicos a los permitidos

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedMutatingWebhooks <array>: List of permitted mutating webhooks
    # (mutating admission controllers)
    permittedMutatingWebhooks:
      - <string>
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks (validating admission controllers)
    permittedValidatingWebhooks:
      - <string>

Ejemplos

controlador-de-restringido-de-admisión
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: restrict-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
  parameters:
    permittedMutatingWebhooks:
    - allowed-mutating-webhook
    permittedValidatingWebhooks:
    - allowed-validating-webhook
Permitido
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: allowed-validating-webhook
No permitido
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: disallowed-validating-webhook

K8sRestrictAutomountServiceAccountTokens

Restringir tokens de cuentas de servicio v1.0.1

Restringe el uso de tokens de cuentas de servicio.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

restrict-serviceaccounttokens
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount
No permitida
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount

K8sRestrictLabels

Restringir etiquetas v1.0.2

No permite que los recursos contengan etiquetas especificadas, a menos que haya una excepción para el recurso específico.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

Ejemplos

restrict-label-example
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
No permitida
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

Restringir espacios de nombres v1.0.1

Restringe que los recursos usen espacios de nombres enumerados en el parámetro restrictNamespaces.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

Ejemplos

restrict-default-namespace-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default
Permitido
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx
No permitido
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNfsUrls

Restringir URLs NFS v1.0.1

No permite que los recursos contengan URLs de NFS, a menos que se especifiquen.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
      - <string>

Ejemplos

restrict-label-example
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com
No permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

K8sRestrictRbacSubjects

Restringir sujetos de RBAC v1.0.3

Restringe el uso de nombres en sujetos de RBAC a los valores permitidos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
      - # name <string>: The exact-name or the pattern of the allowed subject
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>

Ejemplos

restrict-rbac-subjects
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@system.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@google.com$
      regexMatch: true
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user@google.com
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com
No permitida
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1@example.com
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2@example.com

K8sRestrictRoleBindings

Restringir las vinculaciones de funciones v1.0.3

Restringe los sujetos especificados en ClusterRoleBindings y RoleBindings a una lista de sujetos permitidos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject which is matched exactly as
        # provided as well as based on a regular expression.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

Ejemplos

restrict-clusteradmin-rolebindings-sample
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
No permitida
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
No permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

K8sRestrictRoleRules

Restringir Roles y las reglas de ClusterRole. v1.0.4

Restringe las reglas que se pueden configurar en los objetos Role y ClusterRole.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be allowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be disallowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
        - # name <string>: Name is the name or a pattern of the ClusterRole
          # to be exempted.
          name: <string>
          # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
          # regex match of the ClusterRole name.
          regexMatch: <boolean>
      roles:
        - # name <string>: Name is the name of the Role to be exempted.
          name: <string>
          # namespace <string>: Namespace is the namespace of the Role to be
          # exempted.
          namespace: <string>

Ejemplos

restrict-pods-exec
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
No permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'

K8sStorageClass

Clase de almacenamiento v1.1.2

Requiere que se especifiquen las clases de almacenamiento cuando se utilizan. Solo se admiten los contenedores Gatekeeper 3.9+ y no efímeros.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    #  If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
      - <string>
    includeStorageClassesInMessage: <boolean>

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "storage.k8s.io"
        version: "v1"
        kind: "StorageClass"

Ejemplos

storageclass
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true
Permitido
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
No permitido
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
clase-de-almacenamiento permitida
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true
Permitido
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo
No permitida
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

K8sUniqueIngressHost

Host de entrada único v1.0.4

Requiere que todos los hosts de reglas de entrada sean únicos. No admite comodines de nombres de host: https://kubernetes.io/docs/concepts/services-networking/ingress/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "Ingress"
      OR
      - group: "networking.k8s.io"
        version: "v1beta1" OR "v1"
        kind: "Ingress"

Ejemplos

unique-ingress-host
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
No permitida
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sUniqueServiceSelector

Selector de servicio único v1.0.2

Requiere que los servicios tengan selectores únicos dentro de un espacio de nombres. Los selectores se consideran iguales si tienen claves y valores idénticos. Los selectores pueden compartir un par clave-valor siempre que haya al menos un par clave-valor entre ellos. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Restricción de referencia

Esta restricción es referencial. Antes de su uso, debes habilitar las restricciones referenciales y crear una configuración que le indique al controlador de políticas qué tipos de objetos mirar.

Tu controlador de políticas Config requerirá una entrada de syncOnly similar a la siguiente:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Service"

Ejemplos

unique-service-selector
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
Permitido
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value
No permitida
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

NoUpdateServiceAccount

Bloquear la actualización de la cuenta de servicio v1.0.1

Bloquea la actualización de la cuenta de servicio en los recursos que se abstraen sobre los pods. Esta política se ignora en el modo de auditoría.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
      - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
      - <string>

Ejemplos

no-update-kube-system-service-account
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []
Permitido
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1

PolicyStrictOnly

Exigir la política STRICT de mTLS de Istio v1.0.4

Requiere que la TLS mutua STRICT de Istio siempre se especifique cuando se usa PeerAuthentication. Esta restricción también garantiza que los recursos Policy y MeshPolicy obsoletos apliquen la TLS mutua STRICT. Consulta https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

peerauthentication-strict-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default
Permitido
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET
No permitida
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT
deprecated-policy-strict-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
Permitido
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT
No permitida
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

RestrictNetworkExclusions

Restringir exclusiones de red v1.0.2

Controla qué puertos de entrada, puertos de salida y rangos de IP salientes se pueden excluir de la captura de red de Istio. El proxy de Istio no controla los puertos ni los rangos de IP que evitan la captura de red de Istio, y estos no están sujetos a la autenticación de mTLS de Istio, la política de autorización y otras funciones de Istio. Esta restricción se puede usar para aplicar restricciones al uso de las siguientes anotaciones:

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

Consulta https://istio.io/latest/docs/reference/config/annotations/.

Cuando restringes los rangos de IP salientes, la restricción calcula si los rangos de IP excluidos son un subconjunto de las exclusiones de rangos de IP permitidas o coinciden con estas.

Cuando se usa esta restricción, siempre se deben incluir todos los puertos de entrada, puertos de salida y rangos de IP salientes configurando las anotaciones “include” correspondientes como "*" o dejándolas sin configurar. No se permite establecer ninguna de las siguientes anotaciones en un elemento que no sea "*":

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

Esta restricción permite que el puerto 15020 se excluya porque el inyector de sidecar de Istio siempre lo agrega a la anotación traffic.sidecar.istio.io/excludeInboundPorts a fin de que pueda usarse para la verificación de estado.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedInboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
    allowedInboundPortExclusions:
      - <string>
    # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
    # constraint calculates whether excluded IP ranges match or are a subset of
    # the ranges in this list.
    allowedOutboundIPRangeExclusions:
      - <string>
    # allowedOutboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
    allowedOutboundPortExclusions:
      - <string>

Ejemplos

restrict-network-exclusions
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"
Permitido
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
No permitida
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

SourceNotAllAuthz

Exigir la fuente de AuthorizationPolicy de Istio no toda v1.0.1

Requiere que las reglas de AuthorizationPolicy de Istio tengan principales de origen configurados en un valor distinto de “*” https://istio.io/latest/docs/reference/config/security/authorization-policy/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Ejemplos

sourcenotall-authz-constraint
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
No permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

VerifyDeprecatedAPI

Verifica las APIs obsoletas v1.0.0

Verifica las APIs de Kubernetes obsoletas para garantizar que todas las versiones de la API estén actualizadas. Esta plantilla no se aplica a la auditoría, ya que analiza los recursos que ya están presentes en el clúster con versiones de API no obsoletas.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # k8sVersion <number>: kubernetes version
    k8sVersion: <number>
    # kvs <array>: Deprecated api versions and corresponding kinds
    kvs:
      - # deprecatedAPI <string>: deprecated api
        deprecatedAPI: <string>
        # kinds <array>: impacted list of kinds
        kinds:
          - <string>
        # targetAPI <string>: target api
        targetAPI: <string>

Ejemplos

verificar-1.16
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1
Permitido
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
No permitido
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
verificar-1.22
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
No permitido
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
verificar-1.25
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1
Permitido
apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
No permitido
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
verificar-1.26
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
Permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
No permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
verificar-1.27
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1
Permitido
apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard
No permitido
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
  namespace: default
storageClassName: standard
verificar-1.29
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
No permitida
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

¿Qué sigue?