Libreria di modelli del vincolo
I modelli di vincolo consentono di definire il funzionamento di un vincolo, ma delegano la definizione delle specifiche del vincolo a un individuo o a un gruppo con esperienza in materia. Oltre a separare i problemi, questa operazione separa anche la logica del vincolo dalla sua definizione.
Tutti i vincoli contengono una sezione match, che definisce gli oggetti a cui si applica un vincolo. Per maggiori dettagli su come configurare questa sezione, consulta la sezione Corrispondenza del vincolo.
Non tutti i modelli di vincolo sono disponibili per tutte le versioni di Anthos Config Management e i modelli possono cambiare da una versione all'altra. Utilizza i seguenti link per confrontare i vincoli delle versioni supportate di Anthos Config Management:
Link alle versioni supportate di questa pagina
Per assicurarti di ricevere il supporto completo, ti consigliamo di utilizzare modelli di vincolo di una versione supportata di Anthos Config Management.
Per aiutarti a capire come funzionano i modelli di vincolo, ogni modello include un vincolo di esempio e una risorsa che viola il vincolo.
Modelli di vincolo disponibili
| Modello di vincolo | Description | Di riferimento |
|---|---|---|
| AllowedServicePortName | Richiede che i nomi delle porte di servizio abbiano un prefisso di un elenco specificato. | No |
| AsmAuthzPolicyDefaultDeny | Applica il criterio di negazione predefinito a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. | Sì |
| AsmAuthzPolicyDisallowedPrefisso | Richiede che le entità e gli spazi dei nomi nelle regole "AuthorizationPolicy" di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyEnforceSourcePrincipals | Richiede che il campo "from" di Istio AuthorizationPolicy, se definito, abbia principi di origine, che devono essere impostati su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyNormalization | Applica la normalizzazione AuthorizationPolicy. Riferimento a https://istio.io/latest/docs/reference/config/security/normalization/. | No |
| AsmAuthzPolicySafePattern | Applica i pattern sicuri di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. | No |
| Etichetta Ingresso Asm | Applica l'utilizzo delle etichette istio ingressgateway solo sui pod ingressgateway. | No |
| AsmPeerAuthnMeshStrictMtls | Applica il livello di rete mesh PeerTLS restrittiva. Riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Sì |
| AsmPeerAuthnStrictMtls | L'applicazione di tutti i valori PeerAuthentications non può sovrascrivere i valori mtls restrittivi. Riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | No |
| AsmRequestAuthnProhibitedOutputHeaders | In RichiediAutenticazione, imposta il campo "jwtRules.outPayloadToHeader" in modo che non contenga intestazioni delle richieste HTTP note o intestazioni vietate personalizzate. Riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRULE. | No |
| AsmSidecarInjection | Applica sempre il sidecar proxy Istio ai pod dei carichi di lavoro. | No |
| DestinationRULETLSEnabled | Vieta la disattivazione di TLS per tutti gli host e i sottoinsiemi di host in IstioDestinationRules. | No |
| DisallowedAuthzPrefisso | Richiede che le entità e gli spazi dei nomi nelle regole "AuthorizationPolicy" di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| ConstraintV1 posizione archiviazione GCP | Limita le "località" consentite per le risorse del connettore di configurazione StorageBucket all'elenco di località fornite nel vincolo. I nomi di bucket nell'elenco "esenzioni" sono esenti. | No |
| GkeSpotVMRisoluzioneGrace | Richiede che i pod e i modelli di pod con "nodeSelector" o "nodeAfffinty" di "gke-spot" abbiano una "terminationGracePeriodsecond" di 15 secondi o meno. | Sì |
| K8sAllowedRepos | Richiede che le immagini container inizino con una stringa dell'elenco specificato. | No |
| K8sBlockAllIngress | Non consente la creazione di oggetti Ingress (tipi "Ingress", "Gateway" e "Service" di "NodePort" e "LoadBalancer"). | No |
| K8sBlockCreationWithDefaultServiceAccount | Non consente la creazione di risorse usando un account di servizio predefinito. | No |
| Ruolo K8sBlockEndpointEditDefaultRole | Per impostazione predefinita, molte installazioni di Kubernetes hanno un valore system:aggregate-to-edit ClusterRole che non limita correttamente l'accesso alla modifica degli endpoint. Questo ConstraintTemplate vieta al system:aggregate-to-edit ClusterRole di concedere l'autorizzazione per create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa di CVE-2021-25740; le autorizzazioni Endpoint ed EndpointSlice consentono l'inoltro cross-Namespace, https://github.com/kubernetes/kubernetes/issues/103675 | No |
| K8sBlockLoadBalancer | Non consente tutti i servizi di tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | No |
| K8sBlockNodePort | Non consente tutti i servizi di tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | No |
| K8sBlockObjectsOfType | Non consente l'uso di oggetti di tipo vietato. | No |
| K8sBlockProcessNamespaceSharing | Vieta le specifiche del pod con "shareProcessNamespace" impostato su "true". Ciò evita gli scenari in cui tutti i container in un pod condividono uno spazio dei nomi PID e possono accedere reciproci al file system e alla memoria. | No |
| K8sBlockWildcardIngress | Gli utenti non dovrebbero essere in grado di creare Ingress con un nome host vuoto o con carattere jolly (*), poiché ciò consentirebbe loro di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a quei servizi. | No |
| K8sContainerEphemeralStorageLimit | Richiede che per i container sia impostato un limite di archiviazione temporaneo e limita il limite a valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerLimits | Richiede che i limiti di memoria e CPU siano impostati per i container e limita i limiti a non superare i valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRatios | Imposta un rapporto massimo tra i limiti delle risorse dei container e le richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRequests | Richiede che nei container siano impostate le richieste di memoria e CPU e limita le richieste a non superare i valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sDisallowAnonimo | Non consente di associare le risorse ClusterRole e Role al gruppo system:anonymous user e al gruppo system:unauthenticated. | No |
| K8sDisallowedRepos | Repository di container non consentiti che iniziano con una stringa dell'elenco specificato. | No |
| Soggetti K8sDisallowedRoleBinding | Proibisce RoleBinding o ClusterRoleBinding con oggetti corrispondenti a qualsiasi oggetto "disallowedSubjects" passato come parametro. | No |
| Tag non consentiti K8s | Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names | No |
| K8sSvuotaDirHasSizeLimit | Richiede che tutti i volumi "emptyDir" specifichino un "sizeLimit". Facoltativamente, nel vincolo può essere fornito un parametro "maxSizeLimit" per specificare un limite di dimensione massima consentita. | No |
| K8sEnforceCloudArmorBackendConfig | Applica la configurazione di Cloud Armor nelle risorse BackendConfig | No |
| K8sEnforceConfigManagement | Richiede la presenza e il funzionamento di Config Management. I vincoli che utilizzano questo "ConstraintTemplate" verranno controllati solo indipendentemente dal valore "enforcementAction". | Sì |
| IPEsterniK8s | Limita Service externalIPs a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | No |
| K8sHorizontalPodAutoscaler | Non consentire i seguenti scenari durante il deployment di "HorizontalPodAutoscalers" 1. Deployment di HorizontalPodAutoscaler con ".spec.minReplicas" o ".spec.maxReplicas" al di fuori degli intervalli definiti nel vincolo 2. Deployment di HorizontalPodAutoscaler in cui la differenza tra ".spec.minReplicas" e ".spec.maxReplicas" è inferiore al valore "minimumReplicaSpread" 3 configurato. Deployment di HorizontalPodAutoscaler che non fanno riferimento a un valore "scaleTargetRef" valido (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet). | Sì |
| K8sHttpsOnly | Richiede che le risorse Ingress siano solo HTTPS. Le risorse Ingress devono includere l'annotazione "kubernetes.io/ingress.allow-http", impostata su "false". Per impostazione predefinita, è richiesta una configurazione TLS {} valida, che può essere resa facoltativa impostando il parametro "tlsOptional" su "true". https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | No |
| K8sImageDigest | Richiede che le immagini container contengano un digest. https://kubernetes.io/docs/concepts/containers/images/ | No |
| K8sLocalStorageRequireSafeToEvict | Richiede i pod che utilizzano lo spazio di archiviazione locale ("emptyDir" o "hostPath") per avere l'annotazione "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"`. Il gestore della scalabilità automatica dei cluster non eliminerà i pod senza questa annotazione. | No |
| K8sMemoryRequestEqualsLimit | Promuove la stabilità dei pod richiedendo che la memoria richiesta di tutti i container corrisponda esattamente al limite di memoria, in modo che i pod non si trovino mai in uno stato in cui la memoria utilizzata supera la quantità richiesta. In caso contrario, Kubernetes può terminare i pod che richiedono memoria aggiuntiva se è necessaria memoria sul nodo. | No |
| K8sNoEnvVarSecrets | Proibisce i secret come variabili di ambiente nelle definizioni dei container dei pod. Utilizza invece i file secret montati nei volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | No |
| K8sSenzaServizi Esterni | Vieta la creazione di risorse note che espongono carichi di lavoro a IP esterni. Sono incluse le risorse del gateway Istio e le risorse Kubernetes Ingress. Inoltre, i servizi Kubernetes non sono consentiti, a meno che non soddisfino i seguenti criteri: Qualsiasi servizio di tipo "LoadBalancer" in Google Cloud deve avere un'annotazione "cloud.google.com/load-balancer-type": "Internal"`. Qualsiasi servizio di tipo "LoadBalancer" in AWS deve avere un'annotazione "service.beta.kubernetes.io/aws-load-balancer-internal: "true". Tutti gli "IP esterni" (esterni al cluster) associati al servizio devono essere membri di un intervallo di CIDR interni fornito al vincolo. | No |
| K8sPSPAllowPrivilegeEscalationContainer | Controlli che limitano la riassegnazione ai privilegi root. Corrisponde al campo "allowPrivilegeEscalation" in PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation | No |
| UtentiK8sPSPAllowed | Controlla gli ID utente e gruppo del contenitore e alcuni volumi. Corrisponde ai campi "runAsUser", "runAsGroup", "supplementalGroups" e "fsGroup" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups | No |
| K8sPSPAppArmor | Consente di configurare una lista consentita di profili AppArmor per l'utilizzo da parte dei container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, visita la pagina https://kubernetes.io/docs/tutorials/clusters/apparmor/ | No |
| K8sPSPAutomountServiceAccountTokenPod | Controlla la capacità di qualsiasi pod di abilitare automountServiceAccountToken. | No |
| Funzionalità K8sPSP | Consente di controllare le funzionalità di Linux sui container. Corrisponde ai campi "allowedCapabilities" e "requiredDropCapabilities" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities | No |
| Gruppo K8sPSPFS | Controlli per l'allocazione di un FSGroup proprietario dei volumi del pod. Corrisponde al campo "fsGroup" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPFlexVolumes | Consente di gestire la lista consentita dei driver FlexVolume. Corrisponde al campo "allowedFlexVolumes" in PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers | No |
| K8sPSPForbiddenSysctls | Controlla il profilo "sysctl" utilizzato dai container. Corrisponde ai campi "allowedUnsafeSysctls" e "forbiddenSysctls" in un PodSecurityPolicy. Se specificato, qualsiasi sysctl non incluso nel parametro "allowedSysctls" è considerato vietato. Il parametro "forbiddenSysctls" ha la precedenza sul parametro "allowedSysctls". Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | No |
| File system host K8sPSP | Consente di controllare l'utilizzo del file system dell'host. Corrisponde al campo "allowedHostPaths" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| Spazio dei nomi host K8sPSP | Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei container di pod. Corrisponde ai campi "hostPID" e "hostIPC" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| Porte di rete host K8sPSP | Controlla l'utilizzo dello spazio dei nomi di rete host da parte dei container di pod. È necessario specificare porte specifiche. Corrisponde ai campi "hostNetwork" e "hostPorts" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPPrivilegedContainer | Controlla la capacità di qualsiasi container di attivare la modalità con privilegi. Corrisponde al campo "privileged" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | No |
| Montaggio K8sPSPProc | Consente di controllare i tipi "procMount" consentiti per il container. Corrisponde al campo "allowedProcMountTypes" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes | No |
| File system radice di Radice Solo lettura K8sPSP | Richiede l'utilizzo di un file system radice di sola lettura da parte dei container dei pod. Corrisponde al campo "readOnlyRootFilesystem" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPSELinuxV2 | Definisce una lista consentita di configurazioni seLinuxOptions per i contenitori dei pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux | No |
| K8sPSPSeccomp | Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione "seccomp.security.alpha.kubernetes.io/allowedProfileNames" su PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | No |
| K8sPSPVolumeTypes | Limita i tipi di volume montabili a quelli specificati dall'utente. Corrisponde al campo "volumes" in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| Budget per K8sPodDisruption | Non consentire gli scenari seguenti durante il deployment di PodDisruptionBudget o di risorse che implementano la sottorisorsa di replica (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment di PodDisruptionBudgets con .spec.maxavailable == 0 2. Deployment di PodDisruptionBudgets con .spec.minAvailable == .spec.replicas della risorsa con una sottorisorsa di replica. Ciò impedirà a PodDisruptionBudgets di bloccare interruzioni volontarie, come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/pauseions/ | Sì |
| Best practice per K8sPodResources | Richiede che i container non siano il "best effort" (impostando richieste di CPU e memoria) e che seguano le best practice per il burst (la richiesta di memoria deve essere esattamente uguale al limite). Facoltativamente, le chiavi di annotazione possono essere configurate per consentire di saltare le varie convalide. | No |
| K8sPodsRequireSecurityContext | Richiede a tutti i pod di definire securityContext. Richiede che tutti i container definiti nei pod abbiano un valore SecurityContext definito a livello di pod o container. | No |
| Accesso con carattere jolly K8sProhibitRole | Richiede che Role e ClusterRoles non impostino l 'accesso alle risorse su un valore con carattere jolly ""*" ad eccezione dei ruoli e ClusterRole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, ad esempio ""*/status"". | No |
| K8sReplicaLimits | Richiede che gli oggetti con il campo "spec.replicas" (deployment, ReplicaSet e così via) specifichino un numero di repliche all'interno degli intervalli definiti. | No |
| K8sRequireBinAuthZ | Richiede il webhook di convalida di ammissione binaria. I vincoli che utilizzano questo "ConstraintTemplate" verranno controllati solo indipendentemente dal valore "enforcementAction". | Sì |
| Immagine K8sRequireCosNode | Applica ai nodi l'utilizzo di Container-Optimized OS di Google. | No |
| Daemonsets per K8s | Richiede la presenza dell'elenco di daemonsset specificato. | Sì |
| K8sRequireDefaultDeny ticketPolicy | Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy predefinito per il traffico in uscita. | Sì |
| Criteri di rete dello spazio dei nomi K8sRequireName | Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy. | Sì |
| K8sRequireValidRangesForNetwork | Applica in modo forzato i blocchi CIDR consentiti per il traffico in entrata e in uscita dalla rete. | No |
| Annotazioni richieste da parte di K8sRequired | Richiede che le risorse contengano annotazioni specificate, con valori corrispondenti alle espressioni regolari fornite. | No |
| Etichette obbligatorieK8s | Richiede che le risorse contengano etichette specificate, con valori corrispondenti alle espressioni regolari fornite. | No |
| K8sRequiredProbes | Richiede che i pod dispongano di probe di idoneità e/o di attività. | No |
| Risorse richieste K8s | Richiede che i container abbiano un set di risorse definite. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sRestrictAutomountServiceAccountTokens | Limita l'utilizzo dei token degli account di servizio. | No |
| K8sRestrictLabels | Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica. | No |
| Spazi dei nomi K8sRestrictName | Limita le risorse dall'utilizzo degli spazi dei nomi elencati nel parametro restrictedNamespaces. | No |
| K8sRestrictNfsUrls | Non consente alle risorse di contenere URL NFS, se non diversamente specificato. | No |
| K8sRestrictRbacSubjects | Limita l'uso dei nomi in RBAC in base ai valori consentiti. | No |
| K8sRestrictRoleBinding | Limita i soggetti specificati in ClusterRoleBindings e RoleBindings a un elenco di soggetti consentiti. | No |
| K8sRestrictRoleRules | Limita le regole che possono essere impostate sugli oggetti Role e ClusterRole. | No |
| K8sStorageClass | Richiede l'indicazione delle classi di archiviazione al momento dell'utilizzo. È supportato solo il gatekeeper 3.9 o versioni successive. | Sì |
| K8sUniqueIngressHost | Richiede che tutti gli host di regole Ingress siano univoci. Non gestisce i caratteri jolly del nome host: https://kubernetes.io/docs/concepts/services-networking/ingress/ | Sì |
| K8sUniqueServiceSelector | Richiede che i servizi abbiano selettori univoci all'interno di uno spazio dei nomi. I selettori sono considerati identici se hanno chiavi e valori identici. I selettori possono condividere una coppia chiave/valore purché sia presente almeno una coppia chiave/valore distinta tra di loro. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | Sì |
| NoUpdateServiceAccount | Blocca l'aggiornamento dell'account di servizio sulle risorse che eseguono l'astrazione sui pod. Questo criterio viene ignorato in modalità di controllo. | No |
| Solo rigorosa delle norme | Richiede che "STRICT" Istio reciproco TLS sia sempre specificato quando si utilizza [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). Questo vincolo assicura inoltre che le risorse [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) e MeshPolicy deprecate applichino il TLS reciproco "STRICT". Vedi: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh | No |
| LimitaNetworkEsclusioni | Controlla quali porte in entrata, porte in uscita e intervalli IP in uscita possono essere esclusi dall'acquisizione della rete Istio. Le porte e gli intervalli IP che ignorano l'acquisizione della rete Istio non sono gestiti dal proxy Istio e non sono soggetti all'autenticazione mTLS, al criterio di autorizzazione e ad altre funzionalità di Istio. Questo vincolo può essere utilizzato per applicare limitazioni all'uso delle seguenti annotazioni: * `traffic.sidecar.istio.io/excludeOutboundPorts` * `traffic.sidecar.istio.io/excludeOutboundPorts` * `traffic.sidecar.istio.io/excludeOutboundIPRanges` Vedi https://istio.io/latest/docs/reference/config/annotations/ Quando limiti gli intervalli IP in uscita, il vincolo calcola se gli intervalli IP esclusi corrispondono o sono un sottoinsieme delle esclusioni di intervalli IP consentiti. Quando utilizzi questo vincolo, tutte le porte in entrata, le porte in uscita e gli intervalli IP in uscita devono essere sempre inclusi impostando le corrispondenti annotazioni "Includi" su "*"" o lasciandole non impostate. Non è consentito impostare una qualsiasi delle seguenti annotazioni su un valore diverso da "*"": * `traffic.sidecar.istio.io/include inboundPorts` * `traffic.sidecar.istio.io/includeOutboundPorts` * `traffic.sidecar.istio.io/includeOutboundIPRanges` Questo vincolo consente sempre di escludere il lato `traffico.sidecar.istio.io/include 15020. | No |
| SourceNotAllAuthz | Richiede che le regole Istio AuthorizationPolicy abbiano entità di origine impostate su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| VerificaDeprecataAPI | Verifica le API Kubernetes deprecate per garantire che tutte le versioni API siano aggiornate. Questo modello non si applica all'audit, poiché l'audit esamina le risorse già presenti nel cluster con versioni API non deprecate. | No |
Nome della porta del servizio consentito
Nomi porte di servizio consentiti v1.0.1
Richiede che i nomi delle porte di servizio abbiano un prefisso di un elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Esempi
vincolo-nome-porta
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: port-name-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
prefixes:
- http-
- http2-
- grpc-
- mongo-
- redis-
- tcp-
Consentita
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-http
spec:
ports:
- name: http-helloport
port: 5000
selector:
app: helloworld
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-tcp
spec:
ports:
- name: foo-helloport
port: 5000
selector:
app: helloworld
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-bad
spec:
ports:
- name: helloport
port: 5000
selector:
app: helloworld
AsmAuthzPolicyDefaultDeny
Negazione predefinita AuthorizationPolicy ASM v1.0.3
Applica il criterio di negazione predefinito a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "AuthorizationPolicy"
Esempi
asm-authz-policy-default-deny-with-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
asm-authz-policy-default-deny-no-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
AsmAuthzPolicyDisallowedPrefisso
Prefissi non consentiti AuthorizationPolicy ASM v1.0.1
Richiede che le entità e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso di un elenco specificato.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
Esempi
asm-authz-policy-disallowed-prefisso-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: asm-authz-policy-disallowed-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedNamespacePrefixes:
- bad-ns-prefix
- worse-ns-prefix
disallowedPrincipalPrefixes:
- bad-principal-prefix
- worse-principal-prefix
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/worse-principal-prefix-sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- bad-ns-prefix-test
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyEnforceSourceEntità
Entità di applicazione AuthorizationPolicy ASM v1.0.1
Richiede che il campo "from" di Istio AuthorizationPolicy, se definito, abbia principi di origine, che devono essere impostati su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
asm-authz-policy-enforce-source-principals-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: asm-authz-policy-enforce-source-principals-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: no-source-principals
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-wildcard
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-contains-wildcard
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyNormalization
Normalizzazione AuthorizationPolicy ASM v1.0.1
Applica la normalizzazione AuthorizationPolicy. Riferimento a https://istio.io/latest/docs/reference/config/security/normalization/.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
esempio-asm-authz-policy-normalization
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: asm-authz-policy-normalization-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-method-lowercase
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- get
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-request-header-whitespace
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Ag ent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: path-unnormalized
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test\/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
Pattern sicuroAsmAuthzPolicy
Pattern sicuri AuthorizationPolicy ASM v1.0.1
Applica i pattern sicuri di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
esempio-asm-authz-policy-safe-pattern-
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: asm-authz-policy-safe-pattern-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
strictnessLevel: High
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-istio-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-asm-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
asm: ingressgateway
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: hosts-on-noningress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: invalid-hosts
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-negative-match
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
notMethods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-positive-match
spec:
action: DENY
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
Etichetta AsmIngressgateway
Etichetta gateway in entrata ASM v1.0.1
Applica l'utilizzo delle etichette istio ingressgateway solo sui pod ingressgateway.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
campione-etichetta-asm-ingressgateway
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: asm-ingressgateway-label-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: istio
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: asm-ingressgateway
asm: ingressgateway
name: asm-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
asm: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
AsmPeerAuthnMeshStrictMtls
Mesh autenticazione peer ASM - mTLS v1.0.3
Applica il livello di rete mesh PeerTLS restrittiva. Riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "PeerAuthentication"
Esempi
asm-peer-authn-mesh-strict-mtls-con-vincolo-input
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: asm-root
spec:
mtls:
mode: STRICT
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: asm-root
spec:
mtls:
mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-vincolo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: istio-system
spec:
mtls:
mode: STRICT
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
AsmPeerAuthnStrictMtls
mTLS restrittiva autenticazione peer ASM v1.0.1
L'applicazione di tutti i valori PeerAuthentications non può sovrascrivere i valori mtls restrittivi. Riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
asm-peer-authn-strict-mtls-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: asm-peer-authn-strict-mtls-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
parameters:
strictnessLevel: High
Consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: valid-strict-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-permissive-mtls-pa
namespace: foo
spec:
mtls:
mode: PERMISSIVE
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-port-disable-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: DISABLE
"443":
mode: STRICT
selector:
matchLabels:
app: bar
AsmRequestAuthnProhibitedOutputHeaders
Intestazioni di output proibite ASM Request Authentication v1.0.1
In RichiestaAutenticazione, imposta il campo jwtRules.outPayloadToHeader in modo che non contenga intestazioni delle richieste HTTP note o intestazioni vietate personalizzate. Riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRules.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prohibitedHeaders <array>: User predefined prohibited headers.
prohibitedHeaders:
- <string>
Esempi
asm-request-authn-prohibited-output-headers-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: asm-request-authn-prohibited-output-headers-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- RequestAuthentication
parameters:
prohibitedHeaders:
- Bad-Header
- X-Bad-Header
Consentita
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: valid-request-authn
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Good-Header
selector:
matchLabels:
app: istio-ingressgateway
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Host
selector:
matchLabels:
app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: X-Bad-Header
selector:
matchLabels:
app: istio-ingressgateway
AsmSidecarInjection
ASM Sidecar Injection v1.0.1
Applica sempre il sidecar proxy Istio ai pod dei carichi di lavoro.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of sidecar injection strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
campione-iniezione-asm-sidecar
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: asm-sidecar-injection-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
strictnessLevel: High
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "true"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
annotations:
"false": "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
SourceRegolaTLSAbilitata
Regola di destinazione TLS abilitato v1.0.1
Vieta la disattivazione di TLS per tutti gli host e i sottoinsiemi di host in IstioDestinationRules.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
abilitato per DR-tls
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: dr-tls-enabled
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- networking.istio.io
kinds:
- DestinationRule
Operazione non consentita
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-subset-tls-disable
namespace: default
spec:
host: myservice
subsets:
- name: v1
trafficPolicy:
tls:
mode: DISABLE
- name: v2
trafficPolicy:
tls:
mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-traffic-tls-disable
namespace: default
spec:
host: myservice
trafficPolicy:
tls:
mode: DISABLE
DisallowedAuthzPrefisso
Non consentire i prefissi AuthorizationPolicy di Istio v1.0.1
Richiede che le entità e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso di un elenco specificato.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
Esempi
vincolo-prefisso-autorizzazione-non-consentito
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: disallowed-authz-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedprefixes:
- badprefix
- reallybadprefix
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Operazione non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/badprefix-sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- badprefix-test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
ConstraintV1 posizione archiviazione GCP
Vincolo di località archiviazione GCP v1.0.1
Limita il numero consentito di locations per le risorse del connettore di configurazione StorageBucket all'elenco di località fornito nel vincolo. I nomi dei bucket nell'elenco exemptions sono esenti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
Esempi
solo-singapore-e-giacarta
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: singapore-and-jakarta-only
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- storage.cnrm.cloud.google.com
kinds:
- StorageBucket
parameters:
exemptions:
- my_project_id_cloudbuild
locations:
- asia-southeast1
- asia-southeast2
Consentita
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Operazione non consentita
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
Grazia per recesso VMGkeSpot
Limita terminaGracePeriodsecond per le VM spot GKE v1.1.0
Richiede che i pod e i modelli di pod con nodeSelector o nodeAfffinty di gke-spot abbiano una durata di terminationGracePeriodSeconds pari o inferiore a 15 secondi.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
# of 15s or less for all `Pod` on a `gke-spot` Node.
includePodOnSpotNodes: <boolean>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: ""
version: "v1"
kind: "Node"
Esempi
spotvm-termination-grace
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
name: spotvm-termination-grace
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
includePodOnSpotNodes: true
Consentita
apiVersion: v1
kind: Pod
metadata:
name: example-allowed
spec:
containers:
- image: nginx
name: nginx
nodeSelector:
cloud.google.com/gke-spot: "true"
terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
name: example-allowed
spec:
containers:
- image: nginx
name: nginx
nodeSelector:
cloud.google.com/gke-spot: "true"
terminationGracePeriodSeconds: 15
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cloud.google.com/gke-spot
operator: In
values:
- "true"
containers:
- image: nginx
name: nginx
terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cloud.google.com/gke-spot
operator: In
values:
- "true"
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
containers:
- image: nginx
name: nginx
nodeSelector:
cloud.google.com/gke-spot: "true"
terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cloud.google.com/gke-spot
operator: In
values:
- "true"
containers:
- image: nginx
name: nginx
K8sAllowedRepos
Repository consentiti v1.0.0
Richiede che le immagini container inizino con una stringa dell'elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Esempi
repo-is-openpolicyagent
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: repo-is-openpolicyagent
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
repos:
- openpolicyagent/
Consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginxinit
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginxinit
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
ephemeralContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
K8sBlockAllIngress
Blocca tutto Ingress v1.0.1
Non consente la creazione di oggetti Ingress (Ingress, Gateway e tipi Service di NodePort e LoadBalancer).
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowList <array>: A list of regular expressions for the Ingress object
# names that are exempt from the constraint.
allowList:
- <string>
Esempi
blocca-tutto-in-ingresso
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: block-all-ingress
spec:
enforcementAction: dryrun
parameters:
allowList:
- name1
- name2
- name3
- my-*
Consentita
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: allowed-clusterip-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: ClusterIP
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
name: disallowed-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
K8sBlockCreationWithDefaultServiceAccount
Blocca la creazione con l'account di servizio predefinito v1.0.1
Non consente la creazione di risorse usando un account di servizio predefinito.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocca-creazione-con-account-di-servizio-predefinito
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: block-creation-with-default-serviceaccount spec: enforcementAction: dryrun
Consentita
apiVersion: v1 kind: Namespace metadata: name: example-namespace
Ruolo predefinito K8sBlockEndpointEdit
Modifica ruolo predefinito blocco endpoint v1.0.0
Per impostazione predefinita, molte installazioni di Kubernetes hanno un valore system:aggregate-to-edit ClusterRole che non limita correttamente l'accesso alla modifica degli endpoint. Questo ConstraintTemplate vieta al system:aggregate-to-edit ClusterRole di concedere l'autorizzazione per create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa di CVE-2021-25740; le autorizzazioni Endpoint ed EndpointSlice consentono l'inoltro cross-Namespace, https://github.com/kubernetes/kubernetes/issues/103675
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocco-endpoint-edit-predefinito-ruolo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: block-endpoint-edit-default-role
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
Consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- create
- delete
- deletecollection
- patch
- update
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- endpoints
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
Bilanciatore del caricoK8sBlockLoad
Servizi a blocchi con il tipo LoadBalancer v1.0.0
Non consente tutti i servizi di tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocco-bilanciatore-carico
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: block-load-balancer
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Consentita
apiVersion: v1
kind: Service
metadata:
name: my-service-allowed
spec:
ports:
- port: 80
targetPort: 80
type: ClusterIP
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: LoadBalancer
Porta del nodoBlocco K8s
Blocco NodePort v1.0.0
Non consente tutti i servizi di tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
porta-nodo-blocco
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: NodePort
K8sBlockObjectsOfType
Oggetti a blocchi di tipo v1.0.0
Non consente l'uso di oggetti di tipo vietato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
forbiddenTypes:
- <string>
Esempi
bloccare-segreti-di-tipo-autenticazione-di-base
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: block-secrets-of-type-basic-auth
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Secret
parameters:
forbiddenTypes:
- kubernetes.io/basic-auth
Consentita
apiVersion: v1 data: password: ZHVtbXlwYXNz username: ZHVtbXl1c2Vy kind: Secret metadata: name: credentials namespace: default type: Opaque
Operazione non consentita
apiVersion: v1 data: password: YmFzaWMtcGFzc3dvcmQ= username: YmFzaWMtdXNlcm5hbWU= kind: Secret metadata: name: secret-basic-auth namespace: default type: kubernetes.io/basic-auth
Condivisione dello spazio dei nomi K8sBlockProcessNamespace
Condivisione dello spazio dei nomi del processo a blocchi v1.0.1
Vieta le specifiche dei pod con shareProcessNamespace impostato su true. Ciò evita scenari in cui tutti i container in un pod condividono uno spazio dei nomi PID e possono accedere reciproci al file system e alla memoria.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
bloccare-processo-condivisione-spazio-dei-nomi
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Consentita
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
shareProcessNamespace: true
K8sBlockWildcardIngress
Blocca Ingress con caratteri jolly v1.0.1
Gli utenti non dovrebbero essere in grado di creare Ingress con un nome host vuoto o con carattere jolly (*), poiché ciò consentirebbe loro di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a quei servizi.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocca-carattere jolly-in-ingresso
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: block-wildcard-ingress
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: non-wildcard-ingress
spec:
rules:
- host: myservice.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: ""
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: '*.example.com'
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
- host: valid.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
K8sContainerEphemeralStorageLimit
Limite di archiviazione temporanea del container v1.0.0
Richiede che per i container sia impostato un limite di archiviazione temporaneo e limita il limite a valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ephemeral-storage <string>: The maximum allowed ephemeral storage limit
# on a Pod, exclusive.
ephemeral-storage: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
container-ephemeral-storage-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: container-ephemeral-storage-limit
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ephemeral-storage: 500Mi
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: init-opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 1Pi
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: init-opa
resources:
limits:
cpu: 100m
ephemeral-storage: 1Pi
memory: 1Gi
K8sContainerLimits
Limiti dei container v1.0.0
Richiede che i limiti di memoria e CPU siano impostati per i container e limita i limiti a non superare i valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
Esempi
container-need-have-limits
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
K8sContainerRatios
Proporzioni container v1.0.0
Imposta un rapporto massimo tra i limiti delle risorse dei container e le richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
# `resources.requests.cpu` on a container. If not specified, equal to
# `ratio`.
cpuRatio: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
Esempi
rapporto container-deve-meet
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ratio: "2"
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 800m
memory: 2Gi
requests:
cpu: 100m
memory: 100Mi
rapporto-memoria-e-cpu-responsabilità-container-deve-meet
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-memory-and-cpu-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpuRatio: "10"
ratio: "1"
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: "1"
memory: 2Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
K8sContainerRequests
Richieste container v1.0.0
Richiede che nei container siano impostate le richieste di memoria e CPU e limita le richieste a non superare i valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory request on a Pod, exclusive.
memory: <string>
Esempi
richieste-container-deve-avere
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: container-must-have-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
K8sDisallowAnonimo
Non consentire l'accesso anonimo v1.0.0
Non consente di associare le risorse ClusterRole e Role al gruppo system:anonymous user e al gruppo system:unauthenticated.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRoles <array>: The list of ClusterRoles and Roles that may be
# associated with the `system:unauthenticated` group and `system:anonymous`
# user.
allowedRoles:
- <string>
Esempi
nessun anonimo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: no-anonymous
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRoleBinding
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
parameters:
allowedRoles:
- cluster-role-1
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedRepos
Repository non consentiti v1.0.0
Repository di container non consentiti che iniziano con una stringa dell'elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is not allowed to
# have.
repos:
- <string>
Esempi
repo-need-not-be-k8s-gcr-io
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
name: repo-must-not-be-k8s-gcr-io
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
repos:
- k8s.gcr.io/
Consentita
apiVersion: v1
kind: Pod
metadata:
name: kustomize-allowed
spec:
containers:
- image: registry.k8s.io/kustomize/kustomize:v3.8.9
name: kustomize
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: registry.k8s.io/kustomize/kustomize:v3.8.9
name: kustomize
initContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
initContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
ephemeralContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
initContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
Oggetti K8sDisallowedRoleBinding
Soggetti Rolebinding non consentiti v1.0.1
Vieta RoleBinding o ClusterRoleBinding con oggetti corrispondenti a qualsiasi disallowedSubjects passato come parametro.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
Esempi
oggetti-rolebinding-non consentiti
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: disallowed-rolebinding-subjects
spec:
parameters:
disallowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Tag non consentiti K8s
Non consentire tag v1.0.0
Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# tags <array>: Disallowed container image tags.
tags:
- <string>
Esempi
container-image-deve-non avere-ultimo-tag
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: container-image-must-not-have-latest-tag
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
exemptImages:
- openpolicyagent/opa-exp:latest
- openpolicyagent/opa-exp2:latest
tags:
- latest
Consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-exempt-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa-exp
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:v1
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-2
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-ephemeral
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-3
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:latest
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/monitor:latest
name: opa-monitor
K8sVuotoDirHasSizeLimit
La directory vuota ha un limite di dimensioni v1.0.1
Richiede che qualsiasi volume emptyDir specifichi un valore sizeLimit. Facoltativamente, è possibile fornire un parametro maxSizeLimit nel vincolo per specificare un limite di dimensione massimo consentito.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptVolumesRegex <array>: Exempt Volume names as regex match.
exemptVolumesRegex:
- <string>
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
Esempi
dir-vuota-ha-dimensione-limite
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: empty-dir-has-size-limit
spec:
match:
excludedNamespaces:
- istio-system
- kube-system
- gatekeeper-system
parameters:
exemptVolumesRegex:
- ^istio-[a-z]+$
maxSizeLimit: 4Gi
Consentita
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir:
sizeLimit: 2Gi
name: good-pod-volume
apiVersion: v1
kind: Pod
metadata:
name: exempt-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: istio-envoy
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: bad-pod-volume
Configurazione backend CloudArmor
Applica Cloud Armor alle risorse BackendConfig v1.0.1
Applica la configurazione di Cloud Armor nelle risorse BackendConfig
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
applica-cloudarmor-backendconfig
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: enforce-cloudarmor-backendconfig spec: enforcementAction: dryrun
Consentita
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: example-security-policy
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: second-backendconfig
spec:
securityPolicy:
name: my-security-policy
Operazione non consentita
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: null
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: ""
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
spec:
logging:
enable: true
sampleRate: 0.5
K8sEnforceConfigManagement
Applica Config Management v1.1.2
Richiede la presenza e il funzionamento di Config Management. I vincoli che utilizzano questo ConstraintTemplate verranno sottoposti a controllo solo indipendentemente dal valore di enforcementAction.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# requireDriftPrevention <boolean>: Require Config Sync drift prevention to
# prevent config drift.
requireDriftPrevention: <boolean>
# requireRootSync <boolean>: Require a Config Sync `RootSync` object for
# cluster config management.
requireRootSync: <boolean>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "configsync.gke.io"
version: "v1beta1"
kind: "RootSync"
Esempi
applicazione-configurazione-gestione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
name: enforce-config-management
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- configmanagement.gke.io
kinds:
- ConfigManagement
Consentita
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
annotations:
configmanagement.gke.io/managed-by-hub: "true"
configmanagement.gke.io/update-time: "1663586155"
name: config-management
spec:
binauthz:
enabled: true
clusterName: tec6ea817b5b4bb2-cluster
enableMultiRepo: true
git:
proxy: {}
syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
hierarchyController: {}
policyController:
auditIntervalSeconds: 60
enabled: true
monitoring:
backends:
- prometheus
- cloudmonitoring
mutation: {}
referentialRulesEnabled: true
templateLibraryInstalled: true
status:
configManagementVersion: v1.12.2-rc.2
healthy: true
Operazione non consentita
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
annotations:
configmanagement.gke.io/managed-by-hub: "true"
configmanagement.gke.io/update-time: "1663586155"
name: config-management
spec:
binauthz:
enabled: true
clusterName: tec6ea817b5b4bb2-cluster
enableMultiRepo: true
git:
syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
hierarchyController: {}
policyController:
auditIntervalSeconds: 60
enabled: true
monitoring:
backends:
- prometheus
- cloudmonitoring
mutation: {}
referentialRulesEnabled: true
templateLibraryInstalled: true
status:
configManagementVersion: v1.12.2-rc.2
IPEsterniK8s
IP esterni v1.0.0
Limita Service externalIPs a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
Esempi
IP esterni
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: external-ips
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
allowedIPs:
- 203.0.113.0
Consentita
apiVersion: v1
kind: Service
metadata:
name: allowed-external-ip
spec:
externalIPs:
- 203.0.113.0
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
name: disallowed-external-ip
spec:
externalIPs:
- 1.1.1.1
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
K8sHorizontalPodAutoscaler
Horizontal Pod Autoscaler v1.0.1
Non consentire i seguenti scenari durante il deployment di HorizontalPodAutoscalers 1. Deployment di HorizontalPodAutoscaler con .spec.minReplicas o .spec.maxReplicas al di fuori degli intervalli definiti nel vincolo 2. Deployment di HorizontalPodAutoscaler in cui la differenza tra .spec.minReplicas e .spec.maxReplicas è inferiore al valore di minimumReplicaSpread 3 configurato. Deployment di HorizontalPodAutoscaler che non fanno riferimento a un valore scaleTargetRef valido (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet).
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# enforceScaleTargetRef <boolean>: If set to true it validates the HPA
# scaleTargetRef exists
enforceScaleTargetRef: <boolean>
# minimumReplicaSpread <integer>: If configured it enforces the minReplicas
# and maxReplicas in an HPA must have a spread of at least this many
# replicas
minimumReplicaSpread: <integer>
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "apps"
version: "v1"
kind: "Deployment"
OR
- group: "apps"
version: "v1"
kind: "StatefulSet"
Esempi
Horizontal-pod-Autoscaler
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
name: horizontal-pod-autoscaler
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- autoscaling
kinds:
- HorizontalPodAutoscaler
parameters:
enforceScaleTargetRef: true
minimumReplicaSpread: 1
ranges:
- max_replicas: 6
min_replicas: 3
Consentita
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-allowed
namespace: default
spec:
maxReplicas: 6
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 3
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Operazione non consentita
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-disallowed-replicas
namespace: default
spec:
maxReplicas: 7
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 2
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-disallowed-replicaspread
namespace: default
spec:
maxReplicas: 4
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 4
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-disallowed-scaletarget
namespace: default
spec:
maxReplicas: 6
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 3
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8sHttpsOnly
Solo HTTPS v1.0.1
Richiede che le risorse Ingress siano solo HTTPS. Le risorse Ingress devono includere l'annotazione kubernetes.io/ingress.allow-http, impostata su false. Per impostazione predefinita, è richiesta una configurazione TLS {} valida. Questa operazione può essere resa facoltativa impostando il parametro tlsOptional su true.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# tlsOptional <boolean>: When set to `true` the TLS {} is optional,
# defaults to false.
tlsOptional: <boolean>
Esempi
Solo https in entrata
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-allowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
tls:
- {}
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
Ingress-https-only-tls-optional
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only-tls-optional
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
parameters:
tlsOptional: true
Consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-allowed-tls-optional
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo-disallowed-tls-optional
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
K8sImageDigest
Digest immagine v1.0.0
Richiede che le immagini container contengano un digest. https://kubernetes.io/docs/concepts/containers/images/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
container-image-Must-have-digest
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: container-image-must-have-digest
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
Consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
name: opa
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opainit
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opainit
K8sLocalStorageRichiediSicurezzaPerRimozione
L'archiviazione locale richiede l'eliminazione sicura v1.0.1
Richiede che i pod che utilizzano lo spazio di archiviazione locale (emptyDir o hostPath) abbiano l'annotazione "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Il gestore della scalabilità automatica dei cluster non eliminerà i pod senza questa annotazione.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
spazio-archiviazione-locale-richiede-sicurezza-per-evict
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: local-storage-require-safe-to-evict
spec:
match:
excludedNamespaces:
- kube-system
- istio-system
- gatekeeper-system
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
name: good-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
K8sMemoryRequestEqualsLimit
La richiesta di memoria è uguale al limite v1.0.1
Promuove la stabilità dei pod richiedendo che la memoria richiesta di tutti i container corrisponda esattamente al limite di memoria, in modo che i pod non si trovino mai in uno stato in cui la memoria utilizzata supera la quantità richiesta. In caso contrario, Kubernetes può terminare i pod che richiedono memoria aggiuntiva se è necessaria memoria sul nodo.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptContainersRegex <array>: Exempt Container names as regex match.
exemptContainersRegex:
- <string>
Esempi
container-Must-request-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: container-must-request-limit
spec:
match:
excludedNamespaces:
- kube-system
- resource-group-system
- asm-system
- istio-system
- config-management-system
- config-management-monitoring
parameters:
exemptContainersRegex:
- ^istio-[a-z]+$
Consentita
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
name: exempt-pod
namespace: default
spec:
containers:
- image: auto
name: istio-proxy
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
VarSecret K8sNoEnv
Nessun secret delle variabili di ambiente v1.0.1
Proibisce i secret come variabili di ambiente nelle definizioni dei container dei pod. Utilizza invece i file secret montati nei volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
nessun-segreto-as-env-vars-campione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: redis
name: test
volumeMounts:
- mountPath: /etc/test
name: test
readOnly: true
volumes:
- name: test
secret:
secretName: mysecret
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: mysecret
image: redis
name: test
K8sSenzaServizi Esterni
Nessun servizio esterno v1.0.1
Vieta la creazione di risorse note che espongono carichi di lavoro a IP esterni. Sono incluse le risorse del gateway Istio e le risorse Kubernetes Ingress. Inoltre, i servizi Kubernetes non sono consentiti, a meno che non soddisfino i seguenti criteri:
Qualsiasi servizio di tipo LoadBalancer in Google Cloud deve avere un'annotazione "cloud.google.com/load-balancer-type": "Internal".
Qualsiasi servizio di tipo LoadBalancer in AWS deve avere un'annotazione service.beta.kubernetes.io/aws-load-balancer-internal: "true.
Tutti gli "IP esterni" (esterni al cluster) associati al servizio devono essere membri di un intervallo di CIDR interni fornito al vincolo.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
# are supported currently.
cloudPlatform: <string>
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
Esempi
nessun-esterno
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external
spec:
parameters:
internalCIDRs:
- 10.0.0.1/32
Consentita
apiVersion: v1
kind: Service
metadata:
name: good-service
namespace: default
spec:
externalIPs:
- 10.0.0.1
ports:
- port: 8888
protocol: TCP
targetPort: 8888
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
name: bad-service
namespace: default
spec:
externalIPs:
- 10.0.0.2
ports:
- port: 8888
protocol: TCP
targetPort: 8888
senza-aws-esterno
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external-aws
spec:
parameters:
cloudPlatform: AWS
Consentita
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
name: good-aws-service
namespace: default
spec:
type: LoadBalancer
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
annotations:
cloud.google.com/load-balancer-type: Internal
name: bad-aws-service
namespace: default
spec:
type: LoadBalancer
Contenitore K8sPSPAllowPrivilegeEscalation
Consenti riassegnazione privilegi nel contenitore v1.0.0
Controlli che limitano la riassegnazione ai privilegi root. Corrisponde al campo allowPrivilegeEscalation in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-allow-privilege-escalation-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
Utenti consentiti
Utenti consentiti v1.0.0
Controlla gli ID utente e gruppo del contenitore e alcuni volumi. Corrisponde ai campi runAsUser, runAsGroup, supplementalGroups e fsGroup in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
Esempi
intervalli-utente-consentiti-pps-pods
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
fsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsUser:
ranges:
- max: 200
min: 100
rule: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 100
rule: MustRunAs
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 199
runAsUser: 199
securityContext:
fsGroup: 199
supplementalGroups:
- 199
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
K8sPSPAppArmor
App Armor v1.0.0
Consente di configurare una lista consentita di profili AppArmor per l'utilizzo da parte dei container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, visita la pagina https://kubernetes.io/docs/tutorials/clusters/apparmor/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
Apparmor-PSP
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
name: nginx-apparmor-allowed
spec:
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
K8sPSPAutomountServiceAccountTokenPod
Montaggio automatico Token dell'account di servizio per pod v1.0.0
Controlla la capacità di qualsiasi pod di abilitare automountServiceAccountToken.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Esempi
psp-automount-serviceaccount-token-pod
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-not-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-allowed
spec:
automountServiceAccountToken: false
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-disallowed
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
Funzionalità K8sPSPSP
Funzionalità v1.0.0
Consente di controllare le funzionalità di Linux sui container. Corrisponde ai campi allowedCapabilities e requiredDropCapabilities in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
Esempi
funzionalità-demo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
allowedCapabilities:
- something
requiredDropCapabilities:
- must_drop
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- something
drop:
- must_drop
- another_one
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
Gruppo K8sPSPFS
Gruppo FS v1.0.0
Controlli per l'allocazione di un FSGroup proprietario dei volumi del pod. Corrisponde al campo fsGroup in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
Esempi
Gruppo psp-fs
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ranges:
- max: 1000
min: 1
rule: MayRunAs
Consentita
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 500
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 2000
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
VolumiK8sPSPFlexVolumes
Volumi flessibili v1.0.0
Consente di gestire la lista consentita dei driver FlexVolume. Corrisponde al campo allowedFlexVolumes in PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
Esempi
driver-volume-psp-flex
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/lvm
name: test-volume
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/testdriver
name: test-volume
Sisctl Vietato
Sysctls vietato v1.1.1
Consente di controllare il profilo sysctl utilizzato dai container. Corrisponde ai campi allowedUnsafeSysctls e forbiddenSysctls in un PodSecurityPolicy. Se specificato, qualsiasi sysctl non incluso nel parametro allowedSysctls è considerato vietato. Il parametro forbiddenSysctls ha la precedenza sul parametro allowedSysctls. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
# not listed in the `forbiddenSysctls` parameter.
allowedSysctls:
- <string>
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
Esempi
Sist.-PSP-vietato
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSysctls:
- '*'
forbiddenSysctls:
- kernel.*
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
File system host K8sPSP
File system host v1.0.0
Consente di controllare l'utilizzo del file system dell'host. Corrisponde al campo allowedHostPaths in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
Esempi
file system-host-psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedHostPaths:
- pathPrefix: /foo
readOnly: true
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /foo/bar
name: cache-volume
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
ephemeralContainers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
Spazio dei nomi host K8sPSP
Spazio dei nomi host v1.0.0
Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei container di pod. Corrisponde ai campi hostPID e hostIPC in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Esempi
psp-host-namespace-esempio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-allowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: false
hostPID: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-disallowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: true
hostPID: true
Porte di rete host K8sPSP
Porte di networking host v1.0.0
Controlla l'utilizzo dello spazio dei nomi di rete host da parte dei container di pod. È necessario specificare porte specifiche. Corrisponde ai campi hostNetwork e hostPorts in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
Esempi
esempio-porte-rete-host-psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
hostNetwork: true
max: 9000
min: 80
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-allowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9000
hostPort: 80
hostNetwork: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
K8sPSPPrivilegedContainer
Contenitore con privilegi v1.0.0
Controlla la capacità di qualsiasi container di attivare la modalità con privilegi. Corrisponde al campo privileged in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-privileged-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container-sample
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: false
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
privileged: true
Montaggio Proc.K8sPSP
Montaggio Proc v1.0.1
Consente di controllare i tipi procMount consentiti per il contenitore. Corrisponde al campo allowedProcMountTypes in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
Esempi
montaggio-proc-psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
procMount: Default
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Default
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
File system radice K8sPSPReadOnly
File system radice di sola lettura v1.0.0
Richiede l'utilizzo di un file system radice di sola lettura da parte dei container dei pod. Corrisponde al campo readOnlyRootFilesystem in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
filesystem radice di sola lettura psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: true
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPSELinuxV2
SELinux V2 v1.0.0
Definisce una lista consentita di configurazioni seLinuxOptions per i contenitori dei pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-selinux-v2
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
K8sPSPSeccomp
Seccomp v1.0.0
Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione seccomp.security.alpha.kubernetes.io/allowedProfileNames su PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedLocalhostFiles <array>: When using securityContext naming scheme
# for seccomp and including `Localhost` this array holds the allowed
# profile JSON files. Putting a `*` in this array will allows all JSON
# files to be used. This field is required to allow `Localhost` in
# securityContext as with an empty list it will block.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` will allow any
# localhost based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
# allowed profile JSON files. The policy code will translate between the
# two schemes so it is not necessary to use both. Putting a `*` in this
# array allows all Profiles to be used. This field is required since with
# an empty list this policy will block all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-seccomp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
- docker/default
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed2
spec:
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed2
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
K8sPSPVolumeType
Tipi di volume v1.0.0
Limita i tipi di volume montabili a quelli specificati dall'utente. Corrisponde al campo volumes in un PodSecurityPolicy. Per ulteriori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
Esempi
psp-volume-tipi
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
- flexVolume
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- emptyDir: {}
name: cache-volume
- emptyDir: {}
name: demo-vol
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- hostPath:
path: /tmp
name: cache-volume
- emptyDir: {}
name: demo-vol
BudgetDisruptionK8sPod
Budget per l'interruzione dei pod v1.0.3
Non consentire gli scenari seguenti durante il deployment di PodDisruptionBudget o di risorse che implementano la sottorisorsa di replica (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment di PodDisruptionBudgets con .spec.maxavailable == 0 2. Deployment di PodDisruptionBudgets con .spec.minAvailable == .spec.replicas della risorsa con una sottorisorsa di replica. Ciò impedirà a PodDisruptionBudgets di bloccare interruzioni volontarie, come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/pauseions/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "policy"
version: "v1"
kind: "PodDisruptionBudget"
Esempi
budget-distruzione-pod
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: pod-distruption-budget
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- apiGroups:
- ""
kinds:
- ReplicationController
Consentita
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-allowed
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-1
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
template:
metadata:
labels:
app: nginx
example: allowed-deployment-1
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-1
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-2
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
template:
metadata:
labels:
app: nginx
example: allowed-deployment-2
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-2
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-3
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-3
template:
metadata:
labels:
app: nginx
example: allowed-deployment-3
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-3
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: non-matching-nginx
name: nginx-deployment-allowed-4
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: non-matching-nginx
example: allowed-deployment-4
template:
metadata:
labels:
app: non-matching-nginx
example: allowed-deployment-4
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-mongo-pdb-allowed-3
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: mongo
example: non-matching-deployment-3
Operazione non consentita
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-disallowed
namespace: default
spec:
maxUnavailable: 0
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-disallowed
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
template:
metadata:
labels:
app: nginx
example: disallowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-disallowed
namespace: default
spec:
minAvailable: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
Best practice per K8sPodResources
I container sono richiesti non secondo il criterio del "best effort" e "seguono le best practice di Burstable v1.0.2"
Richiede che i container non siano il "best effort" (impostando richieste di CPU e memoria) e che seguano le best practice per il burst (la richiesta di memoria deve essere esattamente uguale al limite). Facoltativamente, le chiavi di annotazione possono essere configurate per consentire di saltare le varie convalide.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
# skipBestEffortValidationAnnotationKey <string>: Optional annotation key
# to skip best-effort container validation.
skipBestEffortValidationAnnotationKey: <string>
# skipBurstableValidationAnnotationKey <string>: Optional annotation key to
# skip burstable container validation.
skipBurstableValidationAnnotationKey: <string>
# skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
# annotation key to skip both best-effort and burstable validation.
skipResourcesBestPracticesValidationAnnotationKey: <string>
Esempi
best-practice-gke-pod-resources
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
name: gke-pod-resources-best-practices
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
skipBestEffortValidationAnnotationKey: skip_besteffort_validation
skipBurstableValidationAnnotationKey: skip_burstable_validation
skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Consentita
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-cpu-requests-memory-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 500Mi
requests:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-limits-only
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 250m
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-requests-memory-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 100Mi
requests:
cpu: 250m
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
annotations:
skip_besteffort_validation: "true"
skip_burstable_validation: "true"
skip_resources_best_practices_validation: "false"
name: pod-skip-validation
spec:
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: pod-not-setting-cpu-burstable-on-memory
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 500Mi
requests:
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-not-setting-requests
spec:
containers:
- image: nginx
name: nginx
restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-cpu-not-burstable-on-memory
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 500Mi
requests:
cpu: 250m
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-memory-requests-cpu-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 30m
requests:
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-cpu-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-cpu-requests
spec:
containers:
- image: nginx
name: nginx
resources:
requests:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-cpu
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 500m
requests:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-memory-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 250Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-memory-requests
spec:
containers:
- image: nginx
name: nginx
resources:
requests:
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-memory
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 100Mi
requests:
memory: 100Mi
K8sPodsRequireSecurityContext
I pod richiedono il contesto di sicurezza v1.1.1
Richiede a tutti i pod di definire securityContext. Richiede che tutti i container definiti nei pod abbiano un valore SecurityContext definito a livello di pod o container.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
Esempi
pod-request-security-context-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: pods-require-security-context-sample
spec:
enforcementAction: dryrun
parameters:
exemptImages:
- nginix-exempt
- alpine*
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-exemptImage
spec:
containers:
- image: nginix-exempt
name: nginx
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-exemptImage-wildcard
spec:
containers:
- image: alpine17
name: alpine
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- image: nginx
name: nginx
Accesso tramite caratteri jolly K8sProhibitRole
Vieta accesso con caratteri jolly nel ruolo v1.0.2
Richiede che Roles e ClusterRoles non impostino l 'accesso alle risorse su un valore con carattere jolly """, ad eccezione dei Role e ClusterRole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, ad esempio ""/status"".
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <object>: The list of exempted Roles and/or ClusterRoles name
# that are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression
# based match on the name.
regexMatch: <boolean>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
Esempi
divieto-ruolo-caratteri jolly-accesso-esempio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
divieto-carattere-selvatico-tranne-ruolo-cluster-esente
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: prohibit-wildcard-except-exempted-cluster-role
spec:
enforcementAction: dryrun
parameters:
exemptions:
clusterRoles:
- name: cluster-role-allowed-example
roles:
- name: role-allowed-example
namespace: role-ns-allowed-example
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Limiti di replica v1.0.1
Richiede che gli oggetti con il campo spec.replicas (Deployment, ReplicaSet e così via) specifichino un numero di repliche all'interno di intervalli definiti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Esempi
limiti-di-repliche
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
parameters:
ranges:
- max_replicas: 50
min_replicas: 3
Consentita
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Operazione non consentita
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
replicas: 100
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
RichiediBinAuthZ
Richiede Autorizzazione binaria v1.0.2
Richiede il webhook di convalida di ammissione binaria. I vincoli che utilizzano questo ConstraintTemplate verranno sottoposti a controllo solo indipendentemente dal valore di enforcementAction.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "admissionregistration.k8s.io"
version: "v1" OR "v1beta1"
kind: "ValidatingWebhookConfiguration"
Esempi
richiesta-binauthz
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
name: require-binauthz
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
Consentita
apiVersion: v1
kind: Namespace
metadata:
name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
name: imagepolicywebhook.image-policy.k8s.io
rules:
- operations:
- CREATE
- UPDATE
- apiVersion:
- v1
sideEffects: None
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: default
Immagine K8sRequireCosNode
Richiedi immagine nodo COS v1.1.1
Applica ai nodi l'utilizzo di Container-Optimized OS di Google.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptOsImages <array>: A list of exempt OS Images.
exemptOsImages:
- <string>
Esempi
nodi-hanno-tempo-coerente
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: nodes-have-consistent-time
spec:
enforcementAction: dryrun
parameters:
exemptOsImages:
- Debian
- Ubuntu*
Consentita
apiVersion: v1
kind: Node
metadata:
name: allowed-example
status:
nodeInfo:
osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
name: example-exempt
status:
nodeInfo:
osImage: Debian
apiVersion: v1
kind: Node
metadata:
name: example-exempt-wildcard
status:
nodeInfo:
osImage: Ubuntu 18.04.5 LTS
Operazione non consentita
apiVersion: v1
kind: Node
metadata:
name: disallowed-example
status:
nodeInfo:
osImage: Debian GNUv1.0
Daemonsets richiesti per K8s
Daemonsets richiesti v1.1.0
Richiede la presenza dell'elenco di daemonsset specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# requiredDaemonsets <array>: A list of names and namespaces of the
# required daemonsets.
requiredDaemonsets:
- # name <string>: The name of the required daemonset.
name: <string>
# namespace <string>: The namespace for the required daemonset.
namespace: <string>
# restrictNodeSelector <boolean>: The daemonsets cannot include
# `NodeSelector`.
restrictNodeSelector: <boolean>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "DaemonSet"
OR
- group: "apps"
version: "v1beta2" OR "v1"
kind: "DaemonSet"
Esempi
richiedere-daemonset
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: require-daemonset
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
requiredDaemonsets:
- name: clamav
namespace: pci-dss-av
restrictNodeSelector: true
Consentita
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: other
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: other
template:
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: clamav-host-scanner
name: clamav
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: clamav
template:
metadata:
labels:
name: clamav
spec:
containers:
- image: us.gcr.io/{your-project-id}/clamav:latest
livenessProbe:
exec:
command:
- /health.sh
initialDelaySeconds: 60
periodSeconds: 30
name: clamav-scanner
resources:
limits:
memory: 3Gi
requests:
cpu: 500m
memory: 2Gi
volumeMounts:
- mountPath: /data
name: data-vol
- mountPath: /host-fs
name: host-fs
readOnly: true
- mountPath: /logs
name: logs
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- emptyDir: {}
name: data-vol
- hostPath:
path: /
name: host-fs
- hostPath:
path: /var/log/clamav
name: logs
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: other
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: other
template:
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: other
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: clamav
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: clamav
template:
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: clamav
nodeSelector:
cloud.google.com/gke-spot: "true"
K8sRequireDefaultDenyTrafficoPolicy
Richiedi criterio di negazione in uscita predefinito v1.0.3
Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy predefinito per il traffico in uscita.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "NetworkPolicy"
OR
- group: "networking.k8s.io"
version: "v1"
kind: "NetworkPolicy"
Esempi
richiedere-default-deny-network-policies
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: require-default-deny-network-policies spec: enforcementAction: dryrun
Consentita
apiVersion: v1
kind: Namespace
metadata:
name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: example-namespace
spec:
podSelector: {}
policyTypes:
- Egress
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: example-namespace
spec:
podSelector: {}
policyTypes:
- Egress
K8sRequireNamespaceNetworkPolicies
Richiedi criteri di rete dello spazio dei nomi v1.0.4
Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "NetworkPolicy"
OR
- group: "networking.k8s.io"
version: "v1"
kind: "NetworkPolicy"
Esempi
richiedi-spazio dei nomi-rete-criteri-esempio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
Consentita
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Richiedi intervalli validi per reti v1.0.1
Applica in modo forzato i blocchi CIDR consentiti per il traffico in entrata e in uscita dalla rete.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for egress.
allowedEgress:
- <string>
# allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for ingress.
allowedIngress:
- <string>
Esempi
richiedere-intervalli-rete-validi
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: require-valid-network-ranges
spec:
enforcementAction: dryrun
parameters:
allowedEgress:
- 1.1.2.0/32
allowedIngress:
- 1.1.2.0/24
Consentita
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
egress:
- ports:
- port: 5978
protocol: TCP
to:
- ipBlock:
cidr: 1.1.2.0/32
ingress:
- from:
- ipBlock:
cidr: 1.1.2.0/29
- ipBlock:
cidr: 1.1.2.100/29
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- port: 6379
protocol: TCP
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
Operazione non consentita
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy-disallowed
namespace: default
spec:
egress:
- ports:
- port: 5978
protocol: TCP
to:
- ipBlock:
cidr: 1.1.2.0/31
ingress:
- from:
- ipBlock:
cidr: 1.1.2.0/24
- ipBlock:
cidr: 2.1.2.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- port: 6379
protocol: TCP
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
Annotazioni K8sRequired
Annotazioni richieste v1.0.0
Richiede che le risorse contengano annotazioni specificate, con valori corrispondenti alle espressioni regolari fornite.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
Esempi
tutte-devono-avere-un-insieme-di-annotazioni
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
annotations:
- allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
key: a8r.io/owner
- allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
key: a8r.io/runbook
message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Consentita
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/owner: dev-team-alfa@contoso.com
a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
name: allowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Operazione non consentita
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Etichette obbligatorie
Etichette richieste v1.0.0
Richiede che le risorse contengano etichette specificate, con valori corrispondenti alle espressioni regolari fornite.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
Esempi
tutti-devono-avere-proprietario
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
labels:
- allowedRegex: ^[a-zA-Z]+.agilebank.demo$
key: owner
message: All namespaces must have an `owner` label that points to your company
username
Consentita
apiVersion: v1
kind: Namespace
metadata:
labels:
owner: user.agilebank.demo
name: allowed-namespace
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Probe richieste v1.0.0
Richiede che i pod dispongano di probe di idoneità e/o di attività.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# probeTypes <array>: The probe must define a field listed in `probeType`
# in order to satisfy the constraint (ex. `tcpSocket` satisfies
# `['tcpSocket', 'exec']`)
probeTypes:
- <string>
# probes <array>: A list of probes that are required (ex: `readinessProbe`)
probes:
- <string>
Esempi
probe da non perdere
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
probeTypes:
- tcpSocket
- httpGet
- exec
probes:
- readinessProbe
- livenessProbe
Consentita
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: tomcat
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: nginx:1.7.9
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
name: test-pod2
spec:
containers:
- image: nginx:1.7.9
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
Risorse richieste K8s
Risorse richieste v1.0.1
Richiede che i container abbiano un set di risorse definite. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# limits <array>: A list of limits that should be enforced (`cpu`,
# `memory`, or both).
limits:
# Allowed Values: cpu, memory
- <string>
# requests <array>: A list of requests that should be enforced (`cpu`,
# `memory`, or both).
requests:
# Allowed Values: cpu, memory
- <string>
Esempi
contenitore-deve-avere-limiti-e-richieste
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: container-must-have-limits-and-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
limits:
- cpu
- memory
requests:
- cpu
- memory
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
container-Must-have-cpu-requests-memory-limits-and-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
limits:
- memory
requests:
- cpu
- memory
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources: {}
nessuna applicazione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: no-enforcements
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources: {}
K8sRestrictAutomountServiceAccountTokens
Limita token account di servizio v1.0.1
Limita l'utilizzo dei token degli account di servizio.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
limitazione-serviceaccounttokens
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
name: restrict-serviceaccounttokens
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
- ServiceAccount
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-pod
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1 kind: ServiceAccount metadata: name: disallowed-example-serviceaccount
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example-pod
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
apiVersion: v1 automountServiceAccountToken: true kind: ServiceAccount metadata: name: allowed-example-serviceaccount
K8sRestrictLabels
Limita etichette v1.0.1
Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
Esempi
esempio-etichetta-limitata
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
exceptions:
- group: ""
kind: Pod
name: allowed-example
namespace: default
restrictedLabels:
- label-example
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
Spazi dei nomi K8sRestrictName
Limita spazi dei nomi v1.0.1
Limita le risorse dall'utilizzo degli spazi dei nomi elencati nel parametro restrictedNamespaces.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
Esempi
limitazione-default-spazio-dei-nomi-esempio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: restrict-default-namespace-sample
spec:
enforcementAction: dryrun
parameters:
restrictedNamespaces:
- default
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
namespace: test-namespace
spec:
containers:
- image: nginx
name: nginx
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNfsUrls
Limita URL NFS v1.0.1
Non consente alle risorse di contenere URL NFS, se non diversamente specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedNfsUrls <array>: A list of allowed NFS URLs
allowedNfsUrls:
- <string>
Esempi
esempio-etichetta-limitata
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
allowedNfsUrls:
- my-nfs-server.example.com/my-nfs-volume
- my-nfs-server.example.com/my-wildcard-nfs-volume/*
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example-nfs
namespace: default
spec:
containers:
- image: nginx
name: nginx
- name: test-volume
nfs:
path: /my-nfs-volume
server: my-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example-nfs-wildcard
namespace: default
spec:
containers:
- image: nginx
name: nginx
- name: test-volume
nfs:
path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
server: my-nfs-server.example.com
Operazione non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example-nfs
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- name: test-volume
nfs:
path: /my-nfs-volume
server: disallowed-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example-nfs-mixed
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- name: test-volume-allowed
nfs:
path: /my-nfs-volume
server: my-nfs-server.example.com
- name: test-volume-disallowed
nfs:
path: /my-nfs-volume
server: disallowed-nfs-server.example.com
K8sRestrictRbacSubjects
Limita soggetti RBAC v1.0.2
Limita l'uso dei nomi in RBAC in base ai valori consentiti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of names permitted in RBAC subjects.
allowedSubjects:
- # name <string>: The exact-name or the pattern of the allowed subject
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
Esempi
limita-argomenti-rbac
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: restrict-rbac-subjects
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
- ClusterRoleBinding
parameters:
allowedSubjects:
- name: system:masters
- name: ^.+@gcp-sa-mcmetering.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@gcp-sa-gkehub.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@gcp-sa-servicemesh.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@system.gserviceaccount.com$
regexMatch: true
- name: ^.+@google.com$
regexMatch: true
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user@google.com - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1@example.com - apiGroup: rbac.authorization.k8s.io kind: User name: user2@example.com
Associazioni K8sRestrictRole
Limita associazioni ruoli v1.0.1
Limita i soggetti specificati in ClusterRoleBindings e RoleBindings a un elenco di soggetti consentiti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject which is matched exactly as
# provided as well as based on a regular expression.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
Esempi
limitazione-clusteradmin-rolebindings-esempio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-sample
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
limitazione-clusteradmin-rolebindings-regex
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-regex
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Regole K8sRestrictRole
Limitazione delle regole Role e ClusterRole. v1.0.1
Limita le regole che possono essere impostate sugli oggetti Role e ClusterRole.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRules <array>: AllowedRules is the list of rules that are allowed
# on Role or ClusterRole objects. If set, any item off this list will be
# rejected.
allowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be allowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# disallowedRules <array>: DisallowedRules is the list of rules that are
# NOT allowed on Role or ClusterRole objects. If set, any item on this list
# will be rejected.
disallowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be disallowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
# names that are allowed to violate this policy.
exemptions:
clusterRoles:
- # name <string>: Name is the name or a pattern of the ClusterRole
# to be exempted.
name: <string>
# regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
# regex match of the ClusterRole name.
regexMatch: <boolean>
roles:
- # name <string>: Name is the name of the Role to be exempted.
name: <string>
# namespace <string>: Namespace is the namespace of the Role to be
# exempted.
namespace: <string>
Esempi
limitazione-pods-exec
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: restrict-pods-exec
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- Role
- ClusterRole
parameters:
disallowedRules:
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allowed-role-example rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: disallowed-cluster-role-example rules: - apiGroups: - "" resources: - pods/exec verbs: - '*'
Classe di archiviazione K8s
Classe di archiviazione v1.1.1
Richiede l'indicazione delle classi di archiviazione al momento dell'utilizzo. È supportato solo il gatekeeper 3.9 o versioni successive.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedStorageClasses <array>: An optional allow-list of storage classes.
# If specified, any storage class not in the `allowedStorageClasses`
# parameter is disallowed.
allowedStorageClasses:
- <string>
includeStorageClassesInMessage: <boolean>
Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi attivare i vincoli referenziali e creare una configurazione che indichi a Policy Controller i tipi di oggetti da controllare.
Policy Controller Config richiederà una voce syncOnly simile a:
spec:
sync:
syncOnly:
- group: "storage.k8s.io"
version: "v1"
kind: "StorageClass"
Esempi
storageclass
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: storageclass
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- PersistentVolumeClaim
- apiGroups:
- apps
kinds:
- StatefulSet
parameters:
includeStorageClassesInMessage: true
Consentita
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ok
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: somestorageclass
volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: somestorageclass
provisioner: foo