Libreria di modelli del vincolo
I modelli di vincolo consentono di definire il funzionamento di un vincolo, ma di delegare la definizione dei dettagli del vincolo a una persona o a un gruppo con competenze in materia. oltre a separare le preoccupazioni, separa anche la logica del vincolo dalla sua definizione.
Per aiutarti a vedere come funzionano i modelli di vincolo, ogni modello include un vincolo di esempio e una risorsa che viola il vincolo.
Non tutti i modelli di vincolo sono disponibili per tutte le versioni di Anthos Config Management. Inoltre, i modelli possono cambiare versione. Per comprendere meglio la cronologia di un modello, puoi accedere agli archivi di Anthos Config Management per visualizzare le versioni precedenti di questa pagina.
Tutti i vincoli contengono una sezione match, che definisce gli oggetti a cui si applica un vincolo. Per maggiori dettagli su come configurare la sezione, consulta la sezione Corrispondenza vincolo.
Link a versioni precedenti di questa pagina
ConsentitoServicePortName
Richiede che i nomi delle porte dei servizi abbiano un prefisso proveniente da un elenco specificato.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Esempi
vincolo nome-porta
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: port-name-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
prefixes:
- http-
- http2-
- grpc-
- mongo-
- redis-
- tcp-
Consentita
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-http
spec:
ports:
- name: http-helloport
port: 5000
selector:
app: helloworld
Non consentita
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-tcp
spec:
ports:
- name: foo-helloport
port: 5000
selector:
app: helloworld
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-bad
spec:
ports:
- name: helloport
port: 5000
selector:
app: helloworld
AsmAuthzPolicyDefaultNega
Applica il valore predefinito di AuthorizationPolicy a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
asm-authz-policy-default-deny-con-vincolo-di-input
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
asm-authz-policy-default-deny-no-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
AsmAuthzPolicyDisallowedPrefix
Richiede che le entità e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso da un elenco specificato.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
Esempi
asm-authz-policy-disallowed-prefix-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: asm-authz-policy-disallowed-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedNamespacePrefixes:
- bad-ns-prefix
- worse-ns-prefix
disallowedPrincipalPrefixes:
- bad-principal-prefix
- worse-principal-prefix
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
Non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/worse-principal-prefix-sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- bad-ns-prefix-test
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
Richiede che il campo Istio AuthorizationPolicy "from" di, se definito, abbia principi di origine, che devono essere impostati su un valore diverso da "*" .https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
asm-authz-policy-enforce-source-principals-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: asm-authz-policy-enforce-source-principals-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
Non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: no-source-principals
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-wildcard
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-contains-wildcard
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyNormalization
Applica la normalizzazione AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/reference/config/security/normalization/.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
asm-authz-policy-normalization-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: asm-authz-policy-normalization-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
Non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-method-lowercase
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- get
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-request-header-whitespace
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Ag ent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: path-unnormalized
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test\/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
AsmAuthzPolicySafePattern
Applica i pattern sicuri di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
asm-authz-policy-safe-pattern-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: asm-authz-policy-safe-pattern-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
strictnessLevel: High
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-istio-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-asm-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
asm: ingressgateway
Non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: hosts-on-noningress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: invalid-hosts
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-negative-match
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
notMethods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-positive-match
spec:
action: DENY
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
Etichetta AsmIngressgateway
Applica l'utilizzo dell'etichetta ingresso gateway istio solo ai pod in entrata.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
asm-ingressgateway-etichetta-campione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: asm-ingressgateway-label-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: istio
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: asm-ingressgateway
asm: ingressgateway
name: asm-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
asm: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
AsmPeerAuthnMeshStrictMtls
Applica il livello massimo di peer Peerls a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
asm-peer-authn-mesh-strict-mtls-con-vincolo-di-input
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: asm-root
spec:
mtls:
mode: STRICT
Non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: asm-root
spec:
mtls:
mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-nessun vincolo-di-input
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: istio-system
spec:
mtls:
mode: STRICT
Non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
AsmPeerAuthnStrictMtls
L'applicazione forzata di tutti i peerPeers non può sovrascrivere i criteri rigorosi. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
asm-peer-authn-strict-mtls-vincolo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: asm-peer-authn-strict-mtls-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
parameters:
strictnessLevel: High
Consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: valid-strict-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
Non consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-permissive-mtls-pa
namespace: foo
spec:
mtls:
mode: PERMISSIVE
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-port-disable-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: DISABLE
"443":
mode: STRICT
selector:
matchLabels:
app: bar
AsmRequestAuthnProhibitedOutputHeaders
In RequestAuthentication, applica il campo jwtRules.outPayloadToHeader in modo che non contenga intestazioni di richiesta HTTP ben note o intestazioni personalizzate vietate. Fai riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prohibitedHeaders <array>: User predefined prohibited headers.
prohibitedHeaders:
- <string>
Esempi
asm-request-authn-prohibited-output-headers-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: asm-request-authn-prohibited-output-headers-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- RequestAuthentication
parameters:
prohibitedHeaders:
- Bad-Header
- X-Bad-Header
Consentita
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: valid-request-authn
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Good-Header
selector:
matchLabels:
app: istio-ingressgateway
Non consentita
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Host
selector:
matchLabels:
app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: X-Bad-Header
selector:
matchLabels:
app: istio-ingressgateway
Iniezione AsmSidecar
Applica sempre il sidecar proxy istio ai pod del carico di lavoro.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of sidecar injection strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Esempi
campione-iniezione-asm-sidecar
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: asm-sidecar-injection-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
strictnessLevel: High
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "true"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
annotations:
"false": "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
DestinationRuleTLSEnabled
Proibisce la disabilitazione di TLS per tutti gli host e i sottoinsiemi di host in Istio DestinationRule.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
dr-tls-attivato
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: dr-tls-enabled
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- networking.istio.io
kinds:
- DestinationRule
Non consentita
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-subset-tls-disable
namespace: default
spec:
host: myservice
subsets:
- name: v1
trafficPolicy:
tls:
mode: DISABLE
- name: v2
trafficPolicy:
tls:
mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-traffic-tls-disable
namespace: default
spec:
host: myservice
trafficPolicy:
tls:
mode: DISABLE
DisallowedAuthzPrefix
Richiede che le entità e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso da un elenco specificato.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
Esempi
vincolo-authz-prefix-authz
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: disallowed-authz-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedprefixes:
- badprefix
- reallybadprefix
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/badprefix-sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- badprefix-test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
GCPStorageLocationVstrastraint1
Limita le risorse consentite per locations per StorageConfig Config Connector all'elenco di località fornite nel vincolo. I nomi dei bucket nell'elenco exemptions sono esenti.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
Esempi
solo singapore-e-jakarta
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: singapore-and-jakarta-only
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- storage.cnrm.cloud.google.com
kinds:
- StorageBucket
parameters:
exemptions:
- my_project_id_cloudbuild
locations:
- asia-southeast1
- asia-southeast2
Consentita
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Non consentita
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
Repository K8s
Richiede immagini container che inizino con una stringa dell'elenco specificato.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Esempi
repository-is-openpolicyagent
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: repo-is-openpolicyagent
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
repos:
- openpolicyagent/
Consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers: []
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
K8sBlockEndpointEditDefaultRole
Molte installazioni Kubernetes per impostazione predefinita dispongono di un ClusterRole system:aggregate-to-edit che non limita correttamente l'accesso alla modifica degli endpoint. Questo ConstraintTemplate vieta al system:aggregate-to-edit ClusterRole di concedere l'autorizzazione per creare/patch/aggiornare endpoint. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa di CVE-2021-25740, Endpoint & le autorizzazioni EndpointSlice consentono l'inoltro cross-Namespace, https://github.com/kubernetes/kubernetes/issues/103675
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocca-endpoint-modifica-ruolo-predefinito
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: block-endpoint-edit-default-role
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
Consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- create
- delete
- deletecollection
- patch
- update
Non consentita
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- endpoints
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
K8sBlockNodePort
Non consente tutti i servizi con tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
porta-nodo a blocchi
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Non consentita
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: NodePort
K8sBlockProcessNamespacesharing
Proibisce le specifiche dei pod con shareProcessNamespace impostato su true. In questo modo, è possibile evitare che tutti i container in un pod condividano uno spazio dei nomi PID e possano accedere tra loro al file system e alla memoria.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocco-processo-condivisione-spazi
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Consentita
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
shareProcessNamespace: true
K8sBlockWildcardIngress
Gli utenti non dovrebbero essere in grado di creare risorse Ingress con un nome host vuoto o con caratteri jolly (*), perché ciò consentirebbe di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a tali servizi.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
blocco-wildcard-ingress
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: block-wildcard-ingress
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: non-wildcard-ingress
spec:
rules:
- host: myservice.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
Non consentita
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: ""
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: '*.example.com'
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
- host: valid.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
K8sContainerLimits
Richiede che per i container siano impostati limiti di memoria e CPU e che i limiti siano compresi nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
Esempi
container-must-have-limits
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
Rapporto K8sContainer
Imposta un rapporto massimo per i limiti delle risorse container e le richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
# `resources.requests.cpu` on a container. If not specified, equal to
# `ratio`.
cpuRatio: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
Esempi
container-must-meet-ratio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ratio: "2"
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 800m
memory: 2Gi
requests:
cpu: 100m
memory: 100Mi
container-must-meet-memory-e-cpu-ratio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-memory-and-cpu-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpuRatio: "10"
ratio: "1"
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: "1"
memory: 2Gi
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
Richieste container K8s
Richiede che i container abbiano le richieste di memoria e CPU impostate e limitino le richieste in modo che rientrino nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory request on a Pod, exclusive.
memory: <string>
Esempi
container-must-have-richieste
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: container-must-have-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 1Gi
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
K8sDisallowAnonimo
Non consente di associare le risorse ClusterRole e Role al gruppo system:anonimo e system:unauthenticated.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRoles <array>: The list of ClusterRoles and Roles that may be
# associated with the `system:unauthenticated` group and `system:anonymous`
# user.
allowedRoles:
- <string>
Esempi
no-anonimo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: no-anonymous
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRoleBinding
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
parameters:
allowedRoles:
- cluster-role-1
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedRoleBindingSubjects
Proibisce RoleBindings o ClusterRoleBindings con oggetti corrispondenti a disallowedSubjects trasmessi come parametri.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
Esempi
non-ruolo-binbinding-subjects
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: disallowed-rolebinding-subjects
spec:
parameters:
disallowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Tag K8sDisallowed
Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# tags <array>: Disallowed container image tags.
tags:
- <string>
Esempi
container-image-must-not-have-latest-tag
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: container-image-must-not-have-latest-tag
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
exemptImages:
- openpolicyagent/opa-exp:latest
- openpolicyagent/opa-exp2:latest
tags:
- latest
Consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-exempt-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa-exp
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:v1
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-2
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-3
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:latest
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/monitor:latest
name: opa-monitor
K8sEmptyDirHasSizeLimit
Richiede che qualsiasi volume emptyDir specifichi un sizeLimit. Facoltativamente, nel parametro può essere fornito un parametro maxSizeLimit per specificare un limite massimo di dimensioni consentite.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
Esempi
empty-dir-has-size-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: empty-dir-has-size-limit
spec:
parameters:
maxSizeLimit: 4Gi
Consentita
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir:
sizeLimit: 2Gi
name: good-pod-volume
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: bad-pod-volume
K8sIP esterni
Limita gli IP esterni del servizio a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
Esempi
IP esterni
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: external-ips
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
allowedIPs:
- 203.0.113.0
Consentita
apiVersion: v1
kind: Service
metadata:
name: allowed-external-ip
spec:
externalIPs:
- 203.0.113.0
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
Non consentita
apiVersion: v1
kind: Service
metadata:
name: disallowed-external-ip
spec:
externalIPs:
- 1.1.1.1
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
Solo HTTPS K8s
Richiede risorse Ingress solo per HTTPS.
Le risorse Ingress devono: includere una configurazione TLS valida e includere l'annotazione kubernetes.io/ingress.allow-http impostata su false.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
solo in entrata (https://)
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Consentita
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
tls:
- {}
Non consentita
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
K8sImageDigest
Richiede immagini container contenenti un digest. https://kubernetes.io/docs/concepts/containers/images/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
container-image-must-have-digest
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: container-image-must-have-digest
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
Consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
name: opa
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
K8sLocalStorageRequestSafeToEvict
Richiede ai pod che utilizzano l'archiviazione locale (emptyDir o hostPath) l'annotazione "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Il gestore della scalabilità automatica dei cluster non eliminerà i pod senza questa annotazione.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
richiesta-spazio-di-archiviazione-locale-da-evitare
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
name: good-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
K8sMemoryRequestEqualsLimit
Promuovono la stabilità dei pod richiedendo che la memoria richiesta per tutti i container corrisponda esattamente al limite di memoria, in modo che i pod non si trovino mai in uno stato in cui l'utilizzo della memoria supera la quantità richiesta. In caso contrario, Kubernetes può terminare i pod richiedendo una memoria supplementare se è necessaria memoria sul nodo.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
container-must-request-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit
Consentita
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 4Gi
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
K8sNoEnvVarSecret
Impedisce i secret come variabili di ambiente nelle definizioni di container del pod. Usa invece file secret montati in volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
no-secrets-as-env-vars-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: redis
name: test
volumeMounts:
- mountPath: /etc/test
name: test
readOnly: true
volumes:
- name: test
secret:
secretName: mysecret
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: mysecret
image: redis
name: test
K8sNessun servizio esterno
Proibisce la creazione di risorse note che espongono i carichi di lavoro a IP esterni. Include le risorse Istio Gateway e Kubernetes Ingress. Sono inoltre vietati i servizi Kubernetes, a meno che non soddisfino i seguenti criteri:
Qualsiasi servizio di tipo LoadBalancer deve avere un'annotazione "cloud.google.com/load-balancer-type": "Internal".
Qualsiasi IP "esterno" (esterno al cluster) associato al servizio deve essere membro di un intervallo di CIDR interni forniti al vincolo.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
Esempi
no-esterno
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external
spec:
parameters:
internalCIDRs:
- 10.0.0.1/32
Consentita
apiVersion: v1
kind: Service
metadata:
name: good-service
namespace: default
spec:
externalIPs:
- 10.0.0.1
ports:
- port: 8888
protocol: TCP
targetPort: 8888
Non consentita
apiVersion: v1
kind: Service
metadata:
name: bad-service
namespace: default
spec:
externalIPs:
- 10.0.0.2
ports:
- port: 8888
protocol: TCP
targetPort: 8888
K8sPSPAllowPrivilegeEscalationContainer
Controlli che limitano la riassegnazione ai privilegi root. Corrisponde al campo allowPrivilegeEscalation in un PodSecurityPolicy. Per maggiori informazioni, visita la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-allow-privilege-escalation-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: false
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
K8sPSPUtenti consentiti
Controlla gli ID utente e gruppo del container e alcuni volumi. Corrisponde ai campi runAsUser, runAsGroup, supplementalGroups e fsGroup in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
Esempi
psp-pod-consentiti-intervalli-utente
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
fsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsUser:
ranges:
- max: 200
min: 100
rule: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 100
rule: MustRunAs
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 199
runAsUser: 199
securityContext:
fsGroup: 199
supplementalGroups:
- 199
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
K8sPSPAppArmor
Consente di configurare una lista consentita di profili AppArmor per l'utilizzo da parte dei container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, consulta https://kubernetes.io/docs/tutorials/clusters/apparmor/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-apparmor
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
name: nginx-apparmor-allowed
spec:
containers:
- image: nginx
name: nginx
Non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
containers:
- image: nginx
name: nginx
K8sPSPAutomountServiceAccountTokenPod
Controlla la possibilità di qualsiasi pod di abilitare automountServiceAccountToken.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Esempi
psp-automount-serviceaccount-token-pod
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-not-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-allowed
spec:
automountServiceAccountToken: false
containers:
- image: nginx
name: nginx
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-disallowed
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
K8sPSP
Controlla le funzionalità di Linux sui container. Corrisponde ai campi allowedCapabilities e requiredDropCapabilities in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
Esempi
funzionalità-demo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
allowedCapabilities:
- something
requiredDropCapabilities:
- must_drop
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- something
drop:
- must_drop
- another_one
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
K8sPSPFSGroup
Controlla l'allocazione di un FSGroup proprietario dei volumi del pod. Corrisponde al campo fsGroup in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
Esempi
psp-fsgroup
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ranges:
- max: 1000
min: 1
rule: MayRunAs
Consentita
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 500
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 2000
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
K8sPSPFlexVolume
Consente di controllare la lista consentita dei driver FlexVolume. Corrisponde al campo allowedFlexVolumes in PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
Esempi
driver-volume-psp-flex
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/lvm
name: test-volume
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/testdriver
name: test-volume
K8sPSPForbiddenSysctls
Controlla il profilo sysctl utilizzato dai container. Corrisponde al campo forbiddenSysctls in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
Esempi
psp-forbidden-sysctls
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
forbiddenSysctls:
- kernel.*
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
K8sPSPHostFilesystem
Controlla l'utilizzo del file system dell'host. Corrisponde al campo allowedHostPaths in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
Esempi
file-host psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedHostPaths:
- pathPrefix: /foo
readOnly: true
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /foo/bar
name: cache-volume
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
Spazio dei nomi host K8sPSP
Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei container dei pod. Corrisponde ai campi hostPID e hostIPC in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Esempi
psp-host-nomespazio-campione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-allowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: false
hostPID: false
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-disallowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: true
hostPID: true
Porte K8sPSPHostNetworking
Controlla l'utilizzo dello spazio dei nomi di rete host da parte dei container dei pod. È necessario specificare porte specifiche. Corrisponde ai campi hostNetwork e hostPorts in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
Esempi
psp-host-rete-porte-campione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
hostNetwork: true
max: 9000
min: 80
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-allowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9000
hostPort: 80
hostNetwork: false
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
Contenitore con privilegi K8sPSP
Controlla la possibilità di qualsiasi container di abilitare la modalità con privilegi. Corrisponde al campo privileged in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-privileged-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container-sample
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: false
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
K8sPSPProcMount
Consente di controllare i tipi di procMount consentiti per il contenitore. Corrisponde al campo allowedProcMountTypes in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
Esempi
montaggio psp-proc
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
procMount: Default
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Default
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Richiede l'utilizzo di un file system radice di sola lettura da parte dei container pod. Corrisponde al campo readOnlyRootFilesystem in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-readonlyrootfilesystem
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: true
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPSELinuxV2
Definisce una lista consentita di configurazioni seLinuxOptions per i container pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-selinux-v2
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
K8sPSPSecpp
Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione seccomp.security.alpha.kubernetes.io/allowedProfileNames su un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedLocalhostFiles <array>: When using securityContext naming scheme
# for seccomp and including `Localhost` this array holds the allowed
# profile JSON files. Putting a `*` in this array will allows all JSON
# files to be used. This field is required to allow `Localhost` in
# securityContext as with an empty list it will block.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` will allow any
# localhost based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
# allowed profile JSON files. The policy code will translate between the
# two schemes so it is not necessary to use both. Putting a `*` in this
# array allows all Profiles to be used. This field is required since with
# an empty list this policy will block all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Esempi
psp-sec.com
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
- docker/default
Consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed2
spec:
containers:
- image: nginx
name: nginx
Non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed2
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
containers:
- image: nginx
name: nginx
K8sPSPVolumeTypes
Consente di limitare i tipi di volume montabili a quelli specificati dall'utente. Corrisponde al campo volumes in un PodSecurityPolicy. Per saperne di più, vedi https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
Esempi
tipo-volume-psp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
- flexVolume
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- emptyDir: {}
name: cache-volume
- emptyDir: {}
name: demo-vol
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- hostPath:
path: /tmp
name: cache-volume
- emptyDir: {}
name: demo-vol
K8sPodDisruptionBudget
Non consentire i seguenti scenari quando si esegue il deployment di PodDisruptionBudget o le risorse che implementano la risorsa secondaria replica (ad esempio Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment dei podDisruptionBudget con .spec.maxUnavailable. == 0 2. Deployment dei podDisruptionBudget con .spec.minAvailable == .spec.replicas della risorsa con risorsa secondaria replica Questo impedirà ai PodDisruptionBudget di bloccare le interruzioni volontarie, come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
budget-distruption-budget
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: pod-distruption-budget
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- apiGroups:
- ""
kinds:
- ReplicationController
Consentita
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-allowed
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-1
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
template:
metadata:
labels:
app: nginx
example: allowed-deployment-1
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-1
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-2
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
template:
metadata:
labels:
app: nginx
example: allowed-deployment-2
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-2
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
Non consentita
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-disallowed
namespace: default
spec:
maxUnavailable: 0
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-disallowed
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
template:
metadata:
labels:
app: nginx
example: disallowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-disallowed
namespace: default
spec:
minAvailable: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
K8sPodsrequireSecurityContext
Richiede che tutti i pod definiscano securityContext. Richiede che a tutti i container definiti nei pod sia definito un valore SecurityContext a livello di pod o container.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
pod-require-security-context-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context-sample spec: enforcementAction: dryrun
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsUser: 2000
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- image: nginx
name: nginx
K8sProhibitRoleWildcardAccess
Richiede che Role e ClusterRole non impostino l'accesso alle risorse a un valore jolly (") ad eccezione dei Role e ClusterRole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, come "/status".
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <object>: The list of exempted Roles and/or ClusterRoles name
# that are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
Esempi
proibito-role-wildcard-access-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
divieto-wildcard-except-excludeded-cluster-role
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: prohibit-wildcard-except-exempted-cluster-role
spec:
enforcementAction: dryrun
parameters:
exemptions:
clusterRoles:
- name: cluster-role-allowed-example
roles:
- name: role-allowed-example
namespace: role-ns-allowed-example
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
Non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Richiede che gli oggetti con il campo spec.replicas (Deployment, ReplicaSet, ecc.) specifichino un determinato numero di repliche all'interno degli intervalli definiti.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Esempi
limiti-repliche
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
parameters:
ranges:
- max_replicas: 50
min_replicas: 3
Consentita
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Non consentita
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
replicas: 100
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8srequireNamespaceNetworkPolicies
Richiede che ogni spazio dei nomi definito nel cluster abbia un criterio NetworkPolicy. Nota: questo vincolo è referenziale. Per maggiori dettagli, visita la pagina https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#referential.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
richieda-nomespazio-rete-norme-campione
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
Consentita
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
Non consentita
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
Annotazioni K8sRequired
Richiede risorse che contengano annotazioni specifiche, con valori corrispondenti alle espressioni regolari fornite.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
Esempi
tutto-necessario-determinato-insieme-di-annotazioni
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
annotations:
- allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
key: a8r.io/owner
- allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
key: a8r.io/runbook
message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Consentita
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/owner: dev-team-alfa@contoso.com
a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
name: allowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Non consentita
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Etichette K8sRequired
Richiede risorse per contenere le etichette specificate, con valori corrispondenti alle espressioni regolari fornite.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
Esempi
proprietario-e-dipendente
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
labels:
- allowedRegex: ^[a-zA-Z]+.agilebank.demo$
key: owner
message: All namespaces must have an `owner` label that points to your company
username
Consentita
apiVersion: v1
kind: Namespace
metadata:
labels:
owner: user.agilebank.demo
name: allowed-namespace
Non consentita
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
Probe K8sRequired
Richiede che i pod abbiano probe di idoneità e/o di attività.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# probeTypes <array>: The probe must define a field listed in `probeType`
# in order to satisfy the constraint (ex. `tcpSocket` satisfies
# `['tcpSocket', 'exec']`)
probeTypes:
- <string>
# probes <array>: A list of probes that are required (ex: `readinessProbe`)
probes:
- <string>
Esempi
probe da non perdere
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
probeTypes:
- tcpSocket
- httpGet
- exec
probes:
- readinessProbe
- livenessProbe
Consentita
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: tomcat
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: nginx:1.7.9
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
name: test-pod2
spec:
containers:
- image: nginx:1.7.9
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
K8sRestrictLabels
Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
Esempi
limita-etichetta-esempio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
exceptions:
- group: ""
kind: Pod
name: allowed-example
namespace: default
restrictedLabels:
- label-example
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
Non consentita
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNamespaces
Impedisce alle risorse di utilizzare gli spazi dei nomi elencati nel parametro restrictedNamespaces.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
Esempi
Limit-default-namespace-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: restrict-default-namespace-sample
spec:
enforcementAction: dryrun
parameters:
restrictedNamespaces:
- default
Consentita
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
namespace: test-namespace
spec:
containers:
- image: nginx
name: nginx
Non consentita
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictRoleBindings
Limita gli oggetti specificati in ClusterRoleBindings e RoleBindings a un elenco di oggetti consentiti.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject which is matched exactly as
# provided as well as based on a regular expression.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
Esempi
Limit-clusteradmin-rolebindings-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-sample
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restricted-clusteradmin-rolebindings-regex
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-regex
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sHost Ingress unico
Richiede che tutti gli host delle regole Ingress siano univoci. Non gestisce i caratteri jolly del nome host: https://kubernetes.io/docs/concepts/services-networking/ingress/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
host-ingress-univoco
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: unique-ingress-host
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Consentita
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-disallowed
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
- host: example-host1.example.com
http:
paths:
- backend:
serviceName: nginx2
servicePort: 80
Non consentita
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-disallowed
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
---
# Referential Data
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-example
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-host-disallowed2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
- host: example-host3.example.com
http:
paths:
- backend:
serviceName: nginx2
servicePort: 80
---
# Referential Data
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-host-example2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
K8sUniqueServiceSelector
Richiede servizi che abbiano selettori univoci all'interno di uno spazio dei nomi. I selettori sono considerati uguali se hanno chiavi e valori identici. I selettori possono condividere una coppia chiave-valore purché sia presente almeno una coppia chiave-valore distinta. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
selettore-servizio-univoco
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
labels:
owner: admin.agilebank.demo
name: unique-service-selector
Consentita
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: other-value
Non consentita
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-example
namespace: default
spec:
ports:
- port: 443
selector:
key: value
AccountNoUpdateService
Blocchi che aggiornano l'account di servizio sulle risorse che astraggono sui pod. Questo criterio viene ignorato in modalità di controllo.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedGroups <array>: Groups that should be allowed to bypass the
# policy.
allowedGroups:
- <string>
# allowedUsers <array>: Users that should be allowed to bypass the policy.
allowedUsers:
- <string>
Esempi
nessun-aggiornamento-kube-system-service-account
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: no-update-kube-system-service-account
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- ReplicationController
- apiGroups:
- apps
kinds:
- ReplicaSet
- Deployment
- StatefulSet
- DaemonSet
- apiGroups:
- batch
kinds:
- CronJob
namespaces:
- kube-system
parameters:
allowedGroups: []
allowedUsers: []
Consentita
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: policy-test
name: policy-test
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: policy-test-deploy
template:
metadata:
labels:
app: policy-test-deploy
spec:
containers:
- command:
- /bin/bash
- -c
- sleep 99999
image: ubuntu
name: policy-test
serviceAccountName: policy-test-sa-1
SoloRigidoCriterio
Richiede che STRICT Istio sia sempre specificato quando si utilizza PeerAuthentication. Questo vincolo garantisce anche che le risorse deprecate Policy e MeshPolicy applichino lo standard TLS reciproco STRICT. Vedi: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
vincolo di autenticazione peer-peer
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: peerauthentication-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
namespaces:
- default
Consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict
namespace: default
spec:
mtls:
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-level
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-unset
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: UNSET
Non consentita
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: empty-mtls
namespace: default
spec:
mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-null
namespace: default
spec:
mtls:
mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-permissive
namespace: default
spec:
mtls:
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
"8081":
mode: STRICT
ritiro-criterio-stritto-vincolo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: deprecated-policy-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- authentication.istio.io
kinds:
- Policy
namespaces:
- default
Consentita
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mode-strict
namespace: default
spec:
peers:
- mtls:
mode: STRICT
Non consentita
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mtls-empty
namespace: default
spec:
peers:
- mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: policy-permissive
namespace: default
spec:
peers:
- mtls:
mode: PERMISSIVE
Limita reteEsclusioni
Controlla quali porte in entrata, porte in uscita e intervalli IP in uscita possono essere esclusi dall'acquisizione della rete Istio. Le porte e gli intervalli IP che ignorano l'acquisizione della rete Istio non sono gestiti dal proxy Istio e non sono soggetti all'autenticazione TLS, al criterio di autorizzazione e ad altre funzionalità di Istio. Questo vincolo può essere utilizzato per applicare limitazioni all'uso delle seguenti annotazioni:
traffic.sidecar.istio.io/excludeInboundPortstraffic.sidecar.istio.io/excludeOutboundPortstraffic.sidecar.istio.io/excludeOutboundIPRanges
Vedi https://istio.io/latest/docs/reference/config/annotations/.
Quando si limita gli intervalli IP in uscita, il vincolo calcola se gli intervalli IP esclusi corrispondono o sono un sottoinsieme delle esclusioni di intervalli IP consentite.
Se utilizzi questo vincolo, tutte le porte in entrata e gli intervalli IP in uscita devono essere sempre inclusi impostando le annotazioni "Includi" corrispondenti in "*" o lasciandole non impostate. Non è consentito impostare le seguenti annotazioni su elementi diversi da "*":
traffic.sidecar.istio.io/includeInboundPortstraffic.sidecar.istio.io/includeOutboundPortstraffic.sidecar.istio.io/includeOutboundIPRanges
Questo vincolo consente sempre di escludere la porta 15020 perché l'iniettore sidecar Istio li aggiunge sempre all'annotazione traffic.sidecar.istio.io/excludeInboundPorts in modo che possa essere utilizzato per il controllo di integrità.
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedInboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
allowedInboundPortExclusions:
- <string>
# allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
# constraint calculates whether excluded IP ranges match or are a subset of
# the ranges in this list.
allowedOutboundIPRangeExclusions:
- <string>
# allowedOutboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
allowedOutboundPortExclusions:
- <string>
Esempi
restrizione-esclusioni-rete
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: restrict-network-exclusions
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedInboundPortExclusions:
- "80"
allowedOutboundIPRangeExclusions:
- 169.254.169.254/32
allowedOutboundPortExclusions:
- "8888"
Consentita
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx
name: nothing-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeInboundPorts: "80"
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
labels:
app: nginx
name: allowed-port-and-ip-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
labels:
app: nginx
name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: '*'
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
traffic.sidecar.istio.io/includeOutboundPorts: '*'
labels:
app: nginx
name: everything-included-with-no-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
Non consentita
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
labels:
app: nginx
name: disallowed-ip-range-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
labels:
app: nginx
name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: 80,443
traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundPorts: "8888"
labels:
app: nginx
name: disallowed-specific-port-and-ip-inclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
Origine origine non autorizzata
Le regole di origine di Istio AuthorizationPolicy richiedono l'impostazione di un'entità diversa da quella di "*".https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema di vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Esempi
vincolo-di-autenticazione-di-origine
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: sourcenotall-authz-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Non consentita
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-dne
namespace: foo
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-all
namespace: foo
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-someall
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Passaggi successivi
- Scopri di più sul controller delle norme
- Installa Policy Controller
- Scopri come utilizzare i vincoli anziché i PodSecurityPolicy
- Visualizza la libreria open source dei modelli di vincolo nel repository Gategateer-Library