Biblioteca de modelos de restrição
Os modelos de restrição permitem definir como uma restrição funciona, mas delegar a definição das especificidades da restrição a um indivíduo ou grupo com experiência no assunto. Além de separar as preocupações, isso também separa a lógica da restrição de sua definição.
Todas as restrições contêm uma seção match, que define os objetos aos quais uma
restrição se aplica. Para detalhes sobre como configurar essa seção, consulte
a seção de correspondência de restrição.
Nem todos os modelos de restrição estão disponíveis para todas as versões do Anthos Config Management e os modelos podem mudar entre as versões. Use os links a seguir para comparar as restrições de versões compatíveis do Anthos Config Management:
Links para versões anteriores desta página
Para receber suporte total, recomendamos o uso de modelos de restrição de uma versão compatível do Anthos Config Management.
Para ajudar você a ver como os modelos de restrição funcionam, cada modelo inclui um exemplo de restrição e um recurso que viola a restrição.
AllowedServicePortName
Exige que os nomes das portas de serviço tenham um prefixo de uma lista especificada.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Exemplos
port-name-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: port-name-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
prefixes:
- http-
- http2-
- grpc-
- mongo-
- redis-
- tcp-
Permitido
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-http
spec:
ports:
- name: http-helloport
port: 5000
selector:
app: helloworld
Bloqueada
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-tcp
spec:
ports:
- name: foo-helloport
port: 5000
selector:
app: helloworld
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-bad
spec:
ports:
- name: helloport
port: 5000
selector:
app: helloworld
AsmAuthzPolicyDefaultDeny
Aplique a política de negação de autorização padrão na malha. Consulte https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. Observação: essa restrição é referencial. Veja mais detalhes em Ativar restrições referenciais.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-authz-policy-default-deny-with-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Bloqueada
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
asm-authz-policy-default-deny-no-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Bloqueada
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
AsmAuthzPolicyDisallowedPrefix
Requer que os principais e os namespaces nas regras AuthorizationPolicy do Istio não tenham o prefixo de uma lista especificada.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
Examples
asm-authz-policy-disallowed-prefix-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: asm-authz-policy-disallowed-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedNamespacePrefixes:
- bad-ns-prefix
- worse-ns-prefix
disallowedPrincipalPrefixes:
- bad-principal-prefix
- worse-principal-prefix
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/worse-principal-prefix-sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- bad-ns-prefix-test
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
Requer que o campo "from" da AuthorizationPolicy do Istio, quando definido, tenha princípios de origem, que precisam ser definidos como algo diferente de "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-authz-policy-enforce-source-principals-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: asm-authz-policy-enforce-source-principals-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: no-source-principals
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-wildcard
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-contains-wildcard
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyNormalization
Aplicar a normalização de AuthorizationPolicy. Consulte https://istio.io/latest/docs/reference/config/security/normalization/.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-authz-policy-normalization-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: asm-authz-policy-normalization-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-method-lowercase
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- get
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-request-header-whitespace
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Ag ent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: path-unnormalized
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test\/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
AsmAuthzPolicySafePattern
Aplicar os padrões seguros do AuthorizationPolicy. Consulte https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-authz-policy-safe-pattern-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: asm-authz-policy-safe-pattern-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
strictnessLevel: High
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-istio-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-asm-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
asm: ingressgateway
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: hosts-on-noningress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: invalid-hosts
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-negative-match
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
notMethods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-positive-match
spec:
action: DENY
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
AsmIngressgatewayLabel
Aplique o uso do rótulo ingressgateway do istio apenas nos pods do ingressgateway.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-ingressgateway-label-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: asm-ingressgateway-label-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: istio
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: asm-ingressgateway
asm: ingressgateway
name: asm-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
asm: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
AsmPeerAuthnMeshStrictMtls
Aplique o peering de mtls restrito na malha. Consulte https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. Observação: essa restrição é referencial. Veja mais detalhes em Ativar restrições referenciais.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-peer-authn-mesh-strict-mtls-with-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: asm-root
spec:
mtls:
mode: STRICT
Bloqueada
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: asm-root
spec:
mtls:
mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: istio-system
spec:
mtls:
mode: STRICT
Bloqueada
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
AsmPeerAuthnStrictMtls
A aplicação de todos os PeerAuthentications não pode substituir mtls rígidos. Consulte https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-peer-authn-strict-mtls-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: asm-peer-authn-strict-mtls-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
parameters:
strictnessLevel: High
Permitido
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: valid-strict-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-permissive-mtls-pa
namespace: foo
spec:
mtls:
mode: PERMISSIVE
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-port-disable-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: DISABLE
"443":
mode: STRICT
selector:
matchLabels:
app: bar
AsmRequestAuthnProhibitedOutputHeaders
Em RequestAuthentication, aplique o campo jwtRules.outPayloadToHeader para não conter cabeçalhos de solicitação HTTP conhecidos ou cabeçalhos proibidos personalizados. Referência a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prohibitedHeaders <array>: User predefined prohibited headers.
prohibitedHeaders:
- <string>
Examples
asm-request-authn-prohibited-output-headers-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: asm-request-authn-prohibited-output-headers-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- RequestAuthentication
parameters:
prohibitedHeaders:
- Bad-Header
- X-Bad-Header
Permitido
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: valid-request-authn
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Good-Header
selector:
matchLabels:
app: istio-ingressgateway
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Host
selector:
matchLabels:
app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: X-Bad-Header
selector:
matchLabels:
app: istio-ingressgateway
AsmSidecarInjection
Aplique o arquivo secundário do proxy do Istio que sempre foi injetado nos pods de carga de trabalho.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of sidecar injection strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-sidecar-injection-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: asm-sidecar-injection-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
strictnessLevel: High
Permitido
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "true"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
annotations:
"false": "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Bloqueada
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
DestinationRuleTLSEnabled
Proíbe a desativação do TLS para todos os hosts e subconjuntos de hosts no Istio DestinationRules.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
dr-tls-enabled
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: dr-tls-enabled
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- networking.istio.io
kinds:
- DestinationRule
Bloqueada
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-subset-tls-disable
namespace: default
spec:
host: myservice
subsets:
- name: v1
trafficPolicy:
tls:
mode: DISABLE
- name: v2
trafficPolicy:
tls:
mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-traffic-tls-disable
namespace: default
spec:
host: myservice
trafficPolicy:
tls:
mode: DISABLE
DisallowedAuthzPrefix
Requer que os principais e os namespaces nas regras AuthorizationPolicy do Istio não tenham o prefixo de uma lista especificada.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
Exemplos
disallowed-authz-prefix-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: disallowed-authz-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedprefixes:
- badprefix
- reallybadprefix
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/badprefix-sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- badprefix-test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
GCPStorageLocationConstraintV1
Restringe o locations permitido para recursos do Storagebucket Config Connector à lista de locais fornecidos na restrição. Os nomes de bucket na lista exemptions estão isentos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
Exemplos
singapore-and-jakarta-only
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: singapore-and-jakarta-only
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- storage.cnrm.cloud.google.com
kinds:
- StorageBucket
parameters:
exemptions:
- my_project_id_cloudbuild
locations:
- asia-southeast1
- asia-southeast2
Permitido
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Bloqueada
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
K8sAllowedRepos
Requer imagens de contêiner para começar com uma string da lista especificada.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Exemplos
repo-is-openpolicyagent
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: repo-is-openpolicyagent
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
repos:
- openpolicyagent/
Permitido
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginxinit
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginxinit
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
ephemeralContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
K8sBlockAllIngress
Não permite a criação de objetos de Entrada (tipos de Ingress, Gateway e Service de NodePort e LoadBalancer).
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowList <array>: A list of regular expressions for the Ingress object
# names that are exempt from the constraint.
allowList:
- <string>
Examples
block-all-ingress
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: block-all-ingress
spec:
enforcementAction: dryrun
parameters:
allowList:
- name1
- name2
- name3
- my-*
Permitido
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: allowed-clusterip-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: ClusterIP
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: disallowed-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
K8sBlockCreationWithDefaultServiceAccount
Não permite a criação de recursos usando uma conta de serviço padrão.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-creation-with-default-serviceaccount
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: block-creation-with-default-serviceaccount spec: enforcementAction: dryrun
Permitido
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockEndpointEditDefaultRole
Por padrão, muitas instalações do Kubernetes têm um ClusterRole system:aggregate-to-edit que não restringe corretamente o acesso à edição do Endpoints. Esse ConstraintTemplate impede que o ClusterRole system:aggregate-to-edit conceda permissão para criar/patch/atualizar endpoints. ClusterRole/system:aggregate-to-edit não deve permitir permissões de edição de endpoint devido à CVE-2021-25740, que as permissões de Endpoint e EndpointSlice permitem encaminhamento de namespace https://github.com/kubernetes/kubernetes/issues/103675
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
block-endpoint-edit-default-role
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: block-endpoint-edit-default-role
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
Permitido
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- create
- delete
- deletecollection
- patch
- update
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- endpoints
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
K8sBlockLoadBalancer
Não permite todos os serviços com o tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-load-balancer
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: block-load-balancer
spec:
match:
excludedNamespaces:
- ingress-nginx-private
- ingress-nginx-public
kinds:
- apiGroups:
- ""
kinds:
- Service
Permitido
apiVersion: v1
kind: Service
metadata:
name: my-service-allowed
spec:
ports:
- port: 80
targetPort: 80
type: ClusterIP
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: LoadBalancer
K8sBlockNodePort
Não permite todos os Serviços do tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
block-node-port
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: NodePort
K8sBlockObjectsOfType
Não permite o objeto de tipos proibidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
forbiddenTypes:
- <string>
Examples
block-secrets-of-type-basic-auth
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: block-secrets-of-type-basic-auth
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Secret
parameters:
forbiddenTypes:
- kubernetes.io/basic-auth
Permitido
apiVersion: v1 data: password: ZHVtbXlwYXNz username: ZHVtbXl1c2Vy kind: Secret metadata: name: credentials namespace: default type: Opaque
Bloqueada
apiVersion: v1 data: password: YmFzaWMtcGFzc3dvcmQ= username: YmFzaWMtdXNlcm5hbWU= kind: Secret metadata: name: secret-basic-auth namespace: default type: kubernetes.io/basic-auth
K8sBlockProcessNamespaceSharing
Proíbe as especificações do pod com shareProcessNamespace definido como true. Isso evita cenários em que todos os contêineres em um pod compartilham o namespace PID e podem acessar o sistema de arquivos e a memória uns dos outros.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
block-process-namespace-sharing
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Permitido
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
shareProcessNamespace: true
K8sBlockWildcardIngress
Os usuários não devem criar entradas com um nome do host em branco ou curinga (*), porque isso permitiria a interceptação do tráfego de outros serviços no cluster, mesmo que eles não tenham acesso a esses serviços.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-wildcard-ingress
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: block-wildcard-ingress
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: non-wildcard-ingress
spec:
rules:
- host: myservice.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
Bloqueada
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: ""
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: '*.example.com'
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
- host: valid.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
K8sContainerLimits
Requer que os limites da memória e da CPU sejam definidos e que os limites fiquem dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
Exemplos
container-must-have-limits
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
K8sContainerRatios
Define uma proporção máxima de limites de recursos do contêiner para solicitações. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
# `resources.requests.cpu` on a container. If not specified, equal to
# `ratio`.
cpuRatio: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
Exemplos
container-must-meet-ratio
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ratio: "2"
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 800m
memory: 2Gi
requests:
cpu: 100m
memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-memory-and-cpu-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpuRatio: "10"
ratio: "1"
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: "1"
memory: 2Gi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
K8sContainerRequests
Requer que os limites da memória e da CPU sejam definidos e que os limites fiquem dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory request on a Pod, exclusive.
memory: <string>
Examples
container-must-have-requests
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: container-must-have-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 1Gi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
K8sDisallowAnonymous
Não permite associar recursos ClusterRole e Role ao usuário system:anonymous e ao grupo system:unauthenticated.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRoles <array>: The list of ClusterRoles and Roles that may be
# associated with the `system:unauthenticated` group and `system:anonymous`
# user.
allowedRoles:
- <string>
Examples
no-anonymous
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: no-anonymous
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRoleBinding
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
parameters:
allowedRoles:
- cluster-role-1
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedRoleBindingSubjects
Proíbe RoleBindings ou ClusterRoleBindings com assuntos correspondentes a qualquer disallowedSubjects transmitido como parâmetros.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
Exemplos
disallowed-rolebinding-subjects
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: disallowed-rolebinding-subjects
spec:
parameters:
disallowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Requer que as imagens de contêiner tenham uma tag de imagem diferente daquelas na lista especificada. https://kubernetes.io/docs/concepts/containers/images/#image-names
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# tags <array>: Disallowed container image tags.
tags:
- <string>
Exemplos
container-image-must-not-have-latest-tag
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: container-image-must-not-have-latest-tag
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
exemptImages:
- openpolicyagent/opa-exp:latest
- openpolicyagent/opa-exp2:latest
tags:
- latest
Permitido
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-exempt-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa-exp
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:v1
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-2
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-ephemeral
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-3
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:latest
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/monitor:latest
name: opa-monitor
K8sEmptyDirHasSizeLimit
Requer que qualquer volume emptyDir especifique um sizeLimit. Opcionalmente, um parâmetro maxSizeLimit pode ser fornecido na restrição para especificar um limite máximo de tamanho permitido.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptVolumesRegex <array>: Exempt Volume names as regex match.
exemptVolumesRegex:
- <string>
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
Exemplos
empty-dir-has-size-limit
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: empty-dir-has-size-limit
spec:
match:
excludedNamespaces:
- istio-system
- kube-system
- gatekeeper-system
parameters:
exemptVolumesRegex:
- ^istio-[a-z]+$
maxSizeLimit: 4Gi
Permitido
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir:
sizeLimit: 2Gi
name: good-pod-volume
apiVersion: v1
kind: Pod
metadata:
name: exempt-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: istio-envoy
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: bad-pod-volume
K8sEnforceCloudArmorBackendConfig
Aplica a configuração do Cloud Armor aos recursos do BackendConfig
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
enforce-cloudarmor-backendconfig
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: enforce-cloudarmor-backendconfig spec: enforcementAction: dryrun
Permitido
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: example-security-policy
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: second-backendconfig
spec:
securityPolicy:
name: my-security-policy
Bloqueada
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: null
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: ""
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
spec:
logging:
enable: true
sampleRate: 0.5
K8sEnforceConfigManagement
Requer a presença e operação do gerenciamento de configuração.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
enforce-config-management
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceConfigManagement metadata: name: enforce-config-management spec: enforcementAction: dryrun
Permitido
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
annotations:
configmanagement.gke.io/managed-by-hub: "true"
configmanagement.gke.io/update-time: "1663586155"
name: config-management
spec:
binauthz:
enabled: true
clusterName: tec6ea817b5b4bb2-cluster
enableMultiRepo: true
git:
proxy: {}
syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
hierarchyController: {}
policyController:
auditIntervalSeconds: 60
enabled: true
monitoring:
backends:
- prometheus
- cloudmonitoring
mutation: {}
referentialRulesEnabled: true
templateLibraryInstalled: true
status:
configManagementVersion: v1.12.2-rc.2
healthy: true
Bloqueada
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
annotations:
configmanagement.gke.io/managed-by-hub: "true"
configmanagement.gke.io/update-time: "1663586155"
name: config-management
spec:
binauthz:
enabled: true
clusterName: tec6ea817b5b4bb2-cluster
enableMultiRepo: true
git:
syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
hierarchyController: {}
policyController:
auditIntervalSeconds: 60
enabled: true
monitoring:
backends:
- prometheus
- cloudmonitoring
mutation: {}
referentialRulesEnabled: true
templateLibraryInstalled: true
status:
configManagementVersion: v1.12.2-rc.2
K8sExternalIPs
Restringe os IPIPs de serviço a uma lista de endereços IP permitidos. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
Exemplos
external-ips
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: external-ips
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
allowedIPs:
- 203.0.113.0
Permitido
apiVersion: v1
kind: Service
metadata:
name: allowed-external-ip
spec:
externalIPs:
- 203.0.113.0
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: disallowed-external-ip
spec:
externalIPs:
- 1.1.1.1
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
K8sHttpsOnly
Exige que os recursos do Ingress sejam somente HTTPS. Os recursos de entrada precisam incluir a anotação kubernetes.io/ingress.allow-http, definida como false. Por padrão, é necessário ter uma configuração de TLS válida no {}, isso pode ser opcional definindo o parâmetro tlsOptional como true.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# tlsOptional <boolean>: When set to `true` the TLS {} is optional,
# defaults to false.
tlsOptional: <boolean>
Exemplos
ingress-https-only
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-allowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
tls:
- {}
Bloqueada
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
ingress-https-only-tls-optional
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only-tls-optional
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
parameters:
tlsOptional: true
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-allowed-tls-optional
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
Bloqueada
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo-disallowed-tls-optional
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
K8sImageDigests
Requer imagens de contêiner para conter um resumo. https://kubernetes.io/docs/concepts/containers/images/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Exemplos
container-image-must-have-digest
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: container-image-must-have-digest
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
Permitido
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
name: opa
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opainit
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opainit
K8sLocalStorageRequireSafeToEvict
Requer que os pods que usam o armazenamento local (emptyDir ou hostPath) tenham a anotação "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". O escalonador automático de cluster não excluirá pods sem essa anotação.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
local-storage-require-safe-to-evict
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: local-storage-require-safe-to-evict
spec:
match:
excludedNamespaces:
- kube-system
- istio-system
- gatekeeper-system
Permitido
apiVersion: v1
kind: Pod
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
name: good-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
K8sMemoryRequestEqualsLimit
Promove a estabilidade do pod ao exigir que a memória solicitada de todos os contêineres seja exatamente igual ao limite de memória. Assim, os pods nunca ficam em um estado em que o uso da memória excede a quantidade solicitada. Caso contrário, o Kubernetes poderá encerrar pods que solicitam memória extra se a memória for necessária no nó.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptContainersRegex <array>: Exempt Container names as regex match.
exemptContainersRegex:
- <string>
Exemplos
container-must-request-limit
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: container-must-request-limit
spec:
match:
excludedNamespaces:
- kube-system
- resource-group-system
- asm-system
- istio-system
- config-management-system
- config-management-monitoring
parameters:
exemptContainersRegex:
- ^istio-[a-z]+$
Permitido
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
name: exempt-pod
namespace: default
spec:
containers:
- image: auto
name: istio-proxy
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
K8sNoEnvVarSecrets
Proíbe secrets como variáveis de ambiente nas definições de contêiner do pod. Em vez disso, use arquivos secretos montados em volumes de dados: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
no-secrets-as-env-vars-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
Permitido
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: redis
name: test
volumeMounts:
- mountPath: /etc/test
name: test
readOnly: true
volumes:
- name: test
secret:
secretName: mysecret
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: mysecret
image: redis
name: test
K8sNoExternalServices
Proíbe a criação de recursos conhecidos que expõem cargas de trabalho a IPs externos. Isso inclui os recursos de gateway do Istio e do Ingress do Kubernetes. Os serviços do Kubernetes também não são permitidos, a menos que atendam aos seguintes critérios:
qualquer serviço do tipo LoadBalancer no Google Cloud precisa ter uma anotação "cloud.google.com/load-balancer-type": "Internal".
Qualquer serviço do tipo LoadBalancer na AWS precisa ter uma anotação service.beta.kubernetes.io/aws-load-balancer-internal: "true.
Qualquer "IP externo" (externo ao cluster) vinculado ao Serviço precisa ser membro de um intervalo de CIDRs internos, conforme fornecido à restrição.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
# are supported currently.
cloudPlatform: <string>
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
Exemplos
no-external
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external
spec:
parameters:
internalCIDRs:
- 10.0.0.1/32
Permitido
apiVersion: v1
kind: Service
metadata:
name: good-service
namespace: default
spec:
externalIPs:
- 10.0.0.1
ports:
- port: 8888
protocol: TCP
targetPort: 8888
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: bad-service
namespace: default
spec:
externalIPs:
- 10.0.0.2
ports:
- port: 8888
protocol: TCP
targetPort: 8888
no-external-aws
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external-aws
spec:
parameters:
cloudPlatform: AWS
Permitido
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
name: good-aws-service
namespace: default
spec:
type: LoadBalancer
Bloqueada
apiVersion: v1
kind: Service
metadata:
annotations:
cloud.google.com/load-balancer-type: Internal
name: bad-aws-service
namespace: default
spec:
type: LoadBalancer
K8sPSPAllowPrivilegeEscalationContainer
Controla a restrição do encaminhamento a privilégios de raiz. Corresponde ao campo allowPrivilegeEscalation em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged-escalation
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-allow-privilege-escalation-container-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: false
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Controla os códigos do usuário e do grupo do contêiner e de alguns volumes. Corresponde aos campos runAsUser, runAsGroup, supplementalGroups e fsGroup em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
Exemplos
psp-pods-allowed-user-ranges
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
fsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsUser:
ranges:
- max: 200
min: 100
rule: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 100
rule: MustRunAs
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 199
runAsUser: 199
securityContext:
fsGroup: 199
supplementalGroups:
- 199
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
K8sPSPAppArmor
Configura uma lista de permissões de perfis do AppArmor para uso por contêineres. Isso corresponde a anotações específicas aplicadas a uma PodSecurityPolicy Para saber mais sobre o AppArmor, consulte https://kubernetes.io/docs/tutorials/clusters/apparmor/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Exemplos
psp-apparmor
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
Permitido
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
name: nginx-apparmor-allowed
spec:
containers:
- image: nginx
name: nginx
Bloqueada
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
K8sPSPAutomountServiceAccountTokenPod
Controla a capacidade de qualquer pod de ativar automountServiceAccountToken.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Exemplos
psp-automount-serviceaccount-token-pod
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-not-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-allowed
spec:
automountServiceAccountToken: false
containers:
- image: nginx
name: nginx
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-disallowed
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
K8sPSPCapabilities
Controla os recursos do Linux em contêineres. Corresponde aos campos allowedCapabilities e requiredDropCapabilities em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#features
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
Exemplos
capabilities-demo
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
allowedCapabilities:
- something
requiredDropCapabilities:
- must_drop
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- something
drop:
- must_drop
- another_one
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
K8sPSPFSGroup
Controla a alocação de um FSGroup que é proprietário dos volumes do pod. Corresponde ao campo fsGroup em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
Exemplos
psp-fsgroup
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ranges:
- max: 1000
min: 1
rule: MayRunAs
Permitido
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 500
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 2000
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
K8sPSPFlexVolumes
Controla a lista de permissões de drivers FlexVolume. Corresponde ao campo allowedFlexVolumes em PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
Exemplos
psp-flexvolume-drivers
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/lvm
name: test-volume
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/testdriver
name: test-volume
K8sPSPForbiddenSysctls
Controla o perfil sysctl usado pelos contêineres. Corresponde aos campos allowedUnsafeSysctls e forbiddenSysctls em um PodSecurityPolicy. Quando especificado, qualquer sysctl que não esteja no parâmetro allowedSysctls é considerado proibido. O parâmetro forbiddenSysctls tem prioridade sobre o allowedSysctls. Para saber mais, consulte https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
# not listed in the `forbiddenSysctls` parameter.
allowedSysctls:
- <string>
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
Exemplos
psp-forbidden-sysctls
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSysctls:
- '*'
forbiddenSysctls:
- kernel.*
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
K8sPSPHostFilesystem
Controla o uso do sistema de arquivos do host. Corresponde ao campo allowedHostPaths em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
Exemplos
psp-host-filesystem
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedHostPaths:
- pathPrefix: /foo
readOnly: true
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /foo/bar
name: cache-volume
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
ephemeralContainers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
K8sPSPHostNamespace
Não permite o compartilhamento de namespaces PID de host e IPC por contêineres de pod. Corresponde aos campos hostPID e hostIPC em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Examples
psp-host-namespace-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-allowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: false
hostPID: false
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-disallowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: true
hostPID: true
K8sPSPHostNetworkingPorts
Controla o uso de namespace da rede do host por contêineres de pod. As portas precisam ser especificadas. Corresponde aos campos hostNetwork e hostPorts em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
Examples
psp-host-network-ports-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
hostNetwork: true
max: 9000
min: 80
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-allowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9000
hostPort: 80
hostNetwork: false
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
K8sPSPPrivilegedContainer
Controla a capacidade de qualquer contêiner de ativar o modo privilegiado. Corresponde ao campo privileged em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-privileged-container-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container-sample
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: false
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
privileged: true
K8sPSPProcMount
Controla os tipos procMount permitidos para o contêiner. Corresponde ao campo allowedProcMountTypes em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
Exemplos
psp-proc-mount
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
procMount: Default
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Default
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Exige o uso de um sistema de arquivos raiz somente leitura por contêineres de pod. Corresponde ao campo readOnlyRootFilesystem em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Exemplos
psp-readonlyrootfilesystem
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: true
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPSELinuxV2
Define uma lista de permissões de configurações seLinuxOptions para contêineres de pod. Corresponde a um PodSecurityPolicy que requer configurações do SELinux. Saiba mais em https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Exemplos
psp-selinux-v2
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
K8sPSPSeccomp
Controla o perfil seccomp usado pelos contêineres. Corresponde à anotação seccomp.security.alpha.kubernetes.io/allowedProfileNames em um PodSecurityPolicy. Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedLocalhostFiles <array>: When using securityContext naming scheme
# for seccomp and including `Localhost` this array holds the allowed
# profile JSON files. Putting a `*` in this array will allows all JSON
# files to be used. This field is required to allow `Localhost` in
# securityContext as with an empty list it will block.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` will allow any
# localhost based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
# allowed profile JSON files. The policy code will translate between the
# two schemes so it is not necessary to use both. Putting a `*` in this
# array allows all Profiles to be used. This field is required since with
# an empty list this policy will block all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Exemplos
psp-seccomp
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
- docker/default
Permitido
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed2
spec:
containers:
- image: nginx
name: nginx
Bloqueada
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed2
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
K8sPSPVolumeTypes
Restringe os tipos de volume montáveis para aqueles especificados pelo usuário. Corresponde ao campo volumes em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
Exemplos
psp-volume-types
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
- flexVolume
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- emptyDir: {}
name: cache-volume
- emptyDir: {}
name: demo-vol
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- hostPath:
path: /tmp
name: cache-volume
- emptyDir: {}
name: demo-vol
K8sPodDisruptionBudget
Não permita os seguintes cenários ao implantar PodDisruptionBudgets ou recursos que implementam o sub-recurso de réplica (por exemplo, Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Implantação de PodDisruptionBudgets com .spec.maxUnavailable == 0 2. Implantação de PodDisruptionBudgets com .spec.minAvailable == .spec.replicas do recurso com sub-recurso de réplica. Isso impedirá que PodDisruptionBudgets bloqueie interrupções voluntárias, como a drenagem de nós. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
pod-distruption-budget
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: pod-distruption-budget
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- apiGroups:
- ""
kinds:
- ReplicationController
Permitido
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-allowed
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-1
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
template:
metadata:
labels:
app: nginx
example: allowed-deployment-1
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-1
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-2
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
template:
metadata:
labels:
app: nginx
example: allowed-deployment-2
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-2
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-3
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-3
template:
metadata:
labels:
app: nginx
example: allowed-deployment-3
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-3
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: non-matching-nginx
name: nginx-deployment-allowed-4
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: non-matching-nginx
example: allowed-deployment-4
template:
metadata:
labels:
app: non-matching-nginx
example: allowed-deployment-4
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-mongo-pdb-allowed-3
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: mongo
example: non-matching-deployment-3
Bloqueada
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-disallowed
namespace: default
spec:
maxUnavailable: 0
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-disallowed
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
template:
metadata:
labels:
app: nginx
example: disallowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-disallowed
namespace: default
spec:
minAvailable: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
K8sPodsRequireSecurityContext
Requer que todos os pods definam securityContext. Requer que todos os contêineres definidos em pods tenham um SecurityContext definido no nível do pod ou do contêiner.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
Examples
pods-require-security-context-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: pods-require-security-context-sample
spec:
enforcementAction: dryrun
parameters:
exemptImages:
- nginix-exempt
- alpine*
Permitido
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-exemptImage
spec:
containers:
- image: nginix-exempt
name: nginx
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-exemptImage-wildcard
spec:
containers:
- image: alpine17
name: alpine
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- image: nginx
name: nginx
K8sProhibitRoleWildcardAccess
Requer que Roles e ClusterRoles não definam o acesso a recursos com um valor de caractere curinga (""), exceto os Roles e ClusterRoles isentos fornecidos como isenções. Não restringe o acesso curinga a sub-recursos, como "/status".
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <object>: The list of exempted Roles and/or ClusterRoles name
# that are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression
# based match on the name.
regexMatch: <boolean>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
Examples
prohibit-role-wildcard-access-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
prohibit-wildcard-except-exempted-cluster-role
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: prohibit-wildcard-except-exempted-cluster-role
spec:
enforcementAction: dryrun
parameters:
exemptions:
clusterRoles:
- name: cluster-role-allowed-example
roles:
- name: role-allowed-example
namespace: role-ns-allowed-example
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Requer que objetos com o campo spec.replicas (Implantações, ReplicaSets etc.) especifiquem um número de réplicas em intervalos definidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Exemplos
replica-limits
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
parameters:
ranges:
- max_replicas: 50
min_replicas: 3
Permitido
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Bloqueada
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
replicas: 100
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8sRequireCosNodeImage
Aplica o uso do SO Container-Optimized do Google em nós.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptOsImages <array>: A list of exempt OS Images.
exemptOsImages:
- <string>
Examples
nodes-have-consistent-time
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: nodes-have-consistent-time
spec:
enforcementAction: dryrun
parameters:
exemptOsImages:
- Debian
- Ubuntu*
Permitido
apiVersion: v1
kind: Node
metadata:
name: allowed-example
status:
nodeInfo:
osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
name: example-exempt
status:
nodeInfo:
osImage: Debian
apiVersion: v1
kind: Node
metadata:
name: example-exempt-regex
status:
nodeInfo:
osImage: Ubuntu 18.04.5 LTS
Bloqueada
apiVersion: v1
kind: Node
metadata:
name: disallowed-example
status:
nodeInfo:
osImage: Debian GNUv1.0
K8sRequireDaemonsets
Exige a lista de daemonsets especificados como presente. Observação: essa restrição é referencial. Veja mais detalhes em Ativar restrições referenciais.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# requiredDaemonsets <array>: A list of names and namespaces of the
# required daemonsets.
requiredDaemonsets:
- # name <string>: The name of the required daemonset.
name: <string>
# namespace <string>: The namespace for the required daemonset.
namespace: <string>
Examples
require-daemonset
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: require-daemonset
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
requiredDaemonsets:
- name: clamav
namespace: pci-dss-av
Permitido
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: other
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: other
template:
metadata:
labels:
name: other
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: other
resources:
limits:
memory: 3Gi
requests:
cpu: 500m
memory: 2Gi
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: clamav-host-scanner
name: clamav
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: clamav
template:
metadata:
labels:
name: clamav
spec:
containers:
- image: us.gcr.io/{your-project-id}/clamav:latest
livenessProbe:
exec:
command:
- /health.sh
initialDelaySeconds: 60
periodSeconds: 30
name: clamav-scanner
resources:
limits:
memory: 3Gi
requests:
cpu: 500m
memory: 2Gi
volumeMounts:
- mountPath: /data
name: data-vol
- mountPath: /host-fs
name: host-fs
readOnly: true
- mountPath: /logs
name: logs
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- emptyDir: {}
name: data-vol
- hostPath:
path: /
name: host-fs
- hostPath:
path: /var/log/clamav
name: logs
Bloqueada
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: other
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: other
template:
metadata:
labels:
name: other
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: other
resources:
limits:
memory: 3Gi
requests:
cpu: 500m
memory: 2Gi
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
K8sRequireDefaultDenyEgressPolicy
Exige que cada namespace definido no cluster tenha uma NetworkPolicy de negação padrão para saída. Observação: essa restrição é referencial. Veja mais detalhes em Ativar restrições referenciais.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
require-default-deny-network-policies
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: require-default-deny-network-policies spec: enforcementAction: dryrun
Permitido
apiVersion: v1
kind: Namespace
metadata:
name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: example-namespace
spec:
podSelector: {}
policyTypes:
- Egress
Bloqueada
apiVersion: v1 kind: Namespace metadata: name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: example-namespace
spec:
podSelector: {}
policyTypes:
- Egress
K8sRequireNamespaceNetworkPolicies
Requer que cada namespace definido no cluster tenha uma NetworkPolicy. Observação: essa restrição é referencial. Veja mais detalhes em Ativar restrições referenciais.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
require-namespace-network-policies-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
Permitido
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
Bloqueada
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Aplica quais blocos CIDR são permitidos para entrada e saída de rede.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for egress.
allowedEgress:
- <string>
# allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for ingress.
allowedIngress:
- <string>
Examples
require-valid-network-ranges
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: require-valid-network-ranges
spec:
enforcementAction: dryrun
parameters:
allowedEgress:
- 1.1.2.0/32
allowedIngress:
- 1.1.2.0/24
Permitido
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
egress:
- ports:
- port: 5978
protocol: TCP
to:
- ipBlock:
cidr: 1.1.2.0/32
ingress:
- from:
- ipBlock:
cidr: 1.1.2.0/29
- ipBlock:
cidr: 1.1.2.100/29
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- port: 6379
protocol: TCP
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
Bloqueada
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy-disallowed
namespace: default
spec:
egress:
- ports:
- port: 5978
protocol: TCP
to:
- ipBlock:
cidr: 1.1.2.0/31
ingress:
- from:
- ipBlock:
cidr: 1.1.2.0/24
- ipBlock:
cidr: 2.1.2.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- port: 6379
protocol: TCP
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
K8sRequiredAnnotations
Exige recursos para conter anotações especificadas, com valores correspondentes às expressões regulares fornecidas.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
Exemplos
all-must-have-certain-set-of-annotations
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
annotations:
- allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
key: a8r.io/owner
- allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
key: a8r.io/runbook
message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Permitido
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/owner: dev-team-alfa@contoso.com
a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
name: allowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
K8sRequiredLabels
Exige recursos com rótulos especificados, com valores correspondentes às expressões regulares fornecidas.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
Exemplos
all-must-have-owner
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
labels:
- allowedRegex: ^[a-zA-Z]+.agilebank.demo$
key: owner
message: All namespaces must have an `owner` label that points to your company
username
Permitido
apiVersion: v1
kind: Namespace
metadata:
labels:
owner: user.agilebank.demo
name: allowed-namespace
Bloqueada
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Requer que os pods tenham sondagens de preparo e/ou atividade.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# probeTypes <array>: The probe must define a field listed in `probeType`
# in order to satisfy the constraint (ex. `tcpSocket` satisfies
# `['tcpSocket', 'exec']`)
probeTypes:
- <string>
# probes <array>: A list of probes that are required (ex: `readinessProbe`)
probes:
- <string>
Exemplos
must-have-probes
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
probeTypes:
- tcpSocket
- httpGet
- exec
probes:
- readinessProbe
- livenessProbe
Permitido
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: tomcat
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: nginx:1.7.9
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
name: test-pod2
spec:
containers:
- image: nginx:1.7.9
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
K8sRequiredResources
Requer que os contêineres tenham recursos definidos. https://kubernetes.io/docs/Escolhas/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# limits <array>: A list of limits that should be enforced (cpu, memory or
# both).
limits:
# Allowed Values: cpu, memory
- <string>
# requests <array>: A list of requests that should be enforced (cpu, memory
# or both).
requests:
# Allowed Values: cpu, memory
- <string>
Examples
container-must-have-limits-and-requests
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: container-must-have-limits-and-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
limits:
- cpu
- memory
requests:
- cpu
- memory
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
limits:
- memory
requests:
- cpu
- memory
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources: {}
no-enforcements
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: no-enforcements
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Permitidos
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources: {}
K8sRestrictLabels
Não permite que os recursos contenham rótulos especificados, a menos que haja uma exceção para o recurso específico.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
Exemplos
restrict-label-example
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
exceptions:
- group: ""
kind: Pod
name: allowed-example
namespace: default
restrictedLabels:
- label-example
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
Bloqueada
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNamespaces
Restringe o uso de namespaces listados no parâmetro restrictedNamespaces.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
Examples
restrict-default-namespace-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: restrict-default-namespace-sample
spec:
enforcementAction: dryrun
parameters:
restrictedNamespaces:
- default
Permitido
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
namespace: test-namespace
spec:
containers:
- image: nginx
name: nginx
Bloqueada
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictRbacSubjects
Restringe o uso de nomes nos assuntos do RBAC a valores permitidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of names permitted in RBAC subjects.
allowedSubjects:
- # name <string>: The exact-name or the pattern of the allowed subject
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
Examples
restrict-rbac-subjects
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: restrict-rbac-subjects
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
- ClusterRoleBinding
parameters:
allowedSubjects:
- name: system:masters
- name: ^.+@gcp-sa-mcmetering.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@gcp-sa-gkehub.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@gcp-sa-servicemesh.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@system.gserviceaccount.com$
regexMatch: true
- name: ^.+@google.com$
regexMatch: true
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user@google.com - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user@example.com
K8sRestrictRoleBindings
Restringe os assuntos especificados em ClusterRoleBindings e RoleBindings para uma lista de assuntos permitidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject which is matched exactly as
# provided as well as based on a regular expression.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
Examples
restrict-clusteradmin-rolebindings-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-sample
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-regex
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Bloqueada
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sStorageClass
Requer que as classes de armazenamento sejam especificadas quando usadas. Só é possível usar o Gatekeeper 3.9 ou mais recente.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
includeStorageClassesInMessage: <boolean>
Examples
storageclass
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: storageclass
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- PersistentVolumeClaim
- apiGroups:
- apps
kinds:
- StatefulSet
parameters:
includeStorageClassesInMessage: true
Permitido
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ok
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: somestorageclass
volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: somestorageclass
provisioner: foo
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: volumeclaimstorageclass
spec:
replicas: 1
selector:
matchLabels:
app: volumeclaimstorageclass
serviceName: volumeclaimstorageclass
template:
metadata:
labels:
app: volumeclaimstorageclass
spec:
containers:
- image: registry.k8s.io/nginx-slim:0.8
name: main
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: somestorageclass
provisioner: foo
Bloqueada
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: badstorageclass
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: badstorageclass
volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: badvolumeclaimstorageclass
spec:
replicas: 1
selector:
matchLabels:
app: badvolumeclaimstorageclass
serviceName: badvolumeclaimstorageclass
template:
metadata:
labels:
app: badvolumeclaimstorageclass
spec:
containers:
- image: registry.k8s.io/nginx-slim:0.8
name: main
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: badstorageclass
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nostorageclass
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: novolumeclaimstorageclass
spec:
replicas: 1
selector:
matchLabels:
app: novolumeclaimstorageclass
serviceName: novolumeclaimstorageclass
template:
metadata:
labels:
app: novolumeclaimstorageclass
spec:
containers:
- image: registry.k8s.io/nginx-slim:0.8
name: main
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
K8sUniqueIngressHost
Exige que todos os hosts de regra de entrada sejam exclusivos. Não lida com caracteres curinga de nome do host: https://kubernetes.io/docs/concepts/services-networking/ingress/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
unique-ingress-host
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: unique-ingress-host
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-allowed
namespace: default
spec:
rules:
- host: example-allowed-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
- host: example-allowed-host1.example.com
http:
paths:
- backend:
service:
name: nginx2
port:
number: 80
path: /
pathType: Prefix
Bloqueada
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-disallowed
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-example
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-disallowed2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
- host: example-host3.example.com
http:
paths:
- backend:
service:
name: nginx2
port:
number: 80
path: /
pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-example2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
K8sUniqueServiceSelector
Requer que os Serviços tenham seletores exclusivos em um namespace. Os seletores são considerados os mesmos se tiverem chaves e valores idênticos. Os seletores podem compartilhar um par de chave-valor, desde que haja pelo menos um par de chave-valor diferente entre eles. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a- serviço
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
unique-service-selector
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
labels:
owner: admin.agilebank.demo
name: unique-service-selector
Permitido
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: other-value
Bloqueada
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-example
namespace: default
spec:
ports:
- port: 443
selector:
key: value
NoUpdateServiceAccount
Bloqueia a atualização da conta de serviço em recursos que abstraem os pods. Esta política é ignorada no modo de auditoria.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedGroups <array>: Groups that should be allowed to bypass the
# policy.
allowedGroups:
- <string>
# allowedUsers <array>: Users that should be allowed to bypass the policy.
allowedUsers:
- <string>
Examples
no-update-kube-system-service-account
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: no-update-kube-system-service-account
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- ReplicationController
- apiGroups:
- apps
kinds:
- ReplicaSet
- Deployment
- StatefulSet
- DaemonSet
- apiGroups:
- batch
kinds:
- CronJob
namespaces:
- kube-system
parameters:
allowedGroups: []
allowedUsers: []
Permitidos
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: policy-test
name: policy-test
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: policy-test-deploy
template:
metadata:
labels:
app: policy-test-deploy
spec:
containers:
- command:
- /bin/bash
- -c
- sleep 99999
image: ubuntu
name: policy-test
serviceAccountName: policy-test-sa-1
PolicyStrictOnly
Exige que o TLS mútuo do Istio STRICT seja sempre especificado ao usar o PeerAuthentication. Essa restrição também garante que os recursos obsoletos Policy e MeshPolicy apliquem o TLS mútuo STRICT. Consulte: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
peerauthentication-strict-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: peerauthentication-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
namespaces:
- default
Permitido
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict
namespace: default
spec:
mtls:
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-level
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-unset
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: UNSET
Bloqueada
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: empty-mtls
namespace: default
spec:
mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-null
namespace: default
spec:
mtls:
mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-permissive
namespace: default
spec:
mtls:
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
"8081":
mode: STRICT
deprecated-policy-strict-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: deprecated-policy-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- authentication.istio.io
kinds:
- Policy
namespaces:
- default
Permitido
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mode-strict
namespace: default
spec:
peers:
- mtls:
mode: STRICT
Bloqueada
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mtls-empty
namespace: default
spec:
peers:
- mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: policy-permissive
namespace: default
spec:
peers:
- mtls:
mode: PERMISSIVE
RestrictNetworkExclusions
Controla quais portas de entrada, portas de saída e intervalos de IP de saída podem ser excluídos da captura de rede do Istio. As portas e os intervalos de IP que ignoram a captura de rede do Istio não são processados pelo proxy do Istio e não estão sujeitos à autenticação mTLS do Istio, política de autorização e outros recursos do Istio. Essa restrição pode ser usada para aplicar restrições ao uso destas anotações:
traffic.sidecar.istio.io/excludeInboundPortstraffic.sidecar.istio.io/excludeOutboundPortstraffic.sidecar.istio.io/excludeOutboundIPRanges
Consulte https://istio.io/latest/docs/reference/config/annotations/.
Ao restringir os intervalos de IP de saída, a restrição calcula se os intervalos de IP excluídos correspondem ou são um subconjunto das exclusões de intervalos de IP permitidos.
Ao usar essa restrição, todas as portas de entrada e intervalos de IP de
saída sempre precisarão ser incluídos com a definição das anotações "include"
correspondentes como "*" ou sem definição. Não é permitido definir nenhuma das
anotações a seguir como algo diferente de "*":
traffic.sidecar.istio.io/includeInboundPortstraffic.sidecar.istio.io/includeOutboundPortstraffic.sidecar.istio.io/includeOutboundIPRanges
Essa restrição sempre permite que a porta 15020 seja excluída porque o injetor do sidecar do Istio
sempre a adiciona à anotação traffic.sidecar.istio.io/excludeInboundPorts
para que ela possa ser usada para verificação de integridade.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedInboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
allowedInboundPortExclusions:
- <string>
# allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
# constraint calculates whether excluded IP ranges match or are a subset of
# the ranges in this list.
allowedOutboundIPRangeExclusions:
- <string>
# allowedOutboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
allowedOutboundPortExclusions:
- <string>
Exemplos
restrict-network-exclusions
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: restrict-network-exclusions
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedInboundPortExclusions:
- "80"
allowedOutboundIPRangeExclusions:
- 169.254.169.254/32
allowedOutboundPortExclusions:
- "8888"
Permitido
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx
name: nothing-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeInboundPorts: "80"
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
labels:
app: nginx
name: allowed-port-and-ip-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
labels:
app: nginx
name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: '*'
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
traffic.sidecar.istio.io/includeOutboundPorts: '*'
labels:
app: nginx
name: everything-included-with-no-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
Bloqueada
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
labels:
app: nginx
name: disallowed-ip-range-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
labels:
app: nginx
name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: 80,443
traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundPorts: "8888"
labels:
app: nginx
name: disallowed-specific-port-and-ip-inclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
SourceNotAllAuthz
Requer que as regras de autorização de Istio tenham principais de origem definidas para algo diferente de "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Exemplos
sourcenotall-authz-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: sourcenotall-authz-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Não permitido
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-dne
namespace: foo
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-all
namespace: foo
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-someall
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Verificar API descontinuada
Verifica as APIs descontinuadas do Kubernetes para garantir que todas as versões da API estejam atualizadas. Esse modelo não se aplica à auditoria, porque a auditoria analisa os recursos que já estão presentes no cluster com versões não descontinuadas da API.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Constraint match section of the
# Anthos Config Management documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# k8sVersion <number>: kubernetes version
k8sVersion: <number>
# kvs <array>: Deprecated api versions and corresponding kinds
kvs:
- # deprecatedAPI <string>: deprecated api
deprecatedAPI: <string>
# kinds <array>: impacted list of kinds
kinds:
- <string>
# targetAPI <string>: target api
targetAPI: <string>
Examples
verify-1.16
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.16
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- DaemonSet
- apiGroups:
- extensions
kinds:
- PodSecurityPolicy
- ReplicaSet
- Deployment
- DaemonSet
- NetworkPolicy
parameters:
k8sVersion: 1.16
kvs:
- deprecatedAPI: apps/v1beta1
kinds:
- Deployment
- ReplicaSet
- StatefulSet
targetAPI: apps/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- ReplicaSet
- Deployment
- DaemonSet
targetAPI: apps/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- PodSecurityPolicy
targetAPI: policy/v1beta1
- deprecatedAPI: apps/v1beta2
kinds:
- ReplicaSet
- StatefulSet
- Deployment
- DaemonSet
targetAPI: apps/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- NetworkPolicy
targetAPI: networking.k8s.io/v1
Permitido
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Não permitido
apiVersion: apps/v1beta1
kind: Deployment
metadata:
labels:
app: nginx
name: disallowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
verify-1.22
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.22
spec:
match:
kinds:
- apiGroups:
- admissionregistration.k8s.io
kinds:
- MutatingWebhookConfiguration
- ValidatingWebhookConfiguration
- apiGroups:
- apiextensions.k8s.io
kinds:
- CustomResourceDefinition
- apiGroups:
- apiregistration.k8s.io
kinds:
- APIService
- apiGroups:
- authentication.k8s.io
kinds:
- TokenReview
- apiGroups:
- authorization.k8s.io
kinds:
- SubjectAccessReview
- apiGroups:
- certificates.k8s.io
kinds:
- CertificateSigningRequest
- apiGroups:
- coordination.k8s.io
kinds:
- Lease
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
- apiGroups:
- networking.k8s.io
kinds:
- IngressClass
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
- ClusterRoleBinding
- Role
- RoleBinding
- apiGroups:
- scheduling.k8s.io/v1beta1
kinds:
- PriorityClass
- apiGroups:
- storage.k8s.io/v1beta1
kinds:
- CSIDriver
- CSINode
- StorageClass
- VolumeAttachment
parameters:
k8sVersion: 1.22
kvs:
- deprecatedAPI: admissionregistration.k8s.io/v1beta1
kinds:
- MutatingWebhookConfiguration
- ValidatingWebhookConfiguration
targetAPI: admissionregistration.k8s.io/v1
- deprecatedAPI: apiextensions.k8s.io/v1beta1
kinds:
- CustomResourceDefinition
targetAPI: apiextensions.k8s.io/v1
- deprecatedAPI: apiregistration.k8s.io/v1beta1
kinds:
- APIService
targetAPI: apiregistration.k8s.io/v1
- deprecatedAPI: authentication.k8s.io/v1beta1
kinds:
- TokenReview
targetAPI: authentication.k8s.io/v1
- deprecatedAPI: authorization.k8s.io/v1beta1
kinds:
- SubjectAccessReview
targetAPI: authorization.k8s.io/v1
- deprecatedAPI: certificates.k8s.io/v1beta1
kinds:
- CertificateSigningRequest
targetAPI: certificates.k8s.io/v1
- deprecatedAPI: coordination.k8s.io/v1beta1
kinds:
- Lease
targetAPI: coordination.k8s.io/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- Ingress
targetAPI: networking.k8s.io/v1
- deprecatedAPI: networking.k8s.io/v1beta1
kinds:
- Ingress
- IngressClass
targetAPI: networking.k8s.io/v1
- deprecatedAPI: rbac.authorization.k8s.io/v1beta1
kinds:
- ClusterRole
- ClusterRoleBinding
- Role
- RoleBinding
targetAPI: rbac.authorization.k8s.io/v1
- deprecatedAPI: scheduling.k8s.io/v1beta1
kinds:
- PriorityClass
targetAPI: scheduling.k8s.io/v1
- deprecatedAPI: storage.k8s.io/v1beta1
kinds:
- CSIDriver
- CSINode
- StorageClass
- VolumeAttachment
targetAPI: storage.k8s.io/v1
Permitido
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
name: allowed-ingress
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- backend:
service:
name: test
port:
number: 80
path: /testpath
pathType: Prefix
Não permitido
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
name: disallowed-ingress
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- backend:
service:
name: test
port:
number: 80
path: /testpath
pathType: Prefix
verify-1.25
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.25
spec:
match:
kinds:
- apiGroups:
- batch
kinds:
- CronJob
- apiGroups:
- discovery.k8s.io
kinds:
- EndpointSlice
- apiGroups:
- events.k8s.io
kinds:
- Event
- apiGroups:
- autoscaling
kinds:
- HorizontalPodAutoscaler
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- PodSecurityPolicy
parameters:
k8sVersion: 1.25
kvs:
- deprecatedAPI: batch/v1beta1
kinds:
- CronJob
targetAPI: batch/v1
- deprecatedAPI: discovery.k8s.io/v1beta1
kinds:
- EndpointSlice
targetAPI: discovery.k8s.io/v1
- deprecatedAPI: events.k8s.io/v1beta1
kinds:
- Event
targetAPI: events.k8s.io/v1
- deprecatedAPI: autoscaling/v2beta1
kinds:
- HorizontalPodAutoscaler
targetAPI: autoscaling/v2
- deprecatedAPI: policy/v1beta1
kinds:
- PodDisruptionBudget
targetAPI: policy/v1
- deprecatedAPI: policy/v1beta1
kinds:
- PodSecurityPolicy
targetAPI: None
- deprecatedAPI: node.k8s.io/v1beta1
kinds:
- RuntimeClass
targetAPI: node.k8s.io/v1
Permitido
apiVersion: batch/v1
kind: CronJob
metadata:
name: allowed-cronjob
namespace: default
spec:
jobTemplate:
spec:
template:
spec:
containers:
- command:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: hello
restartPolicy: OnFailure
schedule: '* * * * *'
Não permitido
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: disallowed-cronjob
namespace: default
spec:
jobTemplate:
spec:
template:
spec:
containers:
- command:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: hello
restartPolicy: OnFailure
schedule: '* * * * *'
verify-1.26
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.26
spec:
match:
kinds:
- apiGroups:
- flowcontrol.apiserver.k8s.io
kinds:
- FlowSchema
- PriorityLevelConfiguration
- apiGroups:
- autoscaling
kinds:
- HorizontalPodAutoscaler
parameters:
k8sVersion: 1.26
kvs:
- deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
kinds:
- FlowSchema
- PriorityLevelConfiguration
targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
- deprecatedAPI: autoscaling/v2beta2
kinds:
- HorizontalPodAutoscaler
targetAPI: autoscaling/v2
Permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
name: allowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
Não permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
name: disallowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
verify-1.27
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.27
spec:
match:
kinds:
- apiGroups:
- storage.k8s.io
kinds:
- CSIStorageCapacity
parameters:
k8sVersion: 1.27
kvs:
- deprecatedAPI: storage.k8s.io/v1beta1
kinds:
- CSIStorageCapacity
targetAPI: storage.k8s.io/v1
Permitido
apiVersion: storage.k8s.io/v1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity storageClassName: standard
Não permitido
apiVersion: storage.k8s.io/v1beta1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity namespace: default storageClassName: standard
verify-1.29
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.29
spec:
match:
kinds:
- apiGroups:
- flowcontrol.apiserver.k8s.io
kinds:
- FlowSchema
- PriorityLevelConfiguration
parameters:
k8sVersion: 1.29
kvs:
- deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
kinds:
- FlowSchema
- PriorityLevelConfiguration
targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
name: allowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
Bloqueada
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
name: disallowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
A seguir
- Saiba mais sobre o Policy Controller
- Instale o Policy Controller.
- Saiba mais sobre como usar restrições em vez de PodSecurityPolicies
- Visualize a biblioteca de código aberto de modelos de restrição no repositório gatekeeper-library