制約テンプレート ライブラリ
制約テンプレートを使用すると、制約がどのように機能するかを定義できますが、制約の詳細な定義は、制約に関する専門知識を持つ個人またはグループに委任できます。懸念事項を分離することに加え、このことは制約のロジックをその定義からも分離します。
制約テンプレートの機能を示すため、各テンプレートには制約の例と、制約に違反するリソースが含まれています。
すべての制約テンプレートが、Anthos Config Management のすべてのバージョンで利用できるわけではありません。また、テンプレートはバージョンによって異なる場合があります。テンプレートの履歴については、Anthos Config Management のアーカイブにアクセスして、このページの以前のバージョンを確認してください。
すべての制約には match セクションが含まれます。このセクションでは、制約が適用されるオブジェクトを定義します。このセクションの構成方法については、制約の match セクションをご覧ください。
このページの以前のバージョンへのリンク
AllowedServicePortName
サービスポート名には、指定されたリストの接頭辞が必要です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
例
port-name-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: port-name-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
prefixes:
- http-
- http2-
- grpc-
- mongo-
- redis-
- tcp-
許可
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-http
spec:
ports:
- name: http-helloport
port: 5000
selector:
app: helloworld
禁止
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-tcp
spec:
ports:
- name: foo-helloport
port: 5000
selector:
app: helloworld
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-bad
spec:
ports:
- name: helloport
port: 5000
selector:
app: helloworld
AsmAuthzPolicyDefaultDeny
メッシュレベルのデフォルト拒否 AuthorizationPolicy を適用します。https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-authz-policy-default-deny-with-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
asm-authz-policy-default-deny-no-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
AsmAuthzPolicyDisallowedPrefix
Istio AuthorizationPolicy ルールのプリンシパルと名前空間に、指定されたリストの接頭辞が含まれないようにします。
https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
例
asm-authz-policy-disallowed-prefix-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: asm-authz-policy-disallowed-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedNamespacePrefixes:
- bad-ns-prefix
- worse-ns-prefix
disallowedPrincipalPrefixes:
- bad-principal-prefix
- worse-principal-prefix
許可
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/worse-principal-prefix-sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- bad-ns-prefix-test
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
Istio AuthorizationPolicy の from フィールドが定義されている場合、参照元は * 以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
asm-authz-policy-enforce-source-principals-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: asm-authz-policy-enforce-source-principals-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
許可
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: no-source-principals
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-wildcard
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-contains-wildcard
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyNormalization
AuthorizationPolicy normalization を適用します。https://istio.io/latest/docs/reference/config/security/normalization/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
asm-authz-policy-normalization-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: asm-authz-policy-normalization-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
許可
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-method-lowercase
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- get
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-request-header-whitespace
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Ag ent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: path-unnormalized
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test\/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
AsmAuthzPolicySafePattern
AuthorizationPolicy の安全なパターンを適用します。https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-authz-policy-safe-pattern-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: asm-authz-policy-safe-pattern-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
strictnessLevel: High
許可
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: hosts-on-noningress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: invalid-hosts
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-negative-match
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
notMethods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-positive-match
spec:
action: DENY
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
AsmIngressgatewayLabel
ingressgateway Pod にのみ Istio ingressgateway ラベルの使用を適用します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
asm-ingressgateway-label-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: asm-ingressgateway-label-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: istio
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
AsmPeerAuthnMeshStrictMtls
メッシュレベルの厳格な mtls PeerAuthentication を適用します。https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-peer-authn-mesh-strict-mtls-with-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: asm-root
spec:
mtls:
mode: STRICT
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: asm-root
spec:
mtls:
mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
許可
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: istio-system
spec:
mtls:
mode: STRICT
禁止
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
AsmPeerAuthnStrictMtls
すべての PeerAuthentication が厳格な mtls を上書きできないようにします。https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-peer-authn-strict-mtls-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: asm-peer-authn-strict-mtls-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
parameters:
strictnessLevel: High
許可
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: valid-strict-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
禁止
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-permissive-mtls-pa
namespace: foo
spec:
mtls:
mode: PERMISSIVE
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-port-disable-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: DISABLE
"443":
mode: STRICT
selector:
matchLabels:
app: bar
AsmRequestAuthnProhibitedOutputHeaders
RequestAuthentication で、jwtRules outputPayloadToHeader を適用し、既知の HTTP リクエスト ヘッダーやユーザー定義の禁止ヘッダーを含めないようにします。https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prohibitedHeaders <array>: User predefined prohibited headers.
prohibitedHeaders:
- <string>
例
asm-request-authn-prohibited-output-headers-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: asm-request-authn-prohibited-output-headers-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- RequestAuthentication
parameters:
prohibitedHeaders:
- Bad-Header
- X-Bad-Header
許可
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: valid-request-authn
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Good-Header
selector:
matchLabels:
app: istio-ingressgateway
禁止
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Host
selector:
matchLabels:
app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: X-Bad-Header
selector:
matchLabels:
app: istio-ingressgateway
AsmSidecarInjection
ワークロード Pod に常に Istio プロキシ サイドカーが挿入されるようにします。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of sidecar injection strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
例
asm-sidecar-injection-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: asm-sidecar-injection-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
strictnessLevel: High
許可
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "true"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
annotations:
"false": "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
禁止
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
DestinationRuleTLSEnabled
Istio DestinationRules 内のすべてのホストとホスト サブセットに対する TLS の無効化を禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
dr-tls-enabled
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: dr-tls-enabled
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- networking.istio.io
kinds:
- DestinationRule
禁止
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-subset-tls-disable
namespace: default
spec:
host: myservice
subsets:
- name: v1
trafficPolicy:
tls:
mode: DISABLE
- name: v2
trafficPolicy:
tls:
mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-traffic-tls-disable
namespace: default
spec:
host: myservice
trafficPolicy:
tls:
mode: DISABLE
DisallowedAuthzPrefix
Istio AuthorizationPolicy ルールのプリンシパルと名前空間に、指定されたリストの接頭辞が含まれないようにします。
https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
例
disallowed-authz-prefix-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: disallowed-authz-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedprefixes:
- badprefix
- reallybadprefix
許可
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/badprefix-sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- badprefix-test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
GCPStorageLocationConstraintV1
StorageBucket Config Connector リソースに許可される locations を、制約で指定されたロケーションのリストに制限します。exemptions リストにあるバケット名は対象外です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
例
singapore-and-jakarta-only
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: singapore-and-jakarta-only
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- storage.cnrm.cloud.google.com
kinds:
- StorageBucket
parameters:
exemptions:
- my_project_id_cloudbuild
locations:
- asia-southeast1
- asia-southeast2
許可
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
禁止
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
K8sAllowedRepos
コンテナ イメージは、指定されたリストにある文字列で開始する必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
例
repo-is-openpolicyagent
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: repo-is-openpolicyagent
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
repos:
- openpolicyagent/
許可
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
禁止
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers: []
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
K8sBlockEndpointEditDefaultRole
Kubernetes インストール環境の多くは、デフォルトで system:aggregate-to-edit ClusterRole を使用しているため、Endpoints の編集アクセスが適切に制限されません。この ConstraintTemplate は、system:aggregate-to-edit ClusterRole が Endpoints の作成 / パッチ / 更新の権限を付与することを禁止しています。CVE-2021-25740 のため、ClusterRole/system:aggregate-to-edit で Endpoint 編集権限を許可してはなりません。Endpoint 権限と EndpointSlice 権限は、Namespace 間の転送を許可します(https://github.com/kubernetes/kubernetes/issues/103675)。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
block-endpoint-edit-default-role
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: block-endpoint-edit-default-role
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
許可
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- create
- delete
- deletecollection
- patch
- update
禁止
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- endpoints
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
K8sBlockNodePort
NodePort タイプを持つすべての Service を禁止します。https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
block-node-port
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
禁止
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: NodePort
K8sBlockProcessNamespaceSharing
Pod 仕様で shareProcessNamespace を true に設定することを禁止します。これにより、Pod 内のすべてのコンテナが PID 名前空間を共有し、互いのファイルシステムおよびメモリにアクセスできる状況を回避できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
block-process-namespace-sharing
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
許可
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
shareProcessNamespace: true
K8sBlockWildcardIngress
ブランクまたはワイルドカード(*)のホスト名を使用して、Ingress を作成できないようにする必要があります。ホスト名は、クラスタ内の他のサービスにアクセスできない場合でも、クラスタ内の他のサービスのトラフィックをインターセプトできます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
block-wildcard-ingress
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: block-wildcard-ingress
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
許可
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: non-wildcard-ingress
spec:
rules:
- host: myservice.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
禁止
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: ""
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: '*.example.com'
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
- host: valid.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
K8sContainerLimits
コンテナにメモリと CPU の上限を設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
例
container-must-have-limits
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
許可
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
K8sContainerRatios
コンテナ リソースの上限に対するリクエストの最大比率を設定します。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
# `resources.requests.cpu` on a container. If not specified, equal to
# `ratio`.
cpuRatio: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
例
container-must-meet-ratio
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ratio: "2"
許可
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 800m
memory: 2Gi
requests:
cpu: 100m
memory: 100Mi
container-must-meet-memory-and-cpu-ratio
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-memory-and-cpu-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpuRatio: "10"
ratio: "1"
許可
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: "1"
memory: 2Gi
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
K8sContainerRequests
コンテナにメモリと CPU のリクエストを設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory request on a Pod, exclusive.
memory: <string>
例
container-must-have-requests
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: container-must-have-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
許可
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 1Gi
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
K8sDisallowAnonymous
ClusterRole リソースと Role リソースを system:anonymous ユーザーと system:unauthenticated グループに関連付けることはできません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRoles <array>: The list of ClusterRoles and Roles that may be
# associated with the `system:unauthenticated` group and `system:anonymous`
# user.
allowedRoles:
- <string>
例
no-anonymous
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: no-anonymous
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRoleBinding
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
parameters:
allowedRoles:
- cluster-role-1
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedRoleBindingSubjects
パラメータとして渡された disallowedSubjects に一致するサブジェクトを持つ RoleBindings または ClusterRoleBindings を禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
例
disallowed-rolebinding-subjects
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: disallowed-rolebinding-subjects
spec:
parameters:
disallowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
コンテナ イメージには、指定されたリストとは異なるイメージタグが必要です。 https://kubernetes.io/docs/concepts/containers/images/#image-names
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# tags <array>: Disallowed container image tags.
tags:
- <string>
例
container-image-must-not-have-latest-tag
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: container-image-must-not-have-latest-tag
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
exemptImages:
- openpolicyagent/opa-exp:latest
- openpolicyagent/opa-exp2:latest
tags:
- latest
許可
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-exempt-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa-exp
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:v1
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
禁止
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-2
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-3
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:latest
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/monitor:latest
name: opa-monitor
K8sEmptyDirHasSizeLimit
emptyDir ボリュームで sizeLimit を指定する必要があります。必要に応じて、maxSizeLimit パラメータに制約を設定して、最大サイズの上限を指定できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
例
empty-dir-has-size-limit
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: empty-dir-has-size-limit
spec:
parameters:
maxSizeLimit: 4Gi
許可
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir:
sizeLimit: 2Gi
name: good-pod-volume
禁止
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: bad-pod-volume
K8sExternalIPs
Service の externalIPs を、許可された IP アドレスのリストに制限します。 https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
例
external-ips
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: external-ips
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
allowedIPs:
- 203.0.113.0
許可
apiVersion: v1
kind: Service
metadata:
name: allowed-external-ip
spec:
externalIPs:
- 203.0.113.0
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
禁止
apiVersion: v1
kind: Service
metadata:
name: disallowed-external-ip
spec:
externalIPs:
- 1.1.1.1
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
K8sHttpsOnly
Ingress リソースは HTTPS のみにする必要があります。Ingress リソースは次の条件を満たしている必要があります。- 有効な TLS 構成が含まれている - kubernetes.io/ingress.allow-http アノテーションが含まれ、次の値に設定されている。
false
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
ingress-https-only
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
許可
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
tls:
- {}
禁止
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
K8sImageDigests
コンテナ イメージにダイジェストが含まれている必要があります。 https://kubernetes.io/docs/concepts/containers/images/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
container-image-must-have-digest
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: container-image-must-have-digest
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
許可
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
name: opa
禁止
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
K8sLocalStorageRequireSafeToEvict
ローカル ストレージ(emptyDir または hostPath)を使用する Pod にはアノテーション "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" が必要です。このアノテーションのない Pod は、クラスタ オートスケーラーによって削除されることはありません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
local-storage-require-safe-to-evict
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict
許可
apiVersion: v1
kind: Pod
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
name: good-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
禁止
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
K8sMemoryRequestEqualsLimit
すべてのコンテナがリクエストするメモリがメモリ制限に完全に一致することを要求することで Pod の安定性を高め、メモリ使用量がリクエストされた量を超える状態にならないようにします。そうでないと、ノードにメモリが必要なときに、Kubernetes は追加のメモリが必要な Pod を終了する可能性があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
container-must-request-limit
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit
許可
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 4Gi
禁止
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
K8sNoEnvVarSecrets
Pod コンテナ定義で環境変数としての Secret を禁止します。代わりに、マウントされた Secrets ファイルをデータ ボリュームで使用します。https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
no-secrets-as-env-vars-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
許可
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: redis
name: test
volumeMounts:
- mountPath: /etc/test
name: test
readOnly: true
volumes:
- name: test
secret:
secretName: mysecret
禁止
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: mysecret
image: redis
name: test
K8sNoExternalServices
ワークロードを外部 IP に公開する既知のリソースの作成を禁止します。これには、Istio Gateway リソースと Kubernetes Ingress リソースが含まれます。次の基準を満たさない限り、Kubernetes Service も許可されません。
LoadBalancer タイプの Service に "cloud.google.com/load-balancer-type": "Internal" アノテーションがある。Service にバインドされる外部 IP(クラスタ外部の IP)は、制約で提供される内部 CIDR の範囲に含まれている必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
例
no-external
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external
spec:
parameters:
internalCIDRs:
- 10.0.0.1/32
許可
apiVersion: v1
kind: Service
metadata:
name: good-service
namespace: default
spec:
externalIPs:
- 10.0.0.1
ports:
- port: 8888
protocol: TCP
targetPort: 8888
禁止
apiVersion: v1
kind: Service
metadata:
name: bad-service
namespace: default
spec:
externalIPs:
- 10.0.0.2
ports:
- port: 8888
protocol: TCP
targetPort: 8888
K8sPSPAllowPrivilegeEscalationContainer
エスカレーションの root 権限への制限を制御します。PodSecurityPolicy の allowPrivilegeEscalation フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-allow-privilege-escalation-container-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: false
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
K8sPSPAllowedUsers
コンテナと一部のボリュームのユーザー ID とグループ ID を制御します。PodSecurityPolicy の runAsUser、runAsGroup、supplementalGroups、fsGroup フィールドに対応しています。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
例
psp-pods-allowed-user-ranges
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
fsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsUser:
ranges:
- max: 200
min: 100
rule: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 100
rule: MustRunAs
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 199
runAsUser: 199
securityContext:
fsGroup: 199
supplementalGroups:
- 199
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
K8sPSPAppArmor
コンテナで使用する AppArmor プロファイルの許可リストを構成します。これは、PodSecurityPolicy に適用される特定のアノテーションに対応します。AppArmor については、https://kubernetes.io/docs/tutorials/clusters/apparmor/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-apparmor
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
許可
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
name: nginx-apparmor-allowed
spec:
containers:
- image: nginx
name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
containers:
- image: nginx
name: nginx
K8sPSPAutomountServiceAccountTokenPod
automountServiceAccountToken を有効にする Pod の機能を制御します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
例
psp-automount-serviceaccount-token-pod
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-not-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-allowed
spec:
automountServiceAccountToken: false
containers:
- image: nginx
name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-disallowed
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
K8sPSPCapabilities
コンテナの Linux 機能を制御します。PodSecurityPolicy の allowedCapabilities フィールドと requiredDropCapabilities フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
例
capabilities-demo
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
allowedCapabilities:
- something
requiredDropCapabilities:
- must_drop
許可
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- something
drop:
- must_drop
- another_one
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
K8sPSPFSGroup
Pod のボリュームを所有している FSGroup の割り当てを制御します。PodSecurityPolicy の fsGroup フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
例
psp-fsgroup
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ranges:
- max: 1000
min: 1
rule: MayRunAs
許可
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 500
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
禁止
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 2000
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
K8sPSPFlexVolumes
FlexVolume ドライバの許可リストを制御します。PodSecurityPolicy の allowedFlexVolumes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
例
psp-flexvolume-drivers
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/lvm
name: test-volume
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/testdriver
name: test-volume
K8sPSPForbiddenSysctls
コンテナで使用される sysctl プロファイルを制御します。PodSecurityPolicy の forbiddenSysctls フィールドに対応します。詳細については、https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
例
psp-forbidden-sysctls
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
forbiddenSysctls:
- kernel.*
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
K8sPSPHostFilesystem
ホスト ファイル システムの使用を制御します。PodSecurityPolicy の allowedHostPaths フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
例
psp-host-filesystem
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedHostPaths:
- pathPrefix: /foo
readOnly: true
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /foo/bar
name: cache-volume
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
K8sPSPHostNamespace
Pod コンテナによるホスト PID 名前空間と IPC 名前空間の共有を禁止します。PodSecurityPolicy の hostPID フィールドと hostIPC フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
例
psp-host-namespace-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-allowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: false
hostPID: false
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-disallowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: true
hostPID: true
K8sPSPHostNetworkingPorts
Pod コンテナによるホスト ネットワークの名前空間の使用を制御します。特定のポートを指定する必要があります。PodSecurityPolicy の hostNetwork フィールドと hostPorts フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
例
psp-host-network-ports-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
hostNetwork: true
max: 9000
min: 80
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-allowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9000
hostPort: 80
hostNetwork: false
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
K8sPSPPrivilegedContainer
特権モードを有効にするコンテナの機能を制御します。PodSecurityPolicy の privileged フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-privileged-container-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container-sample
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: false
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
K8sPSPProcMount
コンテナで許可される procMount 型を制御します。PodSecurityPolicy の allowedProcMountTypes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
例
psp-proc-mount
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
procMount: Default
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Default
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Pod コンテナで読み取り専用のルート ファイル システムを使用する必要があります。PodSecurityPolicy の readOnlyRootFilesystem フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-readonlyrootfilesystem
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: true
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPSELinuxV2
Pod コンテナの seLinuxOptions 構成の許可リストを定義します。SELinux 構成ファイルを必要とする PodSecurityPolicy に対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-selinux-v2
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
K8sPSPSeccomp
コンテナで使用される seccomp プロファイルを制御します。PodSecurityPolicy の seccomp.security.alpha.kubernetes.io/allowedProfileNames アノテーションに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedLocalhostFiles <array>: When using securityContext naming scheme
# for seccomp and including `Localhost` this array holds the allowed
# profile JSON files. Putting a `*` in this array will allows all JSON
# files to be used. This field is required to allow `Localhost` in
# securityContext as with an empty list it will block.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` will allow any
# localhost based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
# allowed profile JSON files. The policy code will translate between the
# two schemes so it is not necessary to use both. Putting a `*` in this
# array allows all Profiles to be used. This field is required since with
# an empty list this policy will block all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
例
psp-seccomp
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
- docker/default
許可
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed2
spec:
containers:
- image: nginx
name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed2
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
containers:
- image: nginx
name: nginx
K8sPSPVolumeTypes
マウント可能なボリューム タイプをユーザーが指定したものに限定します。PodSecurityPolicy の volumes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
例
psp-volume-types
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
- flexVolume
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- emptyDir: {}
name: cache-volume
- emptyDir: {}
name: demo-vol
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- hostPath:
path: /tmp
name: cache-volume
- emptyDir: {}
name: demo-vol
K8sPodDisruptionBudget
PodDisruptionBudgets またはレプリカ サブリソースを実装するリソース(Deployment、ReplicationController、ReplicaSet、StatefulSet など)をデプロイする場合に、次のシナリオを許可しません。1. .spec.maxUnavailable == 0 2 を使用した PodDisruptionBudgets のデプロイ。レプリカ サブリソースを持つリソースの .spec.minAvailable == .spec.replicas を含む PodDisruptionBudgets のデプロイ。これにより、ノードのドレインなどの自発的な中断が PodDisruptionBudgets によってブロックされなくなります。 https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
pod-distruption-budget
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: pod-distruption-budget
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- apiGroups:
- ""
kinds:
- ReplicationController
許可
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-allowed
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-1
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
template:
metadata:
labels:
app: nginx
example: allowed-deployment-1
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-1
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-2
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
template:
metadata:
labels:
app: nginx
example: allowed-deployment-2
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-2
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
禁止
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-disallowed
namespace: default
spec:
maxUnavailable: 0
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-disallowed
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
template:
metadata:
labels:
app: nginx
example: disallowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-disallowed
namespace: default
spec:
minAvailable: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
K8sPodsRequireSecurityContext
すべての Pod で securityContext を定義する必要があります。Pod で定義されたすべてのコンテナに、Pod レベルまたはコンテナレベルで SecurityContext が定義されている必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
pods-require-security-context-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context-sample spec: enforcementAction: dryrun
許可
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsUser: 2000
禁止
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- image: nginx
name: nginx
K8sProhibitRoleWildcardAccess
Roles と ClusterRoles では、免除と指定される適用除外の Roles と ClusterRoles を除き、ワイルドカード()値へのリソース アクセス権限が設定されていないことを必須にします。/status のようなサブリソースへのワイルドカード アクセスは制限しません。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <object>: The list of exempted Roles and/or ClusterRoles name
# that are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
例
prohibit-role-wildcard-access-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
prohibit-wildcard-except-exempted-cluster-role
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: prohibit-wildcard-except-exempted-cluster-role
spec:
enforcementAction: dryrun
parameters:
exemptions:
clusterRoles:
- name: cluster-role-allowed-example
roles:
- name: role-allowed-example
namespace: role-ns-allowed-example
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
spec.replicas フィールドのオブジェクト(Deployments、ReplicaSets など)に、定義された範囲内のレプリカ数を指定する必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
例
replica-limits
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
parameters:
ranges:
- max_replicas: 50
min_replicas: 3
許可
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
禁止
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
replicas: 100
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8sRequireNamespaceNetworkPolicies
クラスタで定義されているすべての名前空間に NetworkPolicy が必要です。注: この制約は参照です。詳しくは、https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#referential をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
require-namespace-network-policies-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
許可
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
禁止
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequiredAnnotations
リソースには、指定された正規表現と一致する値を持つ、指定されたアノテーションを含める必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
例
all-must-have-certain-set-of-annotations
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
annotations:
- allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
key: a8r.io/owner
- allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
key: a8r.io/runbook
message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
許可
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/owner: dev-team-alfa@contoso.com
a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
name: allowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
禁止
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
K8sRequiredLabels
リソースには、指定された正規表現と一致する値を持つ、指定されたラベルを含める必要があります。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
例
all-must-have-owner
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
labels:
- allowedRegex: ^[a-zA-Z]+.agilebank.demo$
key: owner
message: All namespaces must have an `owner` label that points to your company
username
許可
apiVersion: v1
kind: Namespace
metadata:
labels:
owner: user.agilebank.demo
name: allowed-namespace
禁止
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Pod に readiness Probe または liveness Probe が必要です。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# probeTypes <array>: The probe must define a field listed in `probeType`
# in order to satisfy the constraint (ex. `tcpSocket` satisfies
# `['tcpSocket', 'exec']`)
probeTypes:
- <string>
# probes <array>: A list of probes that are required (ex: `readinessProbe`)
probes:
- <string>
例
must-have-probes
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
probeTypes:
- tcpSocket
- httpGet
- exec
probes:
- readinessProbe
- livenessProbe
許可
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: tomcat
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
禁止
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: nginx:1.7.9
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
name: test-pod2
spec:
containers:
- image: nginx:1.7.9
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
K8sRestrictLabels
特定のリソースに例外がある場合を除き、指定されたラベルをリソースに含めることを禁止します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
例
restrict-label-example
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
exceptions:
- group: ""
kind: Pod
name: allowed-example
namespace: default
restrictedLabels:
- label-example
許可
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNamespaces
リソースに対して、restrictedNamespaces パラメータにリストされた名前空間の使用を制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
例
restrict-default-namespace-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: restrict-default-namespace-sample
spec:
enforcementAction: dryrun
parameters:
restrictedNamespaces:
- default
許可
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
namespace: test-namespace
spec:
containers:
- image: nginx
name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictRoleBindings
ClusterRoleBindings と RoleBinding で指定されたサブジェクトを、許可されたサブジェクトのリストに制限します。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject which is matched exactly as
# provided as well as based on a regular expression.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
例
restrict-clusteradmin-rolebindings-sample
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-sample
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-regex
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
許可
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
禁止
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sUniqueIngressHost
すべての Ingress ルールホストが一意となることを必須にします。ホスト名のワイルドカードは処理されません。https://kubernetes.io/docs/concepts/services-networking/ingress/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
unique-ingress-host
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: unique-ingress-host
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
許可
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-disallowed
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
- host: example-host1.example.com
http:
paths:
- backend:
serviceName: nginx2
servicePort: 80
禁止
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-disallowed
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
---
# Referential Data
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-host-example
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-host-disallowed2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
- host: example-host3.example.com
http:
paths:
- backend:
serviceName: nginx2
servicePort: 80
---
# Referential Data
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-host-example2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
serviceName: nginx
servicePort: 80
K8sUniqueServiceSelector
Service に名前空間内で一意のセレクタが必要です。セレクタのキーと値が同一の場合、セレクタは同一と見なされます。1 つ以上の異なる Key-Value ペアが存在する限り、セレクタは Key-Value ペアを共有できます。 https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
unique-service-selector
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
labels:
owner: admin.agilebank.demo
name: unique-service-selector
許可
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: other-value
禁止
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-example
namespace: default
spec:
ports:
- port: 443
selector:
key: value
NoUpdateServiceAccount
Pod で抽象化されたリソースのサービス アカウントの更新をブロックします。監査モードではこのポリシーは無視されます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedGroups <array>: Groups that should be allowed to bypass the
# policy.
allowedGroups:
- <string>
# allowedUsers <array>: Users that should be allowed to bypass the policy.
allowedUsers:
- <string>
例
no-update-kube-system-service-account
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: no-update-kube-system-service-account
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- ReplicationController
- apiGroups:
- apps
kinds:
- ReplicaSet
- Deployment
- StatefulSet
- DaemonSet
- apiGroups:
- batch
kinds:
- CronJob
namespaces:
- kube-system
parameters:
allowedGroups: []
allowedUsers: []
許可
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: policy-test
name: policy-test
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: policy-test-deploy
template:
metadata:
labels:
app: policy-test-deploy
spec:
containers:
- command:
- /bin/bash
- -c
- sleep 99999
image: ubuntu
name: policy-test
serviceAccountName: policy-test-sa-1
PolicyStrictOnly
PeerAuthentication を使用する場合は、STRICT Istio 相互 TLS を常に指定する必要があります。この制約により、非推奨の Policy リソースと MeshPolicy リソースでは、STRICT 相互 TLS が適用されることが保証されます。https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh をご覧ください。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
peerauthentication-strict-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: peerauthentication-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
namespaces:
- default
許可
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict
namespace: default
spec:
mtls:
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-level
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-unset
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: UNSET
禁止
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: empty-mtls
namespace: default
spec:
mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-null
namespace: default
spec:
mtls:
mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-permissive
namespace: default
spec:
mtls:
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
"8081":
mode: STRICT
deprecated-policy-strict-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: deprecated-policy-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- authentication.istio.io
kinds:
- Policy
namespaces:
- default
許可
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mode-strict
namespace: default
spec:
peers:
- mtls:
mode: STRICT
禁止
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mtls-empty
namespace: default
spec:
peers:
- mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: policy-permissive
namespace: default
spec:
peers:
- mtls:
mode: PERMISSIVE
RestrictNetworkExclusions
Istio ネットワーク キャプチャから除外する受信ポート、送信ポート、送信 IP 範囲を制御します。Istio ネットワーク キャプチャをバイパスするポートと IP 範囲は Istio プロキシで処理されないため、Istio mTLS 認証、認可ポリシー、その他の Istio 機能の対象ではありません。この制約を使用すると、次のアノテーションの使用に制限を適用できます。
traffic.sidecar.istio.io/excludeInboundPortstraffic.sidecar.istio.io/excludeOutboundPortstraffic.sidecar.istio.io/excludeOutboundIPRanges
https://istio.io/latest/docs/reference/config/annotations/ をご覧ください。
送信 IP 範囲を制限する場合、制約は除外された IP 範囲が許可された IP 範囲除外と一致するか、またはサブセットであるかを計算します。
この制約をすべての受信ポートで使用する場合は、対応する include アノテーションを "*" に設定するか未設定のままにして、送信ポートと送信 IP 範囲を常に含める必要があります。次のアノテーションを "*" 以外に設定することはできません。
traffic.sidecar.istio.io/includeInboundPortstraffic.sidecar.istio.io/includeOutboundPortstraffic.sidecar.istio.io/includeOutboundIPRanges
この制約では、Istio サイドカー インジェクタは必ず traffic.sidecar.istio.io/excludeInboundPorts アノテーションに追加され、ヘルスチェックに使用できるため、常にポート 15020 を除外できます。
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedInboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
allowedInboundPortExclusions:
- <string>
# allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
# constraint calculates whether excluded IP ranges match or are a subset of
# the ranges in this list.
allowedOutboundIPRangeExclusions:
- <string>
# allowedOutboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
allowedOutboundPortExclusions:
- <string>
例
restrict-network-exclusions
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: restrict-network-exclusions
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedInboundPortExclusions:
- "80"
allowedOutboundIPRangeExclusions:
- 169.254.169.254/32
allowedOutboundPortExclusions:
- "8888"
許可
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx
name: nothing-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeInboundPorts: "80"
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
labels:
app: nginx
name: allowed-port-and-ip-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
labels:
app: nginx
name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: '*'
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
traffic.sidecar.istio.io/includeOutboundPorts: '*'
labels:
app: nginx
name: everything-included-with-no-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
禁止
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
labels:
app: nginx
name: disallowed-ip-range-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
labels:
app: nginx
name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: 80,443
traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundPorts: "8888"
labels:
app: nginx
name: disallowed-specific-port-and-ip-inclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
SourceNotAllAuthz
Istio AuthorizationPolicy ルールで、ソース プリンシパルが「*」以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/
制約スキーマ
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: allows you to configure which resources fall in scope for
# this constraint. Please see the match criteria documentation for more information:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
例
sourcenotall-authz-constraint
制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: sourcenotall-authz-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
許可
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-dne
namespace: foo
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-all
namespace: foo
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-someall
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
次のステップ
- Policy Controller の詳細を確認する
- Policy Controller をインストールする
- PodSecurityPolicies の代わりに制約を使用する方法を学ぶ
- gatekeeper-library リポジトリで制約テンプレートのオープンソース ライブラリを確認する