Bibliothek mit Einschränkungsvorlagen

Mithilfe von Einschränkungsvorlagen können Sie die Funktionsweise einer Einschränkung definieren, aber die Details dieser Einschränkung an eine Einzelperson oder Gruppe mit Fachkenntnissen delegieren. Neben der Trennung von Fragestellungen wird auch die Logik der Einschränkung von der Definition getrennt.

Damit Sie sehen können, wie die Einschränkungsvorlagen funktionieren, enthält jede Vorlage eine Beispieleinschränkung und eine Ressource, die gegen die Einschränkung verstößt.

Nicht alle Einschränkungsvorlagen sind für alle Versionen von Anthos Config Management verfügbar. Außerdem können sich die Vorlagen zwischen Versionen ändern. Wenn Sie den Verlauf einer Vorlage besser verstehen möchten, können Sie die Anthos Config Management-Archive aufrufen, um frühere Versionen dieser Seite anzuzeigen.

AllowedServicePortName

Erfordert, dass Dienstportnamen ein Präfix aus einer angegebenen Liste haben.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

Beispiele

port-name-constraint

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
Nicht zugelassen
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld

DestinationRuleTLSEnabled

Verbietet die Deaktivierung von TLS für alle Hosts und Hostteilmengen in Istio DestinationRules.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

dr-tls-enabled

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
Nicht zugelassen
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-leastconn
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN

DisallowedAuthzPrefix

Erfordert, dass Hauptkonten und Namespaces in AuthorizationPolicy-Regeln von Istio kein Präfix aus einer angegebenen Liste haben. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

Beispiele

disallowed-authz-prefix-constraint

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
Nicht zugelassen
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

Beschränkt den zulässigen locations für StorageBucket Config Connector-Ressourcen auf die Liste der in der Einschränkung angegebenen Standorte. Bucket-Namen in der exemptions-Liste sind ausgenommen.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

Beispiele

singapore-and-jakarta-only

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
Zulässig
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
Nicht zugelassen
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1

K8sAllowedRepos

Erfordert Container-Images, die mit einem String aus der angegebenen Liste beginnen sollen.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Beispiele

repo-is-openpolicyagent

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sBlockEndpointEditDefaultRole

Viele Kubernetes-Installationen haben standardmäßig eine system:aggregate-to-edit ClusterRole, die den Zugriff auf die Bearbeitung von Endpunkten nicht richtig einschränkt. Dieses ConstraintTemplate verbietet der system:aggregate-to-edit ClusterRole, die Erlaubnis zur Erstellung/Patch/Aktualisierung von Endpunkten zu erteilen. ClusterRole/system:aggregation-to-edit sollte aufgrund von CVE-2021-25740-Berechtigungen, den Endpoint- und EndpointSlice-Berechtigungen, die Namespace-übergreifende Weiterleitung nicht zulassen, https://github.com/kubernetes/kubernetes/issues/103675.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

block-endpoint-edit-default-role

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
Zulässig
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
Nicht zugelassen
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

K8sBlockNodePort

Verhindert alle Dienste mit dem Typ NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

block-node-port

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Nicht zugelassen
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockProcessNamespaceSharing

Unterbindet Pod-Spezifikationen, bei denen shareProcessNamespace auf true festgelegt ist. Dadurch werden Szenarien vermieden, in denen alle Container in einem Pod den gleichen PID-Namespace verwenden und auf das Dateisystem und den Arbeitsspeicher des jeweils anderen Systems zugreifen können.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

block-process-namespace-sharing

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sContainerLimits

Erfordert, dass in Containern Speicher- und CPU-Beschränkungen festgelegt sind, die innerhalb der angegebenen Höchstwerte liegen müssen. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

Beispiele

container-must-have-limits

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

Legt ein maximales Verhältnis für Containerressourcenlimits zu Anfragen fest. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

Beispiele

container-must-meet-ratio

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi

K8sDisallowedRoleBindingSubjects

Unterbindet RoleBinding oder ClusterRoleBinding mit Subjekten, die mit einem als Parameter übergebenen disallowedSubjects übereinstimmen.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

Beispiele

disallowed-rolebinding-subjects

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
Zulässig
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
Nicht zugelassen
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

Erfordert, dass Container-Images ein Image-Tag haben, das sich von denen in der angegebenen Liste unterscheidet. https://kubernetes.io/docs/concepts/containers/images/#image-names

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

Beispiele

container-image-must-not-have-latest-tag

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    tags:
    - latest
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

K8sEmptyDirHasSizeLimit

Erfordert, dass alle emptyDir-Volumes einen sizeLimit angeben. Optional kann in der Einschränkung der Parameter maxSizeLimit angegeben werden, um ein maximal zulässiges Größenlimit anzugeben.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

Beispiele

empty-dir-has-size-limit

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  parameters:
    maxSizeLimit: 4Gi
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sExternalIPs

Beschränkt externe IP-Adressen auf eine zulässige Liste von IP-Adressen. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

Beispiele

external-ips

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
Zulässig
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
Nicht zugelassen
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHttpsOnly

Erfordert Ingress-Ressourcen, um nur HTTPS zu verwenden. Ingress-Ressourcen müssen Folgendes enthalten: eine gültige TLS-Konfiguration, einschließlich der Annotation kubernetes.io/ingress.allow-http, festgelegt auf

false.

https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

ingress-https-only

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Nicht zugelassen
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

K8sImageDigests

Erfordert, dass Container-Images einen Digest enthalten. https://kubernetes.io/docs/concepts/containers/images/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

container-image-must-have-digest

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa

K8sLocalStorageRequireSafeToEvict

Erfordert Pods, die lokalen Speicher (emptyDir oder hostPath) mit der Annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" verwenden. Cluster Autoscaler löscht Pods ohne diese Annotation nicht.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

local-storage-require-safe-to-evict

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
Zulässig
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

Erhöht die Pod-Stabilität. Dafür muss der angeforderte Speicher aller Container genau dem Speicherlimit entsprechen, sodass sich Pods nie in einem Zustand befinden, in dem die Speichernutzung den angeforderten Umfang überschreitet. Andernfalls kann Kubernetes Pods beenden, die zusätzlichen Speicher anfordern, wenn der Speicher auf dem Knoten benötigt wird.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

container-must-request-limit

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

Verbindet Secrets als Umgebungsvariablen in Pod-Containerdefinitionen. Verwenden Sie stattdessen bereitgestellte Secret-Dateien in Datenvolumen: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

no-secrets-as-env-vars

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars
spec:
  enforcementAction: dryrun
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

Verhindert das Erstellen bekannter Ressourcen, die Arbeitslasten für externe IP-Adressen verfügbar machen. Dazu gehören Istio-Gateway-Ressourcen und Kubernetes Ingress-Ressourcen. Kubernetes-Dienste sind ebenfalls nur zulässig, wenn sie die folgenden Kriterien erfüllen: Jeder Dienst vom Typ LoadBalancer muss eine "cloud.google.com/load-balancer-type": "Internal"-Anmerkung haben. Alle "externen IP-Adressen" (außerhalb des Clusters), die an den Dienst gebunden sind, müssen Mitglied eines Bereichs internen CIDRs sein, wie für die Einschränkung angegeben.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

Beispiele

no-external

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
Zulässig
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
Nicht zugelassen
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888

K8sPSPAllowPrivilegeEscalationContainer

Steuert die Einschränkung der Eskalation auf Root-Berechtigungen. Entspricht dem Feld allowPrivilegeEscalation in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

psp-allow-privilege-escalation-container

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

Steuert die Nutzer- und Gruppen-IDs des Containers und einige Volumes. Entspricht den Feldern runAsUser, runAsGroup, supplementalGroups und fsGroup in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

Beispiele

psp-pods-allowed-user-ranges

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

Konfiguriert eine Zulassungsliste von AppArmor-Profilen für die Verwendung durch Container. Das entspricht bestimmten Annotationen, die auf eine PodSecurityPolicy angewendet werden. Informationen zu AppArmor finden Sie unter https://kubernetes.io/docs/tutorials/clusters/apparmor/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>

Beispiele

psp-apparmor

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
Zulässig
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

Steuert Linux-Funktionen für Container. Entspricht den Feldern allowedCapabilities und requiredDropCapabilities in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#functions

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

Beispiele

capabilities-demo

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

Steuert die Zuweisung einer FSGroup, die die Volumes des Pods besitzt. Entspricht dem Feld fsGroup in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

Beispiele

psp-fsgroup

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

Steuert die Zulassungsliste der FlexVolume-Treiber. Entspricht dem Feld allowedFlexVolumes in PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

Beispiele

psp-flexvolume-drivers

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

Steuert das von Containern verwendete Profil sysctl. Entspricht dem Feld forbiddenSysctls in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

Beispiele

psp-forbidden-sysctls

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    forbiddenSysctls:
    - kernel.*
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"

K8sPSPHostFilesystem

Steuert die Nutzung des Hostdateisystems. Entspricht dem Feld allowedHostPaths in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

Beispiele

psp-host-filesystem

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

K8sPSPHostNamespace

Verhindert die Freigabe von Host-PID- und IPC-Namespaces nach Pod-Containern. Entspricht den Feldern hostPID und hostIPC in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

psp-host-namespace

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Steuert die Nutzung des Hostnetzwerk-Namespace nach Pod-Containern. Bestimmte Ports müssen angegeben werden. Entspricht den Feldern hostNetwork und hostPorts in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

Beispiele

psp-host-network-ports

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

Steuert die Fähigkeit eines Containers, den privilegierten Modus zu aktivieren. Entspricht dem Feld privileged in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

psp-privileged-container

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

Steuert die zulässigen procMount-Typen für den Container. Entspricht dem Feld allowedProcMountTypes in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowprocmounttypes.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

Beispiele

psp-proc-mount

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

Erfordert die Verwendung eines schreibgeschützten Root-Dateisystems durch Pod-Container. Entspricht dem Feld readOnlyRootFilesystem in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

psp-readonlyrootfilesystem

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinux

Steuert den SELinux-Kontext des Containers.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinux
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    allowedSELinuxOptions:
      level: <string>
      role: <string>
      type: <string>
      user: <string>

Beispiele

psp-selinux

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinux
metadata:
  name: psp-selinux
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
      level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSELinuxV2

Definiert eine Zulassungsliste von seLinuxOptions-Konfigurationen für Pod-Container. Entspricht einer PodSecurityPolicy, die SELinux-Konfigurationen erfordert. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>

Beispiele

psp-selinux-v2

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Steuert das von Containern verwendete seccomp-Profil. Entspricht der Annotation seccomp.security.alpha.kubernetes.io/allowedProfileNames in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # annotations on Pods.
    allowedProfiles:
      - <string>

Beispiele

psp-seccomp

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default
Zulässig
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx

K8sPSPVolumeTypes

Beschränkt die bereitstellbaren Volume-Typen auf die vom Nutzer angegebenen Volumes. Entspricht dem Feld volumes in einer PodSecurityPolicy. Weitere Informationen finden Sie unter https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

Beispiele

psp-volume-types

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPodsRequireSecurityContext

Erfordert, dass alle Pods securityContext definieren. Erfordert, dass alle in Pods definierten Container einen SecurityContext auf Pod- oder Containerebene definieren.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

pods-require-security-context

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
spec:
  enforcementAction: dryrun
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Erfordert, dass Roles und ClusterRoles den Ressourcenzugriff nicht auf einen Platzhalterwert („“) festlegen. Beschränkt den Platzhalterzugriff auf untergeordnete Ressourcen wie „/status“.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

prohibit-role-wildcard-access

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access
spec:
  enforcementAction: dryrun
Zulässig
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
Nicht zugelassen
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

Erfordert, dass Objekte mit dem Feld spec.replicas (Deployments, ReplicaSets usw.) eine Anzahl von Replikaten innerhalb definierter Bereiche angeben.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Beispiele

replica-limits

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3
Zulässig
apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Nicht zugelassen
apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireNamespaceNetworkPolicies

Erfordert, dass jeder im Cluster definierte Namespace eine NetworkPolicy hat. Hinweis: Diese Einschränkung ist referenziell. Weitere Informationen finden Sie unter https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#referential.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

require-namespace-network-policies

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies
spec:
  enforcementAction: dryrun
Zulässig
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-good-example
Nicht zugelassen
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequiredAnnotations

Erfordert, dass alle Ressourcen bestimmte Annotation(en) mit einem Wert enthalten, der einem angegebenen regulären Ausdruck entspricht.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    annotations:
      - allowedRegex: <string>
        key: <string>
    message: <string>

Beispiele

all-must-have-certain-set-of-annotations

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Zulässig
apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
Nicht zugelassen
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

Erfordert, dass alle Ressourcen ein angegebenes Label mit einem Wert enthalten, der einem angegebenen regulären Ausdruck entspricht.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    labels:
      - allowedRegex: <string>
        key: <string>
    message: <string>

Beispiele

all-must-have-owner

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username
Zulässig
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace
Nicht zugelassen
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Erfordert, dass Pods über Bereitschafts- und/oder Aktivitätsprüfungen verfügen.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    probeTypes:
      - <string>
    probes:
      - <string>

Beispiele

must-have-probes

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe: null
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

K8sRestrictLabels

Verhindert, dass Ressourcen bestimmte Labels enthalten, es sei denn, es gibt eine Ausnahme für die jeweilige Ressource.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

Beispiele

restrict-label-example

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example
Zulässig
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

Schränkt die Verwendung von Namespaces durch Ressourcen ein, die unter dem Parameter restrictedNamespaces aufgeführt sind.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

Beispiele

restrict-default-namespace

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default
Zulässig
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx
Nicht zugelassen
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictRoleBindings

Schränkt ClusterRoleBindings und RoleBindings ein, auf die angegebene Rolle/ClusterRole zu verweisen, sofern nicht alle Subjekte der Bindung als zulässig markiert sind.

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject.
        name: <string>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

Beispiele

restrict-clusteradmin-rolebindings

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
Zulässig
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
Nicht zugelassen
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sUniqueIngressHost

Alle Ingress-Regelhosts müssen eindeutig sein. Unterstützt keine Hostnamen-Platzhalter: https://kubernetes.io/docs/concepts/services-networking/ingress/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

unique-ingress-host

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Nicht zugelassen
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-host-example
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-host-example2
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

K8sUniqueServiceSelector

Dienste müssen einen eindeutigen Selektor innerhalb eines Namespace haben. Selektoren werden als identisch betrachtet, wenn sie identische Schlüssel und Werte haben. Selektoren können ein Schlüssel/Wert-Paar verwenden, solange sich mindestens ein separates Schlüssel/Wert-Paar zwischen ihnen befindet. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

unique-service-selector

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
Nicht zugelassen
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

PolicyStrictOnly

Erfordert, dass die Istio-Authentifizierungsrichtlinie Peers mit gegenseitigem TLS von STRICT angibt. https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

policy-strict-constraint

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
Nicht zugelassen
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

SourceNotAllAuthz

Erfordert, dass die AuthorizationPolicy-Regeln von Istio Quellhauptkonten auf etwas anderes als "*" gesetzt haben. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Einschränkungsschema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

Beispiele

sourcenotall-authz-constraint

Einschränkung
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Nicht zugelassen
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

Nächste Schritte