Bibliothèque de modèles de contrainte

Les modèles de contrainte vous permettent de définir le fonctionnement d'une contrainte mais délèguent la définition des spécificités de la contrainte à un individu ou à un groupe ayant une expertise en la matière. En plus de séparer les divers problèmes, cela sépare également la logique de la contrainte de sa définition.

Toutes les contraintes contiennent une section match qui définit les objets auxquels une contrainte s'applique. Pour en savoir plus sur la configuration de cette section, consultez la page Section de correspondance de contrainte.

Tous les modèles de contraintes ne sont pas disponibles pour toutes les versions de Policy Controller, et les modèles peuvent changer d'une version à l'autre. Utilisez les liens suivants pour comparer les contraintes des versions compatibles:

Liens vers les versions compatibles de cette page

Pour vous assurer d'être entièrement compatible, nous vous recommandons d'utiliser des modèles de contrainte issus d'une version compatible de Policy Controller.

Pour vous aider à comprendre le fonctionnement des modèles de contraintes, chaque modèle inclut un exemple de contrainte et une ressource qui ne respecte pas la contrainte.

Modèles de contraintes disponibles

Modèle de contrainte	Description	Référence
AllowedServicePortName	Nécessite que les noms de port du service comportent un préfixe provenant d'une liste spécifiée.	Non
AsmAuthzPolicyDefaultDeny	Appliquez la règle de refus AuthorizationPolicy par défaut au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.	Oui
AsmAuthzPolicyDisallowedPrefix	Nécessite que les comptes principaux et les espaces de noms des règles Istio "AuthorizationPolicy" ne comportent pas de préfixe provenant d'une liste spécifiée. https://Istio.io/latest/docs/reference/config/security/permission-policy/	Non
AsmAuthzPolicyEnforceSourcePrincipals	Nécessite que le champ "from" de la règle AuthorizationPolicy d'Istio, lorsqu'il est défini, possède des principes sources, qui doivent être définis sur une valeur autre que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/	Non
AsmAuthzPolicyNormalization	Appliquez la normalisation de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/reference/config/security/normalization/.	Non
AsmAuthzPolicySafePattern	Appliquez les modèles sécurisés de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.	Non
AsmIngressgatewayLabel	N'appliquez le libellé ingressgateway d'Istio que sur les pods ingressgateway.	Non
AsmPeerAuthnMeshStrictMtls	Appliquez PeerAuthentication en mode mTLS strict au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.	Oui
AsmPeerAuthnStrictMtls	L'application de l'ensemble des PeerAuthentications ne peut pas écraser le mode mTLS strict. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.	Non
AsmRequestAuthnProhibitedOutputHeaders	Dans "RequestAuthentication", forcez le champ "jwtRules.outPayloadToHeader" à ne pas contenir d'en-têtes de requêtes HTTP bien connus ni d'en-têtes de requêtes HTTP personnalisés. Consultez la documentation de référence sur la page https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.	Non
AsmSidecarInjection	Appliquez le proxy side-car Istio, toujours injecté dans les pods de la charge de travail.	Non
DestinationRuleTLSEnabled	Interdit la désactivation du protocole TLS pour tous les hôtes et sous-ensembles d'hôtes dans les DestinationRules d'Istio.	Non
DisallowedAuthzPrefix	Nécessite que les comptes principaux et les espaces de noms des règles Istio "AuthorizationPolicy" ne comportent pas de préfixe provenant d'une liste spécifiée. https://Istio.io/latest/docs/reference/config/security/permission-policy/	Non
GCPStorageLocationConstraintV1	Limite les "emplacements" autorisés pour les ressources du connecteur de configuration StorageBucket à la liste des emplacements fournis dans la contrainte. Les noms de buckets figurant dans la liste des exceptions sont exemptés.	Non
GkeSpotVMTerminationGrace	Les pods et les modèles de pod associés à "nodeAfffinty" ou "nodeAfffinty" de "gke-spot" doivent avoir une valeur "terminationGracePeriodseconds" de 15 secondes ou moins.	Oui
K8sAllowedRepos	Nécessite que les images de conteneur commencent par une chaîne de la liste spécifiée.	Non
K8sAvoidUseOfSystemMastersGroup	Interdit l'utilisation du groupe "system:masters". N'a aucun effet pendant l'audit.	Non
K8sBlockAllIngress	Interdit la création d'objets Ingress (types "Ingress", "Gateway" et "Service" de "NodePort" et "LoadBalancer").	Non
K8sBlockCreationWithDefaultServiceAccount	Interdit la création de ressources à l'aide d'un compte de service par défaut. N'a aucun effet pendant l'audit.	Non
K8sBlockEndpointEditDefaultRole	Par défaut, de nombreuses installations Kubernetes comportent un ClusterRole system:aggregate-to-edit qui ne limite pas correctement l'accès à la modification des points de terminaison. Ce ConstraintTemplate empêche le système ClusterRole:system-aggregate-to-edit d'accorder l'autorisation de créer, d'appliquer des correctifs et de mettre à jour des points de terminaison. ClusterRole/system:aggregate-to-edit ne doit pas accepter les autorisations de modification des points de terminaison en raison de la norme CVE-2021-25740, les autorisations Endpoint & EndpointSlice permettent le transfert d'espaces de noms multiples, https://github.com/kubernetes/kubernetes/issues/103675	Non
K8sBlockLoadBalancer	Interdit tous les services de type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer	Non
K8sBlockNodePort	Interdit tous les services de type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport	Non
K8sBlockObjectsOfType	Interdit les objets de types interdits.	Non
K8sBlockProcessNamespaceSharing	Interdit les spécifications des pods lorsque "shareProcessnamespace" est défini sur "true". Cela permet d'éviter que tous les conteneurs d'un pod partagent un espace de noms PID, et puissent accéder mutuellement au système de fichiers et à la mémoire.	Non
K8sBlockWildcardIngress	Les utilisateurs ne doivent pas pouvoir créer d'objets Ingress avec un nom d'hôte vide ou générique (*), car cela leur permettrait d'intercepter le trafic pour d'autres services du cluster, même s'ils n'ont pas accès à ces services.	Non
K8sContainerEphemeralStorageLimit	Nécessite que les conteneurs aient une limite de stockage éphémère définie et qu'elle ne dépasse pas les valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/	Non
K8sContainerLimits	Exige des limites de mémoire et de processeur pour les conteneurs, avec des limites correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/	Non
K8sContainerRatios	Définit un ratio maximal pour les limites de ressources de conteneurs des requêtes. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/	Non
K8sContainerRequests	Exige des requêtes de mémoire et de processeur pour les conteneurs, avec des requêtes correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/	Non
K8sCronJobAllowedRepos	Nécessite que les images de conteneur des jobs Cron commencent par une chaîne de la liste spécifiée.	Non
K8sDisallowAnonymous	Interdit l'association des ressources ClusterRole et Role à l'utilisateur system:anonymous et au groupe system:unauthenticated.	Non
K8sInterdireInteractiveTTY	Les champs "spec.tty" et "spec.stdin" des objets doivent être définis sur "false" ou non définis.	Non
K8sDisallowedRepos	Dépôts de conteneurs non autorisés commençant par une chaîne de la liste spécifiée.	Non
K8sDisallowedRoleBindingSubjects	Interdit les RoleBindings ou ClusterRoleBindings avec les sujets correspondant à des sujets "disallowedSubjects" transmis en tant que paramètres.	Non
K8sDisallowedTags	Nécessite que les images de conteneur aient un tag d'image différent de celui de la liste spécifiée. https://kubernetes.io/docs/concepts/containers/images/#image-names	Non
K8sEmptyDirHasSizeLimit	Tous les volumes " emptyDir" doivent spécifier un "sizeLimit". Un paramètre "maxSizeLimit" peut éventuellement être fourni dans la contrainte pour spécifier une limite de taille maximale autorisée.	Non
K8sEnforceCloudArmorBackendConfig	Applique la configuration Cloud Armor sur les ressources BackendConfig	Non
K8sEnforceConfigManagement	Nécessite la présence et l'utilisation de Config Management. Les contraintes utilisant ce "ConstraintTemplate" ne seront auditées que, quelle que soit la valeur "enforcementAction".	Oui
K8sExternalIPs	Limite les adresses IP externes du service à une liste d'adresses IP autorisées. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips	Non
K8sHorizontalPodAutoscaler	Interdictez les scénarios suivants lors du déploiement d'HorizontalPodAutoscalers. 1. Déploiement d'HorizontalPodAutoscalers avec ".spec.minReplicas" ou ".spec.maxReplicas" en dehors des plages définies dans la contrainte 2. Déploiement des objets HorizontalPodAutoscalers où la différence entre ".spec.minReplicas" et ".spec.maxReplicas" est inférieure au "minimumReplicaReplica" configuré. 3. Déploiement d'HorizontalPodAutoscalers qui ne référencent pas de "scaleTargetRef" valide (par exemple, Deployment, ReplicationController, ReplicaSet, StatefulSet).	Oui
K8sHttpsOnly	Exige que les ressources Ingress soient de type HTTPS uniquement. Les ressources d'entrée doivent inclure l'annotation "kubernetes.io/ingress.allow-http", définie sur "false". Par défaut, une configuration TLS {} valide est requise. Vous pouvez la rendre facultative en définissant le paramètre "tlsOptional" sur "true". https://kubernetes.io/docs/concepts/services-networking/ingress/#tls	Non
K8sImageDigests	Nécessite que les images de conteneur contiennent un condensé. https://kubernetes.io/docs/concepts/containers/images/	Non
K8sLocalStorageRequireSafeToEvict	L'annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" ne doit pas être supprimée pour les pods utilisant le stockage local (" emptyDir" ou "hostPath"). L'autoscaler ne supprime pas les pods sans cette annotation.	Non
K8sMemoryRequestEqualsLimit	Favorise la stabilité du pod en exigeant que la mémoire demandée de tous les conteneurs soit exactement égale à la limite de mémoire. Ainsi, les pods ne sont jamais dans un état où l'utilisation de mémoire dépasse la quantité demandée. Sinon, Kubernetes peut arrêter les pods qui demandent de la mémoire supplémentaire si de la mémoire est nécessaire sur le nœud.	Non
K8sNoEnvVarSecrets	Interdit les secrets en tant que variables d'environnement dans les définitions de conteneur des pods. Utilisez plutôt des fichiers secrets installés dans des volumes de données : https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod	Non
K8sNoExternalServices	Interdit la création de ressources connues qui exposent les charges de travail à des adresses IP externes. Cela inclut les ressources Istio Gateway et Kubernetes Ingress. Les services Kubernetes ne sont pas non plus autorisés, sauf s'ils répondent aux critères suivants : Tout service de type "LoadBalancer" dans Google Cloud doit comporter une annotation "networking.gke.io/load-balancer-type": "Interne". Dans AWS, tout service de type "LoadBalancer" doit comporter une annotation "service.beta.kubernetes.io/aws-load-balancer-internal: "true". Toutes les "adresses IP externes" (externes au cluster) liées au service doivent être membres d'une plage de CIDR internes, comme indiqué dans la contrainte.	Non
K8sPSPAllowPrivilegeEscalationContainer	Contrôle la limite de passage aux droits racine. Correspond au champ "allowPrivilegeescalation" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-élévation.	Non
K8sPSPAllowedUsers	Contrôle les ID d'utilisateur et de groupe du conteneur, ainsi que certains volumes. Correspond aux champs "runAsUser", "runAsGroup", "supplementalGroups" et "fsGroup" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups	Non
K8sPSPAppArmor	Configure une liste d'autorisation de profils AppArmor à utiliser par les conteneurs. Cela correspond aux annotations spécifiques appliquées à une règle PodSecurityPolicy. Pour plus d'informations sur AppArmor, consultez la page https://kubernetes.io/docs/tutorials/clusters/apparmor/.	Non
K8sPSPAutomountServiceAccountTokenPod	Contrôle la capacité de n'importe quel pod à activer automountServiceAccountToken.	Non
K8sPSPCapabilities	Contrôle les capacités Linux sur les conteneurs. Correspond aux champs "allowedCapabilities" et "requiredDropCapabilities" dans une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#Capabilities	Non
K8sPSPFSGroup	Contrôle l'allocation d'un FSGroup qui est propriétaire des volumes du pod. Correspond au champ "fsGroup" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.	Non
K8sPSPFlexVolumes	Contrôle la liste d'autorisation des pilotes FlexVolume. Correspond au champ "allowedFlexVolumes" dans PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers	Non
K8sPSPForbiddenSysctls	Contrôle le profil "sysctl" utilisé par les conteneurs. Correspond aux champs "allowedUnsafeSysctls" et "forbiddenSysctls" dans une règle PodSecurityPolicy. Si spécifié, tout paramètre sysctl qui ne figure pas dans le paramètre "allowedSysctls" est considéré comme interdit. Le paramètre "forbiddenSysctls" est prioritaire sur le paramètre "allowedSysctls". Pour en savoir plus, consultez la page https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/.	Non
K8sPSPHostFilesystem	Contrôle l'utilisation du système de fichiers hôte. Correspond au champ "allowedHostPaths" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.	Non
K8sPSPHostNamespace	Interdit le partage des espaces de noms PID et IPC hôtes par les conteneurs de pods. Correspond aux champs "hostPID" et "hostIPC" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.	Non
K8sPSPHostNetworkingPorts	Contrôle l'utilisation de l'espace de noms du réseau hôte par les conteneurs de pods. Des ports spécifiques doivent être spécifiés. Correspond aux champs "hostNetwork" et "hostPorts" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.	Non
K8sPSPPrivilegedContainer	Contrôle la capacité de n'importe quel conteneur à activer le mode privilégié. Correspond au champ "privileged" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged.	Non
K8sPSPProcMount	Contrôle les types "procMount" autorisés pour le conteneur. Correspond au champ "allowedProcMountTypes" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes.	Non
K8sPSPReadOnlyRootFilesystem	Nécessite l'utilisation d'un système de fichiers racine en lecture seule par les conteneurs de pods. Correspond au champ "readOnlyRootFilesystem" dans une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.	Non
K8sPSPSELinuxV2	Définit une liste d'autorisation de configurations seLinuxOptions pour les conteneurs de pods. Correspond à une règle PodSecurityPolicy nécessitant des configurations SELinux. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux.	Non
K8sPSPSeccomp	Contrôle le profil seccomp utilisé par les conteneurs. Correspond à l'annotation "seccomp.security.alpha.kubernetes.io/allowedProfileNames" sur une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp.	Non
K8sPSPVolumeTypes	Limite les types de volumes installables à ceux spécifiés par l'utilisateur. Correspond au champ "volumes" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.	Non
K8sPSPWindowsHostProcess	Limite l'exécution des conteneurs / pods Windows HostProcess. Pour en savoir plus, consultez https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.	Non
K8sPSSRunAsNonRoot	Nécessite que les conteneurs s'exécutent en tant qu'utilisateurs non racines. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/security/pod-security-standards/	Non
K8sPodDisruptionBudget	Interdire les scénarios suivants lors du déploiement de PodDisruptionBudgets ou de ressources qui mettent en œuvre la sous-ressource d'instance dupliquée (par exemple Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Déploiement de PodDisruptionBudgets avec .spec.maxUnavailable == 0 2. Déploiement de PodDisruptionBudgets avec .spec.minAvailable == .spec.replicas de la ressource avec sous-ressource d'instance dupliquée. Cette opération empêche PodDisruptionBudgets de bloquer les interruptions volontaires telles que le drainage de nœud. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/	Oui
K8sPodResourcesBestPractices	Nécessite que les conteneurs ne reposent pas sur le meilleur effort (en définissant les demandes de ressources de processeur et de mémoire) et qu'ils suivent les bonnes pratiques d'utilisation intensive (le nombre de demandes de mémoire doit être strictement identique à la limite). Vous pouvez éventuellement configurer des clés d'annotation pour ignorer les différentes validations.	Non
K8sPodsRequireSecurityContext	Nécessite que tous les pods définissent securityContext. Nécessite que tous les conteneurs définis dans les pods aient un contexte SecurityContext défini au niveau du pod ou du conteneur.	Non
K8sProhibitRoleWildcardAccess	Les objets Role et ClusterRole ne doivent pas définir l'accès aux ressources en fonction d'une valeur générique "", à l'exception des objets Role et ClusterRole exemptés fournis en tant qu'exceptions. Ne limite pas l 'accès avec caractères génériques aux sous-ressources, telles que "/status"'.	Non
K8sReplicaLimits	Les objets avec le champ "spec.replicas" (déploiements, ReplicaSets, etc.) doivent spécifier un nombre d'instances répliquées dans des plages définies.	Non
K8sRequireAdmissionController	Nécessite l'admission de sécurité des pods ou un système de contrôle de règles externe	Oui
K8sExigerBinAuthZ	Nécessite le Binary Authorization Validating Admission Webhook. Les contraintes utilisant ce "ConstraintTemplate" ne seront auditées que, quelle que soit la valeur "enforcementAction".	Oui
K8sRequireCosNodeImage	Applique l'utilisation de Container-Optimized OS de Google sur les nœuds.	Non
K8sRequireDaemonsets	Nécessite la présence de la liste des daemonsets spécifiés.	Oui
K8sRequireDefaultDenyEgressPolicy	Nécessite que chaque espace de noms défini dans le cluster dispose d'une règle NetworkPolicy de refus par défaut pour la sortie.	Oui
K8sRequireNamespaceNetworkPolicies	Nécessite que chaque espace de noms défini dans le cluster ait un objet NetworkPolicy.	Oui
K8sRequireValidRangesForNetworks	Détermine les blocs CIDR autorisés pour l'entrée et la sortie réseau.	Non
K8sRequiredAnnotations	Exige que les ressources contiennent des annotations spécifiées, avec des valeurs correspondant aux expressions régulières fournies.	Non
K8sRequiredLabels	Exige que les ressources contiennent des libellés spécifiés, avec des valeurs correspondant aux expressions régulières fournies.	Non
K8sRequiredProbes	Exige que les pods fassent l'objet de vérifications d'aptitude et/ou d'activité.	Non
K8sRequiredResources	Nécessite que les conteneurs aient un ensemble de ressources définies. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/	Non
K8sRestrictAdmissionController	Limiter les contrôleurs d'admission dynamiques à ceux autorisés	Non
K8sRestrictAutomountServiceAccountTokens	Limite l'utilisation des jetons de compte de service.	Non
K8sRestrictLabels	Empêche les ressources de contenir des libellés spécifiés, sauf en cas d'exception pour la ressource spécifique.	Non
K8sRestrictNamespaces	Empêche les ressources d'utiliser des espaces de noms répertoriés dans le paramètre restrictedNamespaces.	Non
K8sRestrictNfsUrls	Interdit aux ressources de contenir des URL NFS, sauf indication contraire.	Non
K8sRestrictRbacSubjects	Limite l'utilisation des noms dans les sujets RBAC aux valeurs autorisées.	Non
K8sRestrictRoleBindings	Limite les sujets spécifiés dans les objets ClusterRoleBinding et RoleBinding à une liste de sujets autorisés.	Non
K8sRestrictRoleRules	Limite les règles pouvant être définies sur les objets Role et ClusterRole.	Non
K8sStorageClass	Vous devez spécifier des classes de stockage lorsqu'elles sont utilisées. Seuls les conteneurs Gatekeeper 3.9 ou version ultérieure et les conteneurs non éphémères sont acceptés.	Oui
K8sUniqueIngressHost	Exige que tous les hôtes de règle Ingress soient uniques. N'accepte pas les caractères génériques du nom d'hôte : https://kubernetes.io/docs/concepts/services-networking/ingress/	Oui
K8sUniqueServiceSelector	Exige que les Services aient des sélecteurs uniques au sein d'un espace de noms. Les sélecteurs sont considérés comme identiques s'ils possèdent des clés et des valeurs identiques. Les sélecteurs peuvent partager une paire clé/valeur s'il existe au moins une paire clé/valeur distincte entre eux. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service	Oui
NoUpdateServiceAccount	Bloque la mise à jour du compte de service sur les ressources qui extraient sur les pods. Cette règle est ignorée en mode audit.	Non
PolicyStrictOnly	Nécessite que l'authentification TLS mutuelle "STRICT" d'Istio soit toujours spécifiée lors de l'utilisation de l'authentification [PeerAuthentication](https://Istio.io/latest/docs/reference/config/security/peer_authentication/). Cette contrainte garantit également que les ressources [Policy](https://Istio.io/v1.4/docs/reference/config/security/itunes.authentication.v1alpha1/#Policy) et MeshPolicy obsolètes appliquent le protocole TLS mutuel "STRICT". Consultez la page https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh.	Non
RestrictNetworkExclusions	Contrôlez les ports entrants, les ports sortants et les plages d'adresses IP sortantes pouvant être exclues de la capture du réseau Istio. Les ports et les plages d'adresses IP qui contournent la capture du réseau Istio ne sont pas gérés par le proxy Istio et ne sont pas soumis à l'authentification mTLS d'Istio, à la règle d'autorisation et à d'autres fonctionnalités d'Istio. Cette contrainte peut être utilisée pour appliquer des restrictions à l'utilisation des annotations suivantes : * "traffic.sidecar.Istio.io/excludedInboundPorts" * "traffic.sidecar.Istio.io/excludedSortPorts" * "traffic.sidecar.figurent.io/excludedSortOutRanges" Voir https://Istio.io/latest/docs/reference/config/annotations/. Lorsque vous limitez des plages d'adresses IP sortantes, la contrainte calcule si les plages d'adresses IP exclues correspondent ou sont un sous-ensemble des exclusions de plages d'adresses IP autorisées. Lorsque vous utilisez cette contrainte, tous les ports entrants, les ports sortants et les plages d'adresses IP sortantes doivent toujours être inclus en définissant les annotations d'inclusion correspondantes sur"" ou en les laissant non définies. Il n'est pas autorisé de définir l'une des annotations suivantes sur une valeur autre que "" : * "traffic.sidecar.Istio.io/includeInboundPorts" * "traffic.sidecar.Istio.io/includeExitPorts" * "traffic.sidecar.).	Non
SourceNotAllAuthz	Nécessite que les comptes principaux sources des règles AuthorizationPolicy d'Istio soient définis sur autre chose que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/	Non
VerifyDeprecatedAPI	Vérifie les API Kubernetes obsolètes pour s'assurer que toutes les versions d'API sont à jour. Ce modèle ne s'applique pas à l'audit, car l'audit examine les ressources déjà présentes dans le cluster avec des versions d'API non obsolètes.	Non

AllowedServicePortName

Noms des ports de service autorisés v1.0.1

Nécessite que les noms de port du service comportent un préfixe provenant d'une liste spécifiée.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

Examples

port-name-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-

Autorisés

apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
  - name: http-helloport
    port: 5000
  selector:
    app: helloworld

Non autorisé

apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
  - name: foo-helloport
    port: 5000
  selector:
    app: helloworld

apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld

AsmAuthzPolicyDefaultDeny

Refus par défaut ASM AuthorizationPolicy v1.0.4

Appliquez la règle de refus AuthorizationPolicy par défaut au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Contrainte référentielle

Cette contrainte est référentielle. Avant de les utiliser, vous devez activer les contraintes référentielles et créer une configuration indiquant à Policy Controller les types d'objets à surveiller.

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "AuthorizationPolicy"

Examples

asm-authz-policy-default-deny-with-input-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High

Autorisés

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW

Non autorisé

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST

asm-authz-policy-default-deny-no-input-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High

Autorisés

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW

Non autorisé

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST

AsmAuthzPolicyDisallowedPrefix

Préfixes non autorisés pour la stratégie d'autorisation ASM v1.0.2

Nécessite que les comptes principaux et les espaces de noms des règles AuthorizationPolicy d'Istio ne comportent pas de préfixe provenant d'une liste spécifiée. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
    disallowedNamespacePrefixes:
      - <string>
    # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
    disallowedPrincipalPrefixes:
      - <string>

Examples

asm-authz-policy-disallowed-prefix-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
    - bad-ns-prefix
    - worse-ns-prefix
    disallowedPrincipalPrefixes:
    - bad-principal-prefix
    - worse-principal-prefix

Autorisés

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/worse-principal-prefix-sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyEnforceSourcePrincipals

Comptes principaux d'application d'ASM AuthorizationPolicy v1.0.2

Nécessite que le champ "from" de la règle AuthorizationPolicy d'Istio, lorsqu'il est défini, possède des principes sources, qui doivent être définis sur une valeur autre que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-authz-policy-enforce-source-principals-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy

Autorisés

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyNormalization

Normalisation ASM AuthorizationPolicy v1.0.2

Appliquez la normalisation de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/reference/config/security/normalization/.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-authz-policy-normalization-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy

Autorisés

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - get
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Ag ent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test\/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicySafePattern

Modèles de sécurité ASM AuthorizationPolicy v1.0.4

Appliquez les modèles sécurisés de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-authz-policy-safe-pattern-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High

Autorisés

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

AsmIngressgatewayLabel

Étiquette de passerelle d'entrée ASM v1.0.3

N'appliquez le libellé ingressgateway d'Istio que sur les pods ingressgateway.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-ingressgateway-label-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

AsmPeerAuthnMeshStrictMtls

Maillage d'authentification de pair ASM mTLS v1.0.4

Appliquez PeerAuthentication en mode mTLS strict au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "PeerAuthentication"

Examples

asm-peer-authn-mesh-strict-mtls-with-input-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High

Autorisés

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT

Non autorisé

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE

asm-peer-authn-mesh-strict-mtls-no-input-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High

Autorisés

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

Non autorisé

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

AsmPeerAuthnStrictMtls

Authentification homologue ASM Strict mTLS v1.0.3

L'application de l'ensemble des PeerAuthentications ne peut pas écraser le mode mTLS strict. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-peer-authn-strict-mtls-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High

Autorisés

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

AsmRequestAuthnProhibitedOutputHeaders

En-têtes de sortie interdits ASM RequestAuthentication v1.0.2

Dans RequestAuthentication, appliquez le champ jwtRules.outPayloadToHeader pour qu'il ne contienne pas d'en-têtes de requête HTTP connus ou d'en-têtes personnalisés interdits. Consultez la documentation de référence sur la page https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>

Examples

asm-request-authn-prohibited-output-headers-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header

Autorisés

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

AsmSidecarInjection

Injection side-car ASM v1.0.2

Appliquez le proxy side-car Istio, toujours injecté dans les pods de la charge de travail.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-sidecar-injection-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High

Autorisés

apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

DestinationRuleTLSEnabled

Règle de destination TLS activé v1.0.1

Interdit la désactivation du protocole TLS pour tous les hôtes et sous-ensembles d'hôtes dans les DestinationRules d'Istio.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

dr-tls-enabled

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule

Non autorisé

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE

DisallowedAuthzPrefix

Interdire les préfixes AuthorizationPolicy d'Istio v1.0.2

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

Examples

disallowed-authz-prefix-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix

Autorisés

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

Contrainte d'emplacement de stockage GCP v1.0.3

Limite les emplacements (locations) autorisés pour les ressources Config Connector de StorageBucket à la liste des emplacements fournis dans la contrainte. Les noms de buckets de la liste exemptions sont exclus.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

Examples

singapore-and-jakarta-only

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2

Autorisés

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1

Non autorisé

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

GkeSpotVMTerminationGrace

Limite terminationGracePeriodseconds pour les VM Spot GKE v1.1.3

Les pods et les modèles de pod avec nodeSelector ou nodeAfffinty défini sur gke-spot doivent avoir une terminationGracePeriodSeconds de 15 s ou moins.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
    # of 15s or less for all `Pod` on a `gke-spot` Node.
    includePodOnSpotNodes: <boolean>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Node"

Examples

spotvm-termination-grace

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: spotvm-termination-grace
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    includePodOnSpotNodes: true

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15

apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15

apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default

apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

K8sAllowedRepos

Dépôts autorisés v1.0.1

Nécessite que les images de conteneur commencent par une chaîne de la liste spécifiée.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Examples

repo-is-openpolicyagent

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sAvoidUseOfSystemMastersGroup

Interdire l'utilisation du groupe "system:masters" v1.0.0

Interdit l'utilisation du groupe "system:masters". N'a aucun effet pendant l'audit.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>

Examples

avoid-use-of-system-masters-group

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group

Autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockAllIngress

Bloquer tous les objets Ingress v1.0.4

Interdit la création d'objets Ingress (types Ingress, Gateway et Service de NodePort et LoadBalancer).

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>

Examples

entrée "tout bloquer"

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*

Autorisés

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: disallowed-gateway-example
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.example.com'
    name: default
    port: 80
    protocol: HTTP

K8sBlockCreationWithDefaultServiceAccount

Bloquer la création avec le compte de service par défaut v1.0.2

Interdit la création de ressources à l'aide d'un compte de service par défaut. N'a aucun effet pendant l'audit.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-creation-with-default-serviceaccount

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun

Autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockEndpointEditDefaultRole

Bloquer la modification du rôle par défaut des points de terminaison v1.0.0

Par défaut, de nombreuses installations Kubernetes comportent un ClusterRole system:aggregate-to-edit qui ne limite pas correctement l'accès à la modification des points de terminaison. Ce ConstraintTemplate empêche le système ClusterRole:system-aggregate-to-edit d'accorder l'autorisation de créer, d'appliquer des correctifs et de mettre à jour des points de terminaison. ClusterRole/system:aggregate-to-edit ne doit pas accepter les autorisations de modification des points de terminaison en raison de la norme CVE-2021-25740, les autorisations Endpoint & EndpointSlice permettent le transfert d'espaces de noms multiples, https://github.com/kubernetes/kubernetes/issues/103675

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-endpoint-edit-default-role

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

K8sBlockLoadBalancer

Blocs de services avec le type LoadBalancer v1.0.0

Interdit tous les services de type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

équilibreur de charge de bloc

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service

Autorisés

apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer

K8sBlockNodePort

Bloquer NodePort v1.0.0

Interdit tous les services de type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-node-port

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockObjectsOfType

Objets Block v1.0.1

Interdit les objets de types interdits.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
      - <string>

Examples

block-secrets-of-type-basic-auth

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth

Autorisés

apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque

Non autorisé

apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth

K8sBlockProcessNamespaceSharing

Bloquer le partage d'espace de noms de processus v1.0.1

Interdit les spécifications de pod quand shareProcessNamespace est défini sur true. Cela permet d'éviter des scénarios dans lesquels tous les conteneurs d'un pod partagent un espace de noms PID et peuvent accéder au système de fichiers et à la mémoire de chacun d'entre eux.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sBlockWildcardIngress

Bloquer l'entrée à caractère générique v1.0.1

Les utilisateurs ne doivent pas pouvoir créer d'objets Ingress avec un nom d'hôte vide ou générique (*), car cela leur permettrait d'intercepter le trafic pour d'autres services du cluster, même s'ils n'ont pas accès à ces services.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-wildcard-ingress

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress

Autorisés

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

Non autorisé

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

K8sContainerEphemeralStorageLimit

Limite de stockage éphémère du conteneur v1.0.2

Nécessite que les conteneurs aient une limite de stockage éphémère définie et qu'elle ne dépasse pas les valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

container-ephemeral-storage-limit

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

K8sContainerLimits

Limites des conteneurs v1.0.1

Exige des limites de mémoire et de processeur pour les conteneurs, avec des limites correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

Examples

container-must-have-limits

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

Ratios de conteneur v1.0.1

Définit un ratio maximal pour les limites de ressources de conteneurs des requêtes. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

Examples

container-must-meet-ratio

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi

container-must-meet-memory-and-cpu-ratio

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

K8sContainerRequests

Requêtes de conteneur v1.0.1

Exige des requêtes de mémoire et de processeur pour les conteneurs, avec des requêtes correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>

Examples

container-must-have-requests

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

K8sCronJobAllowedRepos

Dépôts autorisés pour les jobs Cron v1.0.1

Nécessite que les images de conteneur des jobs Cron commencent par une chaîne de la liste spécifiée.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Examples

cronjob-restrict-repos

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: cronjob-restrict-repos
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
  parameters:
    repos:
    - gke.gcr.io/

Autorisés

apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: gke.gcr.io/busybox:1.28
            name: hello
  schedule: '* * * * *'

Non autorisé

apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: busybox:1.28
            name: hello
  schedule: '* * * * *'

K8sDisallowAnonymous

Interdire l'accès anonyme v1.0.0

Interdit l'association des ressources ClusterRole et Role à l'utilisateur system:anonymous et au groupe system:unauthenticated.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
      - <string>

Examples

no-anonymous

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sInterdireInteractiveTTY

Interdire les conteneurs TTY interactifs v1.0.0

Les champs spec.tty et spec.stdin doivent être définis sur "false" ou non définis pour les objets.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

no-interactive-tty-containers

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: no-interactive-tty-containers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-interactive-tty
  name: nginx-interactive-tty-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: false
    tty: false

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: true
    tty: true

K8sDisallowedRepos

Dépôts non autorisés v1.0.0

Dépôts de conteneurs non autorisés commençant par une chaîne de la liste spécifiée.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
      - <string>

Examples

repo-must-not-be-k8s-gcr-io

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

K8sDisallowedRoleBindingSubjects

Objets Rolebinding non autorisés v1.0.1

Interdit les objets RoleBinding ou ClusterRoleBinding avec les sujets correspondant à un disallowedSubjects transmis en tant que paramètre.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

Examples

disallowed-rolebinding-subjects

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

Interdire les balises version 1.0.1

Nécessite que les images de conteneur aient un tag d'image différent de celui de la liste spécifiée. https://kubernetes.io/docs/concepts/containers/images/#image-names

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

Examples

container-image-must-not-have-latest-tag

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor

K8sEmptyDirHasSizeLimit

Un répertoire vide a une limite de taille v1.0.5

Nécessite que tous les volumes emptyDir spécifient un sizeLimit. Un paramètre maxSizeLimit peut éventuellement être fourni dans la contrainte pour spécifier une limite de taille maximale autorisée.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
      - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

Examples

empty-dir-has-size-limit

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume

apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sEnforceCloudArmorBackendConfig

Appliquer Cloud Armor sur les ressources BackendConfig v1.0.2

Applique la configuration Cloud Armor sur les ressources BackendConfig

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

enforce-cloudarmor-backendconfig

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun

Autorisés

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy

Non autorisé

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5

K8sEnforceConfigManagement

Appliquez Config Management v1.1.6

Nécessite la présence et l'utilisation de Config Management. Les contraintes utilisant ce ConstraintTemplate seront auditées uniquement, quelle que soit la valeur de enforcementAction.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"

Examples

applique-config-management

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement

Autorisés

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true

Non autorisé

apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2

K8sExternalIPs

Adresses IP externes v1.0.0

Limite les adresses IP externes du service à une liste d'adresses IP autorisées. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

Examples

external-ips

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0

Autorisés

apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHorizontalPodAutoscaler

Autoscaler horizontal de pods v1.0.1

Interdiction des scénarios suivants lors du déploiement de HorizontalPodAutoscalers 1. Déploiement d'HorizontalPodAutoscalers avec .spec.minReplicas ou .spec.maxReplicas en dehors des plages définies dans la contrainte 2. Déploiement d'HorizontalPodAutoscalers où la différence entre .spec.minReplicas et .spec.maxReplicas est inférieure à la valeur minimumReplicaSpread 3 configurée. Déploiement d'HorizontalPodAutoscalers qui ne référencent pas un scaleTargetRef valide (par exemple, Deployment, ReplicationController, ReplicaSet, StatefulSet).

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "Deployment"
      OR
      - group: "apps"
        version: "v1"
        kind: "StatefulSet"

Examples

autoscaler de pods horizontal

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3

Autorisés

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Non autorisé

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sHttpsOnly

HTTPS uniquement v1.0.2

Exige que les ressources Ingress soient de type HTTPS uniquement. Les ressources d&#Ingress doivent inclure l'annotation kubernetes.io/ingress.allow-http, définie sur false. Par défaut, une configuration TLS {} valide est requise. Vous pouvez la rendre facultative en définissant le paramètre tlsOptional sur true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>

Examples

ingress-https-only

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress

Autorisés

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}

Non autorisé

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

ingress-https-only-tls-optional

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true

Autorisés

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

Non autorisé

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sImageDigests

Condensés d'images v1.0.1

Nécessite que les images de conteneur contiennent un condensé. https://kubernetes.io/docs/concepts/containers/images/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

container-image-must-have-digest

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

K8sLocalStorageRequireSafeToEvict

Le stockage local nécessite l'éviction sécurisée de la version 1.0.1

Nécessite que les pods qui utilisent un stockage local (emptyDir ou hostPath) comportent l'annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler ne supprime pas les pods qui ne comportent pas cette annotation.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

local-storage-require-safe-to-evict

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system

Autorisés

apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

Memory Request Equals Limit (la limite de mémoire demandée est égale à v1.0.4)

Favorise la stabilité du pod en exigeant que la mémoire demandée de tous les conteneurs soit exactement égale à la limite de mémoire. Ainsi, les pods ne sont jamais dans un état où l'utilisation de mémoire dépasse la quantité demandée. Sinon, Kubernetes peut arrêter les pods qui demandent de la mémoire supplémentaire si de la mémoire est nécessaire sur le nœud.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
      - <string>

Examples

container-must-request-limit

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi

apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

Aucun secret de variable d'environnement v1.0.1

Interdit les secrets en tant que variables d'environnement dans les définitions de conteneur des pods. Utilisez plutôt des fichiers secrets installés dans des volumes de données : https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

no-secrets-as-env-vars-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

Aucun service externe version 1.0.3

Interdit la création de ressources connues qui exposent les charges de travail à des adresses IP externes. Cela inclut les ressources Istio Gateway et Kubernetes Ingress. Les services Kubernetes ne sont pas non plus autorisés, sauf s'ils répondent aux critères suivants : tout service de type LoadBalancer dans Google Cloud doit comporter une annotation "networking.gke.io/load-balancer-type": "Internal". Tout service de type LoadBalancer dans AWS doit comporter une annotation service.beta.kubernetes.io/aws-load-balancer-internal: "true. Toutes les "adresses IP externes" (externes au cluster) liées au service doivent être membres d'une plage de CIDR internes, comme indiqué dans la contrainte.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

Examples

no-external

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32

Autorisés

apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888

apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-type: Internal
  name: allowed-internal-load-balancer
  namespace: default
spec:
  type: LoadBalancer

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888

no-external-aws

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS

Autorisés

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer

Non autorisé

apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer

K8sPSPAllowPrivilegeEscalationContainer

Autoriser l'élévation des privilèges dans le conteneur v1.0.1

Contrôle la limite de passage aux droits racine. Correspond au champ allowPrivilegeEscalation de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-élévation.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-allow-privilege-escalation-container-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

Utilisateurs autorisés v1.0.2

Contrôle les ID d'utilisateur et de groupe du conteneur, ainsi que certains volumes. Correspond aux champs runAsUser, runAsGroup, supplementalGroups et fsGroup d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

Examples

psp-pods-allowed-user-ranges

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

App Armor v1.0.0

Configure une liste d'autorisation de profils AppArmor à utiliser par les conteneurs. Cela correspond aux annotations spécifiques appliquées à une règle PodSecurityPolicy. Pour plus d'informations sur AppArmor, consultez la page https://kubernetes.io/docs/tutorials/clusters/apparmor/.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-apparmor

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default

Autorisés

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPAutomountServiceAccountTokenPod

Jeton de compte de service d'installation automatique pour le pod v1.0.1

Contrôle la capacité de n'importe quel pod à activer automountServiceAccountToken.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Examples

psp-automount-serviceaccount-token-pod

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

Fonctionnalités version 1.0.2

Contrôle les capacités Linux sur les conteneurs. Correspond aux champs allowedCapabilities et requiredDropCapabilities d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#Capabilities

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

Examples

capabilities-demo

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

FS Group v1.0.2

Contrôle l'allocation d'un FSGroup qui est propriétaire des volumes du pod. Correspond au champ fsGroup de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

Examples

psp-fsgroup

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

FlexVolumes v1.0.1

Contrôle la liste d'autorisation des pilotes FlexVolume. Correspond au champ allowedFlexVolumes de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

Examples

psp-flexvolume-drivers

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

Sysctls interdits v1.1.3

Contrôle le profil sysctl utilisé par les conteneurs. Correspond aux champs allowedUnsafeSysctls et forbiddenSysctls d'une règle PodSecurityPolicy. Si spécifié, toute valeur sysctl qui ne figure pas dans le paramètre allowedSysctls est considérée comme interdite. Le paramètre forbiddenSysctls est prioritaire sur le paramètre allowedSysctls. Pour en savoir plus, consultez la page https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
      - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

Examples

psp-forbidden-sysctls

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"

K8sPSPHostFilesystem

Système de fichiers hôte v1.0.2

Contrôle l'utilisation du système de fichiers hôte. Correspond au champ allowedHostPaths de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

Examples

psp-host-filesystem

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

K8sPSPHostNamespace

Espace de noms hôte v1.0.1

Interdit le partage des espaces de noms PID et IPC hôtes par les conteneurs de pods. Correspond aux champs hostPID et hostIPC d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Examples

psp-host-namespace-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Ports réseau hôte v1.0.2

Contrôle l'utilisation de l'espace de noms du réseau hôte par les conteneurs de pods. Des ports spécifiques doivent être spécifiés. Correspond aux champs hostNetwork et hostPorts d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

Examples

psp-host-network-ports-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

Conteneur privilégié v1.0.1

Contrôle la capacité de n'importe quel conteneur à activer le mode privilégié. Correspond au champ privileged de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-privileged-container-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

Installation de proc v1.0.3

Contrôle les types procMount autorisés pour le conteneur. Correspond au champ allowedProcMountTypes de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

Examples

psp-proc-mount

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

Système de fichiers racine en lecture seule v1.0.1

Nécessite l'utilisation d'un système de fichiers racine en lecture seule par les conteneurs de pods. Correspond au champ readOnlyRootFilesystem de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-readonlyrootfilesystem

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

SELinux V2 v1.0.2

Définit une liste d'autorisation de configurations seLinuxOptions pour les conteneurs de pods. Correspond à une règle PodSecurityPolicy nécessitant des configurations SELinux. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-selinux-v2

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Seccomp v1.0.1

Contrôle le profil seccomp utilisé par les conteneurs. Correspond à l'annotation seccomp.security.alpha.kubernetes.io/allowedProfileNames d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allows all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
      - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-seccomp

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default

Autorisés

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPVolumeTypes

Types de volumes v1.0.2

Limite les types de volumes installables à ceux spécifiés par l'utilisateur. Correspond au champ volumes de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

Examples

psp-volume-types

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPSPWindowsHostProcess

Limite les conteneurs et les pods Windows HostProcess. v1.0.0

Limite l'exécution des conteneurs / pods Windows HostProcess. Pour en savoir plus, consultez https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-windows-hostprocess

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM

K8sPSSRunAsNonRoot

Nécessite l'exécution des conteneurs en tant qu'utilisateurs non racines. v1.0.0

Nécessite que les conteneurs s'exécutent en tant qu'utilisateurs non racines. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/security/pod-security-standards/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-runasnonroot

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: restrict-runasnonroot
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
  - image: nginx
    name: nginx-allowed
  securityContext:
    runAsNonRoot: true

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: false

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
  securityContext:
    runAsNonRoot: false

K8sPodDisruptionBudget

Budget d'interruption de pod v1.0.3

Interdire les scénarios suivants lors du déploiement de PodDisruptionBudgets ou de ressources qui mettent en œuvre la sous-ressource d'instance dupliquée (par exemple Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Déploiement de PodDisruptionBudgets avec .spec.maxUnavailable == 0 2. Déploiement de PodDisruptionBudgets avec .spec.minAvailable == .spec.replicas de la ressource avec sous-ressource d'instance dupliquée. Cette opération empêche PodDisruptionBudgets de bloquer les interruptions volontaires telles que le drainage de nœud. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "policy"
        version: "v1"
        kind: "PodDisruptionBudget"

Examples

pod-distruption-budget

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController

Autorisés

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3

Non autorisé

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment

K8sPodResourcesBestPractices

Les conteneurs ne constituent pas la méthode d'optimisation et suivent les bonnes pratiques évolutives v1.0.5

Nécessite que les conteneurs ne reposent pas sur le meilleur effort (en définissant les demandes de ressources de processeur et de mémoire) et qu'ils suivent les bonnes pratiques d'utilisation intensive (le nombre de demandes de mémoire doit être strictement identique à la limite). Vous pouvez éventuellement configurer des clés d'annotation pour ignorer les différentes validations.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>

Examples

gke-pod-resources-best-practices

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi

K8sPodsRequireSecurityContext

Les pods nécessitent un contexte de sécurité v1.1.1

Nécessite que tous les pods définissent securityContext. Nécessite que tous les conteneurs définis dans les pods aient un contexte SecurityContext défini au niveau du pod ou du conteneur.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>

Examples

pods-require-security-context-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Interdire l'accès avec des caractères génériques de rôle v1.0.5

Les objets Role et ClusterRole ne doivent pas définir l'accès aux ressources sur une valeur générique "", à l'exception des objets Role et ClusterRole exemptés fournis en tant qu'exceptions. Ne limite pas l'accès avec caractères génériques aux sous-ressources, par exemple '"/status"'.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set  resource access to a wildcard.
    exemptions:
      clusterRoles:
        - # name <string>: The name of the ClusterRole to be exempted.
          name: <string>
          # regexMatch <boolean>: The flag to allow a regular expression
          # based match on the name.
          regexMatch: <boolean>
      roles:
        - # name <string>: The name of the Role to be exempted.
          name: <string>
          # namespace <string>: The namespace of the Role to be exempted.
          namespace: <string>

Examples

prohibit-role-wildcard-access-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

prohibit-wildcard-except-exempted-cluster-role

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

Limites du nombre d'instances répliquées v1.0.2

Nécessite que les objets comportant le champ spec.replicas (Deployments, ReplicaSets, etc.) spécifient un nombre d'instances dupliquées dans les plages définies.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Examples

replica-limits

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3

Autorisés

apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Non autorisé

apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireAdmissionController

Nécessite la version 1.0.0 du contrôleur d'admission

Nécessite l'admission de sécurité des pods ou un système de contrôle de règles externe

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks which are valid external policy control systems
    permittedValidatingWebhooks:
      - <string>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Examples

exiger-contrôleur-d'admission

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: require-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Autorisés

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.28
  name: allowed-namespace

Non autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sExigerBinAuthZ

Nécessite l'autorisation binaire v1.0.2

Nécessite le Binary Authorization Validating Admission Webhook. Les contraintes utilisant ce ConstraintTemplate seront auditées uniquement, quelle que soit la valeur de enforcementAction.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Examples

require-binauthz

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Autorisés

apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None

Non autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: default

K8sRequireCosNodeImage

Nécessite l'image de nœud COS v1.1.1

Applique l'utilisation de Container-Optimized OS de Google sur les nœuds.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
      - <string>

Examples

nodes-have-consistent-time

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*

Autorisés

apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google

apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian

apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS

Non autorisé

apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0

K8sRequireDaemonsets

Daemonsets v1.1.2 requis

Nécessite la présence de la liste des daemonsets spécifiés.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
      - # name <string>: The name of the required daemonset.
        name: <string>
        # namespace <string>: The namespace for the required daemonset.
        namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "DaemonSet"
      OR
      - group: "apps"
        version: "v1beta2" OR "v1"
        kind: "DaemonSet"

Examples

require-daemonset

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true

Autorisés

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs

Non autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"

K8sRequireDefaultDenyEgressPolicy

Exiger la stratégie de refus de sortie par défaut v1.0.3

Nécessite que chaque espace de noms défini dans le cluster dispose d'une règle NetworkPolicy de refus par défaut pour la sortie.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Examples

require-default-deny-network-policies

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun

Autorisés

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

Non autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

K8sRequireNamespaceNetworkPolicies

Exiger des règles de réseau d'espace de noms v1.0.6

Nécessite que chaque espace de noms défini dans le cluster ait un objet NetworkPolicy.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Examples

require-namespace-network-policies-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun

Autorisés

apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example

Non autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequireValidRangesForNetworks

Exiger des plages valides pour les réseaux v1.0.2

Détermine les blocs CIDR autorisés pour l'entrée et la sortie réseau.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
      - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
      - <string>

Examples

require-valid-network-ranges

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24

Autorisés

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

Non autorisé

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

K8sRequiredAnnotations

Annotations requises v1.0.1

Exige que les ressources contiennent des annotations spécifiées, avec des valeurs correspondant aux expressions régulières fournies.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required annotation.
        key: <string>
    message: <string>

Examples

all-must-have-certain-set-of-annotations

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.

Autorisés

apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

Étiquettes requises v1.0.1

Exige que les ressources contiennent des libellés spécifiés, avec des valeurs correspondant aux expressions régulières fournies.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required label.
        key: <string>
    message: <string>

Examples

all-must-have-owner

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username

Autorisés

apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace

Non autorisé

apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Vérifications requises v1.0.1

Exige que les pods fassent l'objet de vérifications d'aptitude et/ou d'activité.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
      - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
      - <string>

Examples

must-have-probes

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

K8sRequiredResources

Ressources requises v1.0.1

Nécessite que les conteneurs aient un ensemble de ressources définies. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # limits <array>: A list of limits that should be enforced (`cpu`,
    # `memory`, or both).
    limits:
      # Allowed Values: cpu, memory
      - <string>
    # requests <array>: A list of requests that should be enforced (`cpu`,
    # `memory`, or both).
    requests:
      # Allowed Values: cpu, memory
      - <string>

Examples

container-must-have-limits-and-requests

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi

container-must-have-cpu-requests-memory-limits-and-requests

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

no-enforcements

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: no-enforcements
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

K8sRestrictAdmissionController

Restricted Admission Controller version 1.0.0

Limiter les contrôleurs d'admission dynamiques à ceux autorisés

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedMutatingWebhooks <array>: List of permitted mutating webhooks
    # (mutating admission controllers)
    permittedMutatingWebhooks:
      - <string>
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks (validating admission controllers)
    permittedValidatingWebhooks:
      - <string>

Examples

contrôleur-d'admission-restreint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: restrict-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
  parameters:
    permittedMutatingWebhooks:
    - allowed-mutating-webhook
    permittedValidatingWebhooks:
    - allowed-validating-webhook

Autorisés

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: allowed-validating-webhook

Non autorisé

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: disallowed-validating-webhook

K8sRestrictAutomountServiceAccountTokens

Restreindre les jetons de compte de service v1.0.1

Limite l'utilisation des jetons de compte de service.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-serviceaccounttokens

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount

K8sRestrictLabels

Restreindre les libellés v1.0.2

Empêche les ressources de contenir des libellés spécifiés, sauf en cas d'exception pour la ressource spécifique.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

Examples

restrict-label-example

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

Restreindre les espaces de noms v1.0.1

Empêche les ressources d'utiliser des espaces de noms répertoriés dans le paramètre restrictedNamespaces.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

Examples

restrict-default-namespace-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default

Autorisés

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNfsUrls

Restreindre les URL NFS v1.0.1

Interdit aux ressources de contenir des URL NFS, sauf indication contraire.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
      - <string>

Examples

restrict-label-example

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

K8sRestrictRbacSubjects

Restreindre les sujets RBAC v1.0.3

Limite l'utilisation des noms dans les sujets RBAC aux valeurs autorisées.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
      - # name <string>: The exact-name or the pattern of the allowed subject
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>

Examples

restrict-rbac-subjects

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@system.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@google.com$
      regexMatch: true

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user@google.com
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1@example.com
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2@example.com

K8sRestrictRoleBindings

Restreindre les liaisons de rôles v1.0.3

Limite les sujets spécifiés dans les objets ClusterRoleBinding et RoleBinding à une liste de sujets autorisés.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject which is matched exactly as
        # provided as well as based on a regular expression.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

Examples

restrict-clusteradmin-rolebindings-sample

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

restrict-clusteradmin-rolebindings-regex

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

K8sRestrictRoleRules

Restreindre les règles Role et ClusterRole. v1.0.4

Limite les règles pouvant être définies sur les objets Role et ClusterRole.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be allowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be disallowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
        - # name <string>: Name is the name or a pattern of the ClusterRole
          # to be exempted.
          name: <string>
          # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
          # regex match of the ClusterRole name.
          regexMatch: <boolean>
      roles:
        - # name <string>: Name is the name of the Role to be exempted.
          name: <string>
          # namespace <string>: Namespace is the namespace of the Role to be
          # exempted.
          namespace: <string>

Examples

restrict-pods-exec

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create

Autorisés

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

Non autorisé

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'

K8sStorageClass

Classe de stockage v1.1.2

Vous devez spécifier des classes de stockage lorsqu'elles sont utilisées. Seuls les conteneurs Gatekeeper 3.9 ou version ultérieure et les conteneurs non éphémères sont acceptés.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    #  If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
      - <string>
    includeStorageClassesInMessage: <boolean>

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "storage.k8s.io"
        version: "v1"
        kind: "StorageClass"

Examples

storageclass

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true

Autorisés

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

Non autorisé

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi

Classe de stockage autorisée

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true

Autorisés

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

Non autorisé

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

K8sUniqueIngressHost

Hôte d'entrée unique v1.0.4

Exige que tous les hôtes de règle Ingress soient uniques. N'accepte pas les caractères génériques du nom d'hôte : https://kubernetes.io/docs/concepts/services-networking/ingress/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "Ingress"
      OR
      - group: "networking.k8s.io"
        version: "v1beta1" OR "v1"
        kind: "Ingress"

Examples

unique-ingress-host

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress

Autorisés

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix

Non autorisé

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sUniqueServiceSelector

Sélecteur de service unique v1.0.2

Exige que les Services aient des sélecteurs uniques au sein d'un espace de noms. Les sélecteurs sont considérés comme identiques s'ils possèdent des clés et des valeurs identiques. Les sélecteurs peuvent partager une paire clé/valeur s'il existe au moins une paire clé/valeur distincte entre eux. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Contrainte référentielle

Votre Config Policy Controller nécessite une entrée syncOnly semblable à celle-ci:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Service"

Examples

unique-service-selector

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector

Autorisés

apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value

Non autorisé

apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

NoUpdateServiceAccount

Bloquer la mise à jour du compte de service v1.0.1

Bloque la mise à jour du compte de service sur les ressources qui extraient sur les pods. Cette règle est ignorée en mode audit.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
      - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
      - <string>

Examples

no-update-kube-system-service-account

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []

Autorisés

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1

PolicyStrictOnly

Nécessite la stratégie mTLS d'Istio STRICT v1.0.4

Nécessite que l'authentification TLS mutuelle STRICT d'Istio soit toujours spécifiée lorsque vous utilisez PeerAuthentication. Cette contrainte garantit également que les ressources obsolètes Policy et MeshPolicy appliquent le protocole TLS mutuel STRICT. Consultez la page https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

peerauthentication-strict-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default

Autorisés

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT

deprecated-policy-strict-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default

Autorisés

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT

Non autorisé

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

RestrictNetworkExclusions

Restreindre les exclusions réseau v1.0.2

Contrôlez les ports entrants, les ports sortants et les plages d'adresses IP sortantes pouvant être exclues de la capture du réseau Istio. Les ports et les plages d'adresses IP qui contournent la capture du réseau Istio ne sont pas gérés par le proxy Istio et ne sont pas soumis à l'authentification mTLS d'Istio, à la règle d'autorisation et à d'autres fonctionnalités d'Istio. Cette contrainte peut être utilisée pour appliquer des restrictions à l'utilisation des annotations suivantes:

traffic.sidecar.istio.io/excludeInboundPorts
traffic.sidecar.istio.io/excludeOutboundPorts
traffic.sidecar.istio.io/excludeOutboundIPRanges

Voir https://istio.io/latest/docs/reference/config/annotations/.

Lorsque vous limitez des plages d'adresses IP sortantes, la contrainte calcule si les plages d'adresses IP exclues correspondent ou sont un sous-ensemble des exclusions de plages d'adresses IP autorisées.

Lorsque vous utilisez cette contrainte, tous les ports entrants, ports sortants et plages d'adresses IP sortantes doivent toujours être inclus en définissant les annotations "include" correspondantes sur "*" ou en les laissant non défini. La définition de l'une des annotations suivantes sur une valeur autre que "*" n'est pas autorisée:

traffic.sidecar.istio.io/includeInboundPorts
traffic.sidecar.istio.io/includeOutboundPorts
traffic.sidecar.istio.io/includeOutboundIPRanges

Cette contrainte permet toujours d'exclure le port 15020, car l'injecteur de side-car Istio l'ajoute toujours à l'annotation traffic.sidecar.istio.io/excludeInboundPorts afin de pouvoir l'utiliser pour la vérification de l'état.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedInboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
    allowedInboundPortExclusions:
      - <string>
    # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
    # constraint calculates whether excluded IP ranges match or are a subset of
    # the ranges in this list.
    allowedOutboundIPRangeExclusions:
      - <string>
    # allowedOutboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
    allowedOutboundPortExclusions:
      - <string>

Examples

restrict-network-exclusions

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"

Autorisés

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

Non autorisé

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

SourceNotAllAuthz

La source AuthorizationPolicy d'Istio ne nécessite pas toutes les versions v1.0.1.

Nécessite que les comptes principaux sources des règles AuthorizationPolicy d'Istio soient définis sur autre chose que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

sourcenotall-authz-constraint

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy

Autorisés

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

Non autorisé

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

VerifyDeprecatedAPI

Vérifier les API obsolètes v1.0.0

Vérifie les API Kubernetes obsolètes pour s'assurer que toutes les versions d'API sont à jour. Ce modèle ne s'applique pas à l'audit, car l'audit examine les ressources déjà présentes dans le cluster avec des versions d'API non obsolètes.

Schéma de contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # k8sVersion <number>: kubernetes version
    k8sVersion: <number>
    # kvs <array>: Deprecated api versions and corresponding kinds
    kvs:
      - # deprecatedAPI <string>: deprecated api
        deprecatedAPI: <string>
        # kinds <array>: impacted list of kinds
        kinds:
          - <string>
        # targetAPI <string>: target api
        targetAPI: <string>

Examples

vérifier-1.16

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1

Autorisés

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Non autorisé

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

vérifier-1.22

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1

Autorisés

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix

Non autorisé

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix

vérifier-1.25

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1

Autorisés

apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'

Non autorisé

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'

vérifier-1.26

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2

Autorisés

apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

Non autorisé

apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

vérifier-1.27

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1

Autorisés

apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard

Non autorisé

apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
  namespace: default
storageClassName: standard

vérifier-1.29

Contrainte

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3

Autorisés

apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

Non autorisé

apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

Étapes suivantes

En savoir plus sur Policy Controller
Installer Policy Controller
Utiliser des contraintes au lieu de règles PodSecurityPolicies
Affichez la bibliothèque Open Source des modèles de contrainte dans le dépôt gatekeeper-library