制約テンプレート ライブラリ

制約テンプレートを使用すると、制約がどのように機能するかを定義できますが、制約の詳細な定義は、制約に関する専門知識を持つ個人またはグループに委任できます。懸念事項を分離することに加え、このことは制約のロジックをその定義からも分離します。

制約テンプレートの機能を示すため、各テンプレートには制約の例と、制約に違反するリソースが含まれています。

すべての制約テンプレートが、Anthos Config Management のすべてのバージョンで利用できるわけではありません。また、テンプレートはバージョンによって異なる場合があります。テンプレートの履歴については、Anthos Config Management のアーカイブにアクセスして、このページの以前のバージョンを確認してください。

すべての制約には match セクションが含まれます。このセクションでは、制約が適用されるオブジェクトを定義します。このセクションの構成方法については、こちらをご覧ください。

AllowedServicePortName

サービスポート名には、指定されたリストの接頭辞が必要です。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

port-name-constraint

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
禁止
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld

DestinationRuleTLSEnabled

Istio DestinationRules 内のすべてのホストとホスト サブセットに対する TLS の無効化を禁止します。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

dr-tls-enabled

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
禁止
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-leastconn
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN

DisallowedAuthzPrefix

Istio AuthorizationPolicy ルールのプリンシパルと名前空間に、指定されたリストの接頭辞が含まれないようにします。 https://istio.io/latest/docs/reference/config/security/authorization-policy/

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

disallowed-authz-prefix-constraint

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

StorageBucket Config Connector リソースに許可される locations を、制約で指定されたロケーションのリストに制限します。exemptions リストにあるバケット名は対象外です。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

singapore-and-jakarta-only

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
許可
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
禁止
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

K8sAllowedRepos

コンテナ イメージは、指定されたリストにある文字列で開始する必要があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

repo-is-openpolicyagent

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
許可
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
禁止
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sBlockEndpointEditDefaultRole

Kubernetes インストール環境の多くは、デフォルトで system:aggregate-to-edit ClusterRole を使用しているため、Endpoints の編集アクセスが適切に制限されません。この ConstraintTemplate は、system:aggregate-to-edit ClusterRole が Endpoints の作成 / パッチ / 更新の権限を付与することを禁止しています。CVE-2021-25740 のため、ClusterRole/system:aggregate-to-edit で Endpoint 編集権限を許可してはなりません。Endpoint 権限と EndpointSlice 権限は、Namespace 間の転送を許可します(https://github.com/kubernetes/kubernetes/issues/103675)。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

block-endpoint-edit-default-role

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
許可
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
禁止
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

K8sBlockNodePort

NodePort タイプを持つすべての Service を禁止します。https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

block-node-port

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
禁止
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockProcessNamespaceSharing

Pod 仕様で shareProcessNamespacetrue に設定することを禁止します。これにより、Pod 内のすべてのコンテナが PID 名前空間を共有し、互いのファイルシステムおよびメモリにアクセスできる状況を回避できます。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

block-process-namespace-sharing

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
許可
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sContainerLimits

コンテナにメモリと CPU の上限を設定し、指定した最大値を超えないようにする必要があります。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

container-must-have-limits

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

コンテナ リソースの上限に対するリクエストの最大比率を設定します。 https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

container-must-meet-ratio

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi

K8sDisallowedRoleBindingSubjects

パラメータとして渡された disallowedSubjects に一致するサブジェクトを持つ RoleBindings または ClusterRoleBindings を禁止します。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

disallowed-rolebinding-subjects

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
許可
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
禁止
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

コンテナ イメージには、指定されたリストとは異なるイメージタグが必要です。 https://kubernetes.io/docs/concepts/containers/images/#image-names

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

container-image-must-not-have-latest-tag

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    tags:
    - latest
許可
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
禁止
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

K8sEmptyDirHasSizeLimit

emptyDir ボリュームで sizeLimit を指定する必要があります。必要に応じて、maxSizeLimit パラメータに制約を設定して、最大サイズの上限を指定できます。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

empty-dir-has-size-limit

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  parameters:
    maxSizeLimit: 4Gi
許可
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume
禁止
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sExternalIPs

Service の externalIPs を、許可された IP アドレスのリストに制限します。 https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

external-ips

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
許可
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
禁止
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHttpsOnly

Ingress リソースは HTTPS のみにする必要があります。Ingress リソースは次の条件を満たしている必要があります。- 有効な TLS 構成が含まれている - kubernetes.io/ingress.allow-http アノテーションが含まれ、次の値に設定されている。

false

https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

ingress-https-only

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
禁止
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

K8sImageDigests

コンテナ イメージにダイジェストが含まれている必要があります。 https://kubernetes.io/docs/concepts/containers/images/

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

container-image-must-have-digest

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
許可
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
禁止
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa

K8sLocalStorageRequireSafeToEvict

ローカル ストレージ(emptyDir または hostPath)を使用する Pod にはアノテーション "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" が必要です。このアノテーションのない Pod は、クラスタ オートスケーラーによって削除されることはありません。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

local-storage-require-safe-to-evict

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
許可
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
禁止
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

すべてのコンテナがリクエストするメモリがメモリ制限に完全に一致することを要求することで Pod の安定性を高め、メモリ使用量がリクエストされた量を超える状態にならないようにします。そうでないと、ノードにメモリが必要なときに、Kubernetes は追加のメモリが必要な Pod を終了する可能性があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

container-must-request-limit

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
許可
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi
禁止
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

Pod コンテナ定義で環境変数としての Secret を禁止します。代わりに、マウントされた Secrets ファイルをデータ ボリュームで使用します。https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

no-secrets-as-env-vars

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars
spec:
  enforcementAction: dryrun
許可
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
禁止
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

ワークロードを外部 IP に公開する既知のリソースの作成を禁止します。これには、Istio Gateway リソースと Kubernetes Ingress リソースが含まれます。次の基準を満たさない限り、Kubernetes Service も許可されません。 LoadBalancer タイプの Service に "cloud.google.com/load-balancer-type": "Internal" アノテーションがある。Service にバインドされる外部 IP(クラスタ外部の IP)は、制約で提供される内部 CIDR の範囲に含まれている必要があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

no-external

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
許可
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
禁止
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888

K8sPSPAllowPrivilegeEscalationContainer

エスカレーションの root 権限への制限を制御します。PodSecurityPolicy の allowPrivilegeEscalation フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

psp-allow-privilege-escalation-container

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

コンテナと一部のボリュームのユーザー ID とグループ ID を制御します。PodSecurityPolicy の runAsUserrunAsGroupsupplementalGroupsfsGroup フィールドに対応しています。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

psp-pods-allowed-user-ranges

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

コンテナで使用する AppArmor プロファイルの許可リストを構成します。これは、PodSecurityPolicy に適用される特定のアノテーションに対応します。AppArmor については、https://kubernetes.io/docs/tutorials/clusters/apparmor/ をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>

psp-apparmor

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
許可
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

コンテナの Linux 機能を制御します。PodSecurityPolicy の allowedCapabilities フィールドと requiredDropCapabilities フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

capabilities-demo

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

Pod のボリュームを所有している FSGroup の割り当てを制御します。PodSecurityPolicy の fsGroup フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

psp-fsgroup

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
禁止
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

FlexVolume ドライバの許可リストを制御します。PodSecurityPolicy の allowedFlexVolumes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

psp-flexvolume-drivers

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

コンテナで使用される sysctl プロファイルを制御します。PodSecurityPolicy の forbiddenSysctls フィールドに対応します。詳細については、https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

psp-forbidden-sysctls

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    forbiddenSysctls:
    - kernel.*
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"

K8sPSPHostFilesystem

ホスト ファイル システムの使用を制御します。PodSecurityPolicy の allowedHostPaths フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

psp-host-filesystem

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

K8sPSPHostNamespace

Pod コンテナによるホスト PID 名前空間と IPC 名前空間の共有を禁止します。PodSecurityPolicy の hostPID フィールドと hostIPC フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

psp-host-namespace

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Pod コンテナによるホスト ネットワークの名前空間の使用を制御します。特定のポートを指定する必要があります。PodSecurityPolicy の hostNetwork フィールドと hostPorts フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

psp-host-network-ports

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

特権モードを有効にするコンテナの機能を制御します。PodSecurityPolicy の privileged フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

psp-privileged-container

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

コンテナで許可される procMount 型を制御します。PodSecurityPolicy の allowedProcMountTypes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

psp-proc-mount

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

Pod コンテナで読み取り専用のルート ファイル システムを使用する必要があります。PodSecurityPolicy の readOnlyRootFilesystem フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

psp-readonlyrootfilesystem

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

Pod コンテナの seLinuxOptions 構成の許可リストを定義します。SELinux 構成ファイルを必要とする PodSecurityPolicy に対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>

psp-selinux-v2

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

コンテナで使用される seccomp プロファイルを制御します。PodSecurityPolicy の seccomp.security.alpha.kubernetes.io/allowedProfileNames アノテーションに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # annotations on Pods.
    allowedProfiles:
      - <string>

psp-seccomp

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default
許可
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx

K8sPSPVolumeTypes

マウント可能なボリューム タイプをユーザーが指定したものに限定します。PodSecurityPolicy の volumes フィールドに対応します。詳細については、https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

psp-volume-types

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPodsRequireSecurityContext

すべての Pod で securityContext を定義する必要があります。Pod で定義されたすべてのコンテナに、Pod レベルまたはコンテナレベルで SecurityContext が定義されている必要があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

pods-require-security-context

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
spec:
  enforcementAction: dryrun
許可
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000
禁止
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Roles と ClusterRoles にワイルドカード("")値へのリソース アクセス権限が設定されていないことを必須にします。/status のようなサブリソースへのワイルドカード アクセスは制限しません。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

prohibit-role-wildcard-access

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access
spec:
  enforcementAction: dryrun
許可
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
禁止
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

spec.replicas フィールドのオブジェクト(Deployments、ReplicaSets など)に、定義された範囲内のレプリカ数を指定する必要があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

replica-limits

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3
許可
apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
禁止
apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireNamespaceNetworkPolicies

クラスタで定義されているすべての名前空間に NetworkPolicy が必要です。注: この制約は参照です。詳しくは、https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#referential をご覧ください。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

require-namespace-network-policies

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies
spec:
  enforcementAction: dryrun
許可
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-good-example
禁止
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequiredAnnotations

すべてのリソースに、指定した正規表現に一致する値を持つアノテーションが含まれている必要があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    annotations:
      - allowedRegex: <string>
        key: <string>
    message: <string>

all-must-have-certain-set-of-annotations

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
許可
apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
禁止
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

すべてのリソースに、指定した正規表現に一致する値を持つラベルを指定する必要があります。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    labels:
      - allowedRegex: <string>
        key: <string>
    message: <string>

all-must-have-owner

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username
許可
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace
禁止
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Pod に readiness Probe または liveness Probe が必要です。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    probeTypes:
      - <string>
    probes:
      - <string>

must-have-probes

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe
禁止
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe: null
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

K8sRestrictLabels

特定のリソースに例外がある場合を除き、指定されたラベルをリソースに含めることを禁止します。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

restrict-label-example

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example
許可
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

リソースに対して、restrictedNamespaces パラメータにリストされた名前空間の使用を制限します。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

restrict-default-namespace

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default
許可
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx
禁止
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictRoleBindings

バインディングのサブジェクトがすべて許可されている場合を除き、ClusterRoleBinding と RoleBinding が、指定された Role/ClusterRole を参照できないようにします。

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject.
        name: <string>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

restrict-clusteradmin-rolebindings

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
許可
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
禁止
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sUniqueIngressHost

すべての Ingress ルールホストが一意となることを必須にします。ホスト名のワイルドカードは処理されません。https://kubernetes.io/docs/concepts/services-networking/ingress/

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

unique-ingress-host

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
禁止
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-host-example
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-host-example2
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80

K8sUniqueServiceSelector

Service に名前空間内で一意のセレクタが必要です。セレクタのキーと値が同一の場合、セレクタは同一と見なされます。1 つ以上の異なる Key-Value ペアが存在する限り、セレクタは Key-Value ペアを共有できます。 https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

unique-service-selector

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
禁止
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

PolicyStrictOnly

Istio 認証ポリシーで STRICT 相互 TLS を持つピアを指定する必要があります。 https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

policy-strict-constraint

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
禁止
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

SourceNotAllAuthz

Istio AuthorizationPolicy ルールで、ソース プリンシパルが「*」以外に設定されている必要があります。 https://istio.io/latest/docs/reference/config/security/authorization-policy/

制約スキーマ

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: allows you to configure which resources fall in scope for
  # this constraint.  See the GCP docs for more information:
  # https://cloud.google.com/anthos-config-management/docs/how-to/creating-constraints#constraint
  match:
    [match schema]

sourcenotall-authz-constraint

制約
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
禁止
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

次のステップ