제약조건 템플릿 라이브러리

제약조건 템플릿을 사용하면 제약조건의 작동 방식을 정의할 수 있을 뿐 아니라, 제약조건의 세부사항 정의를 주제별 전문 지식을 가진 개인 또는 그룹에 위임할 수 있습니다. 우려를 분리하는 것 외에도 제약조건의 논리와 정의를 분리합니다.

모든 제약조건에는 제약조건이 적용되는 객체를 정의하는 match 섹션이 포함되어 있습니다. 해당 섹션을 구성하는 방법에 대한 자세한 내용은 제약조건 일치 섹션을 참조하세요.

정책 컨트롤러, 구성 동기화, 구성 컨트롤러의 모든 버전에서 모든 제약조건 템플릿을 사용할 수 있는 것은 아니며, 버전 간에 템플릿이 변경될 수 있습니다. 다음 링크를 사용하여 지원되는 버전의 제약조건을 비교합니다.

전체 지원을 받으려면 정책 컨트롤러의 지원 버전에서 제약조건 템플릿을 사용하는 것이 좋습니다.

제약조건 템플릿이 작동하는 방식을 확인하기 위해 각 템플릿에는 예시 제약조건과 제약조건을 위반하는 리소스가 포함됩니다.

사용 가능한 제약조건 템플릿

제약조건 템플릿 설명 참조
AllowedServicePortName 서비스 포트 이름에 지정된 목록의 프리픽스가 포함되어야 합니다. 아니요
AsmAuthzPolicyDefaultDeny 메시 수준 기본 거부 AuthorizationPolicy를 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns에 대한 참조입니다.
AsmAuthzPolicyDisallowedPrefix Istio `AuthorizationPolicy` 규칙의 주 구성원 및 네임스페이스에 지정된 목록의 프리픽스가 포함되지 않아야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/ 아니요
AsmAuthzPolicyEnforceSourcePrincipals 거부된 경우 Istio AuthorizationPolicy '시작' 필드에 '*'이 아닌 값으로 설정되어야 하는 소스 주 구성원이 있어야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/ 아니요
AsmAuthzPolicyNormalization AuthorizationPolicy 정규화를 적용합니다. https://istio.io/latest/docs/reference/config/security/normalization/에 대한 참조입니다. 아니요
AsmAuthzPolicySafePattern AuthorizationPolicy 안전 패턴을 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns에 대한 참조입니다. 아니요
AsmIngressgatewayLabel ingressgateway 포드에만 istio ingressgateway 라벨 사용을 적용합니다. 아니요
AsmPeerAuthnMeshStrictMtls 메시 수준 엄격한 mtls PeerAuthentication을 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls에 대한 참조입니다.
AsmPeerAuthnStrictMtls 모든 PeerAuthentications로 엄격한 mtls를 덮어쓸 수 없음을 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls에 대한 참조입니다. 아니요
AsmRequestAuthnProhibitedOutputHeaders RequestAuthentication에서 잘 알려진 HTTP 요청 헤더 또는 커스텀 금지된 헤더를 포함하지 않도록 `jwtRules.outPayloadToHeader` 필드를 적용합니다. https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule에 대한 참조입니다. 아니요
AsmSidecarInjection 워크로드 포드에 istio 프록시 사이드카가 항상 삽입되도록 적용합니다. 아니요
DestinationRuleTLSEnabled Istio DestinationRules에서 모든 호스트 및 호스트 하위 집합에 TLS 중지를 금지합니다. 아니요
DisallowedAuthzPrefix Istio `AuthorizationPolicy` 규칙의 주 구성원 및 네임스페이스에 지정된 목록의 프리픽스가 포함되지 않아야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/ 아니요
GCPStorageLocationConstraintV1 StorageBucket Config Connector 리소스의 허용되는 `locations`를 제약조건에 제공된 위치 목록으로 제한합니다. `exemptions` 목록의 버킷 이름은 제외됩니다. 아니요
GkeSpotVMTerminationGrace 'gke-spot'이 'nodeSelector' 또는 'nodeAfffinty'인 포드 및 포드 템플릿의 'terminationGracePeriodSeconds'가 15초 이하여야 합니다.
K8sAllowedRepos 컨테이너 이미지가 지정된 목록의 문자열로 시작해야 합니다. 아니요
K8sAvoidUseOfSystemMastersGroup 'system:masters' 그룹의 사용을 허용하지 않습니다. 감사 중에는 영향을 주지 않습니다. 아니요
K8sBlockAllIngress 인그레스 객체(`Ingress`, `Gateway`, `NodePort` 및 `LoadBalancer` 의 `Service` 유형) 생성을 금지합니다. 아니요
K8sBlockCreationWithDefaultServiceAccount 기본 서비스 계정을 사용하여 리소스 만들기를 허용하지 않습니다. 감사 중에는 영향을 주지 않습니다. 아니요
K8sBlockEndpointEditDefaultRole 대부분의 Kubernetes 설치에는 기본적으로 Endpoints 수정에 대한 액세스를 올바르게 제한하지 않는 system:aggregate-to-edit ClusterRole이 있습니다. 이 ConstraintTemplate은 system:aggregate-to-edit ClusterRole이 Endpoints를 생성/패치/업데이트할 수 있는 권한을 부여하지 못하게 합니다. ClusterRole/system:aggregate-to-edit는 CVE-2021-25740으로 인해 Endpoint 수정 권한을 허용하지 않습니다. Endpoint 및 EndpointSlice 권한은 네임스페이스 간 전달을 허용합니다. https://github.com/kubernetes/kubernetes/issues/103675. 아니요
K8sBlockLoadBalancer LoadBalancer 유형의 모든 서비스를 금지합니다. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer 아니요
K8sBlockNodePort NodePort 유형이 포함된 모든 서비스를 금지합니다. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport 아니요
K8sBlockObjectsOfType 금지된 유형의 객체를 허용하지 않습니다. 아니요
K8sBlockProcessNamespaceSharing `shareProcessNamespace`를 `true`로 설정하여 포드 사양을 금지합니다. 이렇게 하면 한 포드의 모든 컨테이너가 PID 네임스페이스를 공유하고 서로의 파일 시스템 및 메모리에 액세스할 수 있는 시나리오를 방지합니다. 아니요
K8sBlockWildcardIngress 사용자는 비어 있는 또는 와일드 카드(*) 호스트 이름으로 인그레스를 만들 수 없어야 합니다. 해당 서비스에 액세스할 수 없더라도 클러스터의 다른 서비스에 대한 트래픽을 가로챌 수 있기 때문입니다. 아니요
K8sContainerEphemeralStorageLimit 컨테이너에 임시 스토리지 한도를 설정해야 하며 지정된 최댓값 내로 한도를 제한합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 아니요
K8sContainerLimits 컨테이너에 메모리 및 CPU 한도를 설정해야 하며 지정된 최댓값 내로 한도를 제한해야 합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 아니요
K8sContainerRatios 요청에 대한 컨테이너 리소스 한도의 최대 비율을 설정합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 아니요
K8sContainerRequests 컨테이너에 메모리 및 CPU 요청을 설정해야 하며 지정된 최댓값 내로 요청을 제한해야 합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 아니요
K8sCronJobAllowedRepos CronJob의 컨테이너 이미지가 지정된 목록의 문자열로 시작해야 합니다. 아니요
K8sDisallowAnonymous system:anonymous 사용자 및 system:unauthenticated 그룹에 대해 ClusterRole 및 Role 리소스 연결을 금지합니다. 아니요
K8sDisallowInteractiveTTY 객체의 `spec.tty` 및 `spec.stdin` 필드가 설정되지 않거나 false로 설정되어야 합니다. 아니요
K8sDisallowedRepos 지정된 목록의 문자열로 시작하는 허용되지 않는 컨테이너 저장소입니다. 아니요
K8sDisallowedRoleBindingSubjects 매개변수로 전달된 모든 `disallowedSubjects`와 일치하는 RoleBindings 또는 ClusterRoleBindings를 금지합니다. 아니요
K8sDisallowedTags 컨테이너 이미지가 지정된 목록에 있는 것과 다른 이미지 태그를 갖도록 지정합니다. https://kubernetes.io/docs/concepts/containers/images/#image-names 아니요
K8sEmptyDirHasSizeLimit 모든 `emptyDir` 볼륨이 `sizeLimit`를 지정해야 합니다. 선택적으로 `maxSizeLimit` 매개변수를 제약조건에 제공하여 최대 허용 가능한 크기 한도를 지정할 수 있습니다. 아니요
K8sEnforceCloudArmorBackendConfig BackendConfig 리소스에 Cloud Armor 구성을 적용합니다. 아니요
K8sEnforceConfigManagement Config Management가 존재하고 작동해야 합니다. 이 'ConstraintTemplate'을 사용하는 제약조건은 'enforcementAction' 값에 관계없이 감사됩니다.
K8sExternalIPs Service externalIPs를 허용된 IP 주소 목록으로 제한합니다. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips 아니요
K8sHorizontalPodAutoscaler `HorizontalPodAutoscalers` 1을 배포할 때 다음 시나리오를 허용하지 않습니다. 제약조건 2에 정의된 범위를 벗어나서 `.spec.minReplicas` 또는 `.spec.maxReplicas`를 사용하는 HorizontalPodAutoscalers 배포 `.spec.minReplicas` 와 `.spec.maxReplicas` 간의 차이가 구성된 `minimumReplicaSpread` 3보다 작은 HorizontalPodAutoscaler의 배포 유효한 `scaleTargetRef`를 참조하지 않는 HorizontalPodAutoscaler의 배포(예: Deployment, ReplicationController, ReplicaSet, StatefulSet)
K8sHttpsOnly 인그레스 리소스가 HTTPS 전용이어야 합니다. 인그레스 리소스에는 'false'로 설정된 `kubernetes.io/ingress.allow-http` 주석이 포함되어야 합니다. 기본적으로 유효한 TLS {} 구성이 필요하며, 이는 `tlsOption` 매개변수를 `true`로 설정하여 선택적으로 구성할 수 있습니다. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls 아니요
K8sImageDigests 다이제스트를 포함할 컨테이너 이미지가 있어야 합니다. https://kubernetes.io/docs/concepts/containers/images/ 아니요
K8sLocalStorageRequireSafeToEvict 로컬 스토리지(`emptyDir` 또는 `hostPath`)를 사용하는 포드에 `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"` 주석이가 포함되어야 합니다. 클러스터 자동 확장 처리는 이 주석이 없는 포드를 삭제하지 않습니다. 아니요
K8sMemoryRequestEqualsLimit 컨테이너의 요청된 메모리가 메모리 한도와 정확하게 동일하도록 요구함으로써 포드에서 메모리 사용량이 요청된 양을 초과하는 상태가 되지 않도록 포드 안정성을 향상시켜 줍니다. 그렇지 않으면 Kubernetes가 노드에 메모리가 필요한 경우 추가 메모리를 요청하는 포드를 종료할 수 있습니다. 아니요
K8sNoEnvVarSecrets 포드 컨테이너 정의에서 보안 비밀을 환경 변수로 사용하는 것을 금지합니다. 그 대신 마운트된 보안 정보 파일을 데이터 볼륨에 사용하세요. https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod 아니요
K8sNoExternalServices 워크로드를 외부 IP로 노출하는 알려진 리소스 생성을 금지합니다. 여기에는 Istio 게이트웨이 리소스와 Kubernetes 인그레스 리소스가 포함됩니다. Kubernetes 서비스도 다음 기준을 충족하지 않으면 허용되지 않습니다. 즉, Google Cloud에서 `LoadBalancer` 유형의 모든 서비스에는 `"networking.gke.io/load-balancer-type": "내부"` 주석이 있어야 합니다. AWS의 모든 `LoadBalancer` 유형 서비스에는 `service.beta.kubernetes.io/aws-load-balancer-internal: "true` 주석이 있어야 합니다. 서비스에 바인딩된 '외부 IP'는 제약조건에 제공된 대로 내부 CIDR 범위의 구성원이어야 합니다. 아니요
K8sPSPAllowPrivilegeEscalationContainer 루트 권한으로의 에스컬레이션 제한을 제어합니다. PodSecurityPolicy의 `allowPrivilegeEscalation` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation을 참조하세요. 아니요
K8sPSPAllowedUsers 컨테이너의 사용자 및 그룹 ID와 일부 볼륨을 제어합니다. PodSecurityPolicy의 `runAsUser`, `runAsGroup`, `supplementalGroups`, `fsGroup` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups를 참조하세요. 아니요
K8sPSPAppArmor 컨테이너에서 사용할 AppArmor 프로필 허용 목록을 구성합니다. PodSecurityPolicy에 적용된 특정 주석에 해당합니다. AppArmor에 대한 자세한 내용은 https://kubernetes.io/docs/tutorials/clusters/apparmor/를 참조하세요. 아니요
K8sPSPAutomountServiceAccountTokenPod 모든 포드의 automountServiceAccountToken 사용 설정 기능을 제어합니다. 아니요
K8sPSPCapabilities 컨테이너의 Linux 기능을 제어합니다. PodSecurityPolicy의 `allowedCapabilities` 및 `requiredDropCapabilities` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities를 참조하세요. 아니요
K8sPSPFSGroup 포드 볼륨을 소유한 FSGroup 할당을 제어합니다. PodSecurityPolicy의 `fsGroup` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요. 아니요
K8sPSPFlexVolumes FlexVolume 드라이버의 허용 목록을 제어합니다. PodSecurityPolicy의 `allowedFlexVolumes` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers를 참조하세요. 아니요
K8sPSPForbiddenSysctls 컨테이너에 사용되는 `sysctl` 프로필을 제어합니다. PodSecurityPolicy의 `allowedUnsafeSysctls` 및 `forbiddenSysctls` 필드에 해당합니다. 지정하면 `allowedSysctls` 매개변수에 없는 sysctl은 금지된 것으로 간주됩니다. `forbiddenSysctls` 매개변수가 `allowedSysctls` 매개변수보다 우선합니다. 자세한 내용은 https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/를 참조하세요. 아니요
K8sPSPHostFilesystem 호스트 파일 시스템 사용량을 제어합니다. PodSecurityPolicy의 `allowedHostPaths` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요. 아니요
K8sPSPHostNamespace 포드 컨테이너별로 호스트 PID 및 IPC 네임스페이스를 공유할 수 없습니다. PodSecurityPolicy의 `hostPID` 및 `hostIPC` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces를 참조하세요. 아니요
K8sPSPHostNetworkingPorts 포드 컨테이너로 호스트 네트워크 네임스페이스 사용을 제어합니다. 특정 포트를 지정해야 합니다. PodSecurityPolicy의 `hostNetwork` 및 `hostPorts` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces를 참조하세요. 아니요
K8sPSPPrivilegedContainer 컨테이너에서 권한 모드를 사용 설정하는 기능을 제어합니다. PodSecurityPolicy의 `privileged` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged를 참조하세요. 아니요
K8sPSPProcMount 컨테이너의 `procMount` 유형을 제어합니다. PodSecurityPolicy의 `allowedProcMountTypes` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes를 참조하세요. 아니요
K8sPSPReadOnlyRootFilesystem 포드 컨테이너에서 읽기 전용 루트 파일 시스템을 사용해야 합니다. PodSecurityPolicy의 `readOnlyRootFilesystem` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요. 아니요
K8sPSPSELinuxV2 포드 컨테이너의 seLinuxOptions 구성 허용 목록을 정의합니다. SELinux 구성이 필요한 PodSecurityPolicy에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux를 참조하세요. 아니요
K8sPSPSeccomp 컨테이너에 사용되는 seccomp 프로필을 제어합니다. PodSecurityPolicy의 `seccomp.security.alpha.kubernetes.io/allowedProfileNames` 주석에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp를 참조하세요. 아니요
K8sPSPVolumeTypes 마운트 가능한 볼륨 유형을 사용자가 지정한 유형으로 제한합니다. PodSecurityPolicy의 `volumes` 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요. 아니요
K8sPSPWindowsHostProcess Windows HostProcess 컨테이너/포드의 실행을 제한합니다. 자세한 내용은 https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/를 참조하세요. 아니요
K8sPSSRunAsNonRoot 컨테이너가 루트가 아닌 사용자로 실행되어야 합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/security/pod-security-standards/를 참조하세요. 아니요
K8sPodDisruptionBudget PodDisruptionBudget 또는 복제본 하위 리소스를 구현하는 리소스(예: Deployment, ReplicationController, ReplicaSet, StatefulSet)를 배포할 때 다음 시나리오를 허용하지 않음: 1. .spec.maxUnavailable == 0인 PodDisruptionBudget의 배포 2. 복제본 하위 리소스가 있는 리소스에서 .spec.minAvailable == .spec.replicas인 PodPodruruBudget의 배포. 이는 PodDisruptionBudget이 노드 드레이닝과 같은 자발적 중단을 차단하지 않도록 합니다. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
K8sPodResourcesBestPractices 컨테이너가 최선의 옵션이 아니며(CPU 및 메모리 요청을 설정) 버스팅 가능한 권장사항을 따라야 합니다(메모리 요청이 정확히 동일한 한도여야 함). 선택적으로 여러 검증 건너뛰기를 허용하도록 주석 키를 구성할 수 있습니다. 아니요
K8sPodsRequireSecurityContext 모든 포드에서 securityContext를 정의해야 합니다. 포드에 정의된 모든 컨테이너에 포드 또는 컨테이너 수준에서 정의된 SecurityContext가 있어야 합니다. 아니요
K8sProhibitRoleWildcardAccess Roles 및 ClusterRoles가 예외적으로 제외된 Roles 및 ClusterRoles를 제외하고 리소스 액세스를 와일드 카드 "*" 값으로 설정하지 않도록 해야 합니다. "*/status"와 같은 하위 리소스까지 와일드 카드 액세스를 제한하지 않습니다. 아니요
K8sReplicaLimits `spec.replicas` 필드(배포, ReplicaSets 등)가 있는 객체가 정의된 범위 내에 있는 복제본 수를 지정해야 합니다. 아니요
K8sRequireAdmissionController 포드 보안 허용 또는 외부 정책 제어 시스템 필요
K8sRequireBinAuthZ 허용 웹훅 검증을 위한 Binary Authorization이 필요합니다. 이 'ConstraintTemplate'을 사용하는 제약조건은 'enforcementAction' 값에 관계없이 감사됩니다.
K8sRequireCosNodeImage 노드에서 Google의 Container-Optimized OS를 사용합니다. 아니요
K8sRequireDaemonsets daemonsets 목록이 존재하도록 지정해야 합니다.
K8sRequireDefaultDenyEgressPolicy 클러스터에 정의된 모든 네임스페이스에 이그레스에 대한 기본 거부 NetworkPolicy가 있어야 합니다.
K8sRequireNamespaceNetworkPolicies 클러스터에 정의된 모든 네임스페이스에 NetworkPolicy가 있어야 합니다.
K8sRequireValidRangesForNetworks 네트워크 인그레스 및 이그레스에 허용되는 CIDR 블록을 적용합니다. 아니요
K8sRequiredAnnotations 리소스가 제공된 정규 표현식과 일치하는 값으로 지정된 주석을 포함하도록 요구합니다. 아니요
K8sRequiredLabels 리소스가 제공된 정규 표현식과 일치하는 값으로 지정된 라벨을 포함하도록 요구합니다. 아니요
K8sRequiredProbes 포드에 준비 상태 또는 활성 프로브가 있어야 합니다. 아니요
K8sRequiredResources 컨테이너에 정의된 리소스를 설정해야 합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 아니요
K8sRestrictAdmissionController 동적 허용 컨트롤러를 허용된 컨트롤러로 제한합니다. 아니요
K8sRestrictAutomountServiceAccountTokens 서비스 계정 토큰 사용을 제한합니다. 아니요
K8sRestrictLabels 특정 리소스에 대한 예외가 없으면 리소스에 지정된 라벨이 포함되지 않도록 합니다. 아니요
K8sRestrictNamespaces 리소스가 restrictedNamespaces 매개변수에 나열된 네임스페이스를 사용하지 못하도록 제한합니다. 아니요
K8sRestrictNfsUrls 지정되지 않은 경우 리소스가 NFS URLS를 포함하지 못하도록 합니다. 아니요
K8sRestrictRbacSubjects RBAC 주제에서 이름 사용을 허용된 값으로 제한합니다. 아니요
K8sRestrictRoleBindings ClusterRoleBindings 및 RoleBindings에 지정된 대상을 허용되는 대상 목록으로 제한합니다. 아니요
K8sRestrictRoleRules Role 및 ClusterRole 객체에 설정할 수 있는 규칙을 제한합니다. 아니요
K8sStorageClass 사용할 때 스토리지 클래스를 지정해야 합니다. Gatekeeper 3.9 이상 및 비임시 컨테이너만 지원됩니다.
K8sUniqueIngressHost 모든 인그레스 규칙 호스트가 고유해야 합니다. 호스트 이름 와일드 카드를 처리하지 않습니다. https://kubernetes.io/docs/concepts/services-networking/ingress/
K8sUniqueServiceSelector 서비스에 네임스페이스 내에서 고유한 선택기가 있어야 합니다. 선택기가 키와 값이 동일한 경우 동일한 선택기로 간주됩니다. 선택기는 별개의 키-값 쌍이 하나 이상 있는 한 키-값 쌍을 공유할 수 있습니다. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
NoUpdateServiceAccount 포드를 추상화하는 리소스에서 서비스 계정 업데이트를 차단합니다. 이 정책은 감사 모드에서 무시됩니다. 아니요
PolicyStrictOnly [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/)을 사용할 때 항상 `STRICT` Istio 상호 TLS가 지정되어야 합니다. 또한 이 제약조건을 사용하면 지원 중단된 [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) 및 MeshPolicy 리소스가 `STRICT` 상호 TLS를 적용합니다. 참조: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh 아니요
RestrictNetworkExclusions

Istio 네트워크 캡처에서 제외할 수 있는 인바운드 포트, 아웃바운드 포트, 아웃바운드 IP 범위를 제어합니다. Istio 네트워크 캡처를 우회하는 포트 및 IP 범위는 Istio 프록시에서 처리되지 않으며 Istio mTLS 인증, 승인 정책, 기타 Istio 기능으로 제한되지 않습니다. 이 제약조건을 사용하여 다음 주석 사용에 제한을 적용할 수 있습니다.

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPort
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

https://istio.io/latest/docs/reference/config/annotations/를 참조하세요.

아웃바운드 IP 범위를 제한할 때 이 제약조건은 제외된 IP 범위가 일치하는지 또는 허용된 IP 범위 제외 항목에 포함되는지 계산합니다.

이 제약조건을 사용할 때 인바운드 포트, 아웃바운드 포트, 아웃바운드 IP 범위는 모두 해당 'include' 주석을 `"*"`로 설정하거나 설정되지 않은 상태로 두어서 항상 포함해야 합니다. 다음 주석을 `"*"` 이외의 값으로 설정하는 것은 허용되지 않습니다.

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

Istio 사이드카 인젝터가 항상 이를 traffic.sidecar.istio.io/excludeInboundPorts 주석에 추가하여 상태 확인에 사용할 수 있도록 하므로 이 제약조건은 항상 포트 15020을 제외하도록 허용합니다.

아니요
SourceNotAllAuthz Istio AuthorizationPolicy 규칙에 '*' 이외의 다른 값으로 설정된 소스 주 구성원이 있어야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/ 아니요
VerifyDeprecatedAPI 지원 중단된 Kubernetes API에서 모든 API 버전이 최신인지 확인합니다. 감사에서 지원 중단되지 않은 API 버전이 있는 클러스터에 이미 있는 리소스를 확인하므로 이 템플릿이 감사에 적용되지 않습니다. 아니요

AllowedServicePortName

허용되는 서비스 포트 이름 v1.0.1

서비스 포트 이름에 지정된 목록의 프리픽스가 포함되어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

예시

port-name-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
허용됨
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
  - name: http-helloport
    port: 5000
  selector:
    app: helloworld
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
  - name: foo-helloport
    port: 5000
  selector:
    app: helloworld
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld

AsmAuthzPolicyDefaultDeny

ASM AuthorizationPolicy 기본 거부 v1.0.4

메시 수준 기본 거부 AuthorizationPolicy를 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns에 대한 참조입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "AuthorizationPolicy"

예시

asm-authz-policy-default-deny-with-input-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
허용됨
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
허용되지 않음
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
asm-authz-policy-default-deny-no-input-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
허용됨
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
허용되지 않음
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST

AsmAuthzPolicyDisallowedPrefix

ASM AuthorizationPolicy 허용되지 않는 프리픽스 v1.0.2

Istio AuthorizationPolicy 규칙의 주 구성원 및 네임스페이스에 지정된 목록의 프리픽스가 포함되지 않아야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
    disallowedNamespacePrefixes:
      - <string>
    # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
    disallowedPrincipalPrefixes:
      - <string>

예시

asm-authz-policy-disallowed-prefix-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
    - bad-ns-prefix
    - worse-ns-prefix
    disallowedPrincipalPrefixes:
    - bad-principal-prefix
    - worse-principal-prefix
허용됨
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/worse-principal-prefix-sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyEnforceSourcePrincipals

ASM AuthorizationPolicy 시행 주 구성원 v1.0.2

거부된 경우 Istio AuthorizationPolicy '시작' 필드에 '*'이 아닌 값으로 설정되어야 하는 소스 주 구성원이 있어야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

asm-authz-policy-enforce-source-principals-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
허용됨
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyNormalization

ASM AuthorizationPolicy 정규화 v1.0.2

AuthorizationPolicy 정규화를 적용합니다. https://istio.io/latest/docs/reference/config/security/normalization/에 대한 참조입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

asm-authz-policy-normalization-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
허용됨
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - get
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Ag ent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test\/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicySafePattern

ASM AuthorizationPolicy 안전 패턴 v1.0.4

AuthorizationPolicy 안전 패턴을 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns에 대한 참조입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

예시

asm-authz-policy-safe-pattern-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High
허용됨
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

AsmIngressgatewayLabel

ASM 인그레스 게이트웨이 라벨 v1.0.3

ingressgateway 포드에만 istio ingressgateway 라벨 사용을 적용합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

asm-ingressgateway-label-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

AsmPeerAuthnMeshStrictMtls

ASM 피어 인증 메시 엄격한 mTLS v1.0.4

메시 수준 엄격한 mtls PeerAuthentication을 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls에 대한 참조입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "PeerAuthentication"

예시

asm-peer-authn-mesh-strict-mtls-with-input-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
허용됨
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT
허용되지 않음
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
허용됨
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
허용되지 않음
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

AsmPeerAuthnStrictMtls

ASM 피어 인증 엄격한 mTLS v1.0.3

모든 PeerAuthentications로 엄격한 mtls를 덮어쓸 수 없음을 적용합니다. https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls에 대한 참조입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

예시

asm-peer-authn-strict-mtls-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High
허용됨
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

AsmRequestAuthnProhibitedOutputHeaders

ASM RequestAuthentication 금지된 출력 헤더 v1.0.2

RequestAuthentication에서 잘 알려진 HTTP 요청 헤더 또는 커스텀 금지된 헤더를 포함하지 않도록 jwtRules.outPayloadToHeader 필드를 적용합니다. https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule에 대한 참조입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>

예시

asm-request-authn-prohibited-output-headers-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header
허용됨
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

AsmSidecarInjection

ASM 사이드카 삽입 v1.0.2

워크로드 포드에 istio 프록시 사이드카가 항상 삽입되도록 적용합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

예시

asm-sidecar-injection-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High
허용됨
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

DestinationRuleTLSEnabled

대상 규칙 TLS 사용 설정됨 v1.0.1

Istio DestinationRules에서 모든 호스트 및 호스트 하위 집합에 TLS 중지를 금지합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

dr-tls-enabled
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
허용되지 않음
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE

DisallowedAuthzPrefix

Istio AuthorizationPolicy 프리픽스 허용되지 않음 v1.0.2

Istio AuthorizationPolicy 규칙의 주 구성원 및 네임스페이스에 지정된 목록의 프리픽스가 포함되지 않아야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

예시

disallowed-authz-prefix-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
허용됨
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

GCP 스토리지 위치 제약조건 v1.0.3

StorageBucket Config Connector 리소스의 허용되는 locations를 제약조건에 제공된 위치 목록으로 제한합니다. exemptions 목록의 버킷 이름은 제외됩니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

예시

singapore-and-jakarta-only
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
허용됨
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
허용되지 않음
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

GkeSpotVMTerminationGrace

GKE 스팟 VM의 terminationGracePeriodSeconds 제한 v1.1.3

gke-spotnodeSelector 또는 nodeAfffinty인 포드 및 포드 템플릿의 terminationGracePeriodSeconds가 15초 이하여야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
    # of 15s or less for all `Pod` on a `gke-spot` Node.
    includePodOnSpotNodes: <boolean>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Node"

예시

spotvm-termination-grace
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: spotvm-termination-grace
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    includePodOnSpotNodes: true
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

K8sAllowedRepos

허용되는 저장소 v1.0.1

컨테이너 이미지가 지정된 목록의 문자열로 시작해야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

예시

repo-is-openpolicyagent
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sAvoidUseOfSystemMastersGroup

'system:masters' 그룹 v1.0.0 사용 금지

'system:masters' 그룹의 사용을 허용하지 않습니다. 감사 중에는 영향을 주지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>

예시

avoid-use-of-system-masters-group
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group
허용됨
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockAllIngress

모든 인그레스 차단 v1.0.4

인그레스 객체(NodePortLoadBalancerIngress, Gateway, Service 유형) 만들기를 허용하지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>

예시

block-all-ingress
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*
허용됨
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: disallowed-gateway-example
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.example.com'
    name: default
    port: 80
    protocol: HTTP

K8sBlockCreationWithDefaultServiceAccount

기본 서비스 계정을 사용한 생성 차단 v1.0.2

기본 서비스 계정을 사용하여 리소스 만들기를 허용하지 않습니다. 감사 중에는 영향을 주지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

block-creation-with-default-serviceaccount
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun
허용됨
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockEndpointEditDefaultRole

엔드포인트 수정 차단 기본 역할 v1.0.0

대부분의 Kubernetes 설치에는 기본적으로 Endpoints 수정에 대한 액세스를 올바르게 제한하지 않는 system:aggregate-to-edit ClusterRole이 있습니다. 이 ConstraintTemplate은 system:aggregate-to-edit ClusterRole이 Endpoints를 생성/패치/업데이트할 수 있는 권한을 부여하지 못하게 합니다. ClusterRole/system:aggregate-to-edit는 CVE-2021-25740으로 인해 Endpoint 수정 권한을 허용하지 않습니다. Endpoint 및 EndpointSlice 권한은 네임스페이스 간 전달을 허용합니다. https://github.com/kubernetes/kubernetes/issues/103675.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

block-endpoint-edit-default-role
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update

K8sBlockLoadBalancer

LoadBalancer 유형의 서비스 차단 v1.0.0

LoadBalancer 유형의 모든 서비스를 금지합니다. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

block-load-balancer
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
허용됨
apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer

K8sBlockNodePort

NodePort 차단 v1.0.0

NodePort 유형이 포함된 모든 서비스를 금지합니다. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

block-node-port
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockObjectsOfType

유형의 객체 차단 v1.0.1

금지된 유형의 객체를 허용하지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
      - <string>

예시

block-secrets-of-type-basic-auth
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth
허용됨
apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque
허용되지 않음
apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth

K8sBlockProcessNamespaceSharing

프로세스 네임스페이스 공유 차단 v1.0.1

shareProcessNamespacetrue로 설정된 포드 사양을 금지합니다. 한 포드의 모든 컨테이너가 PID 네임스페이스를 공유하고 서로의 파일 시스템 및 메모리에 액세스할 수 있는 시나리오를 방지합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

block-process-namespace-sharing
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sBlockWildcardIngress

와일드 카드 인그레스 차단 v1.0.1

사용자는 비어 있는 또는 와일드 카드(*) 호스트 이름으로 인그레스를 만들 수 없어야 합니다. 해당 서비스에 액세스할 수 없더라도 클러스터의 다른 서비스에 대한 트래픽을 가로챌 수 있기 때문입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

block-wildcard-ingress
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
허용됨
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
허용되지 않음
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

K8sContainerEphemeralStorageLimit

컨테이너 임시 스토리지 한도 v1.0.2

컨테이너에 임시 스토리지 한도를 설정해야 하며 지정된 최댓값 내로 한도를 제한합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

container-ephemeral-storage-limit
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

K8sContainerLimits

컨테이너 한도 v1.0.1

컨테이너에 메모리 및 CPU 한도를 설정해야 하며 지정된 최댓값 내로 한도를 제한해야 합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

예시

container-must-have-limits
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

컨테이너 비율 v1.0.1

요청에 대한 컨테이너 리소스 한도의 최대 비율을 설정합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

예시

container-must-meet-ratio
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi
container-must-meet-memory-and-cpu-ratio
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

K8sContainerRequests

컨테이너 요청 v1.0.1

컨테이너에 메모리 및 CPU 요청을 설정해야 하며 지정된 최댓값 내로 요청을 제한해야 합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>

예시

container-must-have-requests
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

K8sCronJobAllowedRepos

CronJob 허용 저장소 v1.0.1

CronJob의 컨테이너 이미지가 지정된 목록의 문자열로 시작해야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

예시

cronjob-restrict-repos
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: cronjob-restrict-repos
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
  parameters:
    repos:
    - gke.gcr.io/
허용됨
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: gke.gcr.io/busybox:1.28
            name: hello
  schedule: '* * * * *'
허용되지 않음
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: busybox:1.28
            name: hello
  schedule: '* * * * *'

K8sDisallowAnonymous

익명 액세스 금지 v1.0.0

system:anonymous 사용자 및 system:unauthenticated 그룹에 대해 ClusterRole 및 Role 리소스 연결을 금지합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
      - <string>

예시

no-anonymous
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowInteractiveTTY

대화형 TTY 컨테이너 허용 안함 v1.0.0

객체의 spec.ttyspec.stdin 필드가 설정되지 않거나 false로 설정되어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

no-interactive-tty-containers
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: no-interactive-tty-containers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-interactive-tty
  name: nginx-interactive-tty-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: false
    tty: false
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: true
    tty: true

K8sDisallowedRepos

허용되지 않는 저장소 v1.0.0

지정된 목록의 문자열로 시작하는 허용되지 않는 컨테이너 저장소입니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
      - <string>

예시

repo-must-not-be-k8s-gcr-io
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

K8sDisallowedRoleBindingSubjects

허용되지 않는 Rolebinding 주체 v1.0.1

매개변수로 전달된 모든 disallowedSubjects와 일치하는 RoleBindings 또는 ClusterRoleBindings를 금지합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

예시

disallowed-rolebinding-subjects
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

태그 허용 안함 v1.0.1

컨테이너 이미지가 지정된 목록에 있는 것과 다른 이미지 태그를 갖도록 지정합니다. https://kubernetes.io/docs/concepts/containers/images/#image-names

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

예시

container-image-must-not-have-latest-tag
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor

K8sEmptyDirHasSizeLimit

빈 디렉터리의 크기 한도 v1.0.5

모든 emptyDir 볼륨은 sizeLimit를 지정해야 합니다. 선택적으로 최대 허용 크기 한도를 지정하기 위해 제약조건에 maxSizeLimit 매개변수를 제공할 수 있습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
      - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

예시

empty-dir-has-size-limit
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sEnforceCloudArmorBackendConfig

BackendConfig 리소스에 Cloud Armor 적용 v1.0.2

BackendConfig 리소스에 Cloud Armor 구성을 적용합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

enforce-cloudarmor-backendconfig
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun
허용됨
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy
허용되지 않음
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5

K8sEnforceConfigManagement

Config Management 적용 v1.1.6

Config Management가 존재하고 작동해야 합니다. 이 ConstraintTemplate를 사용하는 제약조건은 enforcementAction 값에 관계없이 감사됩니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"

예시

enforce-config-management
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement
허용됨
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true
허용되지 않음
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2

K8sExternalIPs

외부 IP v1.0.0

Service externalIPs를 허용된 IP 주소 목록으로 제한합니다. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

예시

external-ips
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
허용됨
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHorizontalPodAutoscaler

수평형 포드 자동 확장 처리 v1.0.1

HorizontalPodAutoscalers 1을 배포할 때 다음 시나리오를 허용하지 않습니다. 제약조건 2에 정의된 범위를 벗어난 .spec.minReplicas 또는 .spec.maxReplicas를 사용하여 HorizontalPodAutoscaler의 배포 .spec.minReplicas.spec.maxReplicas 간의 차이가 구성된 minimumReplicaSpread 3보다 작은 HorizontalPodAutoscaler의 배포 유효한 scaleTargetRef를 참조하지 않는 HorizontalPodAutoscaler의 배포(예: Deployment, ReplicationController, ReplicaSet, StatefulSet)

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "Deployment"
      OR
      - group: "apps"
        version: "v1"
        kind: "StatefulSet"

예시

수평형 포드 자동 확장 처리
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3
허용됨
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
허용되지 않음
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sHttpsOnly

HTTPS 전용 v1.0.2

인그레스 리소스가 HTTPS 전용이어야 합니다. 인그레스 리소스 kubernetes.io/ingress.allow-http 주석을 포함하고, false로 설정되어야 합니다. 기본적으로 유효한 TLS {} 구성이 필요하며, tlsOptional 매개변수를 true로 설정하여 선택사항으로 만들 수 있습니다. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>

예시

ingress-https-only
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
허용됨
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}
허용되지 않음
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
ingress-https-only-tls-optional
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true
허용됨
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
허용되지 않음
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sImageDigests

이미지 다이제스트 v1.0.1

다이제스트를 포함할 컨테이너 이미지가 있어야 합니다. https://kubernetes.io/docs/concepts/containers/images/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

container-image-must-have-digest
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

K8sLocalStorageRequireSafeToEvict

로컬 스토리지에 Safe to Evict 필요 v1.0.1

로컬 스토리지(emptyDir 또는 hostPath)를 사용하는 포드에 "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" 주석이 포함되어야 합니다. 클러스터 자동 확장 처리는 이 주석이 없는 포드를 삭제하지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

local-storage-require-safe-to-evict
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system
허용됨
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

한도와 동일한 메모리 요청 v1.0.4

컨테이너의 요청된 메모리가 메모리 한도와 정확하게 동일하도록 요구함으로써 포드에서 메모리 사용량이 요청된 양을 초과하는 상태가 되지 않도록 포드 안정성을 향상시켜 줍니다. 그렇지 않으면 Kubernetes가 노드에 메모리가 필요한 경우 추가 메모리를 요청하는 포드를 종료할 수 있습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
      - <string>

예시

container-must-request-limit
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

환경 변수 보안 비밀 없음 v1.0.1

포드 컨테이너 정의에서 보안 비밀을 환경 변수로 사용하는 것을 금지합니다. 그 대신 마운트된 보안 정보 파일을 데이터 볼륨에 사용하세요. https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

no-secrets-as-env-vars-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

외부 서비스 없음 v1.0.3

워크로드를 외부 IP로 노출하는 알려진 리소스 생성을 금지합니다. 여기에는 Istio 게이트웨이 리소스와 Kubernetes 인그레스 리소스가 포함됩니다. Kubernetes 서비스도 다음 기준을 충족하지 않으면 허용되지 않습니다. Google Cloud에서 LoadBalancer 유형의 모든 서비스에는 "networking.gke.io/load-balancer-type": "Internal" 주석이 있어야 합니다. AWS에서 LoadBalancer 유형의 모든 서비스에는 service.beta.kubernetes.io/aws-load-balancer-internal: "true 주석이 있어야 합니다. 서비스에 바인딩된 '외부 IP'는 제약조건에 제공된 대로 내부 CIDR 범위의 구성원이어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

예시

no-external
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
허용됨
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-type: Internal
  name: allowed-internal-load-balancer
  namespace: default
spec:
  type: LoadBalancer
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
no-external-aws
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS
허용됨
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer

K8sPSPAllowPrivilegeEscalationContainer

컨테이너 v1.0.1에서 권한 에스컬레이션 허용

루트 권한으로의 에스컬레이션 제한을 제어합니다. PodSecurityPolicy의 allowPrivilegeEscalation 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation을 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

psp-allow-privilege-escalation-container-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

허용된 사용자 v1.0.2

컨테이너의 사용자 및 그룹 ID와 일부 볼륨을 제어합니다. PodSecurityPolicy의 runAsUser, runAsGroup, supplementalGroups, fsGroup 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

예시

psp-pods-allowed-user-ranges
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

App Armor v1.0.0

컨테이너에서 사용할 AppArmor 프로필 허용 목록을 구성합니다. PodSecurityPolicy에 적용된 특정 주석에 해당합니다. AppArmor에 대한 자세한 내용은 https://kubernetes.io/docs/tutorials/clusters/apparmor/를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

psp-apparmor
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
허용됨
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPAutomountServiceAccountTokenPod

포드 v1.0.1용 자동 마운트 서비스 계정 토큰

모든 포드의 automountServiceAccountToken 사용 설정 기능을 제어합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

예시

psp-automount-serviceaccount-token-pod
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

기능 v1.0.2

컨테이너의 Linux 기능을 제어합니다. PodSecurityPolicy의 allowedCapabilitiesrequiredDropCapabilities 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

예시

capabilities-demo
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

FS Group v1.0.2

포드 볼륨을 소유한 FSGroup 할당을 제어합니다. PodSecurityPolicy의 fsGroup 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

예시

psp-fsgroup
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

FlexVolume v1.0.1

FlexVolume 드라이버의 허용 목록을 제어합니다. PodSecurityPolicy의 allowedFlexVolumes 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

예시

psp-flexvolume-drivers
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

금지된 Sysctls v1.1.3

컨테이너에 사용되는 sysctl 프로필을 제어합니다. PodSecurityPolicy의 allowedUnsafeSysctlsforbiddenSysctls 필드에 해당합니다. 지정하면 allowedSysctls 매개변수에 없는 sysctl은 금지된 것으로 간주됩니다. forbiddenSysctls 매개변수는 allowedSysctls 매개변수보다 우선 적용됩니다. 자세한 내용은 https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
      - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

예시

psp-forbidden-sysctls
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"

K8sPSPHostFilesystem

호스트 파일 시스템 v1.0.2

호스트 파일 시스템 사용량을 제어합니다. PodSecurityPolicy의 allowedHostPaths 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

예시

psp-host-filesystem
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

K8sPSPHostNamespace

호스트 네임스페이스 v1.0.1

포드 컨테이너별로 호스트 PID 및 IPC 네임스페이스를 공유할 수 없습니다. PodSecurityPolicy의 hostPIDhostIPC 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

예시

psp-host-namespace-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

호스트 네트워킹 포트 v1.0.2

포드 컨테이너로 호스트 네트워크 네임스페이스 사용을 제어합니다. 특정 포트를 지정해야 합니다. PodSecurityPolicy의 hostNetworkhostPorts 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

예시

psp-host-network-ports-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

권한이 있는 컨테이너 v1.0.1

컨테이너에서 권한 모드를 사용 설정하는 기능을 제어합니다. PodSecurityPolicy의 privileged 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

psp-privileged-container-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

Proc Mount v1.0.3

컨테이너에 허용되는 procMount 유형을 제어합니다. PodSecurityPolicy의 allowedProcMountTypes 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

예시

psp-proc-mount
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

루트 파일 시스템 v1.0.1 읽기 전용

포드 컨테이너에서 읽기 전용 루트 파일 시스템을 사용해야 합니다. PodSecurityPolicy의 readOnlyRootFilesystem 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

psp-readonlyrootfilesystem
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

SELinux V2 v1.0.2

포드 컨테이너의 seLinuxOptions 구성 허용 목록을 정의합니다. SELinux 구성이 필요한 PodSecurityPolicy에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

psp-selinux-v2
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Seccomp v1.0.1

컨테이너에 사용되는 seccomp 프로필을 제어합니다. PodSecurityPolicy의 seccomp.security.alpha.kubernetes.io/allowedProfileNames 주석에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allows all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
      - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

예시

psp-seccomp
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default
허용됨
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPVolumeTypes

볼륨 유형 v1.0.2

마운트 가능한 볼륨 유형을 사용자가 지정한 유형으로 제한합니다. PodSecurityPolicy의 volumes 필드에 해당합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

예시

psp-volume-types
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPSPWindowsHostProcess

Windows HostProcess 컨테이너/포드 제한 v1.0.0

Windows HostProcess 컨테이너/포드의 실행을 제한합니다. 자세한 내용은 https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

restrict-windows-hostprocess
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM

K8sPSSRunAsNonRoot

컨테이너가 루트가 아닌 사용자로 실행되어야 합니다. v1.0.0

컨테이너가 루트가 아닌 사용자로 실행되어야 합니다. 자세한 내용은 https://kubernetes.io/docs/concepts/security/pod-security-standards/를 참조하세요.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

restrict-runasnonroot
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: restrict-runasnonroot
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: true
apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
  - image: nginx
    name: nginx-allowed
  securityContext:
    runAsNonRoot: true
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
  securityContext:
    runAsNonRoot: true
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: false
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
  securityContext:
    runAsNonRoot: false

K8sPodDisruptionBudget

포드 중단 예산 v1.0.3

PodDisruptionBudget 또는 복제본 하위 리소스를 구현하는 리소스(예: Deployment, ReplicationController, ReplicaSet, StatefulSet)를 배포할 때 다음 시나리오를 허용하지 않음: 1. .spec.maxUnavailable == 0인 PodDisruptionBudget의 배포 2. 복제본 하위 리소스가 있는 리소스에서 .spec.minAvailable == .spec.replicas인 PodPodruruBudget의 배포. 이는 PodDisruptionBudget이 노드 드레이닝과 같은 자발적 중단을 차단하지 않도록 합니다. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "policy"
        version: "v1"
        kind: "PodDisruptionBudget"

예시

pod-distruption-budget
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
허용됨
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3
허용되지 않음
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment

K8sPodResourcesBestPractices

컨테이너는 최선의 옵션이 아니며 버스팅 가능한 권장사항을 따라야 함 v1.0.5

컨테이너가 최선의 옵션이 아니며(CPU 및 메모리 요청을 설정) 버스팅 가능한 권장사항을 따라야 합니다(메모리 요청이 정확히 동일한 한도여야 함). 선택적으로 여러 검증 건너뛰기를 허용하도록 주석 키를 구성할 수 있습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>

예시

gke-pod-resources-best-practices
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi

K8sPodsRequireSecurityContext

포드에 보안 컨텍스트 필요 v1.1.1

모든 포드에서 securityContext를 정의해야 합니다. 포드에 정의된 모든 컨테이너에 포드 또는 컨테이너 수준에서 정의된 SecurityContext가 있어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>

예시

pods-require-security-context-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

역할 와일드 카드 액세스 금지 v1.0.5

Roles 및 ClusterRoles가 예외적으로 제외된 Roles 및 ClusterRoles를 제외하고 리소스 액세스를 와일드 카드 "" 값으로 설정하지 않도록 해야 합니다. '"/status"' 같은 하위 리소스까지 와일드 카드 액세스를 제한하지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set  resource access to a wildcard.
    exemptions:
      clusterRoles:
        - # name <string>: The name of the ClusterRole to be exempted.
          name: <string>
          # regexMatch <boolean>: The flag to allow a regular expression
          # based match on the name.
          regexMatch: <boolean>
      roles:
        - # name <string>: The name of the Role to be exempted.
          name: <string>
          # namespace <string>: The namespace of the Role to be exempted.
          namespace: <string>

예시

prohibit-role-wildcard-access-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
prohibit-wildcard-except-exempted-cluster-role
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

복제본 한도 v1.0.2

spec.replicas 필드가 있는 객체(Deployments, ReplicaSets 등)가 정의된 범위 내에 있는 복제본 수를 지정해야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

예시

replica-limits
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3
허용됨
apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
허용되지 않음
apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireAdmissionController

허용 컨트롤러 필요 v1.0.0

포드 보안 허용 또는 외부 정책 제어 시스템 필요

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks which are valid external policy control systems
    permittedValidatingWebhooks:
      - <string>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

예시

require-admission-controller
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: require-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
허용됨
apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.28
  name: allowed-namespace
허용되지 않음
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequireBinAuthZ

Binary Authorization 필요 v1.0.2

허용 웹훅 검증을 위한 Binary Authorization이 필요합니다. 이 ConstraintTemplate를 사용하는 제약조건은 enforcementAction 값에 관계없이 감사됩니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

예시

require-binauthz
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
허용됨
apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None
허용되지 않음
apiVersion: v1
kind: Namespace
metadata:
  name: default

K8sRequireCosNodeImage

COS 노드 이미지 필요 v1.1.1

노드에서 Google의 Container-Optimized OS를 사용합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
      - <string>

예시

nodes-have-consistent-time
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*
허용됨
apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian
apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS
허용되지 않음
apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0

K8sRequireDaemonsets

Daemonsets 필요 v1.1.2

daemonsets 목록이 존재하도록 지정해야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
      - # name <string>: The name of the required daemonset.
        name: <string>
        # namespace <string>: The namespace for the required daemonset.
        namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "DaemonSet"
      OR
      - group: "apps"
        version: "v1beta2" OR "v1"
        kind: "DaemonSet"

예시

require-daemonset
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true
허용됨
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs
허용되지 않음
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"

K8sRequireDefaultDenyEgressPolicy

기본 거부 이그레스 정책 필요 v1.0.3

클러스터에 정의된 모든 네임스페이스에 이그레스에 대한 기본 거부 NetworkPolicy가 있어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

예시

require-default-deny-network-policies
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun
허용됨
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
허용되지 않음
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

K8sRequireNamespaceNetworkPolicies

네임스페이스 네트워크 정책 필요 v1.0.6

클러스터에 정의된 모든 네임스페이스에 NetworkPolicy가 있어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

예시

require-namespace-network-policies-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun
허용됨
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example
허용되지 않음
apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequireValidRangesForNetworks

네트워크에 유효한 범위 필요 v1.0.2

네트워크 인그레스 및 이그레스에 허용되는 CIDR 블록을 적용합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
      - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
      - <string>

예시

require-valid-network-ranges
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24
허용됨
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
허용되지 않음
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

K8sRequiredAnnotations

필수 주석 v1.0.1

리소스가 제공된 정규 표현식과 일치하는 값으로 지정된 주석을 포함하도록 요구합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required annotation.
        key: <string>
    message: <string>

예시

all-must-have-certain-set-of-annotations
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
허용됨
apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: dev-team-alfa@contoso.com
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

필수 라벨 v1.0.1

리소스가 제공된 정규 표현식과 일치하는 값으로 지정된 라벨을 포함하도록 요구합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required label.
        key: <string>
    message: <string>

예시

all-must-have-owner
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username
허용됨
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace
허용되지 않음
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

필수 프로브 v1.0.1

포드에 준비 상태 또는 활성 프로브가 있어야 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
      - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
      - <string>

예시

must-have-probes
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

K8sRequiredResources

필수 리소스 v1.0.1

컨테이너에 정의된 리소스를 설정해야 합니다. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # limits <array>: A list of limits that should be enforced (`cpu`,
    # `memory`, or both).
    limits:
      # Allowed Values: cpu, memory
      - <string>
    # requests <array>: A list of requests that should be enforced (`cpu`,
    # `memory`, or both).
    requests:
      # Allowed Values: cpu, memory
      - <string>

예시

container-must-have-limits-and-requests
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}
no-enforcements
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: no-enforcements
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

K8sRestrictAdmissionController

허용 컨트롤러 제한 v1.0.0

동적 허용 컨트롤러를 허용된 컨트롤러로 제한합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedMutatingWebhooks <array>: List of permitted mutating webhooks
    # (mutating admission controllers)
    permittedMutatingWebhooks:
      - <string>
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks (validating admission controllers)
    permittedValidatingWebhooks:
      - <string>

예시

restrict-admission-controller
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: restrict-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
  parameters:
    permittedMutatingWebhooks:
    - allowed-mutating-webhook
    permittedValidatingWebhooks:
    - allowed-validating-webhook
허용됨
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: allowed-validating-webhook
허용되지 않음
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: disallowed-validating-webhook

K8sRestrictAutomountServiceAccountTokens

서비스 계정 토큰 제한 v1.0.1

서비스 계정 토큰 사용을 제한합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

restrict-serviceaccounttokens
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount

K8sRestrictLabels

라벨 제한 v1.0.2

특정 리소스에 대한 예외가 없으면 리소스에 지정된 라벨이 포함되지 않도록 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

예시

restrict-label-example
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

네임스페이스 제한 v1.0.1

리소스가 restrictedNamespaces 매개변수에 나열된 네임스페이스를 사용하지 못하도록 제한합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

예시

restrict-default-namespace-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default
허용됨
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNfsUrls

NFS URL 제한 v1.0.1

지정되지 않은 경우 리소스가 NFS URLS를 포함하지 못하도록 합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
      - <string>

예시

restrict-label-example
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

K8sRestrictRbacSubjects

제한된 RBAC 주체 v1.0.3

RBAC 주제에서 이름 사용을 허용된 값으로 제한합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
      - # name <string>: The exact-name or the pattern of the allowed subject
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>

예시

restrict-rbac-subjects
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@system.gserviceaccount.com$
      regexMatch: true
    - name: ^.+@google.com$
      regexMatch: true
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user@google.com
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user1@example.com
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user2@example.com

K8sRestrictRoleBindings

역할 바인딩 제한 v1.0.3

ClusterRoleBindings 및 RoleBindings에 지정된 대상을 허용되는 대상 목록으로 제한합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject which is matched exactly as
        # provided as well as based on a regular expression.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

예시

restrict-clusteradmin-rolebindings-sample
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

K8sRestrictRoleRules

Role 및 ClusterRole 규칙 제한 v1.0.4

Role 및 ClusterRole 객체에 설정할 수 있는 규칙을 제한합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be allowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be disallowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
        - # name <string>: Name is the name or a pattern of the ClusterRole
          # to be exempted.
          name: <string>
          # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
          # regex match of the ClusterRole name.
          regexMatch: <boolean>
      roles:
        - # name <string>: Name is the name of the Role to be exempted.
          name: <string>
          # namespace <string>: Namespace is the namespace of the Role to be
          # exempted.
          namespace: <string>

예시

restrict-pods-exec
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create
허용됨
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
허용되지 않음
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'

K8sStorageClass

스토리지 클래스 v1.1.2

사용할 때 스토리지 클래스를 지정해야 합니다. Gatekeeper 3.9 이상 및 비임시 컨테이너만 지원됩니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    #  If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
      - <string>
    includeStorageClassesInMessage: <boolean>

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "storage.k8s.io"
        version: "v1"
        kind: "StorageClass"

예시

storageclass
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true
허용됨
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo
허용되지 않음
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
allowed-storageclass
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true
허용됨
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo
허용되지 않음
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

K8sUniqueIngressHost

고유한 인그레스 호스트 v1.0.4

모든 인그레스 규칙 호스트가 고유해야 합니다. 호스트 이름 와일드 카드를 처리하지 않습니다. https://kubernetes.io/docs/concepts/services-networking/ingress/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "Ingress"
      OR
      - group: "networking.k8s.io"
        version: "v1beta1" OR "v1"
        kind: "Ingress"

예시

unique-ingress-host
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
허용됨
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
허용되지 않음
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sUniqueServiceSelector

고유한 서비스 선택기 v1.0.2

서비스에 네임스페이스 내에서 고유한 선택기가 있어야 합니다. 선택기가 키와 값이 동일한 경우 동일한 선택기로 간주됩니다. 선택기는 별개의 키-값 쌍이 하나 이상 있는 한 키-값 쌍을 공유할 수 있습니다. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

참조 제약조건

이 제약조건은 참조용으로 제공됩니다. 사용하기 전에 참조 제약조건을 사용 설정하고 정책 컨트롤러에 감시할 객체 종류를 알려주는 구성을 만들어야 합니다.

정책 컨트롤러 Config는 다음과 비슷한 syncOnly 항목이 필요합니다.

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Service"

예시

unique-service-selector
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
허용됨
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value
허용되지 않음
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

NoUpdateServiceAccount

서비스 계정 업데이트 차단 v1.0.1

포드를 추상화하는 리소스에서 서비스 계정 업데이트를 차단합니다. 이 정책은 감사 모드에서 무시됩니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
      - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
      - <string>

예시

no-update-kube-system-service-account
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []
허용됨
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1

PolicyStrictOnly

엄격한 Istio mTLS 정책 필요 v1.0.4

PeerAuthentication을 사용할 때 항상 STRICT Istio 상호 TLS가 지정되어야 합니다. 또한 이 제약조건을 사용하면 지원 중단된 정책 및 MeshPolicy 리소스가 STRICT 상호 TLS를 적용합니다. 참조: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

peerauthentication-strict-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default
허용됨
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT
deprecated-policy-strict-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
허용됨
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT
허용되지 않음
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

RestrictNetworkExclusions

네트워크 제외 제한 v1.0.2

Istio 네트워크 캡처에서 제외할 수 있는 인바운드 포트, 아웃바운드 포트, 아웃바운드 IP 범위를 제어합니다. Istio 네트워크 캡처를 우회하는 포트 및 IP 범위는 Istio 프록시에서 처리되지 않으며 Istio mTLS 인증, 승인 정책, 기타 Istio 기능으로 제한되지 않습니다. 이 제약조건을 사용하여 다음 주석 사용에 제한을 적용할 수 있습니다.

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

https://istio.io/latest/docs/reference/config/annotations/를 참조하세요.

아웃바운드 IP 범위를 제한할 때 이 제약조건은 제외된 IP 범위가 일치하는지 또는 허용된 IP 범위 제외 항목에 포함되는지 계산합니다.

이 제약조건을 사용할 때 인바운드 포트, 아웃바운드 포트, 아웃바운드 IP 범위는 모두 해당 'include' 주석을 "*"로 설정하거나 설정되지 않은 상태로 두어서 항상 포함해야 합니다. 다음 주석을 "*"가 아닌 값으로 설정하는 것은 허용되지 않습니다.

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

Istio 사이드카 인젝터가 항상 이를 traffic.sidecar.istio.io/excludeInboundPorts 주석에 추가하여 상태 확인에 사용할 수 있도록 하므로 이 제약조건은 항상 포트 15020을 제외하도록 허용합니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedInboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
    allowedInboundPortExclusions:
      - <string>
    # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
    # constraint calculates whether excluded IP ranges match or are a subset of
    # the ranges in this list.
    allowedOutboundIPRangeExclusions:
      - <string>
    # allowedOutboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
    allowedOutboundPortExclusions:
      - <string>

예시

restrict-network-exclusions
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"
허용됨
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
허용되지 않음
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

SourceNotAllAuthz

Istio AuthorizationPolicy 소스가 모두는 아니어야 함 v1.0.1

Istio AuthorizationPolicy 규칙에 '*' 이외의 다른 값으로 설정된 소스 주 구성원이 있어야 합니다. https://istio.io/latest/docs/reference/config/security/authorization-policy/

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]

예시

sourcenotall-authz-constraint
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
허용됨
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
허용되지 않음
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

VerifyDeprecatedAPI

지원 중단된 API 확인 v1.0.0

지원 중단된 Kubernetes API에서 모든 API 버전이 최신인지 확인합니다. 감사에서 지원 중단되지 않은 API 버전이 있는 클러스터에 이미 있는 리소스를 확인하므로 이 템플릿이 감사에 적용되지 않습니다.

제약조건 스키마

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/reference/match
  match:
    [match schema]
  parameters:
    # k8sVersion <number>: kubernetes version
    k8sVersion: <number>
    # kvs <array>: Deprecated api versions and corresponding kinds
    kvs:
      - # deprecatedAPI <string>: deprecated api
        deprecatedAPI: <string>
        # kinds <array>: impacted list of kinds
        kinds:
          - <string>
        # targetAPI <string>: target api
        targetAPI: <string>

예시

verify-1.16
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1
허용됨
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
허용되지 않음
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
verify-1.22
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1
허용됨
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
허용되지 않음
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
verify-1.25
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1
허용됨
apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
허용되지 않음
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
verify-1.26
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
허용됨
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
허용되지 않음
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
verify-1.27
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1
허용됨
apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard
허용되지 않음
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
  namespace: default
storageClassName: standard
verify-1.29
제약조건
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
허용됨
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
허용되지 않음
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

다음 단계