Les modèles de contrainte vous permettent de définir le fonctionnement d'une contrainte mais délèguent la définition des spécificités de la contrainte à une personne ou à un groupe ayant une expertise en la matière. En plus de séparer les divers problèmes, cela sépare également la logique de la contrainte de sa définition.
Toutes les contraintes contiennent une section match qui définit les objets auxquels une contrainte s'applique. Pour en savoir plus sur la configuration de cette section, consultez la page Section de correspondance de contrainte.
Certains modèles de contraintes ne sont pas disponibles pour toutes les versions de Policy Controller. Les modèles peuvent changer d'une version à l'autre. Utilisez les liens suivants pour comparer les contraintes des versions compatibles :
Liens vers les versions compatibles de cette page
Pour bénéficier d'une assistance complète, nous vous recommandons d'utiliser des modèles de contraintes issus d'une version compatible de Policy Controller.
Pour vous aider à comprendre le fonctionnement des modèles de contraintes, chaque modèle inclut un exemple de contrainte et une ressource qui ne respecte pas la contrainte.
Modèles de contrainte disponibles
| Modèle de contrainte | Description | Référentiel |
|---|---|---|
| AllowedServicePortName | Nécessite que les noms de port du service comportent un préfixe provenant d'une liste spécifiée. | Non |
| AsmAuthzPolicyDefaultDeny | Appliquez la règle de refus AuthorizationPolicy par défaut au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. | Oui |
| AsmAuthzPolicyDisallowedPrefix | Nécessite que les comptes principaux et les espaces de noms des règles AuthorizationPolicy d'Istio ne comportent pas de préfixe provenant d'une liste spécifiée. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Non |
| AsmAuthzPolicyEnforceSourcePrincipals | Nécessite que le champ "from" de la règle AuthorizationPolicy d'Istio, lorsqu'il est défini, possède des principes sources, qui doivent être définis sur une valeur autre que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Non |
| AsmAuthzPolicyNormalization | Appliquez la normalisation de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/reference/config/security/normalization/. | Non |
| AsmAuthzPolicySafePattern | Appliquez les modèles sécurisés de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. | Non |
| AsmIngressgatewayLabel | N'appliquez le libellé ingressgateway d'Istio que sur les pods ingressgateway. | Non |
| AsmPeerAuthnMeshStrictMtls | Appliquez PeerAuthentication en mode mTLS strict au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Oui |
| AsmPeerAuthnStrictMtls | L'application de l'ensemble des PeerAuthentications ne peut pas écraser le mode mTLS strict. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Non |
| AsmRequestAuthnProhibitedOutputHeaders | Dans RequestAuthentication, appliquez le champ jwtRules.outPayloadToHeader pour qu'il ne contienne pas d'en-têtes de requête HTTP connus ou d'en-têtes personnalisés interdits. Consultez la documentation de référence sur la page https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. | Non |
| AsmSidecarInjection | Appliquez le proxy side-car Istio, toujours injecté dans les pods de la charge de travail. | Non |
| DestinationRuleTLSEnabled | Interdit la désactivation du protocole TLS pour tous les hôtes et sous-ensembles d'hôtes dans les DestinationRules d'Istio. | Non |
| DisallowedAuthzPrefix | Nécessite que les comptes principaux et les espaces de noms des règles AuthorizationPolicy d'Istio ne comportent pas de préfixe provenant d'une liste spécifiée. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Non |
| GCPStorageLocationConstraintV1 | Limite les emplacements (locations) autorisés pour les ressources Config Connector de StorageBucket à la liste des emplacements fournis dans la contrainte. Les noms de buckets de la liste exemptions sont exclus. | Non |
| GkeSpotVMTerminationGrace | Nécessite que les pods et les modèles de pods dotés des paramètres "nodeSelector" ou "nodeAfffinty" pour "gke-spot" aient une valeur "terminationGracePeriodSeconds" de 15 secondes ou moins. | Oui |
| K8sAllowedRepos | Nécessite que les images de conteneur commencent par une chaîne de la liste spécifiée. | Non |
| K8sAvoidUseOfSystemMastersGroup | Interdit l'utilisation du groupe "system:masters". N'a aucun effet lors de l'audit. | Non |
| K8sBlockAllIngress | Interdit la création d'objets Ingress (types "Ingress", "Gateway" et "Service" de "NodePort" et "LoadBalancer"). | Non |
| K8sBlockCreationWithDefaultServiceAccount | Interdit la création de ressources à l'aide d'un compte de service par défaut. N'a aucun effet lors de l'audit. | Non |
| K8sBlockEndpointEditDefaultRole | Par défaut, de nombreuses installations Kubernetes comportent un ClusterRole system:aggregate-to-edit qui ne limite pas correctement l'accès à la modification des points de terminaison. Ce ConstraintTemplate empêche le système ClusterRole:system-aggregate-to-edit d'accorder l'autorisation de créer, d'appliquer des correctifs et de mettre à jour des points de terminaison. ClusterRole/system:aggregate-to-edit ne doit pas accepter les autorisations de modification des points de terminaison en raison de la norme CVE-2021-25740, les autorisations Endpoint & EndpointSlice permettent le transfert d'espaces de noms multiples, https://github.com/kubernetes/kubernetes/issues/103675 | Non |
| K8sBlockLoadBalancer | Interdit tous les services de type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | Non |
| K8sBlockNodePort | Interdit tous les services de type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | Non |
| K8sBlockObjectsOfType | Interdiction des objets de types interdits. | Non |
| K8sBlockProcessNamespaceSharing | Interdit les spécifications des pods avec "shareProcessNamespace" défini sur "true". Cela permet d'éviter des scénarios dans lesquels tous les conteneurs d'un pod partagent un espace de noms PID et peuvent accéder au système de fichiers et à la mémoire de chacun d'entre eux. | Non |
| K8sBlockWildcardIngress | Les utilisateurs ne doivent pas pouvoir créer d'objets Ingress avec un nom d'hôte vide ou générique (*), car cela leur permettrait d'intercepter le trafic pour d'autres services du cluster, même s'ils n'ont pas accès à ces services. | Non |
| K8sContainerEphemeralStorageLimit | Exige une limite de stockage éphémère pour les conteneurs, avec des limites correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Non |
| K8sContainerLimits | Exige des limites de mémoire et de processeur pour les conteneurs, avec des limites correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Non |
| K8sContainerRatios | Définit un ratio maximal pour les limites de ressources de conteneurs des requêtes. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Non |
| K8sContainerRequests | Exige des requêtes de mémoire et de processeur pour les conteneurs, avec des requêtes correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Non |
| K8sCronJobAllowedRepos | Nécessite que les images de conteneur des jobs CronJob commencent par une chaîne de la liste spécifiée. | Non |
| K8sDisallowAnonymous | Interdit l'association des ressources ClusterRole et Role à l'utilisateur system:anonymous et au groupe system:unauthenticated. | Non |
| K8sDisallowInteractiveTTY | Nécessite que les champs "spec.tty" et "spec.stdin" des objets soient définis sur "false" ou non définis. | Non |
| K8sDisallowedRepos | Dépôts de conteneurs non autorisés qui commencent par une chaîne de la liste spécifiée. | Non |
| K8sDisallowedRoleBindingSubjects | Interdit les objets RoleBinding ou ClusterRoleBinding avec les sujets correspondant à un "disallowedSubjects" transmis en tant que paramètre. | Non |
| K8sDisallowedTags | Nécessite que les images de conteneur aient un tag d'image différent de celui de la liste spécifiée. https://kubernetes.io/docs/concepts/containers/images/#image-names | Non |
| K8sEmptyDirHasSizeLimit | Nécessite que les volumes "emptyDir" spécifient une valeur "sizeLimit". Vous pouvez éventuellement spécifier un paramètre "maxSizeLimit" dans la contrainte pour spécifier une limite de taille maximale autorisée. | Non |
| K8sEnforceCloudArmorBackendConfig | Applique la configuration de Cloud Armor aux ressources BackendConfig. | Non |
| K8sEnforceConfigManagement | Nécessite la présence et le fonctionnement de Config Management. Les contraintes utilisant ce "ConstraintTemplate" seront auditées uniquement, quelle que soit la valeur de "enforcementAction". | Oui |
| K8sExternalIPs | Limite les adresses IP externes du service à une liste d'adresses IP autorisées. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | Non |
| K8sHorizontalPodAutoscaler | Interdire les scénarios suivants lors du déploiement de "HorizontalPodAutoscalers" 1. Déploiement d'objets HorizontalPodAutoscaler avec ".spec.minReplicas" ou ".spec.maxReplicas" en dehors des plages définies dans la contrainte 2. Déploiement d'objets HorizontalPodAutoscaler où la différence entre ".spec.minReplicas" et ".spec.maxReplicas" est inférieure à la valeur "minimumReplicaSpread" configurée 3. Déploiement d'HorizontalPodAutoscalers qui ne font pas référence à une valeur "scaleTargetRef" valide (par exemple, Deployment, ReplicationController, ReplicaSet, StatefulSet). | Oui |
| K8sHttpsOnly | Exige que les ressources Ingress soient de type HTTPS uniquement. Les ressources Ingress doivent inclure l'annotation "kubernetes.io/ingress.allow-http", définie sur "false". Par défaut, une configuration TLS {} valide est requise. Vous pouvez la rendre facultative en définissant le paramètre "tlsOptional" sur "true". https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | Non |
| K8sImageDigests | Nécessite que les images de conteneur contiennent un condensé. https://kubernetes.io/docs/concepts/containers/images/ | Non |
| K8sLocalStorageRequireSafeToEvict | Nécessite que les pods utilisant le stockage local ("emptyDir" ou "hostPath") comportent l'annotation "cluster-autoscaler.kubernetes.io/safe-to-evict" : "true". Cluster Autoscaler ne supprime pas les pods qui ne comportent pas cette annotation. | Non |
| K8sMemoryRequestEqualsLimit | Favorise la stabilité du pod en exigeant que la mémoire demandée de tous les conteneurs soit exactement égale à la limite de mémoire. Ainsi, les pods ne sont jamais dans un état où l'utilisation de mémoire dépasse la quantité demandée. Sinon, Kubernetes peut arrêter les pods qui demandent de la mémoire supplémentaire si de la mémoire est nécessaire sur le nœud. | Non |
| K8sNoEnvVarSecrets | Interdit les secrets en tant que variables d'environnement dans les définitions de conteneur des pods. Utilisez plutôt des fichiers secrets installés dans des volumes de données : https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | Non |
| K8sNoExternalServices | Interdit la création de ressources connues qui exposent les charges de travail à des adresses IP externes. Cela inclut les ressources Istio Gateway et Kubernetes Ingress. Les services Kubernetes ne sont pas autorisés non plus, sauf s'ils répondent aux critères suivants : tout service de type "LoadBalancer" dans Google Cloud doit comporter une annotation "networking.gke.io/load-balancer-type" : "Internal". Tout service de type "LoadBalancer" dans AWS doit comporter une annotation "service.beta.kubernetes.io/aws-load-balancer-internal" : "true". Toutes les "adresses IP externes" (externes au cluster) liées au service doivent être membres d'une plage de CIDR internes, comme indiqué dans la contrainte. | Non |
| K8sPSPAllowPrivilegeEscalationContainer | Contrôle la limite de passage aux droits racine. Correspond au champ "allowPrivilegeEscalation" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-élévation. | Non |
| K8sPSPAllowedUsers | Contrôle les ID d'utilisateur et de groupe du conteneur, ainsi que certains volumes. Correspond aux champs "runAsUser", "runAsGroup", "supplementalGroups" et "fsGroup" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups | Non |
| K8sPSPAppArmor | Configure une liste d'autorisation de profils AppArmor à utiliser par les conteneurs. Cela correspond aux annotations spécifiques appliquées à une règle PodSecurityPolicy. Pour plus d'informations sur AppArmor, consultez la page https://kubernetes.io/docs/tutorials/clusters/apparmor/. | Non |
| K8sPSPAutomountServiceAccountTokenPod | Contrôle la capacité de n'importe quel pod à activer automountServiceAccountToken. | Non |
| K8sPSPCapabilities | Contrôle les capacités Linux sur les conteneurs. Correspond aux champs "allowedCapabilities" et "requiredDropCapabilities" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#Capabilities | Non |
| K8sPSPFSGroup | Contrôle l'allocation d'un FSGroup qui est propriétaire des volumes du pod. Correspond au champ "fsGroup" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems. | Non |
| K8sPSPFlexVolumes | Contrôle la liste d'autorisation des pilotes FlexVolume. Correspond au champ "allowedFlexVolumes" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers | Non |
| K8sPSPForbiddenSysctls | Contrôle le profil "sysctl" utilisé par les conteneurs. Correspond aux champs "allowedUnsafeSysctls" et "forbiddenSysctls" dans une règle PodSecurityPolicy. Si spécifié, tout sysctl qui ne figure pas dans le paramètre "allowedSysctls" est considéré comme interdit. Le paramètre "forbiddenSysctls" est prioritaire sur le paramètre "allowedSysctls". Pour en savoir plus, consultez la page https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/. | Non |
| K8sPSPHostFilesystem | Contrôle l'utilisation du système de fichiers hôte. Correspond au champ "allowedHostPaths" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems. | Non |
| K8sPSPHostNamespace | Interdit le partage des espaces de noms PID et IPC hôtes par les conteneurs de pods. Correspond aux champs "hostPID" et "hostIPC" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces. | Non |
| K8sPSPHostNetworkingPorts | Contrôle l'utilisation de l'espace de noms du réseau hôte par les conteneurs de pods. Des ports spécifiques doivent être spécifiés. Correspond aux champs "hostNetwork" et "hostPorts" d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces. | Non |
| K8sPSPPrivilegedContainer | Contrôle la capacité de n'importe quel conteneur à activer le mode privilégié. Correspond au champ "privileged" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged. | Non |
| K8sPSPProcMount | Contrôle les types "procMount" pour le conteneur. Correspond au champ "allowedProcMountTypes" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes. | Non |
| K8sPSPReadOnlyRootFilesystem | Nécessite l'utilisation d'un système de fichiers racine en lecture seule par les conteneurs de pods. Correspond au champ "readOnlyRootFilesystem" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems. | Non |
| K8sPSPSELinuxV2 | Définit une liste d'autorisation de configurations seLinuxOptions pour les conteneurs de pods. Correspond à une règle PodSecurityPolicy nécessitant des configurations SELinux. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux. | Non |
| K8sPSPSeccomp | Contrôle le profil seccomp utilisé par les conteneurs. Correspond à l'annotation "seccomp.security.alpha.kubernetes.io/allowedProfileNames" sur une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp. | Non |
| K8sPSPVolumeTypes | Limite les types de volumes installables à ceux spécifiés par l'utilisateur. Correspond au champ "volumes" de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems. | Non |
| K8sPSPWindowsHostProcess | Restriction de l'exécution des conteneurs/pods Windows HostProcess. Pour en savoir plus, consultez la page https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/. | Non |
| K8sPSSRunAsNonRoot | Nécessite l'exécution des conteneurs en tant qu'utilisateurs non racine. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/security/pod-security-standards/. | Non |
| K8sPodDisruptionBudget | Interdire les scénarios suivants lors du déploiement de PodDisruptionBudgets ou de ressources qui mettent en œuvre la sous-ressource d'instance dupliquée (par exemple Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Déploiement de PodDisruptionBudgets avec .spec.maxUnavailable == 0 2. Déploiement de PodDisruptionBudgets avec .spec.minAvailable == .spec.replicas de la ressource avec sous-ressource d'instance dupliquée. Cette opération empêche PodDisruptionBudgets de bloquer les interruptions volontaires telles que le drainage de nœud. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | Oui |
| K8sPodResourcesBestPractices | Nécessite que les conteneurs ne soient pas optimisés (en définissant les demandes de ressources de processeur et de mémoire) et suivent les bonnes pratiques d'utilisation intensive (la demande de mémoire doit être exactement égale à la limite). Vous pouvez également configurer des clés d'annotation pour permettre d'ignorer les différentes validations. | Non |
| K8sPodsRequireSecurityContext | Nécessite que tous les pods définissent securityContext. Nécessite que tous les conteneurs définis dans les pods aient un contexte SecurityContext défini au niveau du pod ou du conteneur. | Non |
| K8sProhibitRoleWildcardAccess | Requiert que Roles et ClusterRole ne définissent pas l'accès aux ressources sur un caractère générique "*", à l'exception des Roles et des ClusterRoles exemptés fournis en tant qu'exceptions. Ne limite pas l'accès générique aux sous-ressources, comme "*/status". | Non |
| K8sReplicaLimits | Nécessite que les objets comportant le champ "spec.replicas" (Deployments, ReplicaSets, etc.) spécifient un nombre d'instances dupliquées dans les plages définies. | Non |
| K8sRequireAdmissionController | Nécessite une admission de sécurité du pod ou un système de contrôle de règles externe | Oui |
| K8sRequireBinAuthZ | Nécessite le webhook d'admission de validation d'autorisation binaire. Les contraintes utilisant ce "ConstraintTemplate" seront auditées uniquement, quelle que soit la valeur de "enforcementAction". | Oui |
| K8sRequireCosNodeImage | Applique l'utilisation de Container-Optimized OS de Google sur les nœuds. | Non |
| K8sRequireDaemonsets | Nécessite la présence de la liste des daemonsets spécifiés. | Oui |
| K8sRequireDefaultDenyEgressPolicy | Nécessite que chaque espace de noms défini dans le cluster ait un objet NetworkPolicy de refus par défaut pour la sortie. | Oui |
| K8sRequireNamespaceNetworkPolicies | Nécessite que chaque espace de noms défini dans le cluster ait un objet NetworkPolicy. | Oui |
| K8sRequireValidRangesForNetworks | Applique les blocs CIDR autorisés pour l'entrée et la sortie réseau. | Non |
| K8sRequiredAnnotations | Exige que les ressources contiennent des annotations spécifiées, avec des valeurs correspondant aux expressions régulières fournies. | Non |
| K8sRequiredLabels | Exige que les ressources contiennent des libellés spécifiés, avec des valeurs correspondant aux expressions régulières fournies. | Non |
| K8sRequiredProbes | Exige que les pods fassent l'objet de vérifications d'aptitude et/ou d'activité. | Non |
| K8sRequiredResources | Nécessite que les conteneurs aient un ensemble de ressources définies. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Non |
| K8sRestrictAdmissionController | Limiter les contrôleurs d'admission dynamiques aux contrôleurs autorisés | Non |
| K8sRestrictAutomountServiceAccountTokens | Limite l'utilisation des jetons de comptes de service. | Non |
| K8sRestrictLabels | Empêche les ressources de contenir des libellés spécifiés, sauf en cas d'exception pour la ressource spécifique. | Non |
| K8sRestrictNamespaces | Empêche les ressources d'utiliser des espaces de noms répertoriés dans le paramètre restrictedNamespaces. | Non |
| K8sRestrictNfsUrls | Empêche les ressources de contenir des URL NFS, sauf indication contraire. | Non |
| K8sRestrictRbacSubjects | Limite l'utilisation des noms dans les objets RBAC aux valeurs autorisées. | Non |
| K8sRestrictRoleBindings | Limite les sujets spécifiés dans les objets ClusterRoleBinding et RoleBinding à une liste de sujets autorisés. | Non |
| K8sRestrictRoleRules | Limite les règles pouvant être définies sur les objets Role et ClusterRole. | Non |
| K8sStorageClass | Nécessite la spécification des classes de stockage lors de leur utilisation. Seuls Gatekeeper 3.9+ et les conteneurs non éphémères sont compatibles. | Oui |
| K8sUniqueIngressHost | Exige que tous les hôtes de règle Ingress soient uniques. N'accepte pas les caractères génériques du nom d'hôte : https://kubernetes.io/docs/concepts/services-networking/ingress/ | Oui |
| K8sUniqueServiceSelector | Exige que les Services aient des sélecteurs uniques au sein d'un espace de noms. Les sélecteurs sont considérés comme identiques s'ils possèdent des clés et des valeurs identiques. Les sélecteurs peuvent partager une paire clé/valeur s'il existe au moins une paire clé/valeur distincte entre eux. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | Oui |
| NoUpdateServiceAccount | Bloque la mise à jour du compte de service sur les ressources qui extraient sur les pods. Cette règle est ignorée en mode audit. | Non |
| PolicyStrictOnly | Nécessite que l'authentification TLS mutuelle Istio STRICT soit toujours spécifiée lorsque vous utilisez [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). Cette contrainte garantit également que les ressources obsolètes [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) et MeshPolicy appliquent également le protocole TLS mutuel "STRICT". Consultez la page https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh. | Non |
| RestrictNetworkExclusions | Contrôlez les ports entrants, les ports sortants et les plages d'adresses IP sortantes pouvant être exclues de la capture du réseau Istio. Les ports et les plages d'adresses IP qui contournent la capture du réseau Istio ne sont pas gérés par le proxy Istio et ne sont pas soumis à l'authentification mTLS d'Istio, à la règle d'autorisation et à d'autres fonctionnalités d'Istio. Cette contrainte peut être utilisée pour appliquer des restrictions à l'utilisation des annotations suivantes:
Voir https://istio.io/latest/docs/reference/config/annotations/. Lorsque vous limitez des plages d'adresses IP sortantes, la contrainte calcule si les plages d'adresses IP exclues correspondent ou sont un sous-ensemble des exclusions de plages d'adresses IP autorisées. Lorsque vous utilisez cette contrainte, tous les ports entrants, ports sortants et plages d'adresses IP sortantes doivent toujours être inclus en définissant les annotations "include" correspondantes sur "*" ou en les laissant non défini. La définition de l'une des annotations suivantes sur une valeur autre que "*" n'est pas autorisée :
Cette contrainte permet toujours d'exclure le port 15020, car l'injecteur de side-car Istio l'ajoute toujours à l'annotation |
Non |
| SourceNotAllAuthz | Nécessite que les comptes principaux sources des règles AuthorizationPolicy d'Istio soient définis sur autre chose que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Non |
| VerifyDeprecatedAPI | Vérifie les API Kubernetes obsolètes pour s'assurer que toutes les versions d'API sont à jour. Ce modèle ne s'applique pas à l'audit, car celui-ci examine les ressources déjà présentes dans le cluster avec des versions d'API non obsolètes. | Non |
AllowedServicePortName
Noms de compte de service autorisés v1.0.1
Nécessite que les noms de port du service comportent un préfixe provenant d'une liste spécifiée.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prefixes <array>: Prefixes of allowed service port names.
prefixes:
- <string>
Examples
port-name-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
name: port-name-constraint
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
prefixes:
- http-
- http2-
- grpc-
- mongo-
- redis-
- tcp-
Autorisés
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-http
spec:
ports:
- name: http-helloport
port: 5000
selector:
app: helloworld
Non autorisé
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-tcp
spec:
ports:
- name: foo-helloport
port: 5000
selector:
app: helloworld
apiVersion: v1
kind: Service
metadata:
labels:
app: helloworld
name: port-name-bad
spec:
ports:
- name: helloport
port: 5000
selector:
app: helloworld
AsmAuthzPolicyDefaultDeny
Refus par défaut AuthorizationPolicy ASM v1.0.4
Appliquez la règle de refus AuthorizationPolicy par défaut au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "AuthorizationPolicy"
Examples
asm-authz-policy-default-deny-with-input-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
Autorisés
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Non autorisé
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: istio-system
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
asm-authz-policy-default-deny-no-input-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Autorisés
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-no-action
namespace: istio-system
spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: default-deny-with-action
namespace: istio-system
spec:
action: ALLOW
Non autorisé
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
name: asm-authz-policy-default-deny-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: not-default-deny
namespace: istio-system
spec:
action: DENY
rules:
- to:
- operation:
notMethods:
- GET
- POST
AsmAuthzPolicyDisallowedPrefix
Préfixes non autorisés pour la règle AuthorizationPolicy ASM v1.0.2
Nécessite que les comptes principaux et les espaces de noms des règles AuthorizationPolicy d'Istio ne comportent pas de préfixe provenant d'une liste spécifiée.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
disallowedNamespacePrefixes:
- <string>
# disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
disallowedPrincipalPrefixes:
- <string>
Examples
asm-authz-policy-disallowed-prefix-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
name: asm-authz-policy-disallowed-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedNamespacePrefixes:
- bad-ns-prefix
- worse-ns-prefix
disallowedPrincipalPrefixes:
- bad-principal-prefix
- worse-principal-prefix
Autorisés
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/worse-principal-prefix-sleep
- source:
namespaces:
- test
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- bad-ns-prefix-test
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
Comptes principaux d'application pour la règle AuthorizationPolicy ASM v1.0.2
Nécessite que le champ "from" de la règle AuthorizationPolicy d'Istio, lorsqu'il est défini, possède des principes sources, qui doivent être définis sur une valeur autre que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-authz-policy-enforce-source-principals-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
name: asm-authz-policy-enforce-source-principals-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Autorisés
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: valid-authz-policy
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: no-source-principals
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-wildcard
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-contains-wildcard
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
AsmAuthzPolicyNormalization
Normalisation pour la règle AuthorizationPolicy ASM v1.0.2
Appliquez la normalisation de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/reference/config/security/normalization/.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-authz-policy-normalization-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
name: asm-authz-policy-normalization-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Autorisés
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-method-lowercase
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- get
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-request-header-whitespace
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Ag ent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: path-unnormalized
spec:
action: ALLOW
rules:
- to:
- operation:
methods:
- GET
paths:
- /test\/foo
- when:
- key: source.ip
values:
- 10.1.2.3
- 10.2.0.0/16
- key: request.headers[User-Agent]
values:
- Mozilla/*
selector:
matchLabels:
app: httpbin
AsmAuthzPolicySafePattern
Modèles sécurisés pour la règle AuthorizationPolicy ASM v1.0.4
Appliquez les modèles sécurisés de la règle AuthorizationPolicy. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of AuthorizationPolicy strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-authz-policy-safe-pattern-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
name: asm-authz-policy-safe-pattern-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
strictnessLevel: High
Autorisés
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-istio-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good-authz-policy-asm-ingress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
asm: ingressgateway
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: hosts-on-noningress
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: invalid-hosts
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-negative-match
spec:
action: ALLOW
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
notMethods:
- GET
selector:
matchLabels:
istio: ingressgateway
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-positive-match
spec:
action: DENY
rules:
- to:
- operation:
hosts:
- test.com
- test.com:*
methods:
- GET
selector:
matchLabels:
istio: ingressgateway
AsmIngressgatewayLabel
Libellé de passerelle d'entrée ASM v1.0.3
N'appliquez le libellé ingressgateway d'Istio que sur les pods ingressgateway.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
asm-ingressgateway-label-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
name: asm-ingressgateway-label-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: istio
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
name: istio-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
labels:
app: asm-ingressgateway
asm: ingressgateway
name: asm-ingressgateway
spec:
containers:
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
asm: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
apiVersion: v1
kind: Pod
metadata:
labels:
app: sleep
istio: ingressgateway
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
AsmPeerAuthnMeshStrictMtls
Mode mTLS Strict de réseau maillé d'authentification de l'entité homologue ASM v1.0.4
Appliquez PeerAuthentication en mode mTLS strict au niveau du maillage. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# rootNamespace <string>: Anthos Service Mesh root namespace, default value
# is "istio-system" if not specified.
rootNamespace: <string>
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "security.istio.io"
version: "v1beta1"
kind: "PeerAuthentication"
Examples
asm-peer-authn-mesh-strict-mtls-with-input-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
Autorisés
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: asm-root
spec:
mtls:
mode: STRICT
Non autorisé
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
enforcementAction: dryrun
parameters:
rootNamespace: asm-root
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: asm-root
spec:
mtls:
mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
Autorisés
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-strict-mtls
namespace: istio-system
spec:
mtls:
mode: STRICT
Non autorisé
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
enforcementAction: dryrun
parameters:
strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mesh-permissive-mtls
namespace: istio-system
spec:
mtls:
mode: PERMISSIVE
AsmPeerAuthnStrictMtls
Mode mTLS Strict d'authentification de l'entité homologue ASM v1.0.3
L'application de l'ensemble des PeerAuthentications ne peut pas écraser le mode mTLS strict. Référence à l'adresse https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of PeerAuthentication strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-peer-authn-strict-mtls-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
name: asm-peer-authn-strict-mtls-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
parameters:
strictnessLevel: High
Autorisés
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: valid-strict-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-permissive-mtls-pa
namespace: foo
spec:
mtls:
mode: PERMISSIVE
portLevelMtls:
"80":
mode: UNSET
"443":
mode: STRICT
selector:
matchLabels:
app: bar
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: invalid-port-disable-mtls-pa
namespace: foo
spec:
mtls:
mode: UNSET
portLevelMtls:
"80":
mode: DISABLE
"443":
mode: STRICT
selector:
matchLabels:
app: bar
AsmRequestAuthnProhibitedOutputHeaders
En-têtes de sortie interdits RequestAuthentication ASM v1.0.2
Dans RequestAuthentication, appliquez le champ jwtRules.outPayloadToHeader pour qu'il ne contienne pas d'en-têtes de requête HTTP connus ou d'en-têtes personnalisés interdits. Consultez la documentation de référence sur la page https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# prohibitedHeaders <array>: User predefined prohibited headers.
prohibitedHeaders:
- <string>
Examples
asm-request-authn-prohibited-output-headers-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
name: asm-request-authn-prohibited-output-headers-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- RequestAuthentication
parameters:
prohibitedHeaders:
- Bad-Header
- X-Bad-Header
Autorisés
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: valid-request-authn
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Good-Header
selector:
matchLabels:
app: istio-ingressgateway
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: Host
selector:
matchLabels:
app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: deny-predefined-output-header
namespace: istio-system
spec:
jwtRules:
- issuer: example.com
outputPayloadToHeader: X-Bad-Header
selector:
matchLabels:
app: istio-ingressgateway
AsmSidecarInjection
Injection de side-car ASM v1.0.2
Appliquez le proxy side-car Istio, toujours injecté dans les pods de la charge de travail.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# strictnessLevel <string>: Level of sidecar injection strictness.
# Allowed Values: Low, High
strictnessLevel: <string>
Examples
asm-sidecar-injection-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
name: asm-sidecar-injection-sample
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
strictnessLevel: High
Autorisés
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "true"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
apiVersion: v1
kind: Pod
metadata:
annotations:
"false": "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
- image: gcr.io/gke-release/asm/proxyv2:release
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
Non autorisé
apiVersion: v1
kind: Pod
metadata:
annotations:
sidecar.istio.io/inject: "false"
name: sleep
spec:
containers:
- image: curlimages/curl
name: sleep
DestinationRuleTLSEnabled
Règle de destination avec TLS v1.0.1
Interdit la désactivation du protocole TLS pour tous les hôtes et sous-ensembles d'hôtes dans les DestinationRules d'Istio.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
dr-tls-enabled
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
name: dr-tls-enabled
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- networking.istio.io
kinds:
- DestinationRule
Non autorisé
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-subset-tls-disable
namespace: default
spec:
host: myservice
subsets:
- name: v1
trafficPolicy:
tls:
mode: DISABLE
- name: v2
trafficPolicy:
tls:
mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: dr-traffic-tls-disable
namespace: default
spec:
host: myservice
trafficPolicy:
tls:
mode: DISABLE
DisallowedAuthzPrefix
Interdire les préfixes AuthorizationPolicy Istio v1.0.2
Nécessite que les comptes principaux et les espaces de noms des règles AuthorizationPolicy d'Istio ne comportent pas de préfixe provenant d'une liste spécifiée.
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedprefixes <array>: Disallowed prefixes of principals and
# namespaces.
disallowedprefixes:
- <string>
Examples
disallowed-authz-prefix-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
name: disallowed-authz-prefix-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
parameters:
disallowedprefixes:
- badprefix
- reallybadprefix
Autorisés
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-principal
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/badprefix-sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: bad-source-namespace
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- badprefix-test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
GCPStorageLocationConstraintV1
Contrainte d'emplacement de stockage GCP v1.0.3
Limite les emplacements (locations) autorisés pour les ressources Config Connector de StorageBucket à la liste des emplacements fournis dans la contrainte. Les noms de buckets de la liste exemptions sont exclus.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <array>: A list of bucket names that are exempt from this
# constraint.
exemptions:
- <string>
# locations <array>: A list of locations that a bucket is permitted to
# have.
locations:
- <string>
Examples
singapore-and-jakarta-only
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
name: singapore-and-jakarta-only
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- storage.cnrm.cloud.google.com
kinds:
- StorageBucket
parameters:
exemptions:
- my_project_id_cloudbuild
locations:
- asia-southeast1
- asia-southeast2
Autorisés
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Non autorisé
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
GkeSpotVMTerminationGrace
Limite le paramètre terminationGracePeriodSeconds pour les VM Spot GKE v1.1.3
Nécessite les pods et les modèles de pods avec la valeur nodeSelector ou nodeAfffinty de gke-spot pour avoir une valeur terminationGracePeriodSeconds de 15 s ou moins.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
# of 15s or less for all `Pod` on a `gke-spot` Node.
includePodOnSpotNodes: <boolean>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: ""
version: "v1"
kind: "Node"
Examples
spotvm-termination-grace
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
name: spotvm-termination-grace
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
includePodOnSpotNodes: true
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: example-allowed
spec:
containers:
- image: nginx
name: nginx
nodeSelector:
cloud.google.com/gke-spot: "true"
terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
name: example-allowed
spec:
containers:
- image: nginx
name: nginx
nodeSelector:
cloud.google.com/gke-spot: "true"
terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
name: example-with-termGrace
spec:
Nodename: default
containers:
- image: nginx
name: nginx
terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
labels:
cloud.google.com/gke-spot: "true"
name: default
apiVersion: v1
kind: Pod
metadata:
name: example-with-termGrace
spec:
Nodename: default
containers:
- image: nginx
name: nginx
terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
name: default
apiVersion: v1
kind: Pod
metadata:
name: example-without-termGrace
spec:
Nodename: default
containers:
- image: nginx
name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
name: default
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cloud.google.com/gke-spot
operator: In
values:
- "true"
containers:
- image: nginx
name: nginx
terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cloud.google.com/gke-spot
operator: In
values:
- "true"
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
containers:
- image: nginx
name: nginx
nodeSelector:
cloud.google.com/gke-spot: "true"
terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
name: example-disallowed
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: cloud.google.com/gke-spot
operator: In
values:
- "true"
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
name: example-without-termGrace
spec:
Nodename: default
containers:
- image: nginx
name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
labels:
cloud.google.com/gke-spot: "true"
name: default
K8sAllowedRepos
Dépôts autorisés v1.0.1
Nécessite que les images de conteneur commencent par une chaîne de la liste spécifiée.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Examples
repo-is-openpolicyagent
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: repo-is-openpolicyagent
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
repos:
- openpolicyagent/
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginxinit
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginxinit
resources:
limits:
cpu: 100m
memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
name: nginx-disallowed
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
ephemeralContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
initContainers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 30Mi
K8sAvoidUseOfSystemMastersGroup
Interdire l'utilisation de la version 1.0.0 du groupe "system:masters"
Interdit l'utilisation du groupe "system:masters". N'a aucun effet lors de l'audit.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowlistedUsernames <array>: allowlistedUsernames is the list of
# usernames that are allowed to use system:masters group.
allowlistedUsernames:
- <string>
Examples
avoid-use-of-system-masters-group
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAvoidUseOfSystemMastersGroup metadata: name: avoid-use-of-system-masters-group
Autorisé
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockAllIngress
Bloquer tous les objets Ingress v1.0.4
Interdit la création d'objets Ingress (types Ingress, Gateway et Service de NodePort et LoadBalancer).
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowList <array>: A list of regular expressions for the Ingress object
# names that are exempt from the constraint.
allowList:
- <string>
Examples
block-all-ingress
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
name: block-all-ingress
spec:
enforcementAction: dryrun
parameters:
allowList:
- name1
- name2
- name3
- my-*
Autorisés
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: allowed-clusterip-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: ClusterIP
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: disallowed-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: disallowed-service-example
spec:
ports:
- port: 80
protocol: TCP
targetPort: 9376
selector:
app.kubernetes.io/name: MyApp
type: LoadBalancer
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: disallowed-gateway-example
spec:
gatewayClassName: istio
listeners:
- allowedRoutes:
namespaces:
from: All
hostname: '*.example.com'
name: default
port: 80
protocol: HTTP
K8sBlockCreationWithDefaultServiceAccount
Bloquer la création avec le compte de service par défaut v1.0.2
Interdit la création de ressources à l'aide d'un compte de service par défaut. N'a aucun effet lors de l'audit.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-creation-with-default-serviceaccount
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: block-creation-with-default-serviceaccount spec: enforcementAction: dryrun
Autorisé
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockEndpointEditDefaultRole
Bloquer le rôle par défaut de modification de point de terminaison v1.0.0
Par défaut, de nombreuses installations Kubernetes comportent un ClusterRole system:aggregate-to-edit qui ne limite pas correctement l'accès à la modification des points de terminaison. Ce ConstraintTemplate empêche le système ClusterRole:system-aggregate-to-edit d'accorder l'autorisation de créer, d'appliquer des correctifs et de mettre à jour des points de terminaison. ClusterRole/system:aggregate-to-edit ne doit pas accepter les autorisations de modification des points de terminaison en raison de la norme CVE-2021-25740, les autorisations Endpoint & EndpointSlice permettent le transfert d'espaces de noms multiples, https://github.com/kubernetes/kubernetes/issues/103675
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-endpoint-edit-default-role
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
name: block-endpoint-edit-default-role
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
Autorisés
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- create
- delete
- deletecollection
- patch
- update
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: system:aggregate-to-edit
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- ""
resources:
- configmaps
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- patch
- update
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- endpoints
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- patch
- update
K8sBlockLoadBalancer
Bloquer les services de type LoadBalancer v1.0.0
Interdit tous les services de type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-load-balancer
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
name: block-load-balancer
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Autorisés
apiVersion: v1
kind: Service
metadata:
name: my-service-allowed
spec:
ports:
- port: 80
targetPort: 80
type: ClusterIP
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: LoadBalancer
K8sBlockNodePort
Bloquer NodePort v1.0.0
Interdit tous les services de type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-node-port
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- nodePort: 30007
port: 80
targetPort: 80
type: NodePort
K8sBlockObjectsOfType
Objets blocs de type v1.0.1
Interdiction des objets de types interdits.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
forbiddenTypes:
- <string>
Examples
block-secrets-of-type-basic-auth
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
name: block-secrets-of-type-basic-auth
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Secret
parameters:
forbiddenTypes:
- kubernetes.io/basic-auth
Autorisés
apiVersion: v1 data: password: ZHVtbXlwYXNz username: ZHVtbXl1c2Vy kind: Secret metadata: name: credentials namespace: default type: Opaque
Non autorisé
apiVersion: v1 data: password: YmFzaWMtcGFzc3dvcmQ= username: YmFzaWMtdXNlcm5hbWU= kind: Secret metadata: name: secret-basic-auth namespace: default type: kubernetes.io/basic-auth
K8sBlockProcessNamespaceSharing
Bloquer le partage d'espace de noms de processus v1.0.1
Interdit les spécifications de pod quand shareProcessNamespace est défini sur true. Cela permet d'éviter des scénarios dans lesquels tous les conteneurs d'un pod partagent un espace de noms PID et peuvent accéder au système de fichiers et à la mémoire de chacun d'entre eux.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-process-namespace-sharing
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
shareProcessNamespace: true
K8sBlockWildcardIngress
Bloquer l'entrée de caractère générique v1.0.1
Les utilisateurs ne doivent pas pouvoir créer d'objets Ingress avec un nom d'hôte vide ou générique (*), car cela leur permettrait d'intercepter le trafic pour d'autres services du cluster, même s'ils n'ont pas accès à ces services.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
block-wildcard-ingress
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
name: block-wildcard-ingress
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Autorisés
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: non-wildcard-ingress
spec:
rules:
- host: myservice.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
Non autorisé
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: ""
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wildcard-ingress
spec:
rules:
- host: '*.example.com'
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
- host: valid.example.com
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: Prefix
K8sContainerEphemeralStorageLimit
Limite de stockage éphémère de conteneur v1.0.2
Exige une limite de stockage éphémère pour les conteneurs, avec des limites correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ephemeral-storage <string>: The maximum allowed ephemeral storage limit
# on a Pod, exclusive.
ephemeral-storage: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
container-ephemeral-storage-limit
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
name: container-ephemeral-storage-limit
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ephemeral-storage: 500Mi
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: init-opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 1Pi
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
ephemeral-storage: 100Mi
memory: 1Gi
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: init-opa
resources:
limits:
cpu: 100m
ephemeral-storage: 1Pi
memory: 1Gi
K8sContainerLimits
Limites de conteneur v1.0.1
Exige des limites de mémoire et de processeur pour les conteneurs, avec des limites correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory limit on a Pod, exclusive.
memory: <string>
Examples
container-must-have-limits
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 2Gi
K8sContainerRatios
Ratios de conteneur v1.0.1
Définit un ratio maximal pour les limites de ressources de conteneurs des requêtes. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
# `resources.requests.cpu` on a container. If not specified, equal to
# `ratio`.
cpuRatio: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# ratio <string>: The maximum allowed ratio of `resources.limits` to
# `resources.requests` on a container.
ratio: <string>
Examples
container-must-meet-ratio
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ratio: "2"
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 100Mi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 800m
memory: 2Gi
requests:
cpu: 100m
memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
name: container-must-meet-memory-and-cpu-ratio
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpuRatio: "10"
ratio: "1"
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: "1"
memory: 2Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: "4"
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
K8sContainerRequests
Requêtes de conteneur v1.0.1
Exige des requêtes de mémoire et de processeur pour les conteneurs, avec des requêtes correspondant aux valeurs maximales spécifiées. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
cpu: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# memory <string>: The maximum allowed memory request on a Pod, exclusive.
memory: <string>
Examples
container-must-have-requests
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: container-must-have-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
cpu: 200m
memory: 1Gi
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 1Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
K8sCronJobAllowedRepos
Dépôts autorisés CronJob v1.0.1
Nécessite que les images de conteneur des jobs CronJob commencent par une chaîne de la liste spécifiée.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is allowed to have.
repos:
- <string>
Examples
cronjob-restrict-repos
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
name: cronjob-restrict-repos
spec:
match:
kinds:
- apiGroups:
- batch
kinds:
- CronJob
parameters:
repos:
- gke.gcr.io/
Autorisés
apiVersion: batch/v1
kind: CronJob
metadata:
name: hello
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: gke.gcr.io/busybox:1.28
name: hello
schedule: '* * * * *'
Non autorisé
apiVersion: batch/v1
kind: CronJob
metadata:
name: hello
spec:
jobTemplate:
spec:
template:
spec:
containers:
- image: busybox:1.28
name: hello
schedule: '* * * * *'
K8sDisallowAnonymous
Interdire l'accès anonyme v1.0.0
Interdit l'association des ressources ClusterRole et Role à l'utilisateur system:anonymous et au groupe system:unauthenticated.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRoles <array>: The list of ClusterRoles and Roles that may be
# associated with the `system:unauthenticated` group and `system:anonymous`
# user.
allowedRoles:
- <string>
Examples
no-anonymous
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
name: no-anonymous
spec:
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRoleBinding
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
parameters:
allowedRoles:
- cluster-role-1
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowInteractiveTTY
Interdire les conteneurs TTY interactifs v1.0.0
Les champs spec.tty et spec.stdin doivent être définis sur "false" ou non définis pour les objets.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
no-interactive-tty-containers
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
name: no-interactive-tty-containers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-interactive-tty
name: nginx-interactive-tty-allowed
spec:
containers:
- image: nginx
name: nginx
stdin: false
tty: false
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
stdin: true
tty: true
K8sDisallowedRepos
Dépôts non autorisés v1.0.0
Dépôts de conteneurs non autorisés qui commencent par une chaîne de la liste spécifiée.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# repos <array>: The list of prefixes a container image is not allowed to
# have.
repos:
- <string>
Examples
repo-must-not-be-k8s-gcr-io
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
name: repo-must-not-be-k8s-gcr-io
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
repos:
- k8s.gcr.io/
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: kustomize-allowed
spec:
containers:
- image: registry.k8s.io/kustomize/kustomize:v3.8.9
name: kustomize
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: registry.k8s.io/kustomize/kustomize:v3.8.9
name: kustomize
initContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
initContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomizeinit
apiVersion: v1
kind: Pod
metadata:
name: kustomize-disallowed
spec:
containers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
ephemeralContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
initContainers:
- image: k8s.gcr.io/kustomize/kustomize:v3.8.9
name: kustomize
K8sDisallowedRoleBindingSubjects
Sujets Rolebinding non autorisés v1.0.1
Interdit les objets RoleBinding ou ClusterRoleBinding avec les sujets correspondant à un disallowedSubjects transmis en tant que paramètre.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# disallowedSubjects <array>: A list of subjects that cannot appear in a
# RoleBinding.
disallowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the disallowed role
# binding subject. Currently ignored.
apiGroup: <string>
# kind <string>: The kind of the disallowed role binding subject.
kind: <string>
# name <string>: The name of the disallowed role binding subject.
name: <string>
Examples
disallowed-rolebinding-subjects
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
name: disallowed-rolebinding-subjects
spec:
parameters:
disallowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Interdire les tags v1.0.1
Nécessite que les images de conteneur aient un tag d'image différent de celui de la liste spécifiée. https://kubernetes.io/docs/concepts/containers/images/#image-names
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# tags <array>: Disallowed container image tags.
tags:
- <string>
Examples
container-image-must-not-have-latest-tag
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
name: container-image-must-not-have-latest-tag
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
exemptImages:
- openpolicyagent/opa-exp:latest
- openpolicyagent/opa-exp2:latest
tags:
- latest
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-exempt-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa-exp
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:v1
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-2
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-ephemeral
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:latest
name: opa
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed-3
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp:latest
name: opa
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/init:latest
name: opa-init
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa-exp2:latest
name: opa-exp2
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/monitor:latest
name: opa-monitor
K8sEmptyDirHasSizeLimit
Un répertoire vide a une limite de taille v1.0.5
Nécessite que les volumes emptyDir spécifient une limite de taille (sizeLimit). Vous pouvez également spécifier un paramètre maxSizeLimit dans la contrainte pour indiquer une limite de taille maximale autorisée.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptVolumesRegex <array>: Exempt Volume names as regex match.
exemptVolumesRegex:
- <string>
# maxSizeLimit <string>: When set, the declared size limit for each volume
# must be less than `maxSizeLimit`.
maxSizeLimit: <string>
Examples
empty-dir-has-size-limit
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
name: empty-dir-has-size-limit
spec:
match:
excludedNamespaces:
- istio-system
- kube-system
- gatekeeper-system
parameters:
exemptVolumesRegex:
- ^istio-[a-z]+$
maxSizeLimit: 4Gi
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir:
sizeLimit: 2Gi
name: good-pod-volume
apiVersion: v1
kind: Pod
metadata:
name: exempt-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: istio-envoy
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- emptyDir: {}
name: bad-pod-volume
K8sEnforceCloudArmorBackendConfig
Appliquer Cloud Armor aux ressources BackendConfig v1.0.2
Applique la configuration de Cloud Armor aux ressources BackendConfig.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
enforce-cloudarmor-backendconfig
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: enforce-cloudarmor-backendconfig spec: enforcementAction: dryrun
Autorisés
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: example-security-policy
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: second-backendconfig
spec:
securityPolicy:
name: my-security-policy
Non autorisé
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: null
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
namespace: examplenamespace
spec:
securityPolicy:
name: ""
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
name: my-backendconfig
spec:
logging:
enable: true
sampleRate: 0.5
K8sEnforceConfigManagement
Enforce Config Management v1.1.6
Nécessite la présence et le fonctionnement de Config Management. Les contraintes utilisant ce champ ConstraintTemplate seront auditées uniquement, quelle que soit la valeur enforcementAction.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# requireDriftPrevention <boolean>: Require Config Sync drift prevention to
# prevent config drift.
requireDriftPrevention: <boolean>
# requireRootSync <boolean>: Require a Config Sync `RootSync` object for
# cluster config management.
requireRootSync: <boolean>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "configsync.gke.io"
version: "v1beta1"
kind: "RootSync"
Examples
enforce-config-management
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
name: enforce-config-management
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- configmanagement.gke.io
kinds:
- ConfigManagement
Autorisés
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
annotations:
configmanagement.gke.io/managed-by-hub: "true"
configmanagement.gke.io/update-time: "1663586155"
name: config-management
spec:
binauthz:
enabled: true
clusterName: tec6ea817b5b4bb2-cluster
enableMultiRepo: true
git:
proxy: {}
syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
hierarchyController: {}
policyController:
auditIntervalSeconds: 60
enabled: true
monitoring:
backends:
- prometheus
- cloudmonitoring
mutation: {}
referentialRulesEnabled: true
templateLibraryInstalled: true
status:
configManagementVersion: v1.12.2-rc.2
healthy: true
Non autorisé
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
annotations:
configmanagement.gke.io/managed-by-hub: "true"
configmanagement.gke.io/update-time: "1663586155"
name: config-management
spec:
binauthz:
enabled: true
clusterName: tec6ea817b5b4bb2-cluster
enableMultiRepo: true
git:
syncRepo: git@test-git-server.config-management-system-test:/git-server/repos/sot.git
hierarchyController: {}
policyController:
auditIntervalSeconds: 60
enabled: true
monitoring:
backends:
- prometheus
- cloudmonitoring
mutation: {}
referentialRulesEnabled: true
templateLibraryInstalled: true
status:
configManagementVersion: v1.12.2-rc.2
K8sExternalIPs
Adresses IP externes v1.0.0
Limite les adresses IP externes du service à une liste d'adresses IP autorisées. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedIPs <array>: An allow-list of external IP addresses.
allowedIPs:
- <string>
Examples
external-ips
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
name: external-ips
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
allowedIPs:
- 203.0.113.0
Autorisés
apiVersion: v1
kind: Service
metadata:
name: allowed-external-ip
spec:
externalIPs:
- 203.0.113.0
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: disallowed-external-ip
spec:
externalIPs:
- 1.1.1.1
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
K8sHorizontalPodAutoscaler
Autoscaler horizontal des pods v1.0.1
Interdire les scénarios suivants lors du déploiement de HorizontalPodAutoscalers 1. Déploiement d'objets HorizontalPodAutoscaler avec .spec.minReplicas ou .spec.maxReplicas en dehors des plages définies dans la contrainte 2. Déploiement d'HorizontalPodAutoscalers où la différence entre .spec.minReplicas et .spec.maxReplicas est inférieure à la valeur minimumReplicaSpread configurée 3. Déploiement d'HorizontalPodAutoscalers qui ne font pas référence à un scaleTargetRef valide (par exemple, Deployment, ReplicationController, ReplicaSet, StatefulSet).
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# enforceScaleTargetRef <boolean>: If set to true it validates the HPA
# scaleTargetRef exists
enforceScaleTargetRef: <boolean>
# minimumReplicaSpread <integer>: If configured it enforces the minReplicas
# and maxReplicas in an HPA must have a spread of at least this many
# replicas
minimumReplicaSpread: <integer>
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "apps"
version: "v1"
kind: "Deployment"
OR
- group: "apps"
version: "v1"
kind: "StatefulSet"
Examples
horizontal-pod-autoscaler
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
name: horizontal-pod-autoscaler
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- autoscaling
kinds:
- HorizontalPodAutoscaler
parameters:
enforceScaleTargetRef: true
minimumReplicaSpread: 1
ranges:
- max_replicas: 6
min_replicas: 3
Autorisés
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-allowed
namespace: default
spec:
maxReplicas: 6
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 3
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Non autorisé
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-disallowed-replicas
namespace: default
spec:
maxReplicas: 7
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 2
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-disallowed-replicaspread
namespace: default
spec:
maxReplicas: 4
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 4
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: nginx-hpa-disallowed-scaletarget
namespace: default
spec:
maxReplicas: 6
metrics:
- resource:
name: cpu
target:
averageUtilization: 900
type: Utilization
type: Resource
minReplicas: 3
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment
template:
metadata:
labels:
app: nginx
example: allowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8sHttpsOnly
HTTPS uniquement v1.0.2
Exige que les ressources Ingress soient de type HTTPS uniquement. Les ressources Ingress doivent inclure l'annotation kubernetes.io/ingress.allow-http, définie sur false. Par défaut, une configuration TLS {} valide est requise. Vous pouvez la rendre facultative en définissant le paramètre tlsOptional sur true.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# tlsOptional <boolean>: When set to `true` the TLS {} is optional,
# defaults to false.
tlsOptional: <boolean>
Examples
ingress-https-only
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Autorisés
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-allowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
tls:
- {}
Non autorisé
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo-disallowed
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
ingress-https-only-tls-optional
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
name: ingress-https-only-tls-optional
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
parameters:
tlsOptional: true
Autorisés
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.allow-http: "false"
name: ingress-demo-allowed-tls-optional
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
Non autorisé
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-demo-disallowed-tls-optional
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
K8sImageDigests
Condensés d'images v1.0.1
Nécessite que les images de conteneur contiennent un condensé. https://kubernetes.io/docs/concepts/containers/images/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
container-image-must-have-digest
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
name: container-image-must-have-digest
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
name: opa
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opainit
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
initContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opainit
K8sLocalStorageRequireSafeToEvict
Le stockage local nécessite l'éviction sécurisée v1.0.1
Nécessite que les pods qui utilisent un stockage local (emptyDir ou hostPath) comportent l'annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Cluster Autoscaler ne supprime pas les pods qui ne comportent pas cette annotation.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
local-storage-require-safe-to-evict
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
name: local-storage-require-safe-to-evict
spec:
match:
excludedNamespaces:
- kube-system
- istio-system
- gatekeeper-system
Autorisés
apiVersion: v1
kind: Pod
metadata:
annotations:
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
name: good-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: redis
name: redis
volumeMounts:
- mountPath: /data/redis
name: redis-storage
volumes:
- emptyDir: {}
name: redis-storage
K8sMemoryRequestEqualsLimit
Requête de mémoire égale à la limite v1.0.4
Favorise la stabilité du pod en exigeant que la mémoire demandée de tous les conteneurs soit exactement égale à la limite de mémoire. Ainsi, les pods ne sont jamais dans un état où l'utilisation de mémoire dépasse la quantité demandée. Sinon, Kubernetes peut arrêter les pods qui demandent de la mémoire supplémentaire si de la mémoire est nécessaire sur le nœud.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptContainersRegex <array>: Exempt Container names as regex match.
exemptContainersRegex:
- <string>
Examples
container-must-request-limit
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
name: container-must-request-limit
spec:
match:
excludedNamespaces:
- kube-system
- resource-group-system
- asm-system
- istio-system
- config-management-system
- config-management-monitoring
parameters:
exemptContainersRegex:
- ^istio-[a-z]+$
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: good-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
name: exempt-pod
namespace: default
spec:
containers:
- image: auto
name: istio-proxy
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: bad-pod
namespace: default
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 100m
memory: 4Gi
requests:
cpu: 50m
memory: 2Gi
K8sNoEnvVarSecrets
Aucun secret de variable d'environnement v1.0.1
Interdit les secrets en tant que variables d'environnement dans les définitions de conteneur des pods. Utilisez plutôt des fichiers secrets installés dans des volumes de données : https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
no-secrets-as-env-vars-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: redis
name: test
volumeMounts:
- mountPath: /etc/test
name: test
readOnly: true
volumes:
- name: test
secret:
secretName: mysecret
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- env:
- name: MY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: mysecret
image: redis
name: test
K8sNoExternalServices
Aucun service externe v1.0.3
Interdit la création de ressources connues qui exposent les charges de travail à des adresses IP externes. Cela inclut les ressources Istio Gateway et Kubernetes Ingress. Les services Kubernetes ne sont pas non plus autorisés, sauf s'ils répondent aux critères suivants : tout service de type LoadBalancer dans Google Cloud doit comporter une annotation "networking.gke.io/load-balancer-type": "Internal".
Tout service de type LoadBalancer dans AWS doit comporter une annotation service.beta.kubernetes.io/aws-load-balancer-internal: "true.
Toutes les "adresses IP externes" (externes au cluster) liées au service doivent être membres d'une plage de CIDR internes, comme indiqué dans la contrainte.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
# are supported currently.
cloudPlatform: <string>
# internalCIDRs <array>: A list of CIDRs that are only accessible
# internally, for example: `10.3.27.0/24`. Which IP ranges are
# internal-only is determined by the underlying network infrastructure.
internalCIDRs:
- <string>
Examples
no-external
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external
spec:
parameters:
internalCIDRs:
- 10.0.0.1/32
Autorisés
apiVersion: v1
kind: Service
metadata:
name: good-service
namespace: default
spec:
externalIPs:
- 10.0.0.1
ports:
- port: 8888
protocol: TCP
targetPort: 8888
apiVersion: v1
kind: Service
metadata:
annotations:
networking.gke.io/load-balancer-type: Internal
name: allowed-internal-load-balancer
namespace: default
spec:
type: LoadBalancer
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: bad-service
namespace: default
spec:
externalIPs:
- 10.0.0.2
ports:
- port: 8888
protocol: TCP
targetPort: 8888
no-external-aws
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
name: no-external-aws
spec:
parameters:
cloudPlatform: AWS
Autorisés
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
name: good-aws-service
namespace: default
spec:
type: LoadBalancer
Non autorisé
apiVersion: v1
kind: Service
metadata:
annotations:
cloud.google.com/load-balancer-type: Internal
name: bad-aws-service
namespace: default
spec:
type: LoadBalancer
K8sPSPAllowPrivilegeEscalationContainer
Autoriser l'élévation des privilèges dans le conteneur v1.0.1
Contrôle la limite de passage aux droits racine. Correspond au champ allowPrivilegeEscalation de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-élévation.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-allow-privilege-escalation-container-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: false
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privilege-escalation
name: nginx-privilege-escalation-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Utilisateurs autorisés v1.0.2
Contrôle les ID d'utilisateur et de groupe du conteneur, ainsi que certains volumes. Correspond aux champs runAsUser, runAsGroup, supplementalGroups et fsGroup d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
# or container-level SecurityContext.
fsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the fsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsGroup <object>: Controls which group ID values are allowed in a Pod
# or container-level SecurityContext.
runAsGroup:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsGroup restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
# runAsUser <object>: Controls which user ID values are allowed in a Pod or
# container-level SecurityContext.
runAsUser:
# ranges <array>: A list of user ID ranges affected by the rule.
ranges:
# <list item: object>: The range of user IDs affected by the rule.
- # max <integer>: The maximum user ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum user ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the runAsUser restriction.
# Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
rule: <string>
# supplementalGroups <object>: Controls the supplementalGroups values that
# are allowed in a Pod or container-level SecurityContext.
supplementalGroups:
# ranges <array>: A list of group ID ranges affected by the rule.
ranges:
# <list item: object>: The range of group IDs affected by the rule.
- # max <integer>: The maximum group ID in the range, inclusive.
max: <integer>
# min <integer>: The minimum group ID in the range, inclusive.
min: <integer>
# rule <string>: A strategy for applying the supplementalGroups
# restriction.
# Allowed Values: MustRunAs, MayRunAs, RunAsAny
rule: <string>
Examples
psp-pods-allowed-user-ranges
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
fsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsGroup:
ranges:
- max: 200
min: 100
rule: MustRunAs
runAsUser:
ranges:
- max: 200
min: 100
rule: MustRunAs
supplementalGroups:
ranges:
- max: 200
min: 100
rule: MustRunAs
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 199
runAsUser: 199
securityContext:
fsGroup: 199
supplementalGroups:
- 199
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-users
name: nginx-users-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
runAsGroup: 250
runAsUser: 250
securityContext:
fsGroup: 250
supplementalGroups:
- 250
K8sPSPAppArmor
App Armor v1.0.0
Configure une liste d'autorisation de profils AppArmor à utiliser par les conteneurs. Cela correspond aux annotations spécifiques appliquées à une règle PodSecurityPolicy. Pour plus d'informations sur AppArmor, consultez la page https://kubernetes.io/docs/tutorials/clusters/apparmor/.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedProfiles <array>: An array of AppArmor profiles. Examples:
# `runtime/default`, `unconfined`.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-apparmor
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
Autorisés
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
name: nginx-apparmor-allowed
spec:
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
name: nginx-apparmor-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
K8sPSPAutomountServiceAccountTokenPod
Jeton de compte de service d'installation automatique pour le pod v1.0.1
Contrôle la capacité de n'importe quel pod à activer automountServiceAccountToken.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Examples
psp-automount-serviceaccount-token-pod
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
name: psp-automount-serviceaccount-token-pod
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-not-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-allowed
spec:
automountServiceAccountToken: false
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-automountserviceaccounttoken
name: nginx-automountserviceaccounttoken-disallowed
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
K8sPSPCapabilities
Fonctionnalités v1.0.2
Contrôle les capacités Linux sur les conteneurs. Correspond aux champs allowedCapabilities et requiredDropCapabilities d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#Capabilities
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedCapabilities <array>: A list of Linux capabilities that can be
# added to a container.
allowedCapabilities:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# requiredDropCapabilities <array>: A list of Linux capabilities that are
# required to be dropped from a container.
requiredDropCapabilities:
- <string>
Examples
capabilities-demo
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
namespaces:
- default
parameters:
allowedCapabilities:
- something
requiredDropCapabilities:
- must_drop
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- something
drop:
- must_drop
- another_one
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
ephemeralContainers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 30Mi
securityContext:
capabilities:
add:
- disallowedcapability
K8sPSPFSGroup
Groupe FS v1.0.2
Contrôle l'allocation d'un FSGroup qui est propriétaire des volumes du pod. Correspond au champ fsGroup de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: GID ranges affected by the rule.
ranges:
- # max <integer>: The maximum GID in the range, inclusive.
max: <integer>
# min <integer>: The minimum GID in the range, inclusive.
min: <integer>
# rule <string>: An FSGroup rule name.
# Allowed Values: MayRunAs, MustRunAs, RunAsAny
rule: <string>
Examples
psp-fsgroup
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
ranges:
- max: 1000
min: 1
rule: MayRunAs
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 500
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
containers:
- command:
- sh
- -c
- sleep 1h
image: busybox
name: fsgroup-demo
volumeMounts:
- mountPath: /data/demo
name: fsgroup-demo-vol
securityContext:
fsGroup: 2000
volumes:
- emptyDir: {}
name: fsgroup-demo-vol
K8sPSPFlexVolumes
FlexVolumes v1.0.1
Contrôle la liste d'autorisation des pilotes FlexVolume. Correspond au champ allowedFlexVolumes de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
allowedFlexVolumes:
- # driver <string>: The name of the FlexVolume driver.
driver: <string>
Examples
psp-flexvolume-drivers
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/lvm
name: test-volume
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-flexvolume-driver
name: nginx-flexvolume-driver-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- flexVolume:
driver: example/testdriver
name: test-volume
K8sPSPForbiddenSysctls
Sysctls interdits v1.1.3
Contrôle le profil sysctl utilisé par les conteneurs. Correspond aux champs allowedUnsafeSysctls et forbiddenSysctls d'une règle PodSecurityPolicy. Si spécifié, tout sysctl qui ne figure pas dans le paramètre allowedSysctls est considéré comme interdit. Le paramètre forbiddenSysctls est prioritaire sur le paramètre allowedSysctls. Pour en savoir plus, consultez la page https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
# not listed in the `forbiddenSysctls` parameter.
allowedSysctls:
- <string>
# forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
# sysctls.
forbiddenSysctls:
- <string>
Examples
psp-forbidden-sysctls
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSysctls:
- '*'
forbiddenSysctls:
- kernel.*
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-forbidden-sysctls
name: nginx-forbidden-sysctls-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
K8sPSPHostFilesystem
Système de fichiers hôte v1.0.2
Contrôle l'utilisation du système de fichiers hôte. Correspond au champ allowedHostPaths de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedHostPaths <array>: An array of hostpath objects, representing
# paths and read/write configuration.
allowedHostPaths:
- # pathPrefix <string>: The path prefix that the host volume must
# match.
pathPrefix: <string>
# readOnly <boolean>: when set to true, any container volumeMounts
# matching the pathPrefix must include `readOnly: true`.
readOnly: <boolean>
Examples
psp-host-filesystem
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedHostPaths:
- pathPrefix: /foo
readOnly: true
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /foo/bar
name: cache-volume
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-filesystem-disallowed
name: nginx-host-filesystem
spec:
ephemeralContainers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- hostPath:
path: /tmp
name: cache-volume
K8sPSPHostNamespace
Espace de noms hôte v1.0.1
Interdit le partage des espaces de noms PID et IPC hôtes par les conteneurs de pods. Correspond aux champs hostPID et hostIPC d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
<object>
Examples
psp-host-namespace-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-allowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: false
hostPID: false
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-namespace
name: nginx-host-namespace-disallowed
spec:
containers:
- image: nginx
name: nginx
hostIPC: true
hostPID: true
K8sPSPHostNetworkingPorts
Ports de mise en réseau hôte v1.0.2
Contrôle l'utilisation de l'espace de noms du réseau hôte par les conteneurs de pods. Des ports spécifiques doivent être spécifiés. Correspond aux champs hostNetwork et hostPorts d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# hostNetwork <boolean>: Determines if the policy allows the use of
# HostNetwork in the pod spec.
hostNetwork: <boolean>
# max <integer>: The end of the allowed port range, inclusive.
max: <integer>
# min <integer>: The start of the allowed port range, inclusive.
min: <integer>
Examples
psp-host-network-ports-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports-sample
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
hostNetwork: true
max: 9000
min: 80
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-allowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9000
hostPort: 80
hostNetwork: false
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-host-networking-ports
name: nginx-host-networking-ports-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
ports:
- containerPort: 9001
hostPort: 9001
hostNetwork: true
K8sPSPPrivilegedContainer
Conteneur avec privilège v1.0.1
Contrôle la capacité de n'importe quel conteneur à activer le mode privilégié. Correspond au champ privileged de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-privileged-container-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container-sample
spec:
match:
excludedNamespaces:
- kube-system
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: false
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-privileged
name: nginx-privileged-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
privileged: true
K8sPSPProcMount
Installation Proc v1.0.3
Contrôle les types procMount autorisés pour le conteneur. Correspond au champ allowedProcMountTypes de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# procMount <string>: Defines the strategy for the security exposure of
# certain paths in `/proc` by the container runtime. Setting to `Default`
# uses the runtime defaults, where `Unmasked` bypasses the default
# behavior.
# Allowed Values: Default, Unmasked
procMount: <string>
Examples
psp-proc-mount
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
procMount: Default
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Default
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-proc-mount
name: nginx-proc-mount-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Système de fichiers racine en lecture seule v1.0.1
Nécessite l'utilisation d'un système de fichiers racine en lecture seule par les conteneurs de pods. Correspond au champ readOnlyRootFilesystem de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-readonlyrootfilesystem
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: true
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-readonlyrootfilesystem
name: nginx-readonlyrootfilesystem-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPSELinuxV2
SELinux V2 v1.0.3
Définit une liste d'autorisation de configurations seLinuxOptions pour les conteneurs de pods. Correspond à une règle PodSecurityPolicy nécessitant des configurations SELinux. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSELinuxOptions <array>: An allow-list of SELinux options
# configurations.
allowedSELinuxOptions:
# <list item: object>: An allowed configuration of SELinux options for a
# pod container.
- # level <string>: An SELinux level.
level: <string>
# role <string>: An SELinux role.
role: <string>
# type <string>: An SELinux type.
type: <string>
# user <string>: An SELinux user.
user: <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-selinux-v2
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-allowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
containers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-selinux
name: nginx-selinux-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
role: sysadm_r
type: svirt_lxc_net_t
user: sysadm_u
K8sPSPSeccomp
Seccomp v1.0.1
Contrôle le profil seccomp utilisé par les conteneurs. Correspond à l'annotation seccomp.security.alpha.kubernetes.io/allowedProfileNames d'une règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedLocalhostFiles <array>: When using securityContext naming scheme
# for seccomp and including `Localhost` this array holds the allowed
# profile JSON files. Putting a `*` in this array will allows all JSON
# files to be used. This field is required to allow `Localhost` in
# securityContext as with an empty list it will block.
allowedLocalhostFiles:
- <string>
# allowedProfiles <array>: An array of allowed profile values for seccomp
# on Pods/Containers. Can use the annotation naming scheme:
# `runtime/default`, `docker/default`, `unconfined` and/or
# `localhost/some-profile.json`. The item `localhost/*` will allow any
# localhost based profile. Can also use the securityContext naming scheme:
# `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
# `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
# allowed profile JSON files. The policy code will translate between the
# two schemes so it is not necessary to use both. Putting a `*` in this
# array allows all Profiles to be used. This field is required since with
# an empty list this policy will block all workloads.
allowedProfiles:
- <string>
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
Examples
psp-seccomp
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedProfiles:
- runtime/default
- docker/default
Autorisés
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: runtime/default
labels:
app: nginx-seccomp
name: nginx-seccomp-allowed2
spec:
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/pod: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed2
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
name: nginx-seccomp-disallowed
spec:
ephemeralContainers:
- image: nginx
name: nginx
K8sPSPVolumeTypes
Types de volumes v1.0.2
Limite les types de volumes installables à ceux spécifiés par l'utilisateur. Correspond au champ volumes de la règle PodSecurityPolicy. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# volumes <array>: `volumes` is an array of volume types. All volume types
# can be enabled using `*`.
volumes:
- <string>
Examples
psp-volume-types
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
- flexVolume
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-allowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- emptyDir: {}
name: cache-volume
- emptyDir: {}
name: demo-vol
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx-volume-types
name: nginx-volume-types-disallowed
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- image: nginx
name: nginx2
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- hostPath:
path: /tmp
name: cache-volume
- emptyDir: {}
name: demo-vol
K8sPSPWindowsHostProcess
Limite les conteneurs/pods Windows HostProcess. V1.0.0
Restriction de l'exécution des conteneurs/pods Windows HostProcess. Pour en savoir plus, consultez la page https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
restrict-windows-hostprocess
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
name: restrict-windows-hostprocess
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: nanoserver-ping-loop
spec:
containers:
- command:
- ping
- -t
- 127.0.0.1
image: mcr.microsoft.com/windows/nanoserver:1809
name: ping-loop
nodeSelector:
kubernetes.io/os: windows
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: nanoserver-ping-loop-hostprocess-container
spec:
containers:
- command:
- ping
- -t
- 127.0.0.1
image: mcr.microsoft.com/windows/nanoserver:1809
name: ping-test
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: NT AUTHORITY\SYSTEM
hostNetwork: true
nodeSelector:
kubernetes.io/os: windows
apiVersion: v1
kind: Pod
metadata:
name: nanoserver-ping-loop-hostprocess-pod
spec:
containers:
- command:
- ping
- -t
- 127.0.0.1
image: mcr.microsoft.com/windows/nanoserver:1809
name: ping-test
hostNetwork: true
nodeSelector:
kubernetes.io/os: windows
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: NT AUTHORITY\SYSTEM
K8sPSSRunAsNonRoot
Nécessite l'exécution des conteneurs en tant qu'utilisateurs non racine V1.0.0
Nécessite l'exécution des conteneurs en tant qu'utilisateurs non racine. Pour en savoir plus, consultez la page https://kubernetes.io/docs/concepts/security/pod-security-standards/.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
restrict-runasnonroot
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
name: restrict-runasnonroot
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod-allowed
spec:
containers:
- image: nginx
name: nginx-container-allowed
securityContext:
runAsNonRoot: true
securityContext:
runAsNonRoot: true
apiVersion: v1
kind: Pod
metadata:
name: nginx-allowed
spec:
containers:
- image: nginx
name: nginx-allowed
securityContext:
runAsNonRoot: true
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod-allowed
spec:
containers:
- image: nginx
name: nginx-container-disallowed
securityContext:
runAsNonRoot: false
securityContext:
runAsNonRoot: true
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod-disallowed
spec:
containers:
- image: nginx
name: nginx-container-allowed
securityContext:
runAsNonRoot: true
securityContext:
runAsNonRoot: false
apiVersion: v1
kind: Pod
metadata:
name: nginx-pod-disallowed
spec:
containers:
- image: nginx
name: nginx-container-disallowed
securityContext:
runAsNonRoot: false
K8sPodDisruptionBudget
Budget d'interruptions de pods v1.0.3
Interdire les scénarios suivants lors du déploiement de PodDisruptionBudgets ou de ressources qui mettent en œuvre la sous-ressource d'instance dupliquée (par exemple Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Déploiement de PodDisruptionBudgets avec .spec.maxUnavailable == 0 2. Déploiement de PodDisruptionBudgets avec .spec.minAvailable == .spec.replicas de la ressource avec sous-ressource d'instance dupliquée. Cette opération empêche PodDisruptionBudgets de bloquer les interruptions volontaires telles que le drainage de nœud. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "policy"
version: "v1"
kind: "PodDisruptionBudget"
Examples
pod-distruption-budget
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
name: pod-distruption-budget
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- apiGroups:
- ""
kinds:
- ReplicationController
Autorisés
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-allowed
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-1
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
template:
metadata:
labels:
app: nginx
example: allowed-deployment-1
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-1
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
example: allowed-deployment-1
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-2
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
template:
metadata:
labels:
app: nginx
example: allowed-deployment-2
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-2
namespace: default
spec:
maxUnavailable: 1
selector:
matchLabels:
app: nginx
example: allowed-deployment-2
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-allowed-3
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: allowed-deployment-3
template:
metadata:
labels:
app: nginx
example: allowed-deployment-3
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-allowed-3
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: nginx
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: non-matching-nginx
name: nginx-deployment-allowed-4
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: non-matching-nginx
example: allowed-deployment-4
template:
metadata:
labels:
app: non-matching-nginx
example: allowed-deployment-4
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-mongo-pdb-allowed-3
namespace: default
spec:
minAvailable: 2
selector:
matchLabels:
app: mongo
example: non-matching-deployment-3
Non autorisé
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: nginx-pdb-disallowed
namespace: default
spec:
maxUnavailable: 0
selector:
matchLabels:
foo: bar
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment-disallowed
namespace: default
spec:
replicas: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
template:
metadata:
labels:
app: nginx
example: disallowed-deployment
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: inventory-nginx-pdb-disallowed
namespace: default
spec:
minAvailable: 3
selector:
matchLabels:
app: nginx
example: disallowed-deployment
K8sPodResourcesBestPractices
Nécessite que les conteneurs ne soient pas optimisés et suivent les bonnes pratiques pour une évolutivité optimisée v1.0.5
Nécessite que les conteneurs ne soient pas optimisés (en définissant les demandes de ressources de processeur et de mémoire) et suivent les bonnes pratiques d'utilisation intensive (la demande de mémoire doit être exactement égale à la limite). Vous pouvez également configurer des clés d'annotation pour permettre d'ignorer les différentes validations.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
# skipBestEffortValidationAnnotationKey <string>: Optional annotation key
# to skip best-effort container validation.
skipBestEffortValidationAnnotationKey: <string>
# skipBurstableValidationAnnotationKey <string>: Optional annotation key to
# skip burstable container validation.
skipBurstableValidationAnnotationKey: <string>
# skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
# annotation key to skip both best-effort and burstable validation.
skipResourcesBestPracticesValidationAnnotationKey: <string>
Examples
gke-pod-resources-best-practices
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
name: gke-pod-resources-best-practices
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
skipBestEffortValidationAnnotationKey: skip_besteffort_validation
skipBurstableValidationAnnotationKey: skip_burstable_validation
skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-cpu-requests-memory-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 500Mi
requests:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-limits-only
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 250m
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-requests-memory-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 100Mi
requests:
cpu: 250m
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
annotations:
skip_besteffort_validation: "true"
skip_burstable_validation: "true"
skip_resources_best_practices_validation: "false"
name: pod-skip-validation
spec:
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: pod-not-setting-cpu-burstable-on-memory
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 500Mi
requests:
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-not-setting-requests
spec:
containers:
- image: nginx
name: nginx
restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-cpu-not-burstable-on-memory
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 500Mi
requests:
cpu: 250m
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-memory-requests-cpu-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 30m
requests:
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-cpu-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-cpu-requests
spec:
containers:
- image: nginx
name: nginx
resources:
requests:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-cpu
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
cpu: 500m
requests:
cpu: 250m
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-memory-limits
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 250Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-memory-requests
spec:
containers:
- image: nginx
name: nginx
resources:
requests:
memory: 100Mi
apiVersion: v1
kind: Pod
metadata:
name: pod-setting-only-memory
spec:
containers:
- image: nginx
name: nginx
resources:
limits:
memory: 100Mi
requests:
memory: 100Mi
K8sPodsRequireSecurityContext
Les pods nécessitent un contexte de sécurité v1.1.1
Nécessite que tous les pods définissent securityContext. Nécessite que tous les conteneurs définis dans les pods aient un contexte SecurityContext défini au niveau du pod ou du conteneur.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: A list of exempt Images.
exemptImages:
- <string>
Examples
pods-require-security-context-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
name: pods-require-security-context-sample
spec:
enforcementAction: dryrun
parameters:
exemptImages:
- nginix-exempt
- alpine*
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
spec:
containers:
- image: nginx
name: nginx
securityContext:
runAsUser: 2000
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-exemptImage
spec:
containers:
- image: nginix-exempt
name: nginx
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-exemptImage-wildcard
spec:
containers:
- image: alpine17
name: alpine
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
spec:
containers:
- image: nginx
name: nginx
K8sProhibitRoleWildcardAccess
Interdire l'accès aux ressources sur un caractère générique de rôle v1.0.5
Requiert que Roles et ClusterRole ne définissent pas l'accès aux ressources sur un caractère générique (""), à l'exception des Roles et des ClusterRoles exemptés fournis en tant qu'exceptions. Ne limite pas l'accès générique aux sous-ressources, comme "/status".
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptions <object>: The list of exempted Roles and/or ClusterRoles name
# that are allowed to set resource access to a wildcard.
exemptions:
clusterRoles:
- # name <string>: The name of the ClusterRole to be exempted.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression
# based match on the name.
regexMatch: <boolean>
roles:
- # name <string>: The name of the Role to be exempted.
name: <string>
# namespace <string>: The namespace of the Role to be exempted.
namespace: <string>
Examples
prohibit-role-wildcard-access-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
prohibit-wildcard-except-exempted-cluster-role
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
name: prohibit-wildcard-except-exempted-cluster-role
spec:
enforcementAction: dryrun
parameters:
exemptions:
clusterRoles:
- name: cluster-role-allowed-example
roles:
- name: role-allowed-example
namespace: role-ns-allowed-example
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Limites des instances dupliquées v1.0.2
Nécessite que les objets comportant le champ spec.replicas (Deployments, ReplicaSets, etc.) spécifient un nombre d'instances dupliquées dans les plages définies.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# ranges <array>: Allowed ranges for numbers of replicas. Values are
# inclusive.
ranges:
# <list item: object>: A range of allowed replicas. Values are
# inclusive.
- # max_replicas <integer>: The maximum number of replicas allowed,
# inclusive.
max_replicas: <integer>
# min_replicas <integer>: The minimum number of replicas allowed,
# inclusive.
min_replicas: <integer>
Examples
replica-limits
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
parameters:
ranges:
- max_replicas: 50
min_replicas: 3
Autorisés
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Non autorisé
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
replicas: 100
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
K8sRequireAdmissionController
Exiger un contrôleur d'admission v1.0.0
Nécessite une admission de sécurité du pod ou un système de contrôle de règles externe
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# permittedValidatingWebhooks <array>: List of permitted validating
# webhooks which are valid external policy control systems
permittedValidatingWebhooks:
- <string>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "admissionregistration.k8s.io"
version: "v1" OR "v1beta1"
kind: "ValidatingWebhookConfiguration"
Examples
require-admission-controller
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
name: require-admission-controller
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
Autorisés
apiVersion: v1
kind: Namespace
metadata:
labels:
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: v1.28
name: allowed-namespace
Non autorisé
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequireBinAuthZ
Nécessite l'autorisation binaire 1.0.2
Nécessite le webhook d'admission de validation d'autorisation binaire. Les contraintes utilisant ce champ ConstraintTemplate seront auditées uniquement, quelle que soit la valeur enforcementAction.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "admissionregistration.k8s.io"
version: "v1" OR "v1beta1"
kind: "ValidatingWebhookConfiguration"
Examples
require-binauthz
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
name: require-binauthz
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
Autorisés
apiVersion: v1
kind: Namespace
metadata:
name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
name: imagepolicywebhook.image-policy.k8s.io
rules:
- operations:
- CREATE
- UPDATE
- apiVersion:
- v1
sideEffects: None
Non autorisé
apiVersion: v1 kind: Namespace metadata: name: default
K8sRequireCosNodeImage
Exiger l'image de nœud COS v1.1.1
Applique l'utilisation de Container-Optimized OS de Google sur les nœuds.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptOsImages <array>: A list of exempt OS Images.
exemptOsImages:
- <string>
Examples
nodes-have-consistent-time
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
name: nodes-have-consistent-time
spec:
enforcementAction: dryrun
parameters:
exemptOsImages:
- Debian
- Ubuntu*
Autorisés
apiVersion: v1
kind: Node
metadata:
name: allowed-example
status:
nodeInfo:
osImage: Container-Optimized OS from Google
apiVersion: v1
kind: Node
metadata:
name: example-exempt
status:
nodeInfo:
osImage: Debian
apiVersion: v1
kind: Node
metadata:
name: example-exempt-wildcard
status:
nodeInfo:
osImage: Ubuntu 18.04.5 LTS
Non autorisé
apiVersion: v1
kind: Node
metadata:
name: disallowed-example
status:
nodeInfo:
osImage: Debian GNUv1.0
K8sRequireDaemonsets
Daemonsets requis v1.1.2
Nécessite la présence de la liste des daemonsets spécifiés.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# requiredDaemonsets <array>: A list of names and namespaces of the
# required daemonsets.
requiredDaemonsets:
- # name <string>: The name of the required daemonset.
name: <string>
# namespace <string>: The namespace for the required daemonset.
namespace: <string>
# restrictNodeSelector <boolean>: The daemonsets cannot include
# `NodeSelector`.
restrictNodeSelector: <boolean>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "DaemonSet"
OR
- group: "apps"
version: "v1beta2" OR "v1"
kind: "DaemonSet"
Examples
require-daemonset
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
name: require-daemonset
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
requiredDaemonsets:
- name: clamav
namespace: pci-dss-av
restrictNodeSelector: true
Autorisés
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: other
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: other
template:
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: clamav-host-scanner
name: clamav
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: clamav
template:
metadata:
labels:
name: clamav
spec:
containers:
- image: us.gcr.io/{your-project-id}/clamav:latest
livenessProbe:
exec:
command:
- /health.sh
initialDelaySeconds: 60
periodSeconds: 30
name: clamav-scanner
resources:
limits:
memory: 3Gi
requests:
cpu: 500m
memory: 2Gi
volumeMounts:
- mountPath: /data
name: data-vol
- mountPath: /host-fs
name: host-fs
readOnly: true
- mountPath: /logs
name: logs
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
volumes:
- emptyDir: {}
name: data-vol
- hostPath:
path: /
name: host-fs
- hostPath:
path: /var/log/clamav
name: logs
Non autorisé
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: other
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: other
template:
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: other
apiVersion: v1
kind: Namespace
metadata:
name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: clamav
namespace: pci-dss-av
spec:
selector:
matchLabels:
name: clamav
template:
spec:
containers:
- image: us.gcr.io/{your-project-id}/other:latest
name: clamav
nodeSelector:
cloud.google.com/gke-spot: "true"
K8sRequireDefaultDenyEgressPolicy
Nécessiter la règle de sortie de refus par défaut v1.0.3
Nécessite que chaque espace de noms défini dans le cluster ait un objet NetworkPolicy de refus par défaut pour la sortie.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "NetworkPolicy"
OR
- group: "networking.k8s.io"
version: "v1"
kind: "NetworkPolicy"
Examples
require-default-deny-network-policies
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: require-default-deny-network-policies spec: enforcementAction: dryrun
Autorisés
apiVersion: v1
kind: Namespace
metadata:
name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: example-namespace
spec:
podSelector: {}
policyTypes:
- Egress
Non autorisé
apiVersion: v1 kind: Namespace metadata: name: example-namespace
apiVersion: v1
kind: Namespace
metadata:
name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
namespace: example-namespace
spec:
podSelector: {}
policyTypes:
- Egress
K8sRequireNamespaceNetworkPolicies
Exiger des règles de réseau pour les espaces de noms v1.0.6
Nécessite que chaque espace de noms défini dans le cluster ait un objet NetworkPolicy.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "NetworkPolicy"
OR
- group: "networking.k8s.io"
version: "v1"
kind: "NetworkPolicy"
Examples
require-namespace-network-policies-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
Autorisés
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
Non autorisé
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Exiger des plages valides pour les réseaux v1.0.2
Applique les blocs CIDR autorisés pour l'entrée et la sortie réseau.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for egress.
allowedEgress:
- <string>
# allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
# allowed for ingress.
allowedIngress:
- <string>
Examples
require-valid-network-ranges
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
name: require-valid-network-ranges
spec:
enforcementAction: dryrun
parameters:
allowedEgress:
- 10.0.0.0/32
allowedIngress:
- 10.0.0.0/24
Autorisés
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
egress:
- ports:
- port: 5978
protocol: TCP
to:
- ipBlock:
cidr: 10.0.0.0/32
ingress:
- from:
- ipBlock:
cidr: 10.0.0.0/29
- ipBlock:
cidr: 10.0.0.100/29
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- port: 6379
protocol: TCP
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
Non autorisé
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy-disallowed
namespace: default
spec:
egress:
- ports:
- port: 5978
protocol: TCP
to:
- ipBlock:
cidr: 1.1.2.0/31
ingress:
- from:
- ipBlock:
cidr: 1.1.2.0/24
- ipBlock:
cidr: 2.1.2.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- port: 6379
protocol: TCP
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
K8sRequiredAnnotations
Annotations requises v1.0.1
Exige que les ressources contiennent des annotations spécifiées, avec des valeurs correspondant aux expressions régulières fournies.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# annotations <array>: A list of annotations and values the object must
# specify.
annotations:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required annotation.
key: <string>
message: <string>
Examples
all-must-have-certain-set-of-annotations
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
name: all-must-have-certain-set-of-annotations
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Service
parameters:
annotations:
- allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
key: a8r.io/owner
- allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
key: a8r.io/runbook
message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Autorisés
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/owner: dev-team-alfa@contoso.com
a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
name: allowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: disallowed-service
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: foo
K8sRequiredLabels
Libellés requis v1.0.1
Exige que les ressources contiennent des libellés spécifiés, avec des valeurs correspondant aux expressions régulières fournies.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# labels <array>: A list of labels and values the object must specify.
labels:
- # allowedRegex <string>: If specified, a regular expression the
# annotation's value must match. The value must contain at least one
# match for the regular expression.
allowedRegex: <string>
# key <string>: The required label.
key: <string>
message: <string>
Examples
all-must-have-owner
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Namespace
parameters:
labels:
- allowedRegex: ^[a-zA-Z]+.agilebank.demo$
key: owner
message: All namespaces must have an `owner` label that points to your company
username
Autorisés
apiVersion: v1
kind: Namespace
metadata:
labels:
owner: user.agilebank.demo
name: allowed-namespace
Non autorisé
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Vérifications requises v1.0.1
Exige que les pods fassent l'objet de vérifications d'aptitude et/ou d'activité.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# probeTypes <array>: The probe must define a field listed in `probeType`
# in order to satisfy the constraint (ex. `tcpSocket` satisfies
# `['tcpSocket', 'exec']`)
probeTypes:
- <string>
# probes <array>: A list of probes that are required (ex: `readinessProbe`)
probes:
- <string>
Examples
must-have-probes
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
probeTypes:
- tcpSocket
- httpGet
- exec
probes:
- readinessProbe
- livenessProbe
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: tomcat
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- image: nginx:1.7.9
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
apiVersion: v1
kind: Pod
metadata:
name: test-pod2
spec:
containers:
- image: nginx:1.7.9
livenessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 80
name: nginx-1
ports:
- containerPort: 80
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- image: tomcat
name: tomcat
ports:
- containerPort: 8080
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
tcpSocket:
port: 8080
volumes:
- emptyDir: {}
name: cache-volume
K8sRequiredResources
Ressources requises v1.0.1
Nécessite que les conteneurs aient un ensemble de ressources définies. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exemptImages <array>: Any container that uses an image that matches an
# entry in this list will be excluded from enforcement. Prefix-matching can
# be signified with `*`. For example: `my-image-*`. It is recommended that
# users use the fully-qualified Docker image name (e.g. start with a domain
# name) in order to avoid unexpectedly exempting images from an untrusted
# repository.
exemptImages:
- <string>
# limits <array>: A list of limits that should be enforced (`cpu`,
# `memory`, or both).
limits:
# Allowed Values: cpu, memory
- <string>
# requests <array>: A list of requests that should be enforced (`cpu`,
# `memory`, or both).
requests:
# Allowed Values: cpu, memory
- <string>
Examples
container-must-have-limits-and-requests
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: container-must-have-limits-and-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
limits:
- cpu
- memory
requests:
- cpu
- memory
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
limits:
- memory
requests:
- cpu
- memory
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
memory: 2Gi
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources: {}
no-enforcements
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
name: no-enforcements
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
Autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-allowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
cpu: 100m
memory: 1Gi
requests:
cpu: 100m
memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
requests:
cpu: 100m
memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources:
limits:
memory: 2Gi
requests:
cpu: 100m
apiVersion: v1
kind: Pod
metadata:
labels:
owner: me.agilebank.demo
name: opa-disallowed
spec:
containers:
- args:
- run
- --server
- --addr=localhost:8080
image: openpolicyagent/opa:0.9.2
name: opa
resources: {}
K8sRestrictAdmissionController
Restreindre le contrôleur d'admission v1.0.0
Limiter les contrôleurs d'admission dynamiques aux contrôleurs autorisés
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# permittedMutatingWebhooks <array>: List of permitted mutating webhooks
# (mutating admission controllers)
permittedMutatingWebhooks:
- <string>
# permittedValidatingWebhooks <array>: List of permitted validating
# webhooks (validating admission controllers)
permittedValidatingWebhooks:
- <string>
Examples
restrict-admission-controller
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
name: restrict-admission-controller
spec:
match:
kinds:
- apiGroups:
- admissionregistration.k8s.io
kinds:
- MutatingWebhookConfiguration
- ValidatingWebhookConfiguration
parameters:
permittedMutatingWebhooks:
- allowed-mutating-webhook
permittedValidatingWebhooks:
- allowed-validating-webhook
Autorisés
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: allowed-validating-webhook
Non autorisé
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: disallowed-validating-webhook
K8sRestrictAutomountServiceAccountTokens
Restreindre les jetons de compte de service v1.0.1
Limite l'utilisation des jetons de comptes de service.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
restrict-serviceaccounttokens
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
name: restrict-serviceaccounttokens
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
- ServiceAccount
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: allowed-example-pod
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1 kind: ServiceAccount metadata: name: disallowed-example-serviceaccount
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example-pod
spec:
automountServiceAccountToken: true
containers:
- image: nginx
name: nginx
apiVersion: v1 automountServiceAccountToken: true kind: ServiceAccount metadata: name: allowed-example-serviceaccount
K8sRestrictLabels
Restreindre les libellés v1.0.2
Empêche les ressources de contenir des libellés spécifiés, sauf en cas d'exception pour la ressource spécifique.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# exceptions <array>: Objects listed here are exempt from enforcement of
# this constraint. All fields must be provided.
exceptions:
# <list item: object>: A single object's identification, based on group,
# kind, namespace, and name.
- # group <string>: The Kubernetes group of the exempt object.
group: <string>
# kind <string>: The Kubernetes kind of the exempt object.
kind: <string>
# name <string>: The name of the exempt object.
name: <string>
# namespace <string>: The namespace of the exempt object. For
# cluster-scoped resources, use the empty string `""`.
namespace: <string>
# restrictedLabels <array>: A list of label keys strings.
restrictedLabels:
- <string>
Examples
restrict-label-example
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
exceptions:
- group: ""
kind: Pod
name: allowed-example
namespace: default
restrictedLabels:
- label-example
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNamespaces
Restreindre les espaces de noms v1.0.1
Empêche les ressources d'utiliser des espaces de noms répertoriés dans le paramètre restrictedNamespaces.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# restrictedNamespaces <array>: A list of Namespaces to restrict.
restrictedNamespaces:
- <string>
Examples
restrict-default-namespace-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
name: restrict-default-namespace-sample
spec:
enforcementAction: dryrun
parameters:
restrictedNamespaces:
- default
Autorisés
apiVersion: v1
kind: Pod
metadata:
name: allowed-example
namespace: test-namespace
spec:
containers:
- image: nginx
name: nginx
Non autorisé
apiVersion: v1
kind: Pod
metadata:
name: disallowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
K8sRestrictNfsUrls
Restreindre les URL NFS v1.0.1
Empêche les ressources de contenir des URL NFS, sauf indication contraire.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedNfsUrls <array>: A list of allowed NFS URLs
allowedNfsUrls:
- <string>
Examples
restrict-label-example
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
name: restrict-label-example
spec:
enforcementAction: dryrun
parameters:
allowedNfsUrls:
- my-nfs-server.example.com/my-nfs-volume
- my-nfs-server.example.com/my-wildcard-nfs-volume/*
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example
namespace: default
spec:
containers:
- image: nginx
name: nginx
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example-nfs
namespace: default
spec:
containers:
- image: nginx
name: nginx
- name: test-volume
nfs:
path: /my-nfs-volume
server: my-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: allowed-example-nfs-wildcard
namespace: default
spec:
containers:
- image: nginx
name: nginx
- name: test-volume
nfs:
path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
server: my-nfs-server.example.com
Non autorisé
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example-nfs
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- name: test-volume
nfs:
path: /my-nfs-volume
server: disallowed-nfs-server.example.com
apiVersion: v1
kind: Pod
metadata:
labels:
label-example: example
name: disallowed-example-nfs-mixed
namespace: default
spec:
containers:
- image: nginx
name: nginx
volumes:
- name: test-volume-allowed
nfs:
path: /my-nfs-volume
server: my-nfs-server.example.com
- name: test-volume-disallowed
nfs:
path: /my-nfs-volume
server: disallowed-nfs-server.example.com
K8sRestrictRbacSubjects
Restreindre les sujets RBAC v1.0.3
Limite l'utilisation des noms dans les objets RBAC aux valeurs autorisées.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of names permitted in RBAC subjects.
allowedSubjects:
- # name <string>: The exact-name or the pattern of the allowed subject
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
Examples
restrict-rbac-subjects
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
name: restrict-rbac-subjects
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- RoleBinding
- ClusterRoleBinding
parameters:
allowedSubjects:
- name: system:masters
- name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
regexMatch: true
- name: ^.+@system.gserviceaccount.com$
regexMatch: true
- name: ^.+@google.com$
regexMatch: true
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user@google.com - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters - apiGroup: rbac.authorization.k8s.io kind: User name: service-1234567890@gcp-sa-ktd-control.iam.gserviceaccount.com
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: user1@example.com - apiGroup: rbac.authorization.k8s.io kind: User name: user2@example.com
K8sRestrictRoleBindings
Restreindre les liaisons de rôles v1.0.3
Limite les sujets spécifiés dans les objets ClusterRoleBinding et RoleBinding à une liste de sujets autorisés.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedSubjects <array>: The list of subjects that are allowed to bind to
# the restricted role.
allowedSubjects:
- # apiGroup <string>: The Kubernetes API group of the subject.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the subject.
kind: <string>
# name <string>: The name of the subject which is matched exactly as
# provided as well as based on a regular expression.
name: <string>
# regexMatch <boolean>: The flag to allow a regular expression based
# match on the name.
regexMatch: <boolean>
# restrictedRole <object>: The role that cannot be bound to unless
# expressly allowed.
restrictedRole:
# apiGroup <string>: The Kubernetes API group of the role.
apiGroup: <string>
# kind <string>: The Kubernetes kind of the role.
kind: <string>
# name <string>: The name of the role.
name: <string>
Examples
restrict-clusteradmin-rolebindings-sample
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-sample
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:masters
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
name: restrict-clusteradmin-rolebindings-regex
spec:
enforcementAction: dryrun
parameters:
allowedSubjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
regexMatch: true
restrictedRole:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sRestrictRoleRules
Limiter les règles Role et ClusterRole V1.0.4
Limite les règles pouvant être définies sur les objets Role et ClusterRole.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedRules <array>: AllowedRules is the list of rules that are allowed
# on Role or ClusterRole objects. If set, any item off this list will be
# rejected.
allowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be allowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# disallowedRules <array>: DisallowedRules is the list of rules that are
# NOT allowed on Role or ClusterRole objects. If set, any item on this list
# will be rejected.
disallowedRules:
- # apiGroups <array>: APIGroups is the name of the APIGroup that
# contains the resources. If multiple API groups are specified, any
# action requested against one of the enumerated resources in any API
# group will be disallowed. "" represents the core API group and "*"
# represents all API groups.
apiGroups:
- <string>
# resources <array>: Resources is a list of resources this rule
# applies to. '*' represents all resources.
resources:
- <string>
# verbs <array>: Verbs is a list of Verbs that apply to ALL the
# ResourceKinds contained in this rule. '*' represents all verbs.
verbs:
- <string>
# exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
# names that are allowed to violate this policy.
exemptions:
clusterRoles:
- # name <string>: Name is the name or a pattern of the ClusterRole
# to be exempted.
name: <string>
# regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
# regex match of the ClusterRole name.
regexMatch: <boolean>
roles:
- # name <string>: Name is the name of the Role to be exempted.
name: <string>
# namespace <string>: Namespace is the namespace of the Role to be
# exempted.
namespace: <string>
Examples
restrict-pods-exec
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: restrict-pods-exec
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- Role
- ClusterRole
parameters:
disallowedRules:
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
Autorisés
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allowed-role-example rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
Non autorisé
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: disallowed-cluster-role-example rules: - apiGroups: - "" resources: - pods/exec verbs: - '*'
K8sStorageClass
Classe de stockage v1.1.2
Nécessite la spécification des classes de stockage lors de leur utilisation. Seuls Gatekeeper 3.9+ et les conteneurs non éphémères sont compatibles.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedStorageClasses <array>: An optional allow-list of storage classes.
# If specified, any storage class not in the `allowedStorageClasses`
# parameter is disallowed.
allowedStorageClasses:
- <string>
includeStorageClassesInMessage: <boolean>
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "storage.k8s.io"
version: "v1"
kind: "StorageClass"
Examples
storageclass
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: storageclass
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- PersistentVolumeClaim
- apiGroups:
- apps
kinds:
- StatefulSet
parameters:
includeStorageClassesInMessage: true
Autorisés
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ok
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: somestorageclass
volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: somestorageclass
provisioner: foo
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: volumeclaimstorageclass
spec:
replicas: 1
selector:
matchLabels:
app: volumeclaimstorageclass
serviceName: volumeclaimstorageclass
template:
metadata:
labels:
app: volumeclaimstorageclass
spec:
containers:
- image: registry.k8s.io/nginx-slim:0.8
name: main
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: somestorageclass
provisioner: foo
Non autorisé
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: badstorageclass
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: badstorageclass
volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: badvolumeclaimstorageclass
spec:
replicas: 1
selector:
matchLabels:
app: badvolumeclaimstorageclass
serviceName: badvolumeclaimstorageclass
template:
metadata:
labels:
app: badvolumeclaimstorageclass
spec:
containers:
- image: registry.k8s.io/nginx-slim:0.8
name: main
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: badstorageclass
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nostorageclass
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
volumeMode: Filesystem
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: novolumeclaimstorageclass
spec:
replicas: 1
selector:
matchLabels:
app: novolumeclaimstorageclass
serviceName: novolumeclaimstorageclass
template:
metadata:
labels:
app: novolumeclaimstorageclass
spec:
containers:
- image: registry.k8s.io/nginx-slim:0.8
name: main
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
allowed-storageclass
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
name: allowed-storageclass
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- PersistentVolumeClaim
- apiGroups:
- apps
kinds:
- StatefulSet
parameters:
allowedStorageClasses:
- allowed-storage-class
includeStorageClassesInMessage: true
Autorisés
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: allowed-storage-class-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: allowed-storage-class
volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: allowed-storage-class
provisioner: foo
Non autorisé
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: disallowed-storage-class-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 8Gi
storageClassName: disallowed-storage-class
volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: allowed-storage-class
provisioner: foo
K8sUniqueIngressHost
Hôte d'entrée unique v1.0.4
Exige que tous les hôtes de règle Ingress soient uniques. N'accepte pas les caractères génériques du nom d'hôte : https://kubernetes.io/docs/concepts/services-networking/ingress/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: "extensions"
version: "v1beta1"
kind: "Ingress"
OR
- group: "networking.k8s.io"
version: "v1beta1" OR "v1"
kind: "Ingress"
Examples
unique-ingress-host
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
name: unique-ingress-host
spec:
match:
kinds:
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
Autorisés
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-allowed
namespace: default
spec:
rules:
- host: example-allowed-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
- host: example-allowed-host1.example.com
http:
paths:
- backend:
service:
name: nginx2
port:
number: 80
path: /
pathType: Prefix
Non autorisé
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-disallowed
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-example
namespace: default
spec:
rules:
- host: example-host.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-disallowed2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
- host: example-host3.example.com
http:
paths:
- backend:
service:
name: nginx2
port:
number: 80
path: /
pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-host-example2
namespace: default
spec:
rules:
- host: example-host2.example.com
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
K8sUniqueServiceSelector
Sélecteur de service unique v1.0.2
Exige que les Services aient des sélecteurs uniques au sein d'un espace de noms. Les sélecteurs sont considérés comme identiques s'ils possèdent des clés et des valeurs identiques. Les sélecteurs peuvent partager une paire clé/valeur s'il existe au moins une paire clé/valeur distincte entre eux. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Contrainte référentielle
Cette contrainte est référentielle. Avant de l'utiliser, vous devez activer les contraintes référentielles et créer une configuration qui indique à Policy Controller les types d'objets à surveiller.
Votre Config Policy Controller nécessitera une entrée syncOnly semblable à :
spec:
sync:
syncOnly:
- group: ""
version: "v1"
kind: "Service"
Examples
unique-service-selector
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
labels:
owner: admin.agilebank.demo
name: unique-service-selector
Autorisés
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: other-value
Non autorisé
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-disallowed
namespace: default
spec:
ports:
- port: 443
selector:
key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
name: gatekeeper-test-service-example
namespace: default
spec:
ports:
- port: 443
selector:
key: value
NoUpdateServiceAccount
Bloquer la mise à jour du compte de service v1.0.1
Bloque la mise à jour du compte de service sur les ressources qui extraient sur les pods. Cette règle est ignorée en mode audit.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedGroups <array>: Groups that should be allowed to bypass the
# policy.
allowedGroups:
- <string>
# allowedUsers <array>: Users that should be allowed to bypass the policy.
allowedUsers:
- <string>
Examples
no-update-kube-system-service-account
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
name: no-update-kube-system-service-account
spec:
match:
kinds:
- apiGroups:
- ""
kinds:
- ReplicationController
- apiGroups:
- apps
kinds:
- ReplicaSet
- Deployment
- StatefulSet
- DaemonSet
- apiGroups:
- batch
kinds:
- CronJob
namespaces:
- kube-system
parameters:
allowedGroups: []
allowedUsers: []
Autorisés
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: policy-test
name: policy-test
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
app: policy-test-deploy
template:
metadata:
labels:
app: policy-test-deploy
spec:
containers:
- command:
- /bin/bash
- -c
- sleep 99999
image: ubuntu
name: policy-test
serviceAccountName: policy-test-sa-1
PolicyStrictOnly
Exiger une règle mTLS Istio STRICT v1.0.4
Nécessite que l'authentification TLS mutuelle STRICT d'Istio soit toujours spécifiée lorsque vous utilisez PeerAuthentication. Cette contrainte garantit également que les ressources obsolètes Policy et MeshPolicy appliquent le protocole TLS mutuel STRICT. Consultez la page https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
peerauthentication-strict-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: peerauthentication-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- PeerAuthentication
namespaces:
- default
Autorisés
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict
namespace: default
spec:
mtls:
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-level
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: STRICT
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-unset
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: UNSET
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: empty-mtls
namespace: default
spec:
mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-null
namespace: default
spec:
mtls:
mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-permissive
namespace: default
spec:
mtls:
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: mode-strict-port-permissive
namespace: default
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
"8081":
mode: STRICT
deprecated-policy-strict-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
name: deprecated-policy-strict-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- authentication.istio.io
kinds:
- Policy
namespaces:
- default
Autorisés
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mode-strict
namespace: default
spec:
peers:
- mtls:
mode: STRICT
Non autorisé
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default-mtls-empty
namespace: default
spec:
peers:
- mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: policy-permissive
namespace: default
spec:
peers:
- mtls:
mode: PERMISSIVE
RestrictNetworkExclusions
Limiter les exclusions réseau v1.0.2
Contrôlez les ports entrants, les ports sortants et les plages d'adresses IP sortantes pouvant être exclues de la capture du réseau Istio. Les ports et les plages d'adresses IP qui contournent la capture du réseau Istio ne sont pas gérés par le proxy Istio et ne sont pas soumis à l'authentification mTLS d'Istio, à la règle d'autorisation et à d'autres fonctionnalités d'Istio. Cette contrainte peut être utilisée pour appliquer des restrictions à l'utilisation des annotations suivantes:
traffic.sidecar.istio.io/excludeInboundPortstraffic.sidecar.istio.io/excludeOutboundPortstraffic.sidecar.istio.io/excludeOutboundIPRanges
Voir https://istio.io/latest/docs/reference/config/annotations/.
Lorsque vous limitez des plages d'adresses IP sortantes, la contrainte calcule si les plages d'adresses IP exclues correspondent ou sont un sous-ensemble des exclusions de plages d'adresses IP autorisées.
Lorsque vous utilisez cette contrainte, tous les ports entrants, ports sortants et plages d'adresses IP sortantes doivent toujours être inclus en définissant les annotations "include" correspondantes sur "*" ou en les laissant non défini. La définition de l'une des annotations suivantes sur une valeur autre que "*" n'est pas autorisée:
traffic.sidecar.istio.io/includeInboundPortstraffic.sidecar.istio.io/includeOutboundPortstraffic.sidecar.istio.io/includeOutboundIPRanges
Cette contrainte permet toujours d'exclure le port 15020, car l'injecteur de side-car Istio l'ajoute toujours à l'annotation traffic.sidecar.istio.io/excludeInboundPorts afin de pouvoir l'utiliser pour la vérification de l'état.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# allowedInboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
allowedInboundPortExclusions:
- <string>
# allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
# constraint calculates whether excluded IP ranges match or are a subset of
# the ranges in this list.
allowedOutboundIPRangeExclusions:
- <string>
# allowedOutboundPortExclusions <array>: A list of ports that this
# constraint will allow in the
# `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
allowedOutboundPortExclusions:
- <string>
Examples
restrict-network-exclusions
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
name: restrict-network-exclusions
spec:
enforcementAction: deny
match:
kinds:
- apiGroups:
- ""
kinds:
- Pod
parameters:
allowedInboundPortExclusions:
- "80"
allowedOutboundIPRangeExclusions:
- 169.254.169.254/32
allowedOutboundPortExclusions:
- "8888"
Autorisés
apiVersion: v1
kind: Pod
metadata:
labels:
app: nginx
name: nothing-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeInboundPorts: "80"
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
labels:
app: nginx
name: allowed-port-and-ip-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
labels:
app: nginx
name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: '*'
traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
traffic.sidecar.istio.io/includeOutboundPorts: '*'
labels:
app: nginx
name: everything-included-with-no-exclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
Non autorisé
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
labels:
app: nginx
name: disallowed-ip-range-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
labels:
app: nginx
name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
- containerPort: 443
apiVersion: v1
kind: Pod
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: 80,443
traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
traffic.sidecar.istio.io/includeOutboundPorts: "8888"
labels:
app: nginx
name: disallowed-specific-port-and-ip-inclusions
spec:
containers:
- image: nginx
name: nginx
ports:
- containerPort: 80
SourceNotAllAuthz
Exiger la source AuthorizationPolicy Istio et non la version v1.0.1
Nécessite que les comptes principaux sources des règles AuthorizationPolicy d'Istio soient définis sur autre chose que "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
Examples
sourcenotall-authz-constraint
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
name: sourcenotall-authz-constraint
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- security.istio.io
kinds:
- AuthorizationPolicy
Autorisés
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-good
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
Non autorisé
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-dne
namespace: foo
spec:
rules:
- from:
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-all
namespace: foo
spec:
rules:
- from:
- source:
principals:
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: source-principals-someall
namespace: foo
spec:
rules:
- from:
- source:
principals:
- cluster.local/ns/default/sa/sleep
- '*'
- source:
namespaces:
- test
to:
- operation:
methods:
- GET
paths:
- /info*
- operation:
methods:
- POST
paths:
- /data
when:
- key: request.auth.claims[iss]
values:
- https://accounts.google.com
selector:
matchLabels:
app: httpbin
version: v1
VerifyDeprecatedAPI
Valider les API obsolètes v1.0.0
Vérifie les API Kubernetes obsolètes pour s'assurer que toutes les versions d'API sont à jour. Ce modèle ne s'applique pas à l'audit, car celui-ci examine les ressources déjà présentes dans le cluster avec des versions d'API non obsolètes.
Schéma de contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: example
spec:
# match <object>: lets you configure which resources are in scope for this
# constraint. For more information, see the Policy Controller Constraint
# match documentation:
# https://cloud.google.com/anthos-config-management/docs/reference/match
match:
[match schema]
parameters:
# k8sVersion <number>: kubernetes version
k8sVersion: <number>
# kvs <array>: Deprecated api versions and corresponding kinds
kvs:
- # deprecatedAPI <string>: deprecated api
deprecatedAPI: <string>
# kinds <array>: impacted list of kinds
kinds:
- <string>
# targetAPI <string>: target api
targetAPI: <string>
Examples
verify-1.16
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.16
spec:
match:
kinds:
- apiGroups:
- apps
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- DaemonSet
- apiGroups:
- extensions
kinds:
- PodSecurityPolicy
- ReplicaSet
- Deployment
- DaemonSet
- NetworkPolicy
parameters:
k8sVersion: 1.16
kvs:
- deprecatedAPI: apps/v1beta1
kinds:
- Deployment
- ReplicaSet
- StatefulSet
targetAPI: apps/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- ReplicaSet
- Deployment
- DaemonSet
targetAPI: apps/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- PodSecurityPolicy
targetAPI: policy/v1beta1
- deprecatedAPI: apps/v1beta2
kinds:
- ReplicaSet
- StatefulSet
- Deployment
- DaemonSet
targetAPI: apps/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- NetworkPolicy
targetAPI: networking.k8s.io/v1
Autorisés
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: allowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
Non autorisé
apiVersion: apps/v1beta1
kind: Deployment
metadata:
labels:
app: nginx
name: disallowed-deployment
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: nginx:1.14.2
name: nginx
ports:
- containerPort: 80
verify-1.22
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.22
spec:
match:
kinds:
- apiGroups:
- admissionregistration.k8s.io
kinds:
- MutatingWebhookConfiguration
- ValidatingWebhookConfiguration
- apiGroups:
- apiextensions.k8s.io
kinds:
- CustomResourceDefinition
- apiGroups:
- apiregistration.k8s.io
kinds:
- APIService
- apiGroups:
- authentication.k8s.io
kinds:
- TokenReview
- apiGroups:
- authorization.k8s.io
kinds:
- SubjectAccessReview
- apiGroups:
- certificates.k8s.io
kinds:
- CertificateSigningRequest
- apiGroups:
- coordination.k8s.io
kinds:
- Lease
- apiGroups:
- extensions
- networking.k8s.io
kinds:
- Ingress
- apiGroups:
- networking.k8s.io
kinds:
- IngressClass
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- ClusterRole
- ClusterRoleBinding
- Role
- RoleBinding
- apiGroups:
- scheduling.k8s.io
kinds:
- PriorityClass
- apiGroups:
- storage.k8s.io
kinds:
- CSIDriver
- CSINode
- StorageClass
- VolumeAttachment
parameters:
k8sVersion: 1.22
kvs:
- deprecatedAPI: admissionregistration.k8s.io/v1beta1
kinds:
- MutatingWebhookConfiguration
- ValidatingWebhookConfiguration
targetAPI: admissionregistration.k8s.io/v1
- deprecatedAPI: apiextensions.k8s.io/v1beta1
kinds:
- CustomResourceDefinition
targetAPI: apiextensions.k8s.io/v1
- deprecatedAPI: apiregistration.k8s.io/v1beta1
kinds:
- APIService
targetAPI: apiregistration.k8s.io/v1
- deprecatedAPI: authentication.k8s.io/v1beta1
kinds:
- TokenReview
targetAPI: authentication.k8s.io/v1
- deprecatedAPI: authorization.k8s.io/v1beta1
kinds:
- SubjectAccessReview
targetAPI: authorization.k8s.io/v1
- deprecatedAPI: certificates.k8s.io/v1beta1
kinds:
- CertificateSigningRequest
targetAPI: certificates.k8s.io/v1
- deprecatedAPI: coordination.k8s.io/v1beta1
kinds:
- Lease
targetAPI: coordination.k8s.io/v1
- deprecatedAPI: extensions/v1beta1
kinds:
- Ingress
targetAPI: networking.k8s.io/v1
- deprecatedAPI: networking.k8s.io/v1beta1
kinds:
- Ingress
- IngressClass
targetAPI: networking.k8s.io/v1
- deprecatedAPI: rbac.authorization.k8s.io/v1beta1
kinds:
- ClusterRole
- ClusterRoleBinding
- Role
- RoleBinding
targetAPI: rbac.authorization.k8s.io/v1
- deprecatedAPI: scheduling.k8s.io/v1beta1
kinds:
- PriorityClass
targetAPI: scheduling.k8s.io/v1
- deprecatedAPI: storage.k8s.io/v1beta1
kinds:
- CSIDriver
- CSINode
- StorageClass
- VolumeAttachment
targetAPI: storage.k8s.io/v1
Autorisés
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
name: allowed-ingress
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- backend:
service:
name: test
port:
number: 80
path: /testpath
pathType: Prefix
Non autorisé
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
name: disallowed-ingress
spec:
ingressClassName: nginx-example
rules:
- http:
paths:
- backend:
service:
name: test
port:
number: 80
path: /testpath
pathType: Prefix
verify-1.25
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.25
spec:
match:
kinds:
- apiGroups:
- batch
kinds:
- CronJob
- apiGroups:
- discovery.k8s.io
kinds:
- EndpointSlice
- apiGroups:
- events.k8s.io
kinds:
- Event
- apiGroups:
- autoscaling
kinds:
- HorizontalPodAutoscaler
- apiGroups:
- policy
kinds:
- PodDisruptionBudget
- PodSecurityPolicy
- apiGroups:
- node.k8s.io
kinds:
- RuntimeClass
parameters:
k8sVersion: 1.25
kvs:
- deprecatedAPI: batch/v1beta1
kinds:
- CronJob
targetAPI: batch/v1
- deprecatedAPI: discovery.k8s.io/v1beta1
kinds:
- EndpointSlice
targetAPI: discovery.k8s.io/v1
- deprecatedAPI: events.k8s.io/v1beta1
kinds:
- Event
targetAPI: events.k8s.io/v1
- deprecatedAPI: autoscaling/v2beta1
kinds:
- HorizontalPodAutoscaler
targetAPI: autoscaling/v2
- deprecatedAPI: policy/v1beta1
kinds:
- PodDisruptionBudget
targetAPI: policy/v1
- deprecatedAPI: policy/v1beta1
kinds:
- PodSecurityPolicy
targetAPI: None
- deprecatedAPI: node.k8s.io/v1beta1
kinds:
- RuntimeClass
targetAPI: node.k8s.io/v1
Autorisés
apiVersion: batch/v1
kind: CronJob
metadata:
name: allowed-cronjob
namespace: default
spec:
jobTemplate:
spec:
template:
spec:
containers:
- command:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: hello
restartPolicy: OnFailure
schedule: '* * * * *'
Non autorisé
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: disallowed-cronjob
namespace: default
spec:
jobTemplate:
spec:
template:
spec:
containers:
- command:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: hello
restartPolicy: OnFailure
schedule: '* * * * *'
verify-1.26
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.26
spec:
match:
kinds:
- apiGroups:
- flowcontrol.apiserver.k8s.io
kinds:
- FlowSchema
- PriorityLevelConfiguration
- apiGroups:
- autoscaling
kinds:
- HorizontalPodAutoscaler
parameters:
k8sVersion: 1.26
kvs:
- deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
kinds:
- FlowSchema
- PriorityLevelConfiguration
targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
- deprecatedAPI: autoscaling/v2beta2
kinds:
- HorizontalPodAutoscaler
targetAPI: autoscaling/v2
Autorisés
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
name: allowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
Non autorisé
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
name: disallowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
verify-1.27
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.27
spec:
match:
kinds:
- apiGroups:
- storage.k8s.io
kinds:
- CSIStorageCapacity
parameters:
k8sVersion: 1.27
kvs:
- deprecatedAPI: storage.k8s.io/v1beta1
kinds:
- CSIStorageCapacity
targetAPI: storage.k8s.io/v1
Autorisés
apiVersion: storage.k8s.io/v1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity storageClassName: standard
Non autorisé
apiVersion: storage.k8s.io/v1beta1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity namespace: default storageClassName: standard
verify-1.29
Contrainte
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
name: verify-1.29
spec:
match:
kinds:
- apiGroups:
- flowcontrol.apiserver.k8s.io
kinds:
- FlowSchema
- PriorityLevelConfiguration
parameters:
k8sVersion: 1.29
kvs:
- deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
kinds:
- FlowSchema
- PriorityLevelConfiguration
targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Autorisés
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
name: allowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
Non autorisé
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
name: disallowed-flowcontrol
namespace: default
spec:
matchingPrecedence: 1000
priorityLevelConfiguration:
name: exempt
rules:
- nonResourceRules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
verbs:
- '*'
subjects:
- group:
name: system:unauthenticated
kind: Group
Étape suivante
- En savoir plus sur Policy Controller
- Installer Policy Controller
- Utiliser des contraintes au lieu de règles PodSecurityPolicies
- Affichez la bibliothèque Open Source des modèles de contrainte dans le dépôt gatekeeper-library