ACK's cluster policy management feature provides four built-in rule libraries (Compliance, Infra, K8s-general, and PSP), each containing predefined security policies. Each policy is a Gatekeeper constraint template. The constraint you create from it (apiVersion constraints.gatekeeper.sh/v1beta1) selects resources by kind and namespace under spec.match and is evaluated at admission time, so requests to create or update the matched resources (pods, Services, Ingresses, RoleBindings, PVs, PVCs or namespaces, depending on the policy) are admitted or rejected before they are persisted. A constraint does not change objects that already exist; it only gates new requests.
Policy categories
| Category | Description |
|---|---|
| Compliance | Policies based on compliance standards such as Alibaba Cloud Kubernetes Security Hardening. |
| Infra | Policies that protect cloud infrastructure resources. |
| K8s-general | Policies that restrict and standardize configurations of sensitive resources in Container Service for Kubernetes (ACK) clusters. |
| PSP | Policies that replace pod security policies (PSPs) from open source Kubernetes, providing the same access control capabilities. PodSecurityPolicy was removed in Kubernetes 1.25, so these constraints are the way to keep PSP-style controls on newer cluster versions. |
Predefined security policies
The following table lists all 44 predefined security policies across the four categories.
| Category | Policy | Description | Severity |
|---|---|---|---|
| Compliance | ACKNoEnvVarSecrets | Blocks use of secretKeyRef to reference Secrets in pod environment variables. | Medium |
| Compliance | ACKPodsRequireSecurityContext | Requires pods in specified namespaces to include a pod-level securityContext. | Low |
| Compliance | ACKRestrictNamespaces | Blocks deployment of specified resource types in specified namespaces. | Low |
| Compliance | ACKRestrictRoleBindings | Restricts which subjects RoleBindings in specified namespaces may bind to a specified role or cluster role. | High |
| Compliance | ACKNamespacesDeleteProtection | Prevents deletion of specified namespaces. | Medium |
| Compliance | ACKServicesDeleteProtection | Prevents deletion of specified Services in specified namespaces. | Medium |
| Infra | ACKBlockProcessNamespaceSharing | Blocks pods in specified namespaces from using shareProcessNamespace. | High |
| Infra | ACKEmptyDirHasSizeLimit | Requires sizeLimit when mounting emptyDir volumes. | Low |
| Infra | ACKLocalStorageRequireSafeToEvict | Requires the cluster-autoscaler.kubernetes.io/safe-to-evict: "true" annotation on pods that mount hostPath or emptyDir volumes. | Low |
| Infra | ACKOSSStorageLocationConstraint | Controls which Object Storage Service (OSS) bucket regions can be mounted to pods in specified namespaces. | Low |
| Infra | ACKPVSizeConstraint | Sets a maximum disk capacity for persistent volumes (PVs) in the cluster. | Medium |
| Infra | ACKPVCConstraint | Restricts which namespaces can deploy persistent volume claims (PVCs) and sets a maximum storage size for PVCs. | Medium |
| Infra | ACKBlockVolumeTypes | Blocks pods in specified namespaces from using specified volume types. | Medium |
| K8s-general | ACKAllowedRepos | Restricts pods in specified namespaces to pulling images from specified image repositories. | High |
| K8s-general | ACKBlockAutoinjectServiceEnv | Requires enableServiceLinks: false on pods, preventing Service IP addresses from being injected into pod environment variables. | Low |
| K8s-general | ACKBlockAutomountToken | Requires automountServiceAccountToken: false on pods, preventing automatic service account token mounting. | High |
| K8s-general | ACKBlockEphemeralContainer | Blocks pods in specified namespaces from launching ephemeral containers. | Medium |
| K8s-general | ACKBlockLoadBalancer | Blocks LoadBalancer Services from being deployed in specified namespaces. | High |
| K8s-general | ACKBlockNodePort | Blocks NodePort Services from being deployed in specified namespaces. | High |
| K8s-general | ACKContainerLimits | Requires CPU and memory limits on all containers in pods in specified namespaces and caps them at the cpu and memory maximums set in the policy. | Low |
| K8s-general | ACKExternalIPs | Restricts Services in specified namespaces to using only external IP addresses listed in the policy. | High |
| K8s-general | ACKImageDigests | Requires pods in specified namespaces to reference images by digest. | Low |
| K8s-general | ACKRequiredLabels | Requires pods in specified namespaces to have labels matching the policy. | Low |
| K8s-general | ACKRequiredProbes | Requires pods in specified namespaces to have specified types of readiness probes and liveness probes. | Medium |
| K8s-general | ACKCheckNginxPath | Blocks high-risk values in spec.rules[].http.paths[].path for Ingress resources. Enable for Ingress-nginx versions earlier than 1.2.1. | High |
| K8s-general | ACKCheckNginxAnnotation | Blocks high-risk values in metadata.annotations for Ingress resources. Enable for Ingress-nginx versions earlier than 1.2.1. | High |
| K8s-general | ACKBlockInternetLoadBalancer | Blocks creation of internet-facing LoadBalancer Services. | High |
| K8s-general | RatifyVerification | Uses the Ratify component to verify image signatures or security metadata (such as a software bill of materials (SBOM)) for pods in specified namespaces. | High |
| PSP | ACKPSPAllowPrivilegeEscalationContainer | Requires pods in specified namespaces to include the allowPrivilegeEscalation setting. | Medium |
| PSP | ACKPSPAllowedUsers | Requires pods in specified namespaces to include user, group, supplementalGroups, and fsGroup settings. | Medium |
| PSP | ACKPSPAppArmor | Requires pods in specified namespaces to include AppArmor settings. | Low |
| PSP | ACKPSPCapabilities | Requires pods in specified namespaces to include Linux capabilities settings. | High |
| PSP | ACKPSPFSGroup | Requires pods in specified namespaces to use fsGroup settings that comply with the policy. | Medium |
| PSP | ACKPSPFlexVolumes | Restricts pods in specified namespaces to using only FlexVolume drivers listed in the policy. | Medium |
| PSP | ACKPSPForbiddenSysctls | Blocks pods in specified namespaces from using specified sysctls. | High |
| PSP | ACKPSPHostFilesystem | Enforces conditions on hostPath volumes mounted to pods in specified namespaces. | High |
| PSP | ACKPSPHostNamespace | Blocks pods in specified namespaces from sharing host namespaces. | High |
| PSP | ACKPSPHostNetworkingPorts | Controls whether pods in specified namespaces can use the host network and specified ports. | High |
| PSP | ACKPSPPrivilegedContainer | Blocks pods in specified namespaces from running privileged containers. | High |
| PSP | ACKPSPProcMount | Requires pods in specified namespaces to use the Proc Mount type specified in the policy. | Low |
| PSP | ACKPSPReadOnlyRootFilesystem | Requires pods in specified namespaces to run with read-only root filesystems. | Medium |
| PSP | ACKPSPSELinuxV2 | Restricts pods in specified namespaces to SELinux options listed in the policy. | Low |
| PSP | ACKPSPSeccomp | Requires pods in specified namespaces to use specified seccomp profiles. | Low |
| PSP | ACKPSPVolumeTypes | Restricts pods in specified namespaces to mounting only volumes of specified types. | Medium |
Compliance
ACKNoEnvVarSecrets
Blocks use of secretKeyRef to reference Secrets in pod environment variables. A value injected into the environment is inherited by every child process, is readable through /proc/<pid>/environ, and routinely leaks into crash dumps and debug output. Mounting the Secret as a volume, as in the allowed example, keeps the value in a file that the application reads only when it needs it.
Severity: Medium
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed — secrets mounted as a volume:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
```
Disallowed — secrets referenced via secretKeyRef in environment variables:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
```
ACKPodsRequireSecurityContext
Requires pods in specified namespaces to include a pod-level securityContext. The check is for presence only: the allowed example passes with runAsNonRoot: false, and a securityContext set on a container but not on the pod does not satisfy it. Combine it with the PSP-category policies to constrain what the securityContext actually contains.
Severity: Low
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed — pod-level securityContext present:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed — securityContext only on a container, not the pod (the pod is in the matched namespace, so the constraint applies to it):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false
```
ACKRestrictNamespaces
Blocks deployment of specified resource types in specified namespaces.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| restrictedNamespaces | array | Namespaces in which the matched resource types cannot be deployed. |
Example
Constraint (note that the namespaces are given as a parameter, not under spec.match, so the constraint itself is evaluated cluster-wide):
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
```
Allowed — pod in a non-restricted namespace:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed — pod in the restricted namespace:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
```
ACKRestrictRoleBindings
Restricts which subjects RoleBindings in specified namespaces may bind to a specified role or cluster role. In the example only the system:masters group may receive cluster-admin; any RoleBinding whose roleRef is cluster-admin and whose subjects include anything else is rejected. Bindings to other roles are not affected.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| restrictedRole | object | The role or cluster role (apiGroup, kind, name) whose bindings the policy restricts. |
| allowedSubjects | array | Subjects (apiGroup, kind, name) that may be bound to the restricted role. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
```
Allowed — binding uses an allowed subject:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
Disallowed — binding uses a subject not in allowedSubjects:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
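The matching rule above can be checked locally, for example in a CI job that lints RBAC manifests before they reach the cluster. The following is an added example, not ACK's or Gatekeeper's code and not their Rego: it re-implements the behaviour the allowed/disallowed pair shows, with the parameters copied from the restrict-clusteradmin-rolebindings constraint. The function names and the third sample binding are this example's own. The subtlety it handles is defaulting: the RBAC API fills in apiGroup rbac.authorization.k8s.io for User and Group subjects and the empty group for ServiceAccount subjects, and a ServiceAccount subject in a RoleBinding may omit its namespace, which RBAC then reads as the binding's own namespace. A checker that compares subjects literally would reject the allowed example, whose Group subject is written without apiGroup.

```python
"""Evaluate RoleBindings against an ACKRestrictRoleBindings-style constraint (added example)."""
RBAC_GROUP = "rbac.authorization.k8s.io"

CONSTRAINT = {  # parameters copied from the restrict-clusteradmin-rolebindings constraint
    "restrictedRole": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"},
    "allowedSubjects": [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"}],
}


def normalize_subject(subject: dict, binding_namespace: str) -> tuple:
    """Return (apiGroup, kind, name, namespace) with RBAC defaulting applied."""
    kind = subject.get("kind", "")
    if kind == "ServiceAccount":
        group = subject.get("apiGroup", "")               # SA subjects use the core group
        namespace = subject.get("namespace") or binding_namespace  # omitted == binding's namespace
    else:
        group = subject.get("apiGroup", RBAC_GROUP)       # User/Group default to the RBAC group
        namespace = ""                                    # User/Group are not namespaced
    return (group, kind, subject.get("name", ""), namespace)


def role_ref_matches(role_ref: dict, restricted: dict) -> bool:
    """True when the binding's roleRef names the restricted role (kind matters: a Role
    called cluster-admin is a different object from the ClusterRole)."""
    actual = (role_ref.get("apiGroup", RBAC_GROUP), role_ref.get("kind"), role_ref.get("name"))
    wanted = (restricted.get("apiGroup", RBAC_GROUP), restricted.get("kind"), restricted.get("name"))
    return actual == wanted


def check_rolebinding(binding: dict, constraint: dict = CONSTRAINT) -> list[str]:
    """Return violation messages; an empty list means the binding would be admitted."""
    role_ref = binding.get("roleRef", {})
    if not role_ref_matches(role_ref, constraint["restrictedRole"]):
        return []  # the policy only cares about bindings to the restricted role
    binding_ns = binding.get("metadata", {}).get("namespace", "default")
    allowed = {normalize_subject(s, binding_ns) for s in constraint["allowedSubjects"]}
    violations = []
    for subject in binding.get("subjects", []):
        if normalize_subject(subject, binding_ns) in allowed:
            continue
        violations.append(
            f"{subject.get('kind')} {subject.get('name')!r} may not be bound to "
            f"{role_ref.get('kind')}/{role_ref.get('name')}"
        )
    return violations


GOOD_BINDING = {  # mirrors the allowed example: Group subject written without apiGroup
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "Group", "name": "system:masters"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP},
}
BAD_BINDING = {  # mirrors the disallowed example: a ServiceAccount receiving cluster-admin
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP},
}
OTHER_BINDING = {  # constructed: binds an unrelated ClusterRole, so the policy does not apply
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "viewers", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}],
    "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC_GROUP},
}

if __name__ == "__main__":
    for binding in (GOOD_BINDING, BAD_BINDING, OTHER_BINDING):
        print(binding["metadata"]["name"], check_rolebinding(binding) or "admitted")
```

Note what this does not cover: ClusterRoleBindings are a separate kind and need their own constraint, and a Role in the namespace that happens to be named cluster-admin is not matched because the kind differs, which is the correct reading of the restrictedRole parameter.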
ACKNamespacesDeleteProtection
Prevents deletion of specified namespaces.
Severity: Medium
This policy requires Gatekeeper 3.10.0.130-g0e79597d-aliyun or later. For information about Gatekeeper versions, see Gatekeeper.
Parameters:
| Parameter | Type | Description |
|---|---|---|
| protectionNamespaces | array | Names of namespaces that cannot be deleted. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper
```
Allowed — namespace not in the protection list:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete
```
Disallowed — namespace in the protection list:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper
```
ACKServicesDeleteProtection
Prevents deletion of Service instances in specified namespaces.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| protectionServices | array | Names of Services (within the namespaces selected by spec.match) that cannot be deleted. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc
```
Allowed — Service not in the protection list:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper
```
Disallowed — Service in the protection list (in a matched namespace):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: test-gatekeeper
```
Infra
ACKBlockProcessNamespaceSharing
Blocks pods in specified namespaces from using shareProcessNamespace. With a shared PID namespace every container in the pod can see and signal the processes of the other containers and read their filesystems through /proc/<pid>/root, so a compromised sidecar becomes a compromise of the whole pod.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed — no shareProcessNamespace set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed — shareProcessNamespace: true set on the pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
ACKEmptyDirHasSizeLimit
Requires sizeLimit when mounting emptyDir volumes. Without a sizeLimit an emptyDir can grow until it exhausts the node's ephemeral storage (or, with medium: Memory, the node's memory) and affects every other pod on the node; with a sizeLimit the kubelet evicts only the offending pod once the limit is exceeded.
Severity: Low
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed — emptyDir volume has a sizeLimit:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
```
Disallowed — emptyDir volume has no sizeLimit:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKLocalStorageRequireSafeToEvict
Requires the cluster-autoscaler.kubernetes.io/safe-to-evict: "true" annotation on pods in specified namespaces that mount hostPath or emptyDir volumes. By default, Cluster Autoscaler will not scale down a node that runs a pod with such local storage; the annotation declares that the pod may be evicted, so these pods no longer pin nodes and block scale-in.
Severity: Low
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed — pod mounts a hostPath volume and has the safe-to-evict annotation:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        path: /data
        type: Directory
```
Disallowed — pod mounts an emptyDir volume but lacks the annotation:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKOSSStorageLocationConstraint
Controls which OSS bucket regions can be mounted to pods in specified namespaces. The region is taken from the OSS endpoint in the volume's url attribute (for example oss-cn-beijing.aliyuncs.com), for inline csi pod volumes and for PersistentVolumes alike.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| mode | string | allowlist (default) enables allowlist mode; any other value enables blocklist mode. |
| regions | array | Region IDs to include in the allowlist or blocklist. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
```
Allowed — OSS bucket is in an allowed region (cn-beijing):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
Disallowed — OSS bucket is in a region not in the allowlist (cn-hangzhou); the only difference from the allowed pod is the endpoint:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
ACKPVSizeConstraint
Sets a maximum disk capacity for persistent volumes (PVs) in the cluster.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| maxSize | string | Maximum disk capacity for PVs. Default: 50Gi. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"
```
Allowed — PV requests 25 GiB, within the 50 GiB limit:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
```
Disallowed — PV requests 500 GiB, exceeding the limit:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
```
ACKPVCConstraint
Restricts which namespaces can deploy persistent volume claims (PVCs) and sets a maximum PV disk capacity.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| maxSize | string | Maximum storage request for a PVC. Default: 50Gi. |
| allowNamespaces | array | Namespaces in which PVCs can be deployed. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"
```
Allowed — PVC in an allowed namespace, within the size limit:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```
Disallowed — PVC exceeds the size limit, or is in a namespace not in allowNamespaces:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```
ACKBlockVolumeTypes
Blocks pods in specified namespaces from using specified volume types. The example blocks gitRepo, a volume type that clones a repository into the pod at start-up and is deprecated upstream; hostPath is the other usual candidate when the finer-grained ACKPSPHostFilesystem policy is not in use.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| volumes | array | Volume types that pods are not allowed to use. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"
```
Allowed — pod uses an emptyDir volume (not blocked):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}
```
Disallowed — pod uses a gitRepo volume (blocked):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"
```
K8s-general
ACKAllowedRepos
Restricts pods in specified namespaces to pulling images from specified image repositories. The check covers initContainers as well as containers, as the examples show, and each entry is compared against the start of the image reference; keep the trailing slash on every entry so that an entry for .../acs/ cannot be satisfied by a differently named repository such as .../acs-other/.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| repos | array | Image repositories from which pods are allowed to pull images. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
```
Allowed — images pulled from allowed repositories:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
```
Disallowed — images pulled from a repository not in the allowlist:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
```
ACKBlockAutoinjectServiceEnv
Requires enableServiceLinks: false on pods in specified namespaces, preventing Service IP addresses from being injected into pod environment variables.
Severity: Low
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — enableServiceLinks: false set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
```
Disallowed — enableServiceLinks not set (it defaults to true):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockAutomountToken
Requires automountServiceAccountToken: false on pods in specified namespaces, preventing automatic service account token mounting. Most workloads never call the Kubernetes API, yet by default every pod receives a token under /var/run/secrets/kubernetes.io/serviceaccount, and that token is the first thing an attacker with code execution in the container reaches for. The field must be set explicitly in the pod spec: as the disallowed example shows, a pod that merely omits it is rejected.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — automountServiceAccountToken: false set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
```
Disallowed — automountServiceAccountToken not set to false:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockEphemeralContainer
Blocks pods in specified namespaces from launching ephemeral containers. Ephemeral containers are added to an already running pod (for example by kubectl debug) through the pods/ephemeralcontainers subresource and give whoever can create them an interactive foothold, with an image of their choosing, inside the pod's namespaces.
Severity: Medium
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — no ephemeral containers:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed — pod in the matched namespace includes ephemeral containers:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  ephemeralContainers:
    - name: test
      image: test
```
ACKBlockLoadBalancer
Blocks LoadBalancer Services from being deployed in specified namespaces.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| restrictedNamespaces | array | Namespaces in which LoadBalancer Services cannot be deployed. |
Example
Constraint (this example selects the namespaces through spec.match instead):
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — Service without LoadBalancer type:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed — Service of type LoadBalancer:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKBlockNodePort
Blocks NodePort Services from being deployed in specified namespaces.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — Service without NodePort type:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed — Service of type NodePort:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKContainerLimits
Requires CPU and memory limits on all containers in pods in specified namespaces, and rejects limits above the cpu and memory maximums set in the policy. Without limits a single container can starve the node; without a ceiling one tenant can claim an entire node with a single pod.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| cpu | string | Maximum CPU limit a container may set (Kubernetes quantity, for example 1000m). |
| memory | string | Maximum memory limit a container may set (Kubernetes quantity, for example 1Gi). |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
```
Allowed — container has resource limits within the policy maximums:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
```
Disallowed — container limits exceed the policy maximums (the pod is in the matched namespace):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Gi"
          cpu: "2000m"
```
ACKExternalIPs
Restricts Services in specified namespaces to using only external IP addresses listed in the policy. A Service's spec.externalIPs makes kube-proxy on every node route traffic for those addresses to the Service's endpoints, so anyone allowed to create Services could otherwise intercept traffic destined for an arbitrary IP (CVE-2020-8554); the allowlist confines the feature to addresses the cluster owner has approved.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedIPs | array | External IP addresses that Services are permitted to use. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
```
Allowed — Service has no external IP:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed — Service uses an external IP not in allowedIPs:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX
```
ACKImageDigests
Requires every image reference in pods in specified namespaces to pin the image by digest (for example image@sha256:<64 hex characters>, as in the allowed example). A tag can be re-pointed in the registry at any time; a digest guarantees the pod runs exactly the image that was reviewed or signed. As with ACKAllowedRepos, initContainers are checked as well.
Severity: Low
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — image reference includes a digest:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
      name: test-container
```
Disallowed — image references have no digest:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
```
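Several of the pod policies on this page (ACKNoEnvVarSecrets, ACKBlockAutomountToken, ACKAllowedRepos, ACKContainerLimits and ACKImageDigests) can be pre-checked outside the cluster so that a manifest is fixed before admission rejects it. The following is an added example, not ACK's or Gatekeeper's code and not their Rego: it re-implements the behaviour the allowed/disallowed pairs show, with the parameter values copied from the constraints above. The function names, the digest pattern, the quantity parser and the two sample pods are this example's own. Two details worth noticing: every container list is walked (initContainers and ephemeralContainers included, since the ACKAllowedRepos and ACKImageDigests examples reject an offending init container), and the ACKContainerLimits comparison parses Kubernetes quantities rather than comparing strings, so that "2000m" is correctly seen to exceed "1000m" and "100Gi" to exceed "1Gi".

```python
"""Pre-admission checks mirroring several ACK pod policies (added example, not ACK's code)."""
import re
from typing import Iterator

POLICY = {
    # ACKAllowedRepos entries are compared against the start of the image reference.
    # Keep the trailing slash: ".../acs" alone would also admit ".../acs-other/x".
    "repos": [
        "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
        "registry.cn-hangzhou.aliyuncs.com/acs/",
    ],
    "cpu": "1000m",    # ACKContainerLimits maximum CPU limit
    "memory": "1Gi",   # ACKContainerLimits maximum memory limit
}

# Kubernetes quantity suffixes: decimal (k, M, ...) and binary (Ki, Mi, ...).
_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)(m|k|M|G|T|Ki|Mi|Gi|Ti)?$")
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # what "pinned by digest" means here


def parse_quantity(value: str) -> float:
    """Convert a quantity such as '500m', '100Mi' or '1Gi' to a plain number."""
    m = _QUANTITY.match(str(value))
    if not m:
        raise ValueError(f"unsupported quantity: {value!r}")
    number, suffix = m.group(1), m.group(2) or ""
    return float(number) / 1000 if suffix == "m" else float(number) * _SUFFIX[suffix]


def all_containers(pod: dict) -> Iterator[dict]:
    """Yield every container spec: init and ephemeral containers count too."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def check_pod(pod: dict, policy: dict = POLICY) -> list[str]:
    """Return violation messages; an empty list means the pod would be admitted."""
    violations = []
    spec = pod.get("spec", {})
    if spec.get("automountServiceAccountToken") is not False:  # omitting the field also fails
        violations.append("ACKBlockAutomountToken: automountServiceAccountToken must be false")
    for c in all_containers(pod):
        name, image = c.get("name", "?"), c.get("image", "")
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                violations.append(f"ACKNoEnvVarSecrets: {name} env {env.get('name')} uses secretKeyRef")
        if not any(image.startswith(repo) for repo in policy["repos"]):
            violations.append(f"ACKAllowedRepos: {name} image {image} is outside the allowlist")
        if not _DIGEST.search(image):
            violations.append(f"ACKImageDigests: {name} image {image} is not pinned by digest")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                violations.append(f"ACKContainerLimits: {name} sets no {res} limit")
            elif parse_quantity(limits[res]) > parse_quantity(policy[res]):
                violations.append(f"ACKContainerLimits: {name} {res} limit {limits[res]} exceeds {policy[res]}")
    return violations


GOOD_POD = {  # constructed sample that satisfies every check
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-ok", "namespace": "test-gatekeeper"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "web",
            "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver@sha256:" + "0" * 64,
            "resources": {"limits": {"cpu": "500m", "memory": "100Mi"}},
        }],
    },
}
BAD_POD = {  # constructed sample: the init container alone breaks four policies
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-bad", "namespace": "test-gatekeeper"},
    "spec": {
        "initContainers": [{"name": "init", "image": "k8s.gcr.io/test-webserver"}],
        "containers": [{
            "name": "app",
            "image": "registry.cn-hangzhou.aliyuncs.com/acs/app:v1",
            "env": [{"name": "SECRET_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}],
            "resources": {"limits": {"cpu": "2000m", "memory": "100Gi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "admitted")
```

The checker is deliberately stricter about digests than a plain "contains @sha256:" test: a truncated or malformed digest is rejected, which is what you want from a pin. Run it against the rendered output of your deployment tooling rather than the source templates, since that is the object the admission webhook will see.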
ACKRequiredLabels
Requires pods in specified namespaces to have labels matching the policy.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| labels | array | Required labels. Each entry has a key (the label that must be present) and an allowedRegex (a regular expression that the label's value must match). |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    labels:
      - key: test
        allowedRegex: "^test.*$"
```
Allowed — pod has a label matching the required regex:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed — label value does not match the required regex:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
    - name: mycontainer
      image: redis
```
ACKRequiredProbes
Requires pods in specified namespaces to have specified types of readiness probes and liveness probes.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| probes | array | Probe types required. Valid values: readinessProbe, livenessProbe. |
| probeTypes | array | Probe implementation types accepted. Valid values: tcpSocket, httpGet, exec. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
```
Allowed — container has both readiness and liveness probes:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
```
Disallowed — container has no probes:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
```
ACKCheckNginxPath
Blocks high-risk values in the spec.rules[].http.paths[].path field of Ingress resources. The path is rendered into the ingress controller's NGINX configuration, so a value that is really a file-system location (the disallowed example below uses /var/run/secrets, where service account tokens are mounted) has no routing purpose and is treated as high risk. Enable this policy for Ingress-nginx versions earlier than 1.2.1. The example constraint sets enforcementAction: deny explicitly; deny is Gatekeeper's default, and setting dryrun instead records existing violations in the constraint's status without rejecting requests, which is the safer first step on a cluster that already has Ingresses.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — paths contain safe values:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed — path contains a high-risk value:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
```
ACKCheckNginxAnnotation
Blocks high-risk values in the metadata.annotations field of Ingress resources. Ingress-nginx reads its per-Ingress settings from annotations and renders them into the NGINX configuration, so annotation values that reference file-system locations such as /var/run/secrets are treated as high risk in the same way as paths. Enable this policy for Ingress-nginx versions earlier than 1.2.1.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — annotations contain safe values:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed — annotation contains a high-risk value:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
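The two Ingress policies above share one idea: a path or annotation value that names a host file-system location, or that could alter the generated NGINX configuration, has no routing purpose. The following pre-admission check reproduces that idea so Ingress manifests can be screened in CI before Gatekeeper sees them. It is an added example, not ACK's Rego template: the permitted path character set, the sensitive-prefix list and the delimiter list are this example's own assumptions (only /var/run/secrets comes from the page), and the inputs are the page's good-paths, bad-path-secrets and var-run-secrets examples rebuilt as Python dicts plus one constructed path that carries a newline.

```python
import re

# Permitted characters in an Ingress path (this example's assumption, not ACK's
# rule list): a URL path that will be rendered into an NGINX location block.
# Whitespace, newlines, ";", "{", "}", "#" and "$" are deliberately excluded
# because they can terminate or extend an NGINX directive. fullmatch() is used
# rather than "^...$" because "$" would match before a trailing newline.
SAFE_PATH_RE = re.compile(r"/[A-Za-z0-9._~%:@!*+,=/-]*")

# Host file-system locations that have no business in an Ingress. Only
# /var/run/secrets (where service account tokens are mounted) comes from the
# page; the remaining prefixes are illustrative.
SENSITIVE_PREFIXES = ("/var/run/secrets", "/etc/", "/proc/", "/root/")

# Characters that let an annotation value escape the directive it is
# interpolated into (again this example's own list).
DIRECTIVE_BREAKOUT_RE = re.compile(r"[\r\n;{}#$]")


def _references_sensitive_path(value: str) -> bool:
    return any(prefix in value for prefix in SENSITIVE_PREFIXES)


def check_ingress(ingress: dict) -> list:
    """Return the list of violations for one Ingress (empty means it passes)."""
    violations = []
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")

    for r_idx, rule in enumerate(ingress.get("spec", {}).get("rules", [])):
        for p_idx, entry in enumerate(rule.get("http", {}).get("paths", [])):
            path = entry.get("path", "/")
            where = f"{name}: spec.rules[{r_idx}].http.paths[{p_idx}].path={path!r}"
            if not SAFE_PATH_RE.fullmatch(path):
                violations.append(f"{where} contains characters not valid in a URL path")
            if _references_sensitive_path(path):
                violations.append(f"{where} references a sensitive host file-system location")

    for key, value in meta.get("annotations", {}).items():
        where = f"{name}: metadata.annotations[{key!r}]={value!r}"
        if DIRECTIVE_BREAKOUT_RE.search(value):
            violations.append(f"{where} contains NGINX directive delimiters")
        if _references_sensitive_path(value):
            violations.append(f"{where} references a sensitive host file-system location")

    return violations


def _ingress(name, paths, annotations=None):
    """Build a minimal Ingress dict (constructed test input)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name, "namespace": "test-gatekeeper",
                     "annotations": annotations or {}},
        "spec": {"rules": [{"host": "cafe.example.com", "http": {"paths": [
            {"path": p, "pathType": "Prefix",
             "backend": {"service": {"name": "tea-svc", "port": {"number": 80}}}}
            for p in paths]}}]},
    }


# The page's examples, plus one constructed path carrying a newline.
GOOD_PATHS = _ingress("good-paths", ["/tea", "/coffee"], {"nginx.org/good": "value"})
BAD_PATH_SECRETS = _ingress("bad-path-secrets", ["/var/run/secrets"])
VAR_RUN_SECRETS_ANNOTATION = _ingress("var-run-secrets", ["/tea", "/coffee"],
                                      {"nginx.org/bad": "/var/run/secrets"})
NEWLINE_PATH = _ingress("newline-path", ["/tea;\nfoo"])

if __name__ == "__main__":
    for ing in (GOOD_PATHS, BAD_PATH_SECRETS, VAR_RUN_SECRETS_ANNOTATION, NEWLINE_PATH):
        result = check_ingress(ing) or ["ok"]
        print(ing["metadata"]["name"], "->", "; ".join(result))
```

Configuration-snippet annotations legitimately contain semicolons and newlines, so a real policy has to decide explicitly whether to allow snippets at all rather than rely on a character check; the example is strict on purpose.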
ACKBlockInternetLoadBalancer
Blocks LoadBalancer Services in specified namespaces whose Alibaba Cloud SLB address type is internet, as selected by the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type annotation. Set the annotation to intranet explicitly on internal Services: without it, the cloud controller manager provisions an internet-facing SLB by default.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]
```
Allowed — LoadBalancer Service uses intranet address type:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
```
Disallowed — LoadBalancer Service uses internet address type:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
RatifyVerification
Uses the Ratify component to verify image signatures or security metadata — such as a software bill of materials (SBOM) — for pods deployed in specified namespaces. Pods whose images carry no verifiable signature or metadata are rejected, so sign the images in scope before enabling the policy with enforcementAction: deny. Install the Ratify component from the Marketplace page in your cluster before enabling this policy.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed — image has a valid signature:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # Image with a valid signature
      name: test-container
```
Disallowed — image has no valid signature:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # Image without a valid signature
      name: test-container
```
PSP
The PSP category provides the same access control capabilities as Kubernetes pod security policies (PSPs), serving as a drop-in alternative. PodSecurityPolicy was removed in Kubernetes 1.25; these constraints deliver the same controls through Gatekeeper admission, scoped per namespace by each constraint's match block rather than by RBAC bindings to a PSP object.
ACKPSPAllowPrivilegeEscalationContainer
Requires every container and init container in pods in specified namespaces to set securityContext.allowPrivilegeEscalation: false. Containers that set it to true, or omit it (the Kubernetes default allows escalation), are rejected.
Severity: Medium
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — allowPrivilegeEscalation: false set on all containers:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false
```
Disallowed — allowPrivilegeEscalation not set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPAllowedUsers
Restricts the runAsUser, runAsGroup, supplementalGroups, and fsGroup settings of pods in specified namespaces to the rule and ID ranges given for each. As in Kubernetes itself, a container-level securityContext overrides pod-level runAsUser and runAsGroup, and init containers are checked as well. Under MustRunAs a setting must be present and fall inside a range; MayRunAs allows it to be omitted but constrains it when present; MustRunAsNonRoot (runAsUser only) rejects UID 0; RunAsAny performs no check.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| runAsUser | object | User rule (MustRunAs, MustRunAsNonRoot, or RunAsAny) and ranges, following Kubernetes PSP semantics. See Pod Security Policies. |
| runAsGroup | object | Group rule (MustRunAs, MayRunAs, or RunAsAny) and ranges, following Kubernetes PSP semantics. See Pod Security Policies. |
| supplementalGroups | object | Supplemental groups rule (MustRunAs, MayRunAs, or RunAsAny) and ranges, following Kubernetes PSP semantics. See Pod Security Policies. |
| fsGroup | object | fsGroup rule (MustRunAs, MayRunAs, or RunAsAny) and ranges, following Kubernetes PSP semantics. See Pod Security Policies. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
```
Allowed — all user/group settings are within the allowed ranges:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
    - image: test
      name: test
      securityContext:
        runAsUser: 150
        runAsGroup: 150
```
Disallowed — user/group settings missing:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
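The rule semantics described above are where most surprises with this policy come from: a pod-level runAsUser that a container quietly overrides to 0, or a MustRunAsNonRoot rule applied to a pod whose UID comes from the image and is therefore unknown at admission time. The following offline checker, an added example and not ACK's Rego template, reproduces the PodSecurityPolicy semantics for the four parameters so manifests can be tested before they reach the cluster. The inputs are the page's good2 and bad pods as Python dicts plus two constructed pods (override and nonroot-*) that exercise those edge cases.

```python
VALID_RULES = {"MustRunAs", "MustRunAsNonRoot", "MayRunAs", "RunAsAny"}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def _check_rule(field, value, rule_spec, where, run_as_non_root=False):
    """Apply one PSP-style rule to one value; value is None when unset."""
    rule = rule_spec.get("rule", "RunAsAny")
    if rule not in VALID_RULES:
        raise ValueError(f"{field}: unknown rule {rule!r}")
    if rule == "RunAsAny":
        return []
    if rule == "MustRunAsNonRoot":
        # An unset UID cannot be verified at admission time (it comes from the
        # image), so it is only acceptable when runAsNonRoot: true makes the
        # kubelet refuse to start a root process.
        if value is None:
            return [] if run_as_non_root else [f"{where}: {field} unset and runAsNonRoot is not true"]
        return [] if value != 0 else [f"{where}: {field}=0 (root) is not allowed"]
    if value is None:
        return [] if rule == "MayRunAs" else [f"{where}: {field} is required by MustRunAs"]
    if not _in_ranges(value, rule_spec.get("ranges", [])):
        return [f"{where}: {field}={value} is outside the allowed ranges"]
    return []


def check_pod(pod, params):
    """Return all violations of the four ACKPSPAllowedUsers parameters."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # runAsUser/runAsGroup are per container; a container-level securityContext
    # overrides the pod-level one, exactly as Kubernetes applies it. Init
    # containers are checked too.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = {**pod_sc, **(c.get("securityContext") or {})}
        where = f"{name}/{c['name']}"
        violations += _check_rule("runAsUser", sc.get("runAsUser"),
                                  params.get("runAsUser", {}), where,
                                  sc.get("runAsNonRoot", False))
        violations += _check_rule("runAsGroup", sc.get("runAsGroup"),
                                  params.get("runAsGroup", {}), where)

    # fsGroup and supplementalGroups exist only at pod level.
    violations += _check_rule("fsGroup", pod_sc.get("fsGroup"),
                              params.get("fsGroup", {}), name)
    groups = pod_sc.get("supplementalGroups") or [None]   # [None] means "unset"
    for g in groups:
        violations += _check_rule("supplementalGroups", g,
                                  params.get("supplementalGroups", {}), name)
    return violations


def _must_run_as(lo, hi):
    return {"rule": "MustRunAs", "ranges": [{"min": lo, "max": hi}]}


# The page's constraint parameters: MustRunAs 100-200 for every field.
PARAMS = {k: _must_run_as(100, 200)
          for k in ("runAsUser", "runAsGroup", "supplementalGroups", "fsGroup")}


def _pod(name, pod_sc=None, container_sc=None):
    """Minimal single-container pod dict (constructed test input)."""
    return {"metadata": {"name": name, "namespace": "test-gatekeeper"},
            "spec": {"securityContext": pod_sc or {},
                     "containers": [{"name": "test", "image": "test",
                                     "securityContext": container_sc or {}}]}}


GOOD2 = _pod("good2", {"fsGroup": 150, "supplementalGroups": [150]},
             {"runAsUser": 150, "runAsGroup": 150})   # the page's allowed example
BAD = _pod("bad")                                      # the page's disallowed example
# Constructed: pod-level IDs are fine but the container overrides the UID to root.
OVERRIDE_TO_ROOT = _pod("override", {"runAsUser": 150, "runAsGroup": 150,
                                     "fsGroup": 150, "supplementalGroups": [150]},
                        {"runAsUser": 0})
# Constructed: MustRunAsNonRoot with no UID passes only with runAsNonRoot: true.
NONROOT_PARAMS = {"runAsUser": {"rule": "MustRunAsNonRoot"}}
NONROOT_OK = _pod("nonroot-ok", {"runAsNonRoot": True})
NONROOT_UNKNOWN = _pod("nonroot-unknown")

if __name__ == "__main__":
    for pod, params in ((GOOD2, PARAMS), (BAD, PARAMS), (OVERRIDE_TO_ROOT, PARAMS),
                        (NONROOT_OK, NONROOT_PARAMS), (NONROOT_UNKNOWN, NONROOT_PARAMS)):
        print(pod["metadata"]["name"], "->", check_pod(pod, params) or ["ok"])
```

The bad pod produces four violations, one per parameter, because MustRunAs treats an absent setting as a failure; switching a parameter to MayRunAs is what makes omission acceptable.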
ACKPSPAppArmor
Restricts pods in specified namespaces to the AppArmor profiles listed in the policy. Every container and init container must carry a container.apparmor.security.beta.kubernetes.io/<container-name> annotation whose value is one of allowedProfiles; a container without the annotation is rejected. Kubernetes 1.30 introduced securityContext.appArmorProfile and deprecated the annotation; the examples on this page use the annotation form.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedProfiles | array | AppArmor profiles that containers are permitted to use, for example runtime/default or localhost/<profile-name>. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default
```
Allowed — AppArmor annotations present on all containers:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
    - image: test
      name: test
  initContainers:
    - image: test
      name: test2
```
Disallowed — no AppArmor annotations:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPCapabilities
Restricts the Linux capabilities that containers in pods in specified namespaces may add to those in allowedCapabilities, and requires every container and init container to drop the capabilities in requiredDropCapabilities. A container with no capabilities configuration at all is rejected whenever requiredDropCapabilities is non-empty, because it has not dropped anything.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedCapabilities | array | Linux capabilities that containers are permitted to add. |
| requiredDropCapabilities | array | Linux capabilities that every container must drop. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
```
Allowed — only allowed capabilities added; required capabilities dropped:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        capabilities:
          add:
            - CHOWN
          drop:
            - "NET_ADMIN"
            - "SYS_ADMIN"
            - "NET_RAW"
```
Disallowed — no capabilities configuration:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
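Two conventions from PodSecurityPolicy matter when writing these parameters: a "*" entry in allowedCapabilities permits any addition, and dropping ALL satisfies every requiredDropCapabilities entry, but dropping ALL does not excuse adding a capability that is not allowed. The following offline checker, an added example rather than ACK's Rego template, applies those rules to the page's good-4 and bad-1 pods (as Python dicts) and to two constructed pods, drop-all and adds-net-admin, that exercise the conventions.

```python
def check_container(container, allowed, required_drop):
    """Violations for one container under PSP-style capability rules."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    added = {c.upper() for c in caps.get("add", [])}
    dropped = {c.upper() for c in caps.get("drop", [])}
    violations = []
    # allowedCapabilities: "*" permits any addition; otherwise every added
    # capability must appear in the list.
    if "*" not in allowed:
        extra = added - {c.upper() for c in allowed}
        if extra:
            violations.append(
                f"{container['name']}: adds capabilities not in allowedCapabilities: {sorted(extra)}")
    # requiredDropCapabilities: dropping ALL satisfies every requirement;
    # otherwise each required capability must be dropped explicitly.
    if "ALL" not in dropped:
        missing = {c.upper() for c in required_drop} - dropped
        if missing:
            violations.append(f"{container['name']}: must drop {sorted(missing)}")
    return violations


def check_pod(pod, params):
    """Apply the rules to every container and init container of a pod."""
    spec = pod.get("spec", {})
    allowed = params.get("allowedCapabilities", [])
    required_drop = params.get("requiredDropCapabilities", [])
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        violations += check_container(c, allowed, required_drop)
    return violations


# The page's constraint parameters.
PARAMS = {"allowedCapabilities": ["CHOWN"],
          "requiredDropCapabilities": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]}


def _pod(name, caps=None):
    """Minimal single-container pod dict (constructed test input)."""
    sc = {"capabilities": caps} if caps is not None else {}
    return {"metadata": {"name": name, "namespace": "test-gatekeeper"},
            "spec": {"containers": [{"name": "test", "image": "test",
                                     "securityContext": sc}]}}


GOOD4 = _pod("good-4", {"add": ["CHOWN"], "drop": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]})
BAD1 = _pod("bad-1")                                   # no capabilities block at all
DROP_ALL = _pod("drop-all", {"drop": ["ALL"]})         # constructed: ALL covers the list
ADDS_NET_ADMIN = _pod("adds-net-admin",
                      {"add": ["NET_ADMIN"], "drop": ["ALL"]})  # constructed: still rejected

if __name__ == "__main__":
    for pod in (GOOD4, BAD1, DROP_ALL, ADDS_NET_ADMIN):
        print(pod["metadata"]["name"], "->", check_pod(pod, PARAMS) or ["ok"])
```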
ACKPSPFlexVolumes
Restricts pods in specified namespaces to the FlexVolume drivers listed in the policy. FlexVolume is deprecated in Kubernetes in favor of CSI; keep this policy for workloads that still mount FlexVolumes and pair it with ACKPSPVolumeTypes, which must list flexVolume for these mounts to be allowed at all.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedFlexVolumes | array | FlexVolume drivers that pods are permitted to use. Each entry has a driver field. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes:
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"
```
Allowed — FlexVolume driver is in the allowlist:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"
```
Disallowed — FlexVolume driver is not in the allowlist:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"
```
ACKPSPForbiddenSysctls
Blocks pods in specified namespaces from setting the sysctls listed in the policy through spec.securityContext.sysctls. The policy is independent of the kubelet's own safe/unsafe distinction: kernel.shm_rmid_forced in the disallowed example is in the kubelet's safe set, but the kernel.* pattern still blocks it.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| forbiddenSysctls | array | Sysctls that pods are not allowed to set. A trailing * matches a prefix (kernel.* blocks every kernel sysctl); a bare * blocks all sysctls. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
      # - "*" # Use * to forbid all sysctls
      - "kernel.*"
```
Allowed — sysctl is not in the blocklist:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'net.ipv4.tcp_syncookies'
        value: "1"
  containers:
    - image: test
      name: test
```
Disallowed — sysctl matches the blocklist pattern:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'kernel.shm_rmid_forced'
        value: '1024'
  containers:
    - image: test
      name: test
```
ACKPSPFSGroup
Requires pods in specified namespaces to use fsGroup settings that comply with the policy. Under MustRunAs the pod must set spec.securityContext.fsGroup to a value inside one of the ranges; MayRunAs permits omitting fsGroup but constrains it when set; RunAsAny performs no check.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| rule | string | fsGroup rule. Valid values: MustRunAs, MayRunAs, RunAsAny. See Volumes and file systems. |
| ranges | array | Allowed fsGroup ID ranges. Each entry sets min and max (inclusive). |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" # "MustRunAs" or "RunAsAny"
    ranges:
      - min: 1
        max: 1000
```
Allowed — fsGroup within the allowed range:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
    - image: test
      name: test
```
Disallowed — fsGroup of 0 is outside the allowed range:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  containers:
    - image: test
      name: test
```
ACKPSPHostFilesystem
Enforces conditions on hostPath volumes mounted by pods in specified namespaces. A hostPath volume must fall under one of the pathPrefix values in allowedHostPaths, and where that entry sets readOnly: true, every volumeMount that references the volume must itself be readOnly: true (hostPath has no read-only setting of its own). Because hostPath is the usual route from a compromised pod to the node, keep the allowlist short, and confirm in dryrun mode that prefix matching behaves as you expect (for example that /foo does not admit /foobar) before switching to deny.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedHostPaths | array | hostPath locations that pods are permitted to mount. Each entry has the two fields below. |
| allowedHostPaths[].pathPrefix | string | Path prefix that the hostPath volume's path must match. |
| allowedHostPaths[].readOnly | boolean | Whether every mount of a matching volume must be read-only. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"
```
Allowed — hostPath volume uses an allowed prefix and is mounted read-only:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      volumeMounts:
        - name: test-volume
          mountPath: "/projected-volume"
          readOnly: true
  volumes:
    - name: test-volume
      hostPath:
        path: /foo
```
Disallowed — hostPath volume uses a path not matching the allowed prefix:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
  volumes:
    - name: test-volume
      hostPath:
        path: /data
        type: File
```
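The two details worth verifying for this policy are that the prefix is matched per path component (so /foo does not admit /foobar) and that the readOnly requirement lands on the volumeMounts, across every container and init container, rather than on the volume. The following offline checker, an added example and not ACK's Rego template, implements exactly that reading of allowedHostPaths and runs it against the page's good1 and bad pods (as Python dicts) plus two constructed pods, foobar and writable, that probe each detail.

```python
from pathlib import PurePosixPath


def prefix_matches(prefix, path):
    """Component-wise prefix match: '/foo' admits '/foo' and '/foo/bar' but
    not '/foobar', which a plain str.startswith() would wrongly admit."""
    p, q = PurePosixPath(prefix).parts, PurePosixPath(path).parts
    return q[:len(p)] == p


def check_pod(pod, allowed_host_paths):
    """Return violations of allowedHostPaths for every hostPath volume in a pod."""
    violations = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    containers = spec.get("containers", []) + spec.get("initContainers", [])

    for vol in spec.get("volumes", []):
        if "hostPath" not in vol:
            continue
        path = vol["hostPath"].get("path", "")
        matches = [a for a in allowed_host_paths if prefix_matches(a["pathPrefix"], path)]
        if not matches:
            violations.append(f"{name}: hostPath {path} is not under an allowed pathPrefix")
            continue
        # PSP semantics: the volume is acceptable if any matching entry allows
        # writes. Otherwise every mount of it, in every container, must be readOnly.
        if all(a.get("readOnly", False) for a in matches):
            for c in containers:
                for m in c.get("volumeMounts", []):
                    if m.get("name") == vol["name"] and not m.get("readOnly", False):
                        violations.append(
                            f"{name}/{c['name']}: mount {m['mountPath']} of hostPath "
                            f"{path} must be readOnly")
    return violations


ALLOWED = [{"readOnly": True, "pathPrefix": "/foo"}]   # the page's constraint parameters


def _pod(name, host_path, read_only, mount=True):
    """Minimal pod with one hostPath volume (constructed test input)."""
    mounts = [{"name": "test-volume", "mountPath": "/projected-volume",
               "readOnly": read_only}] if mount else []
    return {"metadata": {"name": name, "namespace": "test-gatekeeper"},
            "spec": {"containers": [{"name": "test", "image": "test",
                                     "volumeMounts": mounts}],
                     "volumes": [{"name": "test-volume",
                                  "hostPath": {"path": host_path}}]}}


GOOD1 = _pod("good1", "/foo", True)              # the page's allowed example
BAD = _pod("bad", "/data", False, mount=False)   # the page's disallowed example
FOOBAR = _pod("foobar", "/foobar", True)         # constructed: shares only a string prefix
WRITABLE = _pod("writable", "/foo/logs", False)  # constructed: allowed path, writable mount

if __name__ == "__main__":
    for pod in (GOOD1, BAD, FOOBAR, WRITABLE):
        print(pod["metadata"]["name"], "->", check_pod(pod, ALLOWED) or ["ok"])
```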
ACKPSPHostNamespace
Blocks pods in specified namespaces from sharing host namespaces, such as the host PID namespace (hostPID: true) shown in the example or the host IPC namespace (hostIPC: true). Host networking is controlled separately by ACKPSPHostNetworkingPorts.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — pod does not share host namespaces:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed — pod shares the host PID namespace:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
ACKPSPHostNetworkingPorts
Controls whether pods in specified namespaces may use the host network and which host ports they may bind. With hostNetwork: false, any pod that sets spec.hostNetwork: true is rejected; with hostNetwork: true it is permitted, and every hostPort declared by a container or init container must fall between min and max.
Severity: High
Parameters:
| Parameter | Type | Description |
|---|---|---|
| hostNetwork | boolean | Whether pods are permitted to set hostNetwork: true. |
| min | integer | Lowest host port number permitted. |
| max | integer | Highest host port number permitted. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
```
Allowed — host ports are within the allowed range:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      ports:
        - hostPort: 80
          containerPort: 80
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
      ports:
        - hostPort: 8080
          containerPort: 8080
```
Disallowed — host port 22 is outside the allowed range:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      ports:
        - hostPort: 22
          containerPort: 22
```
ACKPSPPrivilegedContainer
Blocks pods in specified namespaces from running privileged containers (securityContext.privileged: true on any container or init container). A privileged container runs with all capabilities and full device access on the node, so this is the control to enable first when migrating from PSP.
Severity: High
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — no privileged mode set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
Disallowed — container has privileged: true:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never
```
ACKPSPProcMount
Requires containers in pods in specified namespaces to use the /proc mount type specified in the policy.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| procMount | string | Permitted securityContext.procMount value. Default keeps the container runtime's standard masking of sensitive /proc paths; Unmasked removes that masking and should only be permitted for workloads that need it, such as nested container runtimes. Using Unmasked also requires the ProcMountType feature gate on the cluster. See AllowedProcMountTypes. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
```
Allowed — procMount: Default matches the policy:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        procMount: "Default"
```
Disallowed — procMount: Unmasked does not match the policy:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        procMount: "Unmasked"
  initContainers:
    - image: test
      name: test2
```
ACKPSPReadOnlyRootFilesystem
Requires every container in pods in specified namespaces to set securityContext.readOnlyRootFilesystem: true. Containers that need a writable scratch location should mount an emptyDir volume at that path instead of relaxing this setting.
Severity: Medium
Parameters: None
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed — readOnlyRootFilesystem: true set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: true
```
Disallowed — readOnlyRootFilesystem: false:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: false
  initContainers:
    - image: test
      name: test2
```
ACKPSPSELinuxV2
Restricts pods in specified namespaces to the SELinux options listed in the policy. Every seLinuxOptions field that a pod or container sets (level, role, type, user) must equal the same field of one allowed entry, as the examples show: the allowed pod sets only level, and that value matches the entry; the disallowed pod's level matches none.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedSELinuxOptions | array | SELinux option sets that pods are permitted to use. Each entry may set level, role, type, and user. See SELinuxOptions v1 core. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
```
Allowed — SELinux options match the allowlist:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
    - image: test
      name: test
```
Disallowed — SELinux level not in the allowlist:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c455"
```
ACKPSPSeccomp
Requires every container and init container in pods in specified namespaces to run under one of the specified seccomp profiles, set through securityContext.seccompProfile at pod or container level. A container with no profile is rejected, and leaving Unconfined out of allowedProfileTypes, as in the example, also rejects containers that explicitly opt out of seccomp.
Severity: Low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedProfileTypes | array | Permitted seccompProfile.type values. Valid values: RuntimeDefault, Localhost, Unconfined. |
| allowedProfiles | array | Permitted profile names. Use runtime/default or docker/default for the runtime's default profile, and localhost/<path> for a Localhost profile, where <path> is the container's localhostProfile value. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
      # - Unconfined
      - RuntimeDefault
      - Localhost
    allowedProfiles:
      - runtime/default
      - docker/default
      - localhost/profiles/audit.json
```
Allowed — seccomp profile matches an allowed type and name:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
  initContainers:
    - image: test
      name: test2
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
```
Disallowed — no seccomp profile set:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPVolumeTypes
Restricts pods in specified namespaces to the volume types listed in the policy. A pod that declares a volume of any other type is rejected. Leaving hostPath out of the list, as in the example, blocks host mounts entirely, which is usually preferable to allowlisting prefixes with ACKPSPHostFilesystem; list flexVolume only when ACKPSPFlexVolumes is also in place to restrict the drivers.
Severity: Medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| volumes | array | Volume types that pods are permitted to use, named as in the pod spec (configMap, secret, persistentVolumeClaim, and so on). Use * to allow all volume types. |
Example
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    volumes:
      # - "*" # Use * to allow all volume types
      - configMap
      # - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      # - hostPath # Required for allowedHostPaths
      - flexVolume # Required for allowedFlexVolumes
```
Allowed — pod uses a FlexVolume driver (in the allowed list):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/oss"
```
Disallowed — pod uses a hostPath volume (not in the allowed list):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
  volumes:
    - name: test-volume
      hostPath:
        path: /data
```