Container Service for Kubernetes: Container security policy rule library

Last Updated: Dec 02, 2025

You can configure security policies for pods to ensure the security of deployment and update requests. The policy management feature in Container Service for Kubernetes (ACK) provides several built-in rule libraries: Compliance, Infra, K8s-general, PSP, and FinOps.

Rule introduction

The ACK container security policy rule library contains the following rule templates:

  • Compliance: Security rules based on compliance standards such as Alibaba Cloud K8s Hardening.

  • Infra: Rules to enhance the security of cloud infrastructure layer resources.

  • K8s-general: Rules to constrain and standardize the configuration of sensitive resources in a Kubernetes cluster and enhance the security of applications in the cluster.

  • PSP: Policies that replace Kubernetes Pod Security Policies (PSPs). These policies provide the same security constraint capabilities as the original PSPs in ACK policy management.

  • FinOps: Policy rules for cost control and optimization.

Policy rule library

ACK provides the following built-in policy rule libraries. The policy categories and their descriptions are provided below:

| Category | Policy | Description | Severity |
| --- | --- | --- | --- |
| Compliance | ACKNoEnvVarSecrets | Restricts mounting Secrets to the environment variables of application pods using `secretKeyRef`. | medium |
| Compliance | ACKPodsRequireSecurityContext | Requires all containers in a pod to have the securityContext field configured. | low |
| Compliance | ACKRestrictNamespaces | Prohibits resource deployment in specified namespaces in the cluster. | low |
| Compliance | ACKRestrictRoleBindings | Restricts role bindings in a specified namespace to use only Roles or ClusterRoles from a specified range. | high |
| Compliance | ACKNamespacesDeleteProtection | Prevents specified namespaces from being accidentally deleted. | medium |
| Compliance | ACKServicesDeleteProtection | Prevents Service instances in a namespace from being accidentally deleted. | medium |
| Compliance | ACKProtectBoundingPV | Prevents persistent volumes (PVs) in a bound state from being deleted. | high |
| Compliance | ACKBlockNodeDelete | Prevents nodes with custom labels from being deleted. | high |
| Compliance | ACKResourceDeletionProtection | Prevents various resources with custom labels, such as Services, Namespaces, and Ingresses, from being deleted. | high |
| Compliance | ACKProtectCoreDNS | Prevents CoreDNS-related resources in the kube-system namespace from being deleted. | high |
| Infra | ACKBlockProcessNamespaceSharing | Restricts the use of shareProcessNamespace in applications deployed within a specified scope in the cluster. | high |
| Infra | ACKEmptyDirHasSizeLimit | Requires volumes of the emptyDir type to specify a sizeLimit. | low |
| Infra | ACKLocalStorageRequireSafeToEvict | Requires pods deployed within a specified scope in the cluster to have the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, the autoscaler does not evict pods that use HostPath or EmptyDir volumes during cluster auto scaling. To allow the eviction of these pods, you must add this annotation to the pods. | low |
| Infra | ACKOSSStorageLocationConstraint | Restricts deployments in specified namespaces to use only Alibaba Cloud OSS volumes in a specified region. | low |
| Infra | ACKPVSizeConstraint | Restricts the maximum disk capacity that can be requested for PV instances created in the cluster. | medium |
| Infra | ACKPVCConstraint | Restricts the namespaces where PersistentVolumeClaim (PVC) instances can be deployed and limits the maximum disk capacity that can be requested for PVC instances. | medium |
| Infra | ACKBlockVolumeTypes | Prohibits pods deployed within a specified scope in the cluster from using specified volume mount types. | medium |
| Infra | ASMSidecarInjectionEnforced | Requires pods to have the Alibaba Cloud Service Mesh (ASM) Sidecar injected. | high |
| K8s-general | ACKAllowedRepos | Restricts application pods deployed within a specified scope in the cluster from pulling images that are not on the whitelist. | high |
| K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to be configured with enableServiceLinks: false to prevent service IP addresses from being exposed in pod environment variables. | low |
| K8s-general | ACKBlockAutomountToken | Requires applications to set the automountServiceAccountToken: false field to prevent the automatic mounting of the service account token. | high |
| K8s-general | ACKBlockEphemeralContainer | Restricts the startup of ephemeral containers in application pods within a specified scope in the cluster. | medium |
| K8s-general | ACKBlockLoadBalancer | Restricts the deployment of Services of the LoadBalancer type within a specified scope in the cluster. | high |
| K8s-general | ACKBlockNodePort | Restricts the use of Services of the NodePort type within a specified scope in the cluster. | high |
| K8s-general | ACKContainerLimits | Requires application pods within a specified scope in the cluster to configure resource limits. | low |
| K8s-general | ACKExternalIPs | Restricts Service instances within a specified scope in the cluster from using externalIPs that are not on the whitelist. | high |
| K8s-general | ACKImageDigests | Restricts the deployment of images that do not conform to the digest format within a specified scope in the cluster. | low |
| K8s-general | ACKRequiredLabels | Restricts the deployment of applications that do not have specified labels within a specified scope in the cluster. | low |
| K8s-general | ACKRequiredProbes | Requires pods deployed within a specified scope in the cluster to have specified types of readinessProbe and livenessProbe configured. | medium |
| K8s-general | ACKCheckNginxPath | Restricts the use of dangerous configurations in the spec.rules[].http.paths[].path field of Ingress instances. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high |
| K8s-general | ACKCheckNginxAnnotation | Restricts the use of dangerous configurations in the metadata.annotations field of Ingress instances. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high |
| K8s-general | ACKBlockInternetLoadBalancer | Restricts the creation of public-facing LoadBalancer Services. | high |
| K8s-general | RatifyVerification | After you install the Ratify component from the marketplace, you can verify security metadata, such as signatures or software bill of materials (SBOMs), for pod images deployed within a specified scope in the cluster. | high |
| PSP | ACKPSPAllowPrivilegeEscalationContainer | Restricts pods deployed within a specified scope in the cluster from configuring the allowPrivilegeEscalation parameter. | medium |
| PSP | ACKPSPAllowedUsers | Restricts the startup user, group, supplementalGroups, and fsGroup in pods deployed within a specified scope in the cluster. | medium |
| PSP | ACKPSPAppArmor | Restricts pods deployed within a specified scope in the cluster from configuring AppArmor. | low |
| PSP | ACKPSPCapabilities | Restricts pods deployed within a specified scope in the cluster from configuring Linux Capabilities. | high |
| PSP | ACKPSPFSGroup | Restricts pods deployed within a specified scope in the cluster from configuring fsGroup. | medium |
| PSP | ACKPSPFlexVolumes | Restricts the FlexVolume driver configuration for pods deployed within a specified scope in the cluster. | medium |
| PSP | ACKPSPForbiddenSysctls | Restricts the range of forbidden Sysctls for pods deployed within a specified scope in the cluster. | high |
| PSP | ACKPSPHostFilesystem | Restricts the range of host directories that pods deployed within a specified scope in the cluster are allowed to mount. | high |
| PSP | ACKPSPHostNamespace | Restricts whether pods deployed within a specified scope in the cluster are allowed to share the host namespace. | high |
| PSP | ACKPSPHostNetworkingPorts | Restricts pods deployed within a specified scope in the cluster from using the host network and specified ports. | high |
| PSP | ACKPSPPrivilegedContainer | Restricts the startup of privileged containers in pods deployed within a specified scope in the cluster. | high |
| PSP | ACKPSPProcMount | Restricts the Proc mount types that pods deployed within a specified scope in the cluster are allowed to use. | low |
| PSP | ACKPSPReadOnlyRootFilesystem | Requires pods deployed within a specified scope in the cluster to use a read-only root file system. | medium |
| PSP | ACKPSPSELinuxV2 | Requires pods deployed within a specified scope in the cluster to use the SELinux configuration specified in the `allowedSELinuxOptions` parameter. | low |
| PSP | ACKPSPSeccomp | Restricts pods deployed within a specified scope in the cluster to use specified Seccomp profiles. | low |
| PSP | ACKPSPVolumeTypes | Restricts pods deployed within a specified scope in the cluster to use specified volume mount types. | medium |
| FinOps | ACKContainerRequests | Requires certain application pods in the cluster to declare resource requests. | low |
| FinOps | ACKContainerResourcesWhitelist | Requires the CPU and memory resource configurations of certain application pods in the cluster to be selected from preset options. | low |
| FinOps | ACKContainerResourcesRange | Restricts the resource configurations of certain application pods in the cluster to be within a specified range. | low |
| FinOps | ACKRequiredNodeSelector | Requires certain application pods in the cluster to have a specified nodeSelector label configured. | low |
| FinOps | ACKWorkloadReplicasRange | Restricts the upper and lower limits of the number of application replicas. | low |
| FinOps | ACKRestrictALBCreation | Enforces the reuse of existing Application Load Balancer (ALB) instances and prohibits the creation of new ALB resource instances through AlbConfig. | low |

Compliance

ACKNoEnvVarSecrets

Rule description: Prevents Secrets from being mounted to the environment variables of application pods using `secretKeyRef`.

Severity: Medium.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never
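
A pre-deployment check in the spirit of this rule, as an added example that is not ACK's policy code: it reports every env entry populated through `secretKeyRef`. It goes beyond the Pod-only constraint above by also reading workload pod templates and init or ephemeral containers, which is an assumption about useful coverage rather than a statement of what ACKNoEnvVarSecrets inspects; `CONSTRUCTED_DEPLOYMENT` is constructed sample data.

```python
# Added example (not ACK's implementation): offline scan for secretKeyRef in env.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def pod_spec(manifest):
    """Return the pod spec of a Pod, or the pod template spec of a workload."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    if manifest.get("kind") == "CronJob":
        # CronJob nests the pod template one level deeper, under jobTemplate.
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def env_secret_refs(manifest):
    """Return (container, env var, secret, key) for each env entry using secretKeyRef."""
    findings = []
    spec = pod_spec(manifest)
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            for env in container.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    findings.append(
                        (container.get("name"), env.get("name"), ref.get("name"), ref.get("key"))
                    )
    return findings


# The page's "Allowed" pod: the Secret reaches the container as a mounted volume.
ALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mypod", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"name": "mypod", "image": "redis",
                        "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    },
}

# The page's "Disallowed" pod: two env vars read the Secret through secretKeyRef.
DISALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{
        "name": "mycontainer", "image": "redis",
        "env": [
            {"name": "SECRET_USERNAME",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
            {"name": "SECRET_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
        ],
    }]},
}

# Constructed sample: only the init container of a Deployment uses secretKeyRef.
CONSTRUCTED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "test-gatekeeper"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "redis",
                        "env": [{"name": "LOG_LEVEL", "value": "info"}]}],
        "initContainers": [{"name": "migrate", "image": "redis", "env": [
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db-credentials", "key": "password"}}},
        ]}],
    }}},
}

if __name__ == "__main__":
    for manifest in (ALLOWED_POD, DISALLOWED_POD, CONSTRUCTED_DEPLOYMENT):
        print(manifest["metadata"]["name"], env_secret_refs(manifest))
```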

ACKPodsRequireSecurityContext

Rule description: Requires all containers in a pod to have the securityContext field configured.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test2
  - image: test
    name: test
    resources: {}
    securityContext:
      runAsNonRoot: false

ACKRestrictNamespaces

Rule description: Prohibits the deployment of resources in specified namespaces in the cluster.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | A list of namespaces where resource deployment is prohibited. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
  restartPolicy: Never

ACKRestrictRoleBindings

Rule description: Restricts a RoleBinding in a specified namespace to use only Roles or ClusterRoles from a specified range.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| restrictedRole | object | The restricted ClusterRole or Role. |
| allowedSubjects | array | A whitelist of Subjects that are allowed to be attached. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"

Allowed:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Disallowed:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
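
The decision this constraint encodes, as an added example that is not ACK's policy code: a RoleBinding that references the restricted role is acceptable only if every subject is on the allowedSubjects list. The comparison on (apiGroup, kind, name) with Kubernetes' default subject apiGroup filled in is an assumption, needed because the page's `good-2` binding omits apiGroup while the constraint specifies it; `MIXED` and `VIEW_BINDING` are constructed samples.

```python
# Added example (not ACK's implementation): offline check of RoleBinding subjects.
RBAC_GROUP = "rbac.authorization.k8s.io"

# Parameters copied from the page's constraint.
RESTRICTED_ROLE = {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"}]


def subject_key(subject):
    """Identity of a subject as (apiGroup, kind, name).

    A manifest may omit apiGroup; the API server defaults it to "" for
    ServiceAccount subjects and to the RBAC group for User and Group subjects.
    """
    kind = subject.get("kind")
    default_group = "" if kind == "ServiceAccount" else RBAC_GROUP
    return (subject.get("apiGroup", default_group), kind, subject.get("name"))


def uses_restricted_role(binding, restricted_role):
    """True when the binding's roleRef names exactly the restricted role."""
    role_ref = binding.get("roleRef") or {}
    return all(role_ref.get(f) == restricted_role.get(f) for f in ("apiGroup", "kind", "name"))


def disallowed_subjects(binding, restricted_role, allowed_subjects):
    """Subjects that must not be bound to the restricted role (empty list = compliant)."""
    if not uses_restricted_role(binding, restricted_role):
        return []
    allowed = {subject_key(s) for s in allowed_subjects}
    return [s for s in binding.get("subjects") or [] if subject_key(s) not in allowed]


def binding(name, subjects, role_name):
    """Build a RoleBinding manifest in test-gatekeeper that references a ClusterRole."""
    return {
        "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": name, "namespace": "test-gatekeeper"},
        "subjects": subjects,
        "roleRef": {"kind": "ClusterRole", "name": role_name, "apiGroup": RBAC_GROUP},
    }


# The page's "Allowed" and "Disallowed" bindings.
GOOD_2 = binding("good-2", [{"kind": "Group", "name": "system:masters"}], "cluster-admin")
BAD_1 = binding(
    "bad-1", [{"kind": "ServiceAccount", "name": "policy-template-controller"}], "cluster-admin"
)
# Constructed samples: one allowed and one unlisted subject on the restricted role,
# and an unlisted subject bound to a role that is not restricted.
MIXED = binding(
    "constructed-mixed",
    [{"kind": "Group", "name": "system:masters"}, {"kind": "User", "name": "dev-user"}],
    "cluster-admin",
)
VIEW_BINDING = binding("constructed-view", [{"kind": "User", "name": "dev-user"}], "view")

if __name__ == "__main__":
    for rb in (GOOD_2, BAD_1, MIXED, VIEW_BINDING):
        print(rb["metadata"]["name"], disallowed_subjects(rb, RESTRICTED_ROLE, ALLOWED_SUBJECTS))
```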

ACKNamespacesDeleteProtection

Rule description: Prevents specified namespaces from being accidentally deleted. You can use the protectionNamespaces parameter to configure the names of the protected namespaces.

Prerequisites: The Gatekeeper component must be upgraded to v3.10.0.130-g0e79597d-aliyun or later. For more information, see Gatekeeper.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| protectionNamespaces | array | A list of protected namespace names. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper

Allowed:

apiVersion: v1
kind: Namespace
metadata:
  name: will-delete

Disallowed:

apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper

ACKServicesDeleteProtection

Rule description: Prevents Service instances in a specified namespace from being accidentally deleted. You can use the protectionServices parameter to configure the names of the protected Service instances.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| protectionServices | array | A list of protected Service instance names in the specified namespace. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc

Allowed:

apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper

Disallowed:

apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: test-gatekeeper

ACKProtectBoundingPV

Rule description: Prevents the deletion of persistent volumes (PVs) bound to a PersistentVolumeClaim (PVC).

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectBoundingPV
metadata:
  name: protect-pv-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolume

Allowed:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
status:
  phase: Released

Disallowed:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
status:
  phase: Bound

ACKBlockNodeDelete

Rule description: Prevents nodes with custom labels from being deleted. You can define multiple key-value pairs. A node is protected if it matches any of these pairs.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| protectedLabels | array | Custom labels used to identify the nodes to be protected. |
| protectedLabels.labelName | string | The key of the custom label. |
| protectedLabels.labelValue | string | The value of the custom label. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodeDelete
metadata:
  name: block-node-delete
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Node"]
  parameters:
    protectedLabels:
    - labelName: policy.alibabacloud.vpc.com/node-delete-protection
      labelValue: "true"
    - labelName: policy.alibabacloud.com/node-delete-protection
      labelValue: "true"

Allowed:

apiVersion: v1
kind: Node
metadata:
  name: cn-hangzhou-1

Disallowed:

apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-1
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-2
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.com/node-delete-protection: "true"
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-3

ACKResourceDeletionProtection

Rule description: Prevents the deletion of resources that have custom labels. This rule applies to resource types such as Service, Namespace, Ingress, Deployment, StatefulSet, DaemonSet, Job, and CronJob. You can define multiple key-value pairs. A resource is protected if it matches at least one of these pairs.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| labels | array | Custom labels used to identify the resources to be protected. |
| labels.labelName | string | The key of the custom label. |
| labels.labelValue | string | The value of the custom label. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKResourceDeletionProtection
metadata:
  name: resource-deletion-protection
  annotations:
    description: "Protect resources from being accidentally deleted."
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
      - Namespace
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - Job
      - CronJob
  parameters:
    labels:
    - labelName: policy.alibabacloud.com/delete-protection
      labelValue: "true"

Allowed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80

Disallowed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
  labels:
    policy.alibabacloud.com/delete-protection: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80

ACKProtectCoreDNS

Rule description: Prevents the deletion of CoreDNS resources in the kube-system namespace, including the Deployment, Service, and ConfigMap.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| min_replicas | int | Defines the desired minimum number of replicas for the CoreDNS Deployment. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectCoreDNS
metadata:
  name: coredns-protect-rule
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "Service", "Scale", "ConfigMap" ]
    scope: "Namespaced"
    namespaces: ["kube-system"]
  parameters:
    min_replicas: 2

Allowed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
      - name: coredns
        image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
        imagePullPolicy: IfNotPresent

Disallowed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
      - name: coredns
        image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
data:
  Corefile: ""
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: KubeDNS
  name: kube-dns
  namespace: kube-system

Infra

ACKBlockProcessNamespaceSharing

Rule description: Restricts the use of shareProcessNamespace in applications deployed within a specified scope in the cluster.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKEmptyDirHasSizeLimit

Rule description: Requires volumes of the emptyDir type to specify a sizeLimit.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      sizeLimit: "10Mi"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKLocalStorageRequireSafeToEvict

Rule description: Requires pods that are deployed within a specified scope in the cluster to have the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. Pods without this annotation are not deleted during cluster auto scaling.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      # directory location on host
      path: /data
      # this field is optional
      type: Directory

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKOSSStorageLocationConstraint

Rule description: Restricts deployments in specified namespaces to use only Alibaba Cloud Object Storage Service (OSS) volumes in a specified region.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| mode | string | Specifies whether to use whitelist mode. The default value allowlist indicates whitelist mode. Other values indicate blacklist mode. |
| regions | array | A list of specified Alibaba Cloud Region IDs. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

ACKPVSizeConstraint

Rule description: Restricts the maximum disk capacity that can be requested for PV instances created in the cluster.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | The maximum disk capacity that can be requested for a PV instance. The default value is 50 GiB. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "PersistentVolume" ]
  parameters:
    maxSize: "50Gi"

Allowed:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

Disallowed:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

ACKPVCConstraint

Rule description: Restricts the namespaces where PVC instances can be deployed and limits the maximum disk capacity that can be requested for PVC instances.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | The maximum disk capacity that can be requested for a PVC instance. The default value is 50 GiB. |
| allowNamespaces | array | A whitelist of namespaces where PVC instances can be deployed. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "PersistentVolumeClaim" ]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

Disallowed:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi      
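
The two checks this constraint combines, as an added example that is not ACK's policy code: a namespace allowlist test and a storage comparison that converts Kubernetes quantities to bytes, so `50G` and `50Gi` are not treated as equal. The same quantity comparison applies to the `maxSize` parameter of ACKPVSizeConstraint above. Treating a request equal to `maxSize` as allowed, and a missing namespace as `default`, are assumptions; the `52G` claim in the demo is constructed.

```python
# Added example (not ACK's implementation): offline PVC size and namespace check.
import re
from decimal import Decimal

# Kubernetes quantity suffixes: binary (Ki, Mi, ...), decimal (k, M, ...) and milli (m).
_MULTIPLIER = {
    "": Decimal(1), "m": Decimal("0.001"),
    "k": Decimal(10) ** 3, "M": Decimal(10) ** 6, "G": Decimal(10) ** 9,
    "T": Decimal(10) ** 12, "P": Decimal(10) ** 15, "E": Decimal(10) ** 18,
    "Ki": Decimal(2) ** 10, "Mi": Decimal(2) ** 20, "Gi": Decimal(2) ** 30,
    "Ti": Decimal(2) ** 40, "Pi": Decimal(2) ** 50, "Ei": Decimal(2) ** 60,
}
_QUANTITY = re.compile(r"([+-]?\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|Pi|Ei|[mkMGTPE])?")


def to_bytes(quantity):
    """Convert a quantity such as "50Gi" or "1.5G" to bytes.

    Exponent notation (for example "1e3") is not handled and raises ValueError.
    """
    match = _QUANTITY.fullmatch(str(quantity).strip())
    if not match:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    return Decimal(match.group(1)) * _MULTIPLIER[match.group(2) or ""]


def pvc_violations(pvc, max_size="50Gi", allow_namespaces=()):
    """Return the reasons a PVC manifest would be rejected (empty list = compliant)."""
    problems = []
    namespace = (pvc.get("metadata") or {}).get("namespace", "default")
    if allow_namespaces and namespace not in allow_namespaces:
        problems.append(f"namespace {namespace} is not in allowNamespaces")
    requests = ((pvc.get("spec") or {}).get("resources") or {}).get("requests") or {}
    storage = requests.get("storage")
    if storage is not None and to_bytes(storage) > to_bytes(max_size):
        problems.append(f"requests {storage}, above maxSize {max_size}")
    return problems


def make_pvc(name, namespace, storage):
    """Build a PVC manifest shaped like the page's examples."""
    return {
        "apiVersion": "v1", "kind": "PersistentVolumeClaim",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"accessModes": ["ReadWriteOnce"],
                 "resources": {"requests": {"storage": storage}}},
    }


# The page's "Allowed" and "Disallowed" claims.
DISK_PVC = make_pvc("disk-pvc", "test-gatekeeper", "20Gi")
BAD_DISK_PVC = make_pvc("bad-disk-pvc", "test-gatekeeper", "200Gi")
BAD_NAMESPACE_PVC = make_pvc("bad-namespace-pvc", "test-gatekeeper-bad", "20Gi")

if __name__ == "__main__":
    # The last claim is constructed: 52G is 52 * 10^9 bytes, which is below 50Gi.
    constructed = make_pvc("constructed-decimal-pvc", "test-gatekeeper", "52G")
    for claim in (DISK_PVC, BAD_DISK_PVC, BAD_NAMESPACE_PVC, constructed):
        print(claim["metadata"]["name"], pvc_violations(claim, "50Gi", ["test-gatekeeper"]))
```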

ACKBlockVolumeTypes

Rule description: Prohibits pods deployed within a specified scope in the cluster from using specified volume mount types.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| volumes | array | A list of forbidden volume mount types. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
  - name: emptydir-volume
    emptyDir: {}

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
  - name: git-volume
    gitRepo:
      repository: "git@***:***/my-git-repository.git"
      revision: "22f1d8406d464b0c08***"

ASMSidecarInjectionEnforced

Rule description: Requires pods to have the Alibaba Cloud Service Mesh (ASM) Sidecar injected.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ASMSidecarInjectionEnforced
metadata:
  name: asm-sidecar-injectionen-forced
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
    - name: istio-proxy
      image: xxx/proxyv2:xxx

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test

K8s-general

ACKAllowedRepos

Rule description: Prevents application pods that are deployed within a specified scope in the cluster from pulling images that are not on the whitelist.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| repos | array | A whitelist of allowed image repositories. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
    name: test-container-1
  initContainers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
    name: test-container

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container-3
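
The following offline pre-check is an added example, not ACK's own policy code. It assumes that ACKAllowedRepos compares each image reference against `repos` by plain prefix, as the upstream Gatekeeper allowed-repos template does; the function names, `LOOSE_REPOS` and `SIBLING_POD` are constructed for the illustration.

```python
"""Offline pre-check modelled on the ACKAllowedRepos example (added illustration).

Assumption: an image passes when its reference starts with one of the
`repos` strings, i.e. plain prefix matching as in the upstream Gatekeeper
allowed-repos template. This is not ACK's own policy code.
"""

# Every pod field that can carry an image reference.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def disallowed_images(pod, repos):
    """Return (field, container name, image) for each image outside `repos`."""
    findings = []
    spec = pod.get("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            image = container.get("image", "")
            if not any(image.startswith(prefix) for prefix in repos):
                findings.append((field, container.get("name"), image))
    return findings


def loose_prefixes(repos):
    """Return whitelist entries that do not end at a path boundary ('/').

    Under prefix matching, ".../acs" also admits ".../acs-other/app",
    so every entry should end with '/'.
    """
    return [prefix for prefix in repos if not prefix.endswith("/")]


# Parameters and pods below are copied from the examples on this page.
REPOS = [
    "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
    "registry.cn-hangzhou.aliyuncs.com/acs/",
]
POD_01 = {
    "metadata": {"name": "pod-01", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"name": "test-container-1",
                        "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver"}],
        "initContainers": [{"name": "test-container",
                            "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver"}],
    },
}
BAD_1 = {
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"name": "test-container",
                        "image": "k8s.gcr.io/test-webserver"}],
        "initContainers": [{"name": "test-container-3",
                            "image": "k8s.gcr.io/test-webserver"}],
    },
}

# Constructed inputs (not from the page): a whitelist entry without the
# trailing slash, and a pod whose image lives in a sibling repository path.
LOOSE_REPOS = ["registry.cn-hangzhou.aliyuncs.com/acs"]
SIBLING_POD = {
    "metadata": {"name": "sibling", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{"name": "app",
                             "image": "registry.cn-hangzhou.aliyuncs.com/acs-other/app"}]},
}

if __name__ == "__main__":
    for pod in (POD_01, BAD_1, SIBLING_POD):
        print(pod["metadata"]["name"], disallowed_images(pod, REPOS))
    print("loose whitelist entries:", loose_prefixes(LOOSE_REPOS))
    print("sibling pod vs loose whitelist:", disallowed_images(SIBLING_POD, LOOSE_REPOS))
```

Run `loose_prefixes` over the `repos` list before applying the constraint; the whitelist in the example above passes because both entries end with `/`.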

ACKBlockAutoinjectServiceEnv

Rule description: Requires applications to be configured with enableServiceLinks: false to prevent service IP addresses from being exposed in pod environment variables.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
  - image: openpolicyagent/test-webserver:1.0
    name: test-container

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockAutomountToken

Rule description: Requires applications to set automountServiceAccountToken: false to prevent the service account token from being mounted automatically.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
  - image: openpolicyagent/test-webserver:v1.0
    name: test-container

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockEphemeralContainer

Rule description: Prevents ephemeral containers from starting in application pods within a specified scope in the cluster.

Severity: Medium.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
  ephemeralContainers:
    - name: test
      image: test

ACKBlockLoadBalancer

Rule description: Restricts the deployment of Services of the LoadBalancer type within a specified scope in the cluster.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | A list of namespaces where resource deployment is prohibited. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

ACKBlockNodePort

Rule description: Restricts the use of Services of the NodePort type within a specified scope in the cluster.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

ACKContainerLimits

Rule description: Requires application pods within a specified scope in the cluster to configure resource limits.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Mi"
        cpu: "500m"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Gi"
        cpu: "2000m"

ACKExternalIPs

Rule description: Prevents Service instances within a specified scope in the cluster from using externalIPs that are not on the whitelist.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedIPs | array | A whitelist of externalIPs. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"

Allowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX

ACKImageDigests

Rule description: Prevents the deployment of images that do not conform to the digest format within a specified scope in the cluster.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
    name: test-container

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2

ACKRequiredLabels

Rule description: Verifies whether a pod contains specific labels and ensures that the label values conform to a predefined format. This rule supports specifying a regular expression for each label key to validate its value. You can also use the optional parameter to control whether a label is mandatory.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedRegex | string | A regular expression that defines the allowed values of the label. |
| key | string | The label key to be validated. |
| optional | bool | Specifies whether the pod is allowed to be missing this label. true: The label is optional; validation is performed only if the label exists, and its value must then pass the regular expression validation. false: The label is required; it must exist and pass validation. |


Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    labels:
      - key: test
        allowedRegex: "^test.*$"
      - key: env
        allowedRegex: "^(dev|prod)$"
        optional: true

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
    'env': 'invalid'
spec:
  containers:
  - name: mycontainer
    image: redis
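
The `key`, `allowedRegex` and `optional` semantics described above can be checked offline with the following added example, which is not ACK's own policy code. It assumes that `allowedRegex` is applied as an unanchored search, as OPA's regex matching does; the function names and the `NO_LABELS_POD`, `UNANCHORED_RULES` and `PREPROD_POD` inputs are constructed.

```python
"""Label validation modelled on the ACKRequiredLabels parameters (added illustration).

Assumption: `allowedRegex` is applied as an unanchored search, as OPA's
regex matching does, so only the ^ and $ in the pattern pin the whole value.
This is not ACK's own policy code.
"""
import re


def label_violations(pod, label_rules):
    """Return one message per label rule that the pod breaks."""
    labels = pod.get("metadata", {}).get("labels") or {}
    violations = []
    for rule in label_rules:
        key = rule["key"]
        if key not in labels:
            # optional: true -> a missing label is fine; otherwise it is required.
            if not rule.get("optional", False):
                violations.append(f"label '{key}' is required")
            continue
        value = str(labels[key])
        regex = rule.get("allowedRegex")
        if regex and re.search(regex, value) is None:
            violations.append(f"label '{key}' value '{value}' does not match {regex}")
    return violations


def unanchored_rules(label_rules):
    """Return the keys whose allowedRegex is not anchored with ^ ... $."""
    return [
        rule["key"]
        for rule in label_rules
        if rule.get("allowedRegex")
        and not (rule["allowedRegex"].startswith("^")
                 and rule["allowedRegex"].endswith("$"))
    ]


# Rules and pods below are copied from the examples on this page.
LABEL_RULES = [
    {"key": "test", "allowedRegex": "^test.*$"},
    {"key": "env", "allowedRegex": "^(dev|prod)$", "optional": True},
]
GOOD_POD = {"metadata": {"name": "test", "labels": {"test": "test_233"}}}
BAD_POD = {"metadata": {"name": "bad2",
                        "labels": {"test": "233", "env": "invalid"}}}

# Constructed inputs (not from the page).
NO_LABELS_POD = {"metadata": {"name": "no-labels"}}
UNANCHORED_RULES = [{"key": "env", "allowedRegex": "dev|prod"}]
PREPROD_POD = {"metadata": {"name": "preprod", "labels": {"env": "preprod"}}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, NO_LABELS_POD):
        print(pod["metadata"]["name"], label_violations(pod, LABEL_RULES))
    # An unanchored pattern accepts any value that merely contains a match.
    print("unanchored keys:", unanchored_rules(UNANCHORED_RULES))
    print("preprod vs unanchored rule:", label_violations(PREPROD_POD, UNANCHORED_RULES))
```

The constructed `PREPROD_POD` passes the unanchored `dev|prod` pattern but fails the anchored `^(dev|prod)$` pattern used in the constraint on this page.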

ACKRequiredProbes

Rule description: Requires pods deployed within a specified scope in the cluster to have readinessProbe and livenessProbe configured.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| probes | array | The probes that must be configured in the pod. For example, readinessProbe and livenessProbe. |
| probeTypes | array | The probe types that must be configured in the pod. For example, tcpSocket, httpGet, and exec types. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox
    readinessProbe:
      exec:
        command:
          - cat
          - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5
    livenessProbe:
      exec:
        command:
          - cat
          - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox

ACKCheckNginxPath

Rule description: Restricts the use of dangerous configurations in the spec.rules[].http.paths[].path field of Ingress instances. This policy is recommended for ingress-nginx versions earlier than 1.2.1.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

Disallowed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80

ACKCheckNginxAnnotation

Rule description: Restricts the use of dangerous configurations in the metadata.annotations field of Ingress instances. This policy is recommended for ingress-nginx versions earlier than 1.2.1.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

Disallowed:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

ACKBlockInternetLoadBalancer

Rule description: Prevents the creation of public-facing LoadBalancer Services.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]

Allowed:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: non-test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

Disallowed:

apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

RatifyVerification

Rule description: After you install the Ratify component from the marketplace, you can verify security metadata, such as signatures or software bill of materials (SBOMs), for pod images deployed within a specified scope in the cluster.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/signed   # Deploy an image with a valid signature.
    name: test-container

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned   # Deploy an image that fails Ratify signature verification.
    name: test-container

PSP

ACKPSPAllowedUsers

Rule description: Restricts the startup user, group, supplementalGroups, and fsGroup for pods deployed within a specified scope in the cluster.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| runAsUser | object | For more information about this parameter, see the User configuration in the original PSP rules. It supports rule types and the configuration of maximum and minimum UIDs. For more information, see Users and groups. |
| runAsGroup | object | For more information about this parameter, see the Group configuration in the original PSP rules. It supports rule types and the configuration of maximum and minimum UIDs. For more information, see Users and groups. |
| supplementalGroups | object | For more information about this parameter, see the SupplementalGroups configuration in the original PSP rules. It supports rule types and the configuration of maximum and minimum UIDs. For more information, see Users and groups. |
| fsGroup | object | For more information about this parameter, see the fsGroup configuration in the original PSP rules. It supports rule types and the configuration of maximum and minimum UIDs. For more information, see Users and groups. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
  - image: test
    name: test
    securityContext:
      runAsUser: 150
      runAsGroup: 150

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAllowPrivilegeEscalationContainer

Rule description: Restricts the allowPrivilegeEscalation configuration of pods deployed within a specified scope in the cluster. In the example below, a pod is allowed only if its containers set allowPrivilegeEscalation: false.

Severity: Medium.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAppArmor

Rule description: Restricts the AppArmor profiles that pods deployed within a specified scope in the cluster can use.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| probes | array | The probes that must be configured in the pod. For example, readinessProbe and livenessProbe. |
| probeTypes | array | The probe types that must be configured in the pod. For example, tcpSocket, httpGet, and exec types. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
  - image: test
    name: test
  initContainers:
  - image: test
    name: test2

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPCapabilities

Rule description: Restricts the Linux capabilities that pods deployed within a specified scope in the cluster can configure.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedCapabilities | array | A whitelist of allowed capabilities. |
| requiredDropCapabilities | array | The capabilities that must be dropped. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      capabilities:
        add:
          - CHOWN
        drop:
         - "NET_ADMIN"
         - "SYS_ADMIN"
         - "NET_RAW"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPFlexVolumes

Rule description: Restricts the FlexVolume driver configuration for pods deployed within a specified scope in the cluster.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedFlexVolumes | array | A list of allowed FlexVolume drivers. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes: #[]
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"

ACKPSPForbiddenSysctls

Rule description: Specifies the sysctls that pods deployed within a specified scope in the cluster are prohibited from using.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| forbiddenSysctls | array | A list of forbidden sysctls in the pod. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
      # - "*" # * may be used to forbid all sysctls
      - "kernel.*"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'net.ipv4.tcp_syncookies'
        value: "65536"
  containers:
  - image: test
    name: test

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'kernel.shm_rmid_forced'
        value: '1024'
  containers:
  - image: test
    name: test

ACKPSPFSGroup

Rule description: Restricts the fsGroup configuration for pods deployed within a specified scope in the cluster.

Severity: Medium.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| rule | string | For more information about this parameter, see the fsGroup configuration in the original PSP rules. Supported values: MustRunAs, MayRunAs, and RunAsAny. For more information, see Volumes and file systems. |
| ranges | object | Contains the following values: min: The minimum value for the fsGroup ID. max: The maximum value for the fsGroup ID. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
      - min: 1
        max: 1000

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
  - image: test
    name: test

ACKPSPHostFilesystem

Rule description: Restricts the range of host directories that pods deployed within a specified scope in the cluster are allowed to mount.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedHostPaths | object | The host path whitelist configuration. |
| readOnly | boolean | Specifies whether the path is read-only. |
| pathPrefix | string | The path prefix. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
      - name: test-volume
        mountPath: "/projected-volume"
        readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
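
The following added example, which is not ACK's own policy code, evaluates the `allowedHostPaths` parameters against pod manifests offline. It assumes the behaviour of the upstream Gatekeeper host-filesystem template: `pathPrefix` is compared segment by segment, and `readOnly: true` requires every mount of the volume to be read-only. The function names and the `SIBLING_POD` and `WRITABLE_POD` inputs are constructed.

```python
"""hostPath check modelled on the ACKPSPHostFilesystem parameters (added illustration).

Assumptions, taken from the upstream Gatekeeper host-filesystem template and
not from ACK's own policy code: pathPrefix is compared segment by segment,
and readOnly: true requires every mount of that volume to be read-only.
"""

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def path_matches(prefix, path):
    """True when `path` equals `prefix` or lies below it ("/foo" vs "/foobar" is False)."""
    want = [part for part in prefix.split("/") if part]
    have = [part for part in path.split("/") if part]
    return have[:len(want)] == want


def writable_mounts(pod, volume_name):
    """Return names of containers that mount `volume_name` without readOnly: true."""
    names = []
    spec = pod.get("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            for mount in container.get("volumeMounts") or []:
                if mount.get("name") == volume_name and not mount.get("readOnly", False):
                    names.append(container.get("name"))
    return names


def hostpath_violations(pod, allowed_host_paths):
    """Return (volume name, reason) for every hostPath volume that breaks the rules."""
    findings = []
    for volume in pod.get("spec", {}).get("volumes") or []:
        host_path = volume.get("hostPath")
        if host_path is None:
            continue  # not a hostPath volume; this rule does not apply
        matching = [rule for rule in allowed_host_paths
                    if path_matches(rule["pathPrefix"], host_path.get("path", ""))]
        if not matching:
            findings.append((volume["name"], "path-not-allowed"))
        elif (all(rule.get("readOnly", False) for rule in matching)
              and writable_mounts(pod, volume["name"])):
            findings.append((volume["name"], "writable-mount"))
    return findings


# Parameters and pods below are copied from the examples on this page.
ALLOWED_HOST_PATHS = [{"readOnly": True, "pathPrefix": "/foo"}]
GOOD1 = {"metadata": {"name": "good1"}, "spec": {
    "containers": [{"name": "test", "image": "test", "volumeMounts": [
        {"name": "test-volume", "mountPath": "/projected-volume", "readOnly": True}]}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/foo"}}]}}
BAD = {"metadata": {"name": "bad"}, "spec": {
    "containers": [{"name": "test", "image": "test"}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "File"}}]}}

# Constructed pods (not from the page): a sibling directory that only shares
# the string prefix, and an allowed path mounted without readOnly.
SIBLING_POD = {"metadata": {"name": "sibling"}, "spec": {
    "containers": [{"name": "test", "image": "test"}],
    "volumes": [{"name": "other", "hostPath": {"path": "/foobar"}}]}}
WRITABLE_POD = {"metadata": {"name": "writable"}, "spec": {
    "containers": [{"name": "test", "image": "test", "volumeMounts": [
        {"name": "logs", "mountPath": "/logs"}]}],
    "volumes": [{"name": "logs", "hostPath": {"path": "/foo/logs"}}]}}

if __name__ == "__main__":
    for pod in (GOOD1, BAD, SIBLING_POD, WRITABLE_POD):
        print(pod["metadata"]["name"], hostpath_violations(pod, ALLOWED_HOST_PATHS))
```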

ACKPSPHostNamespace

Rule description: Restricts whether pods that are deployed within a specified scope in the cluster can share the host namespace.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKPSPHostNetworkingPorts

Rule description: Restricts the use of the host network and host ports by pods deployed within a specified scope in the cluster.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| hostNetwork | boolean | Specifies whether pods are allowed to share the host network. |
| min | int | The minimum value for the hostPort. |
| max | int | The maximum value for the hostPort. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
      - hostPort: 80
        containerPort: 80
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
      ports:
        - hostPort: 8080
          containerPort: 8080

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
      - hostPort: 22
        containerPort: 22

ACKPSPPrivilegedContainer

Rule description: Prevents privileged containers from starting in pods deployed within a specified scope in the cluster.

Severity: High.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never

ACKPSPProcMount

Rule description: Restricts the proc mount types that pods deployed within a specified scope in the cluster can use.

Severity: High.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| procMount | string | The proc mount type. The following types are allowed: Default (masks the /proc directory by default); Unmasked (does not mask /proc). For more information about parameter settings, see AllowedProcMountTypes. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    procMount: Default  # Default or Unmasked

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2

ACKPSPReadOnlyRootFilesystem

Rule description: Requires pods deployed within a specified scope in the cluster to use a read-only root file system.

Severity: Medium.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2

ACKPSPSeccomp

Rule description: Restricts pods deployed within a specified scope in the cluster to use specified Seccomp profiles.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedProfileTypes | array | A whitelist of allowed Seccomp profile types. |
| allowedProfiles | array | The allowed Seccomp profiles. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
      # - Unconfined
      - RuntimeDefault
      - Localhost
    allowedProfiles:
      - runtime/default
      - docker/default
      - localhost/profiles/audit.json

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPSELinuxV2

Rule description: Requires pods deployed within a specified scope in the cluster to use the SELinux configuration specified in the allowedSELinuxOptions parameter.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedSELinuxOptions | object | A whitelist of allowed SELinux configurations. For more information, see SELinuxOptions v1 core. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Allowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"

ACKPSPVolumeTypes

Rule description: Restricts pods deployed within a specified scope in the cluster to use specified volume mount types.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| volumes | array | A list of allowed volume mount types. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    volumes:
      # - "*" # * may be used to allow all volume types
      - configMap
      # - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      # - hostPath #required for allowedHostPaths
      - flexVolume #required for allowedFlexVolumes

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/oss"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data

FinOps

ACKContainerRequests

Rule description: Requires that specified application pods in the cluster declare resource requests.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| cpu | string | The maximum value for container CPU requests. |
| memory | string | The maximum value for container memory requests. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerRequests
metadata:
  name: container-must-have-requests
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      requests:
        memory: "100Mi"
        cpu: "500m"

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container

ACKContainerResourcesWhitelist

Rule description: Requires that the CPU and memory resource configurations of specified application pods in the cluster are selected from preset options.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| cpuRequests | array | A whitelist for container CPU requests. An empty array [] indicates that all values are allowed. |
| cpuLimits | array | A whitelist for container CPU limits. An empty array [] indicates that all values are allowed. |
| memoryRequests | array | A whitelist for container memory requests. An empty array [] indicates that all values are allowed. |
| memoryLimits | array | A whitelist for container memory limits. An empty array [] indicates that all values are allowed. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesWhitelist
metadata:
  name: container-resources-whitelist
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpuRequests:
      - "100m"
      - "500m"
      - "1"
    cpuLimits:
      - "2"
      - "4000m"
    memoryRequests:
      - "256Mi"
      - "512Mi"
    memoryLimits:
      - "1Gi"
      - "2048Mi"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 10m
          memory: 512Mi
        limits:
          cpu: "1"
          memory: 1Gi

ACKContainerResourcesRange

Rule description: Restricts the resource configurations of specified application pods in the cluster to a specified range.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| cpuRequests | object | Contains the following values: min (the minimum value for container CPU requests); max (the maximum value for container CPU requests). |
| cpuLimits | object | Contains the following values: min (the minimum value for container CPU limits); max (the maximum value for container CPU limits). |
| memoryRequests | object | Contains the following values: min (the minimum value for container memory requests); max (the maximum value for container memory requests). |
| memoryLimits | object | Contains the following values: min (the minimum value for container memory limits); max (the maximum value for container memory limits). |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesRange
metadata:
  name: container-resources-range
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpuRequests:
      min: "100m"
      max: "1"
    cpuLimits:
      min: "500m"
      max: "2"
    memoryRequests:
      min: "256Mi"
      max: "512Mi"
    memoryLimits:
      min: "1Gi"
      max: "2048Mi"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 2Gi

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 10m
          memory: 5Mi
        limits:
          cpu: "3"
          memory: 128Mi
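
An added example, not ACK's own policy code: checking values against min and max means parsing Kubernetes quantities, since the allowed pod's 2Gi memory limit passes only because it equals the 2048Mi maximum. The function names, the supported suffix set and the choice to report unset values are assumptions.

```python
from fractions import Fraction
import re

# Exact multipliers for Kubernetes quantity suffixes (decimal and binary).
SUFFIXES = {"": 1, "m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
            "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
QUANTITY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)([A-Za-z]*)$")
# Constraint parameter -> (section of container.resources, resource name)
FIELDS = {"cpuRequests": ("requests", "cpu"), "cpuLimits": ("limits", "cpu"),
          "memoryRequests": ("requests", "memory"), "memoryLimits": ("limits", "memory")}


def parse_quantity(value):
    """Convert a quantity such as "500m" or "2Gi" to an exact number."""
    match = QUANTITY.match(str(value).strip())
    if not match or match.group(2) not in SUFFIXES:
        raise ValueError(f"unsupported quantity: {value!r}")
    return Fraction(match.group(1)) * SUFFIXES[match.group(2)]


def range_violations(pod, params):
    """Return one message per container value that is unset or outside its range."""
    spec = pod.get("spec", {})
    found = []
    for container in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        resources = container.get("resources") or {}
        for name, (section, resource) in FIELDS.items():
            if name not in params:
                continue
            low, high = params[name]["min"], params[name]["max"]
            raw = (resources.get(section) or {}).get(resource)
            where = f"{container['name']}: {section}.{resource}"
            if raw is None:
                # Assumption: an unset value is reported rather than accepted.
                found.append(f"{where} is not set")
            elif not parse_quantity(low) <= parse_quantity(raw) <= parse_quantity(high):
                found.append(f"{where}={raw} outside [{low}, {high}]")
    return found


def make_pod(requests, limits):
    """Build a one-container pod dict with the given requests and limits."""
    return {"spec": {"containers": [{"name": "test-container",
                                     "resources": {"requests": requests, "limits": limits}}]}}


# Parameters and resource values copied from the example above.
PARAMS = {"cpuRequests": {"min": "100m", "max": "1"},
          "cpuLimits": {"min": "500m", "max": "2"},
          "memoryRequests": {"min": "256Mi", "max": "512Mi"},
          "memoryLimits": {"min": "1Gi", "max": "2048Mi"}}
ALLOWED = make_pod({"cpu": "100m", "memory": "512Mi"}, {"cpu": "2", "memory": "2Gi"})
DISALLOWED = make_pod({"cpu": "10m", "memory": "5Mi"}, {"cpu": "3", "memory": "128Mi"})

if __name__ == "__main__":
    print("allowed:", range_violations(ALLOWED, PARAMS))
    for message in range_violations(DISALLOWED, PARAMS):
        print("disallowed:", message)
```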

ACKRequiredNodeSelector

Rule description: Requires that specified application pods in the cluster have a specified nodeSelector label configured.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| nodeSelector | array | Contains the following values: key (the specified label key); allowedRegex (a regular expression for the label value). |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredNodeSelector
metadata:
  name: must-have-nodeselector
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    nodeSelector:
      - key: "node.alibabacloud.com/nodepool-id"
        allowedRegex: "^np.*$"
      - key: "kubernetes.io/os"
        allowedRegex: "^linux$"

Allowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: linux

Disallowed:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: windows

ACKWorkloadReplicasRange

Rule description: Restricts the upper and lower limits of the number of application replicas.

Severity: Low.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| minReplicas | int | The minimum number of replicas for the application. |
| maxReplicas | int | The maximum number of replicas for the application. |

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKWorkloadReplicasRange
metadata:
  name: replica-limiter
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "StatefulSet", "ReplicaSet", "Scale"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    minReplicas: 2
    maxReplicas: 3

Allowed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"

Disallowed:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-0
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-1
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"

ACKRestrictALBCreation

Rule description: Enforces the reuse of existing Application Load Balancer (ALB) instances and prohibits the creation of new ALB resource instances through AlbConfig.

Severity: Low.

Parameters: None.

Example:

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictALBCreation
metadata:
  name: restrict-alb-creation
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["alibabacloud.com"]
        kinds: ["AlbConfig"]

Allowed:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: 'abcdefghijklmnopqrstuvwxyz'
    forceOverride: false
    listenerForceOverride: false

Disallowed:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb
    addressType: Internet
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****  # Replace with the ID of a vSwitch in a different zone within the cluster's VPC.
      allocationId: eip-asdfas****          # Replace with the EIP ID. The default option is to automatically assign a public IP address.
    - vSwitchId: vsw-uf6nun9tql5t8nh15****  # Replace with the ID of a vSwitch in a different zone within the cluster's VPC.
      allocationId: eip-dpfmss****          # Replace with the EIP ID.
  listeners:
    - port: 80
      protocol: HTTP