Container Service for Kubernetes: Container Security Policy Rule Library Overview

Last Updated: Mar 26, 2026

ACK's cluster policy management feature provides four built-in rule libraries — Compliance, Infra, K8s-general, and PSP — each containing predefined security policies. These policies verify the security of requests to deploy or update pods.

Policy categories

Category | Description
Compliance | Policies based on compliance standards such as Alibaba Cloud Kubernetes Security Hardening.
Infra | Policies that protect cloud infrastructure resources.
K8s-general | Policies that restrict and standardize configurations of sensitive resources in Container Service for Kubernetes (ACK) clusters.
PSP | Policies that replace pod security policies (PSPs) from open source Kubernetes, providing the same access control capabilities.

Predefined security policies

The following table lists all 44 predefined security policies across the four categories.

Category | Policy | Description | Severity
Compliance | ACKNoEnvVarSecrets | Blocks use of secretKeyRef to reference Secrets in pod environment variables. | Medium
Compliance | ACKPodsRequireSecurityContext | Requires pods in specified namespaces to include a securityContext. | Low
Compliance | ACKRestrictNamespaces | Blocks deployment of specified resource types in specified namespaces. | Low
Compliance | ACKRestrictRoleBindings | Restricts RoleBindings in specified namespaces to bind only specified roles or cluster roles. | High
Compliance | ACKNamespacesDeleteProtection | Prevents deletion of specified namespaces. | Medium
Compliance | ACKServicesDeleteProtection | Prevents deletion of Service instances in specified namespaces. | Medium
Infra | ACKBlockProcessNamespaceSharing | Blocks pods in specified namespaces from using shareProcessNamespace. | High
Infra | ACKEmptyDirHasSizeLimit | Requires sizeLimit when mounting emptyDir volumes. | Low
Infra | ACKLocalStorageRequireSafeToEvict | Requires the cluster-autoscaler.kubernetes.io/safe-to-evict: "true" annotation on pods that mount hostPath or emptyDir volumes. | Low
Infra | ACKOSSStorageLocationConstraint | Controls which Object Storage Service (OSS) bucket regions can be mounted to pods in specified namespaces. | Low
Infra | ACKPVSizeConstraint | Sets a maximum disk capacity for persistent volumes (PVs) in the cluster. | Medium
Infra | ACKPVCConstraint | Restricts which namespaces can deploy persistent volume claims (PVCs) and sets a maximum PV disk capacity. | Medium
Infra | ACKBlockVolumeTypes | Blocks pods in specified namespaces from using specified volume types. | Medium
K8s-general | ACKAllowedRepos | Restricts pods in specified namespaces to pulling images from specified image repositories. | High
K8s-general | ACKBlockAutoinjectServiceEnv | Requires enableServiceLinks: false on pods, preventing Service IP addresses from being injected into pod environment variables. | Low
K8s-general | ACKBlockAutomountToken | Requires automountServiceAccountToken: false on pods, preventing automatic service account token mounting. | High
K8s-general | ACKBlockEphemeralContainer | Blocks pods in specified namespaces from launching ephemeral containers. | Medium
K8s-general | ACKBlockLoadBalancer | Blocks LoadBalancer Services from being deployed in specified namespaces. | High
K8s-general | ACKBlockNodePort | Blocks NodePort Services from being deployed in specified namespaces. | High
K8s-general | ACKContainerLimits | Requires resource limits on all containers in pods in specified namespaces. | Low
K8s-general | ACKExternalIPs | Restricts Services in specified namespaces to using only external IP addresses listed in the policy. | High
K8s-general | ACKImageDigests | Requires pods in specified namespaces to use images with digests in the specified format. | Low
K8s-general | ACKRequiredLabels | Requires pods in specified namespaces to have labels matching the policy. | Low
K8s-general | ACKRequiredProbes | Requires pods in specified namespaces to have specified types of readiness probes and liveness probes. | Medium
K8s-general | ACKCheckNginxPath | Blocks high-risk values in spec.rules[].http.paths[].path for Ingress resources. Enable for Ingress-nginx versions earlier than 1.2.1. | High
K8s-general | ACKCheckNginxAnnotation | Blocks high-risk values in metadata.annotations for Ingress resources. Enable for Ingress-nginx versions earlier than 1.2.1. | High
K8s-general | ACKBlockInternetLoadBalancer | Blocks creation of internet-facing LoadBalancer Services. | High
K8s-general | RatifyVerification | Uses the Ratify component to verify image signatures or security metadata (such as a software bill of materials (SBOM)) for pods in specified namespaces. | High
PSP | ACKPSPAllowPrivilegeEscalationContainer | Requires pods in specified namespaces to include the allowPrivilegeEscalation setting. | Medium
PSP | ACKPSPAllowedUsers | Requires pods in specified namespaces to include user, group, supplementalGroups, and fsGroup settings. | Medium
PSP | ACKPSPAppArmor | Requires pods in specified namespaces to include AppArmor settings. | Low
PSP | ACKPSPCapabilities | Requires pods in specified namespaces to include Linux capabilities settings. | High
PSP | ACKPSPFSGroup | Requires pods in specified namespaces to use fsGroup settings that comply with the policy. | Medium
PSP | ACKPSPFlexVolumes | Restricts pods in specified namespaces to using only FlexVolume drivers listed in the policy. | Medium
PSP | ACKPSPForbiddenSysctls | Blocks pods in specified namespaces from using specified sysctls. | High
PSP | ACKPSPHostFilesystem | Enforces conditions on hostPath volumes mounted to pods in specified namespaces. | High
PSP | ACKPSPHostNamespace | Blocks pods in specified namespaces from sharing host namespaces. | High
PSP | ACKPSPHostNetworkingPorts | Controls whether pods in specified namespaces can use the host network and specified ports. | High
PSP | ACKPSPPrivilegedContainer | Blocks pods in specified namespaces from running privileged containers. | High
PSP | ACKPSPProcMount | Requires pods in specified namespaces to use the Proc Mount type specified in the policy. | Low
PSP | ACKPSPReadOnlyRootFilesystem | Requires pods in specified namespaces to run with read-only root filesystems. | Medium
PSP | ACKPSPSELinuxV2 | Restricts pods in specified namespaces to SELinux options listed in the policy. | Low
PSP | ACKPSPSeccomp | Requires pods in specified namespaces to use specified seccomp profiles. | Low
PSP | ACKPSPVolumeTypes | Restricts pods in specified namespaces to mounting only volumes of specified types. | Medium

Compliance

ACKNoEnvVarSecrets

Blocks use of secretKeyRef to reference Secrets in pod environment variables.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — secrets mounted as a volume:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

Disallowed — secrets referenced via secretKeyRef in environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never
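The same check, run offline before a manifest ever reaches the admission webhook, as an added example (this is not ACK's or Gatekeeper's own code). Manifests are plain Python dicts with the same shape as the two pods above; the sample pods are constructed from them. The check walks init and ephemeral containers as well as regular ones, which goes slightly beyond the page's example, because env entries can appear in any of them.

```python
# Added example, not ACK's or Gatekeeper's own code: an offline pre-admission
# check that mirrors what ACKNoEnvVarSecrets rejects. Manifests are plain Python
# dicts with the same shape as the page's YAML (constructed sample input).


def iter_containers(pod):
    """Yield (field, container) for every container in the pod spec. Init and
    ephemeral containers can carry env entries too, so they are included."""
    spec = pod.get("spec", {}) or {}
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []) or []:
            yield field, container


def find_env_secret_refs(pod):
    """Return one violation per env entry whose value comes from secretKeyRef.
    An empty list means the pod would pass ACKNoEnvVarSecrets. envFrom.secretRef
    is outside the page's description of this policy and is not checked here."""
    violations = []
    for field, container in iter_containers(pod):
        for env in container.get("env", []) or []:
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                violations.append(
                    f"{field}/{container.get('name')}: env {env.get('name')} "
                    f"reads Secret {ref.get('name')} key {ref.get('key')}"
                )
    return violations


# Constructed sample input, mirroring the two pods on the page.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mypod", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{
            "name": "mypod", "image": "redis",
            "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}],
        }],
        "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}],
    },
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{
            "name": "mycontainer", "image": "redis",
            "env": [
                {"name": "SECRET_USERNAME",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
                {"name": "SECRET_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}},
            ],
        }],
        "restartPolicy": "Never",
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], find_env_secret_refs(pod) or "OK")
```

The volume-mounted form passes because the Secret never becomes part of the container's environment, which is what `kubectl describe pod`, crash dumps and child processes would otherwise expose.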

ACKPodsRequireSecurityContext

Requires pods in specified namespaces to include a securityContext.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — pod-level securityContext present:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — securityContext only on a container, not the pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test2
  - image: test
    name: test
    resources: {}
    securityContext:
      runAsNonRoot: false

ACKRestrictNamespaces

Blocks deployment of specified resource types in specified namespaces.

Severity: Low

Parameters:

Parameter | Type | Description
restrictedNamespaces | array | Namespaces in which the matched resource types cannot be deployed.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"

Allowed — pod in a non-restricted namespace:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — pod in the restricted namespace:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
  restartPolicy: Never

ACKRestrictRoleBindings

Restricts RoleBindings in specified namespaces to bind only specified roles or cluster roles.

Severity: High

Parameters:

Parameter | Type | Description
restrictedRole | object | The cluster role or role that cannot be bound.
allowedSubjects | array | Subjects permitted to receive the binding.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"

Allowed — binding uses an allowed subject:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Disallowed — binding uses a subject not in allowedSubjects:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

ACKNamespacesDeleteProtection

Prevents deletion of specified namespaces.

Severity: Medium

This policy requires Gatekeeper 3.10.0.130-g0e79597d-aliyun or later. For information about Gatekeeper versions, see Gatekeeper.

Parameters:

Parameter | Type | Description
protectionNamespaces | array | Names of namespaces that cannot be deleted.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper

Allowed — namespace not in the protection list:

apiVersion: v1
kind: Namespace
metadata:
  name: will-delete

Disallowed — namespace in the protection list:

apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper

ACKServicesDeleteProtection

Prevents deletion of Service instances in specified namespaces.

Severity: Medium

Parameters:

Parameter | Type | Description
protectionServices | array | Names of Service instances that cannot be deleted.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc

Allowed — Service not in the protection list:

apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper

Disallowed — Service in the protection list:

apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: test-gatekeeper

Infra

ACKBlockProcessNamespaceSharing

Blocks pods in specified namespaces from using shareProcessNamespace.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — no shareProcessNamespace set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — shareProcessNamespace: true set on the pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKEmptyDirHasSizeLimit

Requires sizeLimit when mounting emptyDir volumes.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — emptyDir volume has a sizeLimit:

apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      sizeLimit: "10Mi"

Disallowed — emptyDir volume has no sizeLimit:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKLocalStorageRequireSafeToEvict

Requires the cluster-autoscaler.kubernetes.io/safe-to-evict: "true" annotation on pods in specified namespaces. By default, Cluster Autoscaler does not evict pods that mount hostPath or emptyDir volumes. Adding this annotation allows Cluster Autoscaler to evict those pods during scaling.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — pod has the safe-to-evict annotation:

apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: Directory

Disallowed — pod mounts a volume but lacks the annotation:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKOSSStorageLocationConstraint

Controls which OSS bucket regions can be mounted to pods in specified namespaces.

Severity: Low

Parameters:

Parameter | Type | Description
mode | string | allowlist (default) enables allowlist mode; any other value enables blocklist mode.
regions | array | Region IDs to include in the allowlist or blocklist.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"

Allowed — OSS bucket is in an allowed region (cn-beijing):

apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

Disallowed — OSS bucket is in a region not in the allowlist (cn-hangzhou):

apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

ACKPVSizeConstraint

Sets a maximum disk capacity for persistent volumes (PVs) in the cluster.

Severity: Medium

Parameters:

Parameter | Type | Description
maxSize | string | Maximum disk capacity for PVs. Default: 50Gi.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"

Allowed — PV requests 25 GiB, within the 50 GiB limit:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

Disallowed — PV requests 500 GiB, exceeding the limit:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

ACKPVCConstraint

Restricts which namespaces can deploy persistent volume claims (PVCs) and sets a maximum PV disk capacity.

Severity: Medium

Parameters:

Parameter | Type | Description
maxSize | string | Maximum disk capacity for PVs. Default: 50Gi.
allowNamespaces | array | Namespaces in which PVCs can be deployed.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"

Allowed — PVC in an allowed namespace, within the size limit:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

Disallowed — PVC exceeds the size limit, or is in a namespace not in allowNamespaces:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

ACKBlockVolumeTypes

Blocks pods in specified namespaces from using specified volume types.

Severity: Medium

Parameters:

Parameter | Type | Description
volumes | array | Volume types that pods are not allowed to use.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"

Allowed — pod uses an emptyDir volume (not blocked):

apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
  - name: emptydir-volume
    emptyDir: {}

Disallowed — pod uses a gitRepo volume (blocked):

apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
  - name: git-volume
    gitRepo:
      repository: "git@***:***/my-git-repository.git"
      revision: "22f1d8406d464b0c08***"
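The three volume policies in this section (ACKEmptyDirHasSizeLimit, ACKLocalStorageRequireSafeToEvict and ACKBlockVolumeTypes) all walk `spec.volumes`, so one offline check can cover them. The block below is an added example, not ACK's or Gatekeeper's own code; the pods are constructed from the examples above, and the gitRepo repository URL is a placeholder.

```python
# Added example, not ACK's or Gatekeeper's own code: one offline volume check
# covering ACKEmptyDirHasSizeLimit, ACKLocalStorageRequireSafeToEvict and
# ACKBlockVolumeTypes. Pods are Python dicts shaped like the page's YAML
# (constructed sample input).

SAFE_TO_EVICT = "cluster-autoscaler.kubernetes.io/safe-to-evict"
# The page names hostPath and emptyDir as the volume types that keep Cluster
# Autoscaler from evicting a pod unless the annotation is present.
LOCAL_STORAGE_TYPES = ("hostPath", "emptyDir")


def volume_type(volume):
    """A pod volume has exactly one type key next to 'name' (emptyDir, hostPath,
    csi, gitRepo, ...); return it, or None for a malformed entry."""
    keys = [k for k in volume if k != "name"]
    return keys[0] if len(keys) == 1 else None


def check_volumes(pod, blocked_types=()):
    """Return policy violations for the pod's volumes; [] means all three pass."""
    violations = []
    spec = pod.get("spec", {}) or {}
    annotations = (pod.get("metadata", {}) or {}).get("annotations", {}) or {}
    uses_local_storage = False
    for volume in spec.get("volumes", []) or []:
        name, vtype = volume.get("name"), volume_type(volume)
        if vtype in blocked_types:
            violations.append(f"volume {name}: type {vtype} is blocked (ACKBlockVolumeTypes)")
        if vtype == "emptyDir" and not (volume.get("emptyDir") or {}).get("sizeLimit"):
            violations.append(f"volume {name}: emptyDir has no sizeLimit (ACKEmptyDirHasSizeLimit)")
        if vtype in LOCAL_STORAGE_TYPES:
            uses_local_storage = True
    # Annotation values are strings, so compare against "true", not a boolean.
    if uses_local_storage and str(annotations.get(SAFE_TO_EVICT, "")).lower() != "true":
        violations.append(
            f'pod mounts local storage without {SAFE_TO_EVICT}: "true" '
            "(ACKLocalStorageRequireSafeToEvict)")
    return violations


def pod_with(volumes, annotations=None):
    """Build a minimal pod around the given volumes (constructed sample input)."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "sample", "namespace": "test-gatekeeper",
                     "annotations": annotations or {}},
        "spec": {"containers": [{"name": "test", "image": "test"}], "volumes": volumes},
    }


GOOD_POD = pod_with([{"name": "cache-volume", "emptyDir": {"sizeLimit": "10Mi"}}],
                    {SAFE_TO_EVICT: "true"})
UNBOUNDED_POD = pod_with([{"name": "cache-volume", "emptyDir": {}}])
# Placeholder repository; the page redacts the real one.
GITREPO_POD = pod_with([{"name": "git-volume",
                         "gitRepo": {"repository": "git@example.invalid:org/repo.git"}}])

if __name__ == "__main__":
    for pod in (GOOD_POD, UNBOUNDED_POD, GITREPO_POD):
        print(check_volumes(pod, blocked_types=("gitRepo",)) or "OK")
```

An emptyDir without `sizeLimit` fails two of the three checks at once: it is unbounded node storage, and it also pins the pod to the node from the autoscaler's point of view until the safe-to-evict annotation says otherwise.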

K8s-general

ACKAllowedRepos

Restricts pods in specified namespaces to pulling images from specified image repositories.

Severity: High

Parameters:

Parameter | Type | Description
repos | array | Image repositories from which pods are allowed to pull images.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"

Allowed — images pulled from allowed repositories:

apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
    name: test-container-1
  initContainers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
    name: test-container

Disallowed — images pulled from a repository not in the allowlist:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container-3

ACKBlockAutoinjectServiceEnv

Requires enableServiceLinks: false on pods in specified namespaces, preventing Service IP addresses from being injected into pod environment variables.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — enableServiceLinks: false set:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
  - image: openpolicyagent/test-webserver:1.0
    name: test-container

Disallowed — enableServiceLinks not set:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockAutomountToken

Requires automountServiceAccountToken: false on pods in specified namespaces, preventing automatic service account token mounting.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — automountServiceAccountToken: false set:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
  - image: openpolicyagent/test-webserver:v1.0
    name: test-container

Disallowed — automountServiceAccountToken not set to false:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockEphemeralContainer

Blocks pods in specified namespaces from launching ephemeral containers.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — no ephemeral containers:

apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed — pod includes ephemeral containers:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
  ephemeralContainers:
    - name: test
      image: test

ACKBlockLoadBalancer

Blocks LoadBalancer Services from being deployed in specified namespaces.

Severity: High

Parameters:

Parameter | Type | Description
restrictedNamespaces | array | Namespaces in which LoadBalancer Services cannot be deployed.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"

Allowed — Service without LoadBalancer type:

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed — Service of type LoadBalancer:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

ACKBlockNodePort

Blocks NodePort Services from being deployed in specified namespaces.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"

Allowed — Service without NodePort type:

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed — Service of type NodePort:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

ACKContainerLimits

Requires resource limits on all containers in pods in specified namespaces.

Severity: Low

Parameters:

Parameter | Type | Description
cpu | string | Maximum CPU limit a container may declare (the constraint below uses 1000m).
memory | string | Maximum memory limit a container may declare (the constraint below uses 1Gi).

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"

Allowed — container has resource limits set:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Mi"
        cpu: "500m"

Disallowed — container limits exceed the policy maximums:

apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Gi"
        cpu: "2000m"
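ACKPVSizeConstraint, ACKPVCConstraint and ACKContainerLimits all compare Kubernetes quantity strings ("500m" against "1000m", "200Gi" against "50Gi"), which cannot be done lexically. The block below is an added example, not ACK's or Gatekeeper's own code: a quantity parser for the suffixes those policies use, plus the three comparisons, run over objects constructed from the PV, PVC and pod examples on this page. The exponent form of quantities ("1e3") is deliberately left out.

```python
# Added example, not ACK's or Gatekeeper's own code: quantity parsing and the
# size checks behind ACKPVSizeConstraint, ACKPVCConstraint and ACKContainerLimits.
import re
from decimal import Decimal

SUFFIX = {
    "": 1, "m": Decimal("0.001"),
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18,
    "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4, "Pi": 1024**5, "Ei": 1024**6,
}
QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|Pi|Ei|k|M|G|T|P|E|m)?$")


def parse_quantity(value):
    """Turn a quantity string such as "500m", "20Gi" or "1Gi" into a Decimal."""
    match = QUANTITY_RE.match(str(value).strip())
    if not match:
        raise ValueError(f"not a Kubernetes quantity: {value!r}")
    number, suffix = match.groups()
    return Decimal(number) * Decimal(SUFFIX[suffix or ""])


def check_storage_size(obj, max_size):
    """Size check shared by PVs (spec.capacity.storage) and PVCs
    (spec.resources.requests.storage): [] if within maxSize."""
    spec = obj.get("spec", {}) or {}
    name = f"{obj.get('kind')} {(obj.get('metadata') or {}).get('name')}"
    if obj.get("kind") == "PersistentVolume":
        requested = (spec.get("capacity") or {}).get("storage")
    else:
        requested = ((spec.get("resources") or {}).get("requests") or {}).get("storage")
    if requested is None:
        return [f"{name}: no storage size declared"]
    if parse_quantity(requested) > parse_quantity(max_size):
        return [f"{name}: {requested} exceeds maxSize {max_size}"]
    return []


def check_pvc(pvc, max_size, allow_namespaces):
    """ACKPVCConstraint: size limit plus a namespace allowlist."""
    violations = check_storage_size(pvc, max_size)
    namespace = (pvc.get("metadata") or {}).get("namespace", "default")
    if namespace not in allow_namespaces:
        violations.append(f"PVC in namespace {namespace}: not in allowNamespaces")
    return violations


def check_container_limits(pod, max_cpu, max_memory):
    """ACKContainerLimits: every container needs cpu and memory limits, and
    neither may exceed the policy maximum."""
    violations = []
    for c in (pod.get("spec", {}) or {}).get("containers", []) or []:
        limits = (c.get("resources") or {}).get("limits") or {}
        for resource, maximum in (("cpu", max_cpu), ("memory", max_memory)):
            if resource not in limits:
                violations.append(f"container {c.get('name')}: no {resource} limit")
            elif parse_quantity(limits[resource]) > parse_quantity(maximum):
                violations.append(f"container {c.get('name')}: {resource} limit "
                                  f"{limits[resource]} exceeds {maximum}")
    return violations


# Constructed sample objects mirroring the page's PV, PVC and pod examples.
def pv(name, storage):
    return {"kind": "PersistentVolume", "metadata": {"name": name},
            "spec": {"capacity": {"storage": storage}}}


def pvc(name, namespace, storage):
    return {"kind": "PersistentVolumeClaim", "metadata": {"name": name, "namespace": namespace},
            "spec": {"resources": {"requests": {"storage": storage}}}}


def pod(limits):
    return {"kind": "Pod", "metadata": {"name": "sample", "namespace": "test-gatekeeper"},
            "spec": {"containers": [{"name": "test-container", "resources": {"limits": limits}}]}}


if __name__ == "__main__":
    print(check_storage_size(pv("pv-oss-csi-bad", "500Gi"), "50Gi") or "OK")
    print(check_pvc(pvc("bad-namespace-pvc", "test-gatekeeper-bad", "20Gi"), "50Gi", ["test-gatekeeper"]) or "OK")
    print(check_container_limits(pod({"memory": "100Gi", "cpu": "2000m"}), "1000m", "1Gi") or "OK")
```

A container with no `resources` at all produces two violations (no cpu limit, no memory limit), which is the "requires resource limits on all containers" half of the policy; the comparison against the constraint's `cpu` and `memory` parameters is the other half.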

ACKExternalIPs

Restricts Services in specified namespaces to using only external IP addresses listed in the policy.

Severity: High

Parameters:

Parameter | Type | Description
allowedIPs | array | External IP addresses that Services are permitted to use.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"

Allowed — Service has no external IP:

apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed — Service uses an external IP not in allowedIPs:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX

ACKImageDigests

Requires pods in specified namespaces to use images with digests in the specified format.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — image reference includes a digest:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
    name: test-container

Disallowed — image reference has no digest:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2

ACKRequiredLabels

Requires pods in specified namespaces to have labels matching the policy.

Severity: Low

Parameters:

Parameter | Type | Description
labels | array | Label requirements, one entry per label key. Each entry sets key and allowedRegex.
allowedRegex | string | Required label values expressed as a regular expression.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    labels:
      - key: test
        allowedRegex: "^test.*$"

Allowed — pod has a label matching the required regex:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed — label value does not match the required regex:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
  - name: mycontainer
    image: redis

ACKRequiredProbes

Requires pods in specified namespaces to have specified types of readiness probes and liveness probes.

Severity: Medium

Parameters:

Parameter | Type | Description
probes | array | Probe types that every container must define. Valid values: readinessProbe, livenessProbe.
probeTypes | array | Probe implementations accepted for those probes. Valid values: tcpSocket, httpGet, exec.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]

Allowed — container has both readiness and liveness probes:

apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox
    readinessProbe:
      exec:
        command:
          - cat
          - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5
    livenessProbe:
      exec:
        command:
          - cat
          - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5

Disallowed — container has no probes:

apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox

ACKCheckNginxPath

Blocks high-risk values in the spec.rules[].http.paths[].path field of Ingress resources. The disallowed example below uses /var/run/secrets, the directory in which Kubernetes mounts service account tokens. Enable this policy for ingress-nginx versions earlier than 1.2.1; it is a pattern blocklist, not a replacement for upgrading the controller.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"

Allowed — paths contain safe values:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

Disallowed — path contains a high-risk value:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80

ACKCheckNginxAnnotation

Blocks high-risk values in the metadata.annotations field of Ingress resources, such as annotation values that reference /var/run/secrets, the directory in which Kubernetes mounts service account tokens. Enable this policy for ingress-nginx versions earlier than 1.2.1; it is a pattern blocklist, not a replacement for upgrading the controller.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"

Allowed — annotations contain safe values:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

Disallowed — annotation contains a high-risk value:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

ACKBlockInternetLoadBalancer

Blocks creation of internet-facing LoadBalancer Services, identified by the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type annotation. Note that ACK defaults the address type to internet when the annotation is omitted; confirm in a test namespace whether the policy also rejects Services that leave the annotation unset before relying on it.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]

Allowed — LoadBalancer Service uses intranet address type:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

Disallowed — LoadBalancer Service uses internet address type:

apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

RatifyVerification

Uses the Ratify component to verify image signatures or security metadata, such as a software bill of materials (SBOM), for pods deployed in specified namespaces. Install the Ratify component from the Marketplace page in your cluster before enabling this policy.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — image has a valid signature:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/signed   # Image with a valid signature
    name: test-container

Disallowed — image has no valid signature:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned   # Image without a valid signature
    name: test-container

PSP

The PSP category provides the same access control capabilities as Kubernetes pod security policies (PSPs), serving as a drop-in alternative.

ACKPSPAllowPrivilegeEscalationContainer

Requires every container and init container in pods in specified namespaces to set securityContext.allowPrivilegeEscalation: false. Kubernetes defaults the field to true, so a container that omits it, or sets it to true, can still gain privileges through setuid binaries or file capabilities and is rejected.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — allowPrivilegeEscalation: false set on all containers:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false

Disallowed — allowPrivilegeEscalation not set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAllowedUsers

Restricts the user and group IDs that pods in specified namespaces may run with: runAsUser and runAsGroup for every container, plus supplementalGroups and fsGroup at the pod level, each governed by its own rule and ID ranges.

Severity: Medium

Parameters:

Parameter | Type | Description
runAsUser | object | rule (MustRunAs, MustRunAsNonRoot, or RunAsAny) and ranges of allowed UIDs, following Kubernetes PSP semantics. See Pod Security Policies.
runAsGroup | object | rule (MustRunAs, MayRunAs, or RunAsAny) and ranges of allowed GIDs, following Kubernetes PSP semantics. See Pod Security Policies.
supplementalGroups | object | rule (MustRunAs, MayRunAs, or RunAsAny) and ranges of allowed supplemental GIDs, following Kubernetes PSP semantics. See Pod Security Policies.
fsGroup | object | rule (MustRunAs, MayRunAs, or RunAsAny) and ranges of allowed fsGroup IDs, following Kubernetes PSP semantics. See Pod Security Policies.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200

Allowed — all user/group settings are within the allowed ranges:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
  - image: test
    name: test
    securityContext:
      runAsUser: 150
      runAsGroup: 150

Disallowed — user/group settings missing:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAppArmor

Requires every container in pods in specified namespaces to carry an AppArmor annotation (container.apparmor.security.beta.kubernetes.io/<container name>) whose profile is listed in allowedProfiles.

Severity: Low

Parameters:

Parameter | Type | Description
allowedProfiles | array | AppArmor profiles that containers are permitted to use, for example runtime/default or localhost/<profile name>.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default

Allowed — AppArmor annotations present on all containers:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
  - image: test
    name: test
  initContainers:
  - image: test
    name: test2

Disallowed — no AppArmor annotations:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPCapabilities

Restricts the Linux capabilities of containers in pods in specified namespaces: a container may add only capabilities listed in allowedCapabilities and must drop every capability listed in requiredDropCapabilities.

Severity: High

Parameters:

Parameter | Type | Description
allowedCapabilities | array | Linux capabilities that containers may add through securityContext.capabilities.add.
requiredDropCapabilities | array | Linux capabilities that every container must list in securityContext.capabilities.drop.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

Allowed — only allowed capabilities added; required capabilities dropped:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      capabilities:
        add:
          - CHOWN
        drop:
         - "NET_ADMIN"
         - "SYS_ADMIN"
         - "NET_RAW"

Disallowed — no capabilities configuration:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
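As an added example (not ACK's implementation of the rule), the following local check applies the two ACKPSPCapabilities parameters to a pod's containers and init containers. It assumes that capability names are compared case-insensitively with an optional CAP_ prefix stripped, and that a container dropping ALL satisfies every requiredDropCapabilities entry; the good and bad pods are the page's examples as dicts, the other two are constructed.

```python
def normalize_cap(name: str) -> str:
    """'net_admin', 'CAP_NET_ADMIN' and 'NET_ADMIN' all denote the same capability."""
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def pod_containers(pod: dict):
    """Yield (kind, container) for app and init containers."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            yield kind, container


def capability_violations(pod: dict, allowed_add: list, required_drop: list) -> list:
    """Flag containers that add unlisted capabilities or fail to drop required ones."""
    allowed = {normalize_cap(c) for c in allowed_add}
    required = {normalize_cap(c) for c in required_drop}
    violations = []
    for kind, container in pod_containers(pod):
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        added = {normalize_cap(c) for c in caps.get("add", [])}
        dropped = {normalize_cap(c) for c in caps.get("drop", [])}
        where = f"{kind}/{container.get('name')}"
        # Every added capability must be explicitly allowed; "ALL" is no exception.
        extra = sorted(added - allowed)
        if extra:
            violations.append(f"{where}: adds capabilities not in allowedCapabilities: {extra}")
        # Dropping ALL satisfies every required drop; otherwise each one must be listed.
        if "ALL" not in dropped:
            missing = sorted(required - dropped)
            if missing:
                violations.append(f"{where}: does not drop required capabilities: {missing}")
    return violations


# Constructed inputs mirroring the page's constraint and example pods.
ALLOWED_ADD = ["CHOWN"]
REQUIRED_DROP = ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]


def _pod(name: str, add: list, drop: list) -> dict:
    """Build a one-container pod with the given capability add/drop lists."""
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": "test", "image": "test",
                                     "securityContext": {"capabilities": {"add": add, "drop": drop}}}]}}


GOOD_POD = _pod("good-4", ["CHOWN"], ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"])  # page's allowed pod
BAD_POD = {"metadata": {"name": "bad-1"},                                    # page's disallowed pod
           "spec": {"containers": [{"name": "test", "image": "test"}]}}
DROP_ALL_POD = _pod("drop-all", [], ["ALL"])                # the least-privilege baseline
ESCALATING_POD = _pod("escalating", ["cap_net_admin"], [])  # unlisted add and no drops

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, DROP_ALL_POD, ESCALATING_POD):
        print(pod["metadata"]["name"], capability_violations(pod, ALLOWED_ADD, REQUIRED_DROP) or "ok")
```

A container with no capabilities block at all fails the check, exactly as the page's bad-1 pod does, because the required drops are absent; drop: ["ALL"] with an empty add list is the simplest way to satisfy any requiredDropCapabilities setting.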

ACKPSPFlexVolumes

Restricts pods in specified namespaces to using only FlexVolume drivers listed in the policy.

Severity: Medium

Parameters:

Parameter | Type | Description
allowedFlexVolumes | array | FlexVolume drivers that pods may use. Each entry is an object with a driver field.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes:
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"

Allowed — FlexVolume driver is in the allowlist:

apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"

Disallowed — FlexVolume driver is not in the allowlist:

apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"

ACKPSPForbiddenSysctls

Blocks pods in specified namespaces from using specified sysctls.

Severity: High

Parameters:

Parameter | Type | Description
forbiddenSysctls | array | Sysctl names or prefix patterns (for example kernel.*) that pods may not set. Use * to block all sysctls.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
      # - "*" # Use * to forbid all sysctls
      - "kernel.*"

Allowed — sysctl is not in the blocklist:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'net.ipv4.tcp_syncookies'
        value: "65536"
  containers:
  - image: test
    name: test

Disallowed — sysctl matches the blocklist pattern:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'kernel.shm_rmid_forced'
        value: '1024'
  containers:
  - image: test
    name: test

ACKPSPFSGroup

Requires pods in specified namespaces to use fsGroup settings that comply with the policy.

Severity: Medium

Parameters:

Parameter | Type | Description
rule | string | fsGroup rule. Valid values: MustRunAs, MayRunAs, RunAsAny. See Volumes and file systems.
ranges | array | Allowed fsGroup ID ranges. Each entry sets min and max (inclusive).

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" # "MustRunAs" or "RunAsAny"
    ranges:
      - min: 1
        max: 1000

Allowed — fsGroup within the allowed range:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test

Disallowed — fsGroup of 0 is outside the allowed range:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  containers:
  - image: test
    name: test
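The rule/ranges objects used by ACKPSPAllowedUsers above and by ACKPSPFSGroup share one set of semantics, which the page only references. As an added example (not ACK's implementation), the following evaluator spells them out under the PSP semantics assumed here: MustRunAs requires a value inside a range, MayRunAs allows the field to be omitted but range-checks it when present, MustRunAsNonRoot (runAsUser only) accepts runAsNonRoot: true or a non-zero UID, and RunAsAny accepts anything. It also applies the Kubernetes precedence rule that a container-level securityContext overrides the pod-level one for runAsUser and runAsGroup. The parameters and the good2/bad pods mirror the page's examples; the override pod is constructed.

```python
def in_ranges(value: int, ranges: list) -> bool:
    """True when value falls inside any [min, max] range (inclusive)."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_field(field: str, spec: dict, value, non_root: bool = False) -> list:
    """Apply one rule object to a single value (None when the field is unset)."""
    rule = spec.get("rule", "RunAsAny")
    ranges = spec.get("ranges", [])
    if rule == "RunAsAny":
        return []
    if rule == "MustRunAsNonRoot":  # meaningful for runAsUser only
        if non_root or (value is not None and value != 0):
            return []
        return [f"{field}: must run as a non-root UID (got {value})"]
    if value is None:
        return [] if rule == "MayRunAs" else [f"{field}: must be set ({rule})"]
    if not in_ranges(value, ranges):
        return [f"{field}={value}: outside the allowed ranges"]
    return []


def allowed_users_violations(pod: dict, params: dict) -> list:
    """Evaluate the four ACKPSPAllowedUsers rule objects against one pod."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            sc = c.get("securityContext") or {}
            where = f"{kind}/{c.get('name')}"
            # Container-level securityContext wins over the pod-level one.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            gid = sc.get("runAsGroup", pod_sc.get("runAsGroup"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            for msg in check_field("runAsUser", params.get("runAsUser", {}), uid, non_root):
                violations.append(f"{where}: {msg}")
            for msg in check_field("runAsGroup", params.get("runAsGroup", {}), gid):
                violations.append(f"{where}: {msg}")
    # supplementalGroups and fsGroup exist only at pod level.
    sup_spec = params.get("supplementalGroups", {})
    groups = pod_sc.get("supplementalGroups") or []
    if not groups:
        violations += check_field("supplementalGroups", sup_spec, None)
    for gid in groups:
        violations += check_field("supplementalGroups", sup_spec, gid)
    violations += check_field("fsGroup", params.get("fsGroup", {}), pod_sc.get("fsGroup"))
    return violations


def fsgroup_violations(pod: dict, params: dict) -> list:
    """ACKPSPFSGroup applies a single rule object to spec.securityContext.fsGroup."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    return check_field("fsGroup", params, pod_sc.get("fsGroup"))


# Constructed inputs mirroring the page's constraints and example pods.
RANGE_100_200 = [{"min": 100, "max": 200}]
USERS_PARAMS = {k: {"rule": "MustRunAs", "ranges": RANGE_100_200}
                for k in ("runAsUser", "runAsGroup", "supplementalGroups", "fsGroup")}
FSGROUP_PARAMS = {"rule": "MayRunAs", "ranges": [{"min": 1, "max": 1000}]}

GOOD2 = {"spec": {"securityContext": {"fsGroup": 150, "supplementalGroups": [150]},
                  "containers": [{"name": "test", "image": "test",
                                  "securityContext": {"runAsUser": 150, "runAsGroup": 150}}]}}
BAD = {"spec": {"containers": [{"name": "test", "image": "test"}]}}
# Pod-level IDs are all in range, but the container overrides runAsUser to root.
OVERRIDE = {"spec": {"securityContext": {"runAsUser": 150, "runAsGroup": 150,
                                         "supplementalGroups": [150], "fsGroup": 150},
                     "containers": [{"name": "test", "image": "test",
                                     "securityContext": {"runAsUser": 0}}]}}

if __name__ == "__main__":
    for name, pod in (("good2", GOOD2), ("bad", BAD), ("override", OVERRIDE)):
        print(name, allowed_users_violations(pod, USERS_PARAMS) or "ok")
    print("fsGroup 0:", fsgroup_violations({"spec": {"securityContext": {"fsGroup": 0}}}, FSGROUP_PARAMS))
```

The override pod is the case worth remembering when reviewing manifests: a pod-level runAsUser inside the range does not help if one container sets its own runAsUser: 0, because the container value is the one the kubelet applies.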

ACKPSPHostFilesystem

Restricts hostPath volumes mounted by pods in specified namespaces to the path prefixes listed in allowedHostPaths and, where an entry sets readOnly: true, requires every mount of such a volume to be read-only. A writable hostPath into a sensitive host directory gives the container a route onto the node, so keep the allowlist short and read-only wherever possible.

Severity: High

Parameters:

Parameter | Type | Description
allowedHostPaths | array | hostPath volumes that pods may mount. Each entry is an object with pathPrefix and readOnly.
allowedHostPaths[].pathPrefix | string | Path prefix that the hostPath volume's path must match.
allowedHostPaths[].readOnly | boolean | Whether every mount of the volume must be read-only.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"

Allowed — hostPath volume uses an allowed prefix and is mounted read-only:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
      - name: test-volume
        mountPath: "/projected-volume"
        readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo

Disallowed — hostPath volume uses a path not matching the allowed prefix:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
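As an added example (not ACK's implementation of the rule), the following local check of the allowedHostPaths parameter makes two decisions explicit that a naive string comparison would get wrong; both are assumptions about how the check should behave rather than documented rule behaviour. The prefix match is segment-aware, so /foo allows /foo/bar but not /foobar, and .. components are normalised before matching, so /foo/../etc is judged as /etc. The readOnly handling follows PSP semantics: a volume must be mounted read-only only if every matching entry demands it. The good1 and bad pods mirror the page's examples; the remaining pods are constructed.

```python
import posixpath


def path_has_prefix(path: str, prefix: str) -> bool:
    """Segment-aware prefix test on normalised absolute paths."""
    path = posixpath.normpath(path)
    prefix = posixpath.normpath(prefix)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def mounts_of(pod: dict, volume_name: str):
    """Yield (container name, volumeMount) for every mount of the named volume."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            for mount in container.get("volumeMounts", []):
                if mount.get("name") == volume_name:
                    yield container.get("name"), mount


def host_path_violations(pod: dict, allowed_host_paths: list) -> list:
    """Check every hostPath volume of a pod against the allowedHostPaths entries."""
    violations = []
    for volume in pod.get("spec", {}).get("volumes", []):
        host = volume.get("hostPath")
        if not host:
            continue
        path = host.get("path", "")
        matches = [a for a in allowed_host_paths if path_has_prefix(path, a["pathPrefix"])]
        if not matches:
            violations.append(f"volume {volume['name']}: hostPath {path} matches no allowed pathPrefix")
            continue
        # Only if every matching entry demands readOnly must each mount be read-only
        # (PSP semantics: one writable allow-entry is enough to permit a writable mount).
        if all(a.get("readOnly", False) for a in matches):
            for cname, mount in mounts_of(pod, volume["name"]):
                if not mount.get("readOnly", False):
                    violations.append(f"container {cname}: hostPath {path} must be mounted readOnly")
    return violations


ALLOWED = [{"readOnly": True, "pathPrefix": "/foo"}]  # the page's constraint parameter


def _pod(path: str, read_only: bool) -> dict:
    """Build a constructed one-container pod mounting the given host path."""
    return {"spec": {
        "containers": [{"name": "test", "image": "test",
                        "volumeMounts": [{"name": "test-volume", "mountPath": "/projected-volume",
                                          "readOnly": read_only}]}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": path}}],
    }}


GOOD_POD = _pod("/foo", True)              # page's good1
BAD_POD = _pod("/data", False)             # page's bad: wrong prefix
LOOKALIKE_POD = _pod("/foobar", True)      # a string prefix would pass this; a segment prefix must not
TRAVERSAL_POD = _pod("/foo/../etc", True)  # normalises to /etc, outside the allowlist
WRITABLE_POD = _pod("/foo/logs", False)    # right prefix, but mounted read-write

if __name__ == "__main__":
    for name in ("GOOD_POD", "BAD_POD", "LOOKALIKE_POD", "TRAVERSAL_POD", "WRITABLE_POD"):
        print(name, host_path_violations(globals()[name], ALLOWED) or "ok")
```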

ACKPSPHostNamespace

Blocks pods in specified namespaces from sharing the host's PID or IPC namespace (hostPID: true or hostIPC: true). Host networking is governed separately by ACKPSPHostNetworkingPorts.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — pod does not share host namespaces:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — pod shares the host PID namespace:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKPSPHostNetworkingPorts

Controls whether pods in specified namespaces may use the host network (hostNetwork: true) and restricts any hostPort they declare to the range from min to max, inclusive.

Severity: High

Parameters:

Parameter | Type | Description
hostNetwork | boolean | Whether pods may set hostNetwork: true.
min | integer | Lowest hostPort value permitted.
max | integer | Highest hostPort value permitted.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000

Allowed — host ports are within the allowed range:

apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
      - hostPort: 80
        containerPort: 80
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
      ports:
        - hostPort: 8080
          containerPort: 8080

Disallowed — host port 22 is outside the allowed range:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
      - hostPort: 22
        containerPort: 22

ACKPSPPrivilegedContainer

Blocks pods in specified namespaces from running privileged containers.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — no privileged mode set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

Disallowed — container has privileged: true:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never

ACKPSPProcMount

Requires containers in pods in specified namespaces to use the securityContext.procMount type specified in the policy.

Severity: Low

Parameters:

Parameter | Type | Description
procMount | string | Required securityContext.procMount value. Default keeps the container runtime's masking of sensitive paths under /proc (such as /proc/kcore); Unmasked removes that masking, which is only needed for running nested containers. See AllowedProcMountTypes.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    procMount: Default  # Default or Unmasked

Allowed — procMount: Default matches the policy:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"

Disallowed — procMount: Unmasked does not match the policy:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2

ACKPSPReadOnlyRootFilesystem

Requires pods in specified namespaces to run with read-only root filesystems.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — readOnlyRootFilesystem: true set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true

Disallowed — readOnlyRootFilesystem: false:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2

ACKPSPSELinuxV2

Restricts pods in specified namespaces to SELinux options listed in the policy.

Severity: Low

Parameters:

Parameter | Type | Description
allowedSELinuxOptions | array | SELinux option sets (level, role, type, user) that pods and containers may use. See SELinuxOptions v1 core.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Allowed — SELinux options match the allowlist:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test

Disallowed — SELinux level not in the allowlist:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"

ACKPSPSeccomp

Requires pods in specified namespaces to use specified seccomp profiles.

Severity: Low

Parameters:

Parameter | Type | Description
allowedProfileTypes | array | Permitted seccompProfile.type values: Unconfined, RuntimeDefault, Localhost.
allowedProfiles | array | Permitted profile names, for example runtime/default, docker/default, or localhost/<path> for a Localhost profile.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
      # - Unconfined
      - RuntimeDefault
      - Localhost
    allowedProfiles:
      - runtime/default
      - docker/default
      - localhost/profiles/audit.json

Allowed — seccomp profile matches an allowed type and name:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json

Disallowed — no seccomp profile set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPVolumeTypes

Restricts pods in specified namespaces to mounting only volumes of specified types.

Severity: Medium

Parameters:

Parameter | Type | Description
volumes | array | Volume types that pods may use (the key names under spec.volumes[], such as configMap or persistentVolumeClaim). Use * to allow all volume types.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    volumes:
      # - "*" # Use * to allow all volume types
      - configMap
      # - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      # - hostPath # Required for allowedHostPaths
      - flexVolume # Required for allowedFlexVolumes

Allowed — pod uses a FlexVolume driver (in the allowed list):

apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/oss"

Disallowed — pod uses a hostPath volume (not in the allowed list):

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data