The policy governance feature of Container Service for Kubernetes (ACK) allows you to use various predefined security policies. This topic describes the predefined security policies provided by ACK.
Background information
- CIS-K8s: Security policies of this type are customized to meet the standards of the Center for Internet Security (CIS) Kubernetes benchmarks.
- Infra: Security policies of this type are used to guarantee and enhance the security of cloud infrastructure resources.
- K8s-general: Security policies of this type are used to limit and normalize the configuration of sensitive resources in ACK clusters and enhance the security of applications in ACK clusters.
- PSP: Security policies of this type can be used as an alternative to pod security policies (PSPs) of open source Kubernetes and provide the same access control capabilities.
Predefined security policies
The following table describes the predefined security policies of the policy governance feature.
Category | Policy | Description | Severity
---|---|---|---
CIS-K8s | ACKNoEnvVarSecrets | The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. | medium
CIS-K8s | ACKPodsRequireSecurityContext | Pods in the specified namespaces must be configured with the securityContext parameter. | low
CIS-K8s | ACKRestrictNamespaces | Resources of the specified types cannot be deployed in the specified namespaces. | low
CIS-K8s | ACKRestrictRoleBindings | RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles. | high
Infra | ACKBlockProcessNamespaceSharing | Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. | high
Infra | ACKEmptyDirHasSizeLimit | The sizeLimit parameter must be configured when you mount emptyDir volumes. | low
Infra | ACKLocalStorageRequireSafeToEvict | Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. By default, the autoscaler does not evict pods that mount hostPath or emptyDir volumes during automatic scaling activities. To let the autoscaler evict these pods, add this annotation to the pod configuration. | low
Infra | ACKOSSStorageLocationConstraint | Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. | low
K8s-general | ACKAllowedRepos | Pods in the specified namespaces can pull images only from the specified image repositories. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables. | low
K8s-general | ACKBlockAutomountToken | Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service account tokens are not automatically mounted. | high
K8s-general | ACKBlockEphemeralContainer | Pods in the specified namespaces cannot launch ephemeral containers. | medium
K8s-general | ACKBlockLoadBalancer | LoadBalancer Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKBlockNodePort | NodePort Services cannot be deployed in the specified namespaces. | high
K8s-general | ACKContainerLimits | Pods in the specified namespaces must be configured with resource limits. | low
K8s-general | ACKExternalIPs | Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. | high
K8s-general | ACKImageDigests | Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. | low
K8s-general | ACKRequiredLabels | Pods in the specified namespaces must have labels that comply with the policy content. | low
K8s-general | ACKRequiredProbes | Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. | medium
K8s-general | ACKCheckNginxPath | The spec.rules[].http.paths[].path parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
K8s-general | ACKCheckNginxAnnotation | The metadata.annotations parameter in the Ingress configuration cannot contain risky settings. We recommend that you enable this policy for ingress-nginx versions earlier than 1.2.1. | high
PSP | ACKPSPAllowPrivilegeEscalationContainer | Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter. | medium
PSP | ACKPSPAllowedUsers | Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings. | medium
PSP | ACKPSPAppArmor | Pods in the specified namespaces must be configured with AppArmor settings. | low
PSP | ACKPSPCapabilities | Pods in the specified namespaces must be configured with Linux Capabilities settings. | high
PSP | ACKPSPFSGroup | Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. | medium
PSP | ACKPSPFlexVolumes | Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. | medium
PSP | ACKPSPForbiddenSysctls | Pods in the specified namespaces cannot use the specified sysctls. | high
PSP | ACKPSPHostFilesystem | hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. | high
PSP | ACKPSPHostNamespace | Pods in the specified namespaces cannot share the host namespaces. | high
PSP | ACKPSPHostNetworkingPorts | Specifies whether pods in the specified namespaces can use the host network and the specified ports. | high
PSP | ACKPSPPrivilegedContainer | Pods in the specified namespaces cannot run privileged containers. | high
PSP | ACKPSPProcMount | Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content. | low
PSP | ACKPSPReadOnlyRootFilesystem | Pods in the specified namespaces must run with read-only root file systems. | medium
PSP | ACKPSPSELinuxV2 | Pods in the specified namespaces cannot be configured with SELinux options that are not specified by the allowedSELinuxOptions parameter. | low
PSP | ACKPSPSeccomp | Pods in the specified namespaces must be configured with the specified seccomp profiles. | low
PSP | ACKPSPVolumeTypes | Only volumes of the specified types can be mounted to pods in the specified namespaces. | medium
CIS-K8s
ACKNoEnvVarSecrets
Policy description: The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.
Severity: medium
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
```
ACKPodsRequireSecurityContext
Policy description: Pods in the specified namespaces must be configured with the securityContext parameter.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    # This constraint is not certified by CIS.
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  # The constraint above matches only this namespace.
  namespace: test-gatekeeper
spec:
  # No pod-level securityContext, and container "test2" has none either.
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false
```
ACKRestrictNamespaces
Policy description: Resources of the specified types cannot be deployed in the specified namespaces.
Severity: low
Parameter description:
Parameter | Type | Description
---|---|---
restrictedNamespaces | array | Specifies the namespaces that cannot be used to deploy resources.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    # This constraint is not certified by CIS.
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
```
ACKRestrictRoleBindings
Policy description: RoleBindings in the specified namespaces can be used to assign only the specified Roles or ClusterRoles.
Severity: high
Parameter description:
Parameter | Type | Description
---|---|---
restrictedRole | object | Specifies the ClusterRole or Role that RoleBindings are not allowed to assign.
allowedSubjects | array | Specifies the subjects that may still be bound to the restricted role.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    # This constraint is not certified by CIS.
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
```
Allowed:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
Disallowed:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
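As an added example (not ACK's own code), the check below mirrors ACKRestrictRoleBindings: a RoleBinding whose roleRef is the restricted role may name only the subjects listed in allowedSubjects, and bindings to any other role are not inspected. The parameters and the two sample bindings are constructed from the constraint and examples above; User and Group subjects that omit apiGroup are assumed to default to the RBAC API group, as the allowed example relies on.

```python
"""Mirror of the ACKRestrictRoleBindings decision over RoleBinding dicts."""

from typing import Dict, List, Tuple

# Constructed copy of the parameters block in the page's constraint.
PARAMS: Dict = {
    "restrictedRole": {"apiGroup": "rbac.authorization.k8s.io",
                       "kind": "ClusterRole", "name": "cluster-admin"},
    "allowedSubjects": [{"apiGroup": "rbac.authorization.k8s.io",
                         "kind": "Group", "name": "system:masters"}],
}


def _subject_key(subject: Dict) -> Tuple[str, str, str]:
    """Normalise a subject for comparison. User/Group subjects default to the
    RBAC apiGroup when it is omitted; ServiceAccount subjects have an empty one."""
    kind = subject.get("kind", "")
    default = "rbac.authorization.k8s.io" if kind in ("User", "Group") else ""
    return (subject.get("apiGroup") or default, kind, subject.get("name", ""))


def rolebinding_violations(binding: Dict, params: Dict = PARAMS) -> List[str]:
    """Return one message per subject bound to the restricted role that is not
    in allowedSubjects. An empty list means the binding is acceptable."""
    ref = binding.get("roleRef") or {}
    restricted = params["restrictedRole"]
    if (ref.get("apiGroup"), ref.get("kind"), ref.get("name")) != (
            restricted["apiGroup"], restricted["kind"], restricted["name"]):
        return []  # not the sensitive role: out of scope for this policy
    allowed = {_subject_key(s) for s in params.get("allowedSubjects", [])}
    violations: List[str] = []
    for subject in binding.get("subjects") or []:
        key = _subject_key(subject)
        if key not in allowed:
            violations.append(
                f"{binding['metadata']['name']}: {key[1]} {key[2]!r} may not be "
                f"bound to {ref['kind']}/{ref['name']}")
    return violations


# Constructed samples, equivalent to the page's good-2 and bad-1 RoleBindings.
GOOD_BINDING: Dict = {
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "good-2", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "Group", "name": "system:masters"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                "apiGroup": "rbac.authorization.k8s.io"},
}
BAD_BINDING: Dict = {
    "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                "apiGroup": "rbac.authorization.k8s.io"},
}


if __name__ == "__main__":
    for binding in (GOOD_BINDING, BAD_BINDING):
        print(binding["metadata"]["name"], rolebinding_violations(binding) or "ALLOW")
```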
Infra
ACKBlockProcessNamespaceSharing
Policy description: Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter.
Severity: high
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
ACKEmptyDirHasSizeLimit
Policy description: The sizeLimit parameter must be configured when you mount emptyDir volumes.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKLocalStorageRequireSafeToEvict
Policy description: Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. Pods that are not configured with this annotation are not deleted during scaling activities.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        # directory location on host
        path: /data
        # this field is optional
        type: Directory
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKOSSStorageLocationConstraint
Policy description: Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces.
Severity: low
Parameter description:
Parameter | Type | Description
---|---|---
mode | string | Specifies whether to enable whitelist mode. Default value: allowlist, which enables the whitelist mode. Any other value enables the blacklist mode.
regions | array | The IDs of the regions to allow or block, depending on mode.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
K8s-general
ACKAllowedRepos
Policy description: Pods in the specified namespaces can pull images only from the specified image repositories.
Severity: high
Parameter description:
Parameter | Type | Description
---|---|---
repos | array | Specifies the image repositories from which pods can pull images.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
```
ACKBlockAutoinjectServiceEnv
Policy description: Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockAutomountToken
Policy description: Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service account tokens are not automatically mounted.
Severity: high
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockEphemeralContainer
Policy description: Pods in the specified namespaces cannot launch ephemeral containers.
Severity: medium
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  # The constraint above matches only this namespace.
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  ephemeralContainers:
    - name: test
      image: test
```
ACKBlockLoadBalancer
Policy description: LoadBalancer Services cannot be deployed in the specified namespaces.
Severity: high
Parameter description:
Parameter | Type | Description
---|---|---
restrictedNamespaces | array | Specifies the namespaces that cannot be used to deploy resources.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKBlockNodePort
Policy description: NodePort Services cannot be deployed in the specified namespaces.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKContainerLimits
Policy description: Pods in the specified namespaces must be configured with resource limits.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  # The constraint above matches only this namespace.
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          # Both limits exceed the cpu and memory ceilings set in the constraint.
          memory: "100Gi"
          cpu: "2000m"
```
ACKExternalIPs
Policy description: Services in the specified namespaces cannot use external IPs that are not specified in the policy content.
Severity: high
Parameter description:
Parameter | Type | Description
---|---|---
allowedIPs | array | Specifies the external IPs that can be used.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.12.10
```
ACKImageDigests
Policy description: Pods in the specified namespaces must be deployed from images whose digests comply with the specified format.
Severity: low
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
```
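One image-reference lint, added here as an example (not ACK's own code), mirrors both ACKAllowedRepos above and ACKImageDigests: every image in initContainers and containers must start with one of the listed repository prefixes, and must be pinned by digest rather than by tag. The digest format (`@sha256:` followed by 64 hex digits) is an assumption; the repos list and the sample pods are constructed from the page's constraint and examples.

```python
"""Repository-prefix and digest checks over pod manifests given as dicts."""

import re
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

# Constructed copy of the repos parameter in the page's ACKAllowedRepos constraint.
# The trailing "/" matters: without it ".../acs-other/" would also pass a prefix test.
ALLOWED_REPOS: Sequence[str] = (
    "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
    "registry.cn-hangzhou.aliyuncs.com/acs/",
)

# Assumed digest format: the reference ends in "@sha256:" plus 64 hex digits.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def pod_images(pod: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (location, image) for every init container and container."""
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers"):
        for container in spec.get(field) or []:
            yield f"{field}/{container.get('name')}", container.get("image") or ""


def allowed_repo_violations(pod: Dict, repos: Sequence[str] = ALLOWED_REPOS) -> List[str]:
    """ACKAllowedRepos: every image must begin with an allowed repository prefix."""
    return [f"{where}: image {image!r} is not from an allowed repository"
            for where, image in pod_images(pod)
            if not any(image.startswith(repo) for repo in repos)]


def image_digest_violations(pod: Dict) -> List[str]:
    """ACKImageDigests: every image must be referenced by digest, not by tag."""
    return [f"{where}: image {image!r} is not pinned by digest"
            for where, image in pod_images(pod) if not DIGEST_RE.search(image)]


def _pod(name: str, image: str, init_image: Optional[str] = None) -> Dict:
    """Build a constructed pod manifest for the samples below."""
    spec: Dict = {"containers": [{"name": "test-container", "image": image}]}
    if init_image:
        spec["initContainers"] = [{"name": "init", "image": init_image}]
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "namespace": "test-gatekeeper"}, "spec": spec}


# Constructed samples modelled on the page's pod-01, bad-1 and pod-0 examples.
POD_ALLOWED_REPO = _pod("pod-01",
                        "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver",
                        "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver")
POD_BAD_REPO = _pod("bad-1", "k8s.gcr.io/test-webserver", "k8s.gcr.io/test-webserver")
POD_DIGEST = _pod("pod-0", "openpolicyagent/test-webserver@sha256:"
                  "12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b")


if __name__ == "__main__":
    for pod in (POD_ALLOWED_REPO, POD_BAD_REPO, POD_DIGEST):
        name = pod["metadata"]["name"]
        for line in allowed_repo_violations(pod) + image_digest_violations(pod):
            print(f"{name}: {line}")
```

Note that pod-01 passes the repository check but fails the digest check, while pod-0 passes the digest check but is not from an allowed repository: the two policies are independent and a manifest has to satisfy both.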
ACKRequiredLabels
Policy description: Pods in the specified namespaces must have labels that match the allowedRegex parameter.
Severity: low
Parameter description:
Parameter | Type | Description
---|---|---
allowedRegex | string | Specifies, as a regular expression, the label values that are allowed.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    # message: ''
    labels:
      - key: test
        # value
        allowedRegex: "^test.*$"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
    - name: mycontainer
      image: redis
```
ACKRequiredProbes
Policy description: Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes.
Severity: medium
Parameter description:
Parameter | Type | Description
---|---|---
probes | array | Specifies the probes that must be configured for a pod. Example: readinessProbe and livenessProbe.
probeTypes | array | Specifies the types of probes that must be configured for a pod. Example: tcpSocket, httpGet, and exec.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
```
ACKCheckNginxPath
Policy description: This policy prevents you from using high-risk configurations in the spec.rules[].http.paths[].path field of Ingresses. We recommend that you enable the policy for ingress-nginx versions earlier than 1.2.1.
Severity: high
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
```
ACKCheckNginxAnnotation
Policy description: This policy prevents you from using high-risk configurations in the metadata.annotations field of Ingresses. We recommend that you enable the policy for ingress-nginx versions earlier than 1.2.1.
Severity: high
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
PSP
ACKPSPAllowedUsers
Policy description: Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings.
Severity: medium
Parameter description:
Parameter | Type | Description
---|---|---
runAsUser | object | Specifies the rule type and the minimum and maximum IDs of the allowed range, in the same form as the User settings in the Kubernetes PSP. For more information, see Users and groups.
runAsGroup | object | Specifies the rule type and the minimum and maximum IDs of the allowed range, in the same form as the Group settings in the Kubernetes PSP. For more information, see Users and groups.
supplementalGroups | object | Specifies the rule type and the minimum and maximum IDs of the allowed range, in the same form as the SupplementalGroups settings in the Kubernetes PSP. For more information, see Users and groups.
fsGroup | object | Specifies the rule type and the minimum and maximum IDs of the allowed range, in the same form as the fsGroup settings in the Kubernetes PSP. For more information, see Users and groups.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
    - image: test
      name: test
      securityContext:
        runAsUser: 150
        runAsGroup: 150
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPAllowPrivilegeEscalationContainer
Policy description: Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter.
Severity: medium
Parameter description: None
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPAppArmor
Policy description: Pods in the specified namespaces must be configured with the AppArmor settings.
Severity: low
Parameter description:
Parameter | Type | Description
---|---|---
allowedProfiles | array | Specifies the AppArmor profiles that containers in the pod are allowed to use, as set in the constraint example below.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
    - image: test
      name: test
  initContainers:
    - image: test
      name: test2
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPCapabilities
Policy description: Pods in the specified namespaces must be configured with the Linux Capabilities settings.
Severity: high
Parameter description
Parameter | Type | Description |
---|---|---|
allowedCapabilities | array | Specifies the capabilities that the containers of a pod are allowed to add. |
requiredDropCapabilities | array | Specifies the capabilities that every container of a pod must drop. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      capabilities:
        add:
        - CHOWN
        drop:
        - "NET_ADMIN"
        - "SYS_ADMIN"
        - "NET_RAW"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
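As an added example that is not part of the ACK documentation or its policy templates, the following Python function re-implements the ACKPSPCapabilities check (allowedCapabilities and requiredDropCapabilities, applied to containers and initContainers alike) so that manifests can be linted in CI before they reach the admission webhook. The constraint parameters are those of psp-capabilities above; the pod specs are constructed inline and mirror the good-4 and bad-1 examples.

```python
from typing import Dict, List

# Parameters taken from the psp-capabilities constraint above.
CAPABILITY_PARAMS = {
    "allowedCapabilities": ["CHOWN"],
    "requiredDropCapabilities": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"],
}


def _norm(cap: str) -> str:
    """Kubernetes accepts both NET_ADMIN and CAP_NET_ADMIN; compare on one spelling."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_capabilities(pod: Dict, params: Dict = CAPABILITY_PARAMS) -> List[str]:
    """Return one message per violation; an empty list means the pod is admitted."""
    allowed = {_norm(c) for c in params.get("allowedCapabilities", [])}
    must_drop = {_norm(c) for c in params.get("requiredDropCapabilities", [])}
    violations: List[str] = []
    spec = pod.get("spec", {})
    # initContainers are checked exactly like regular containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = {_norm(x) for x in caps.get("add") or []}
        dropped = {_norm(x) for x in caps.get("drop") or []}
        if "*" not in allowed:
            for cap in sorted(added - allowed):
                violations.append(f"{c['name']}: capability {cap} is not in allowedCapabilities")
        if "ALL" not in dropped:  # dropping ALL satisfies every required drop
            for cap in sorted(must_drop - dropped):
                violations.append(f"{c['name']}: capability {cap} must be dropped")
    return violations


# Constructed pod specs mirroring the allowed (good-4) and disallowed (bad-1) examples.
GOOD_POD = {"spec": {"containers": [{"name": "test", "image": "test",
            "securityContext": {"capabilities": {"add": ["CHOWN"],
            "drop": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]}}}]}}
BAD_POD = {"spec": {"containers": [{"name": "test", "image": "test"}]}}

if __name__ == "__main__":
    print(check_capabilities(GOOD_POD))  # []
    print(check_capabilities(BAD_POD))   # three "must be dropped" messages
```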
ACKPSPFlexVolumes
Policy description: Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.
Severity: medium
Parameter description
Parameter | Type | Description |
---|---|---|
allowedFlexVolumes | array | Specifies the FlexVolume drivers that can be used by a pod. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod", "PersistentVolume"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedFlexVolumes: #[]
    - driver: "alicloud/disk"
    - driver: "alicloud/nas"
    - driver: "alicloud/oss"
    - driver: "alicloud/cpfs"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/nas"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/ossxx"
ACKPSPForbiddenSysctls
Policy description: Pods in the specified namespaces cannot use the specified sysctls.
Severity: high
Parameter description
Parameter | Type | Description |
---|---|---|
forbiddenSysctls | array | Specifies the sysctls that cannot be used by a pod. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
    # - "*" # * may be used to forbid all sysctls
    - "kernel.*"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'net.ipv4.tcp_syncookies'
      value: "65536"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'kernel.shm_rmid_forced'
      value: '1024'
  containers:
  - image: test
    name: test
ACKPSPFSGroup
Policy description: Pods in the specified namespaces must be configured with the fsGroup settings that comply with the policy content.
Severity: medium
Parameter description
Parameter | Type | Description |
---|---|---|
rule | string | The fsGroup rule. The MustRunAs, MayRunAs, and RunAsAny values are supported, with the same meaning as the fsGroup configuration in the PSP of Kubernetes. For more information, see Volumes and file systems. |
ranges | object | Valid values: min: the minimum fsGroup ID; max: the maximum fsGroup ID. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
  - image: test
    name: test
ACKPSPHostFilesystem
Policy description: hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.
Severity: high
Parameter description
Parameter | Type | Description |
---|---|---|
allowedHostPaths | object | Specifies the hostPath volumes that can be mounted to a pod. Each entry has the following two fields. |
readOnly | boolean | Specifies whether every mount of a matching hostPath volume must be read-only. |
pathPrefix | string | Specifies the path prefix that the path of a hostPath volume must match. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
    - name: test-volume
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
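As an added example that is not part of the ACK documentation or its policy templates, the following Python function re-implements the ACKPSPHostFilesystem check from the parameters of psp-host-filesystem above. It assumes the semantics described in the table: a hostPath is admitted only if its path falls under an allowed pathPrefix, compared path component by path component so that /foo does not cover /foobar, and a read-only prefix requires every volumeMount of that volume to be readOnly. The pod specs are constructed inline and mirror the good1 and bad examples.

```python
import posixpath
from typing import Dict, List

# Parameters taken from the psp-host-filesystem constraint above.
HOST_PATH_PARAMS = {"allowedHostPaths": [{"readOnly": True, "pathPrefix": "/foo"}]}


def _under_prefix(path: str, prefix: str) -> bool:
    """Path-component match: /foo covers /foo and /foo/bar, but not /foobar."""
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def check_host_paths(pod: Dict, params: Dict = HOST_PATH_PARAMS) -> List[str]:
    """Return one message per violation; an empty list means the pod is admitted."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    allowed = params.get("allowedHostPaths", [])
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for vol in spec.get("volumes", []):
        if "hostPath" not in vol:
            continue  # only hostPath volumes are in scope for this policy
        name, path = vol["name"], vol["hostPath"]["path"]
        matches = [a for a in allowed if _under_prefix(path, a["pathPrefix"])]
        if not matches:
            violations.append(f"volume {name}: hostPath {path} matches no allowed pathPrefix")
            continue
        if any(a.get("readOnly") for a in matches):
            # A read-only prefix requires every mount of the volume to be readOnly.
            for c in containers:
                for m in c.get("volumeMounts", []):
                    if m["name"] == name and not m.get("readOnly", False):
                        violations.append(f"{c['name']}: hostPath volume {name} must be mounted readOnly")
    return violations


# Constructed pod specs mirroring the allowed (good1) and disallowed (bad) examples.
GOOD_POD = {"spec": {
    "containers": [{"name": "test", "image": "test",
                    "volumeMounts": [{"name": "test-volume", "mountPath": "/projected-volume", "readOnly": True}]}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/foo"}}]}}
BAD_POD = {"spec": {
    "containers": [{"name": "test", "image": "test"}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "File"}}]}}

if __name__ == "__main__":
    print(check_host_paths(GOOD_POD))  # []
    print(check_host_paths(BAD_POD))   # one "matches no allowed pathPrefix" message
```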
ACKPSPHostNamespace
Policy description: Pods in the specified namespaces cannot share the host namespaces.
Severity: high
Parameter description: None
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
ACKPSPHostNetworkingPorts
Policy description: Specifies whether pods in the specified namespaces can use the host network, and the range of host ports they can use.
Severity: high
Parameter description
Parameter | Type | Description |
---|---|---|
hostNetwork | boolean | Specifies whether pods can use the host network. |
min | int | Specifies the lowest host port number that a container can use. |
max | int | Specifies the highest host port number that a container can use. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 80
      containerPort: 80
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2
    ports:
    - hostPort: 8080
      containerPort: 8080
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 22
      containerPort: 22
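As an added example that is not part of the ACK documentation or its policy templates, the following Python function re-implements the ACKPSPHostNetworkingPorts check with the parameters of psp-host-network-ports above: hostNetwork is rejected when the parameter forbids it, and every hostPort declared by a container or initContainer must lie in the min-max range. The pod specs are constructed inline and mirror the good-2 and bad-1 examples.

```python
from typing import Dict, List

# Parameters taken from the psp-host-network-ports constraint above.
HOST_NET_PARAMS = {"hostNetwork": True, "min": 80, "max": 9000}


def check_host_network_ports(pod: Dict, params: Dict = HOST_NET_PARAMS) -> List[str]:
    """Return one message per violation; an empty list means the pod is admitted."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork", False) and not params.get("hostNetwork", False):
        violations.append("pod: hostNetwork is not allowed")
    lo, hi = params.get("min"), params.get("max")
    # initContainers are checked exactly like regular containers.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for p in c.get("ports") or []:
            host_port = p.get("hostPort")
            if host_port is None:
                continue  # no hostPort requested, nothing to check
            if lo is not None and hi is not None and not lo <= host_port <= hi:
                violations.append(f"{c['name']}: hostPort {host_port} is outside {lo}-{hi}")
    return violations


# Constructed pod specs mirroring the allowed (good-2) and disallowed (bad-1) examples.
GOOD_POD = {"spec": {"hostNetwork": True,
    "containers": [{"name": "test-container",
                    "ports": [{"hostPort": 80, "containerPort": 80}]}],
    "initContainers": [{"name": "test-container2",
                        "ports": [{"hostPort": 8080, "containerPort": 8080}]}]}}
BAD_POD = {"spec": {"hostNetwork": True,
    "containers": [{"name": "test-container",
                    "ports": [{"hostPort": 22, "containerPort": 22}]}]}}

if __name__ == "__main__":
    print(check_host_network_ports(GOOD_POD))  # []
    print(check_host_network_ports(BAD_POD))   # hostPort 22 is outside 80-9000
```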
ACKPSPPrivilegedContainer
Policy description: Pods in the specified namespaces cannot run privileged containers.
Severity: high
Parameter description: None
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never
ACKPSPProcMount
Policy description: Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.
Severity: high
Parameter description
Parameter | Type | Description |
---|---|---|
procMount | string | Specifies the Proc Mount type. Valid values: Default: the /proc directory is mounted with the container runtime's default masking of sensitive paths; Unmasked: the /proc directory is mounted without that masking. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2
ACKPSPReadOnlyRootFilesystem
Policy description: Pods in the specified namespaces must run with read-only root file systems.
Severity: medium
Parameter description: None
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2
ACKPSPSeccomp
Policy description: Pods in the specified namespaces must be configured with the specified seccomp profiles.
Severity: low
Parameter description
Parameter | Type | Description |
---|---|---|
allowedProfileTypes | array | Specifies the types of seccomp profiles that are allowed. |
allowedProfiles | array | Specifies the seccomp profiles that are allowed. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
    # - Unconfined
    - RuntimeDefault
    - Localhost
    allowedProfiles:
    - runtime/default
    - docker/default
    - localhost/profiles/audit.json
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
ACKPSPSELinuxV2
Policy description: Pods in the specified namespaces cannot be configured with the SELinux options that are not specified by the allowedSELinuxOptions parameter.
Severity: low
Parameter description
Parameter | Type | Description |
---|---|---|
allowedSELinuxOptions | object | Specifies the SELinux options that can be configured for a pod. For more information, see SELinuxOptions v1 core. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"
ACKPSPVolumeTypes
Policy description: Only volumes of the specified types can be mounted to pods in the specified namespaces.
Severity: low
Parameter description
Parameter | Type | Description |
---|---|---|
volumes | object | Specifies the volume types that can be mounted to a pod. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    volumes:
    # - "*" # * may be used to allow all volume types
    - configMap
    # - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    # - hostPath #required for allowedHostPaths
    - flexVolume #required for allowedFlexVolumes
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/oss"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data