The policy governance feature of Container Service for Kubernetes (ACK) allows you to use various predefined security policies. This topic describes the predefined security policies provided by ACK.

Background information

ACK provides the following types of predefined security policies:
  • CIS-K8s: Security policies of this type are customized to meet the standards of the Center for Internet Security (CIS) Kubernetes benchmarks.
  • Infra: Security policies of this type are used to guarantee and enhance the security of cloud infrastructure resources.
  • K8s-general: Security policies of this type are used to limit and normalize the configuration of sensitive resources in ACK clusters and enhance the security of applications in ACK clusters.
  • PSP: Security policies of this type can be used as an alternative to pod security policies (PSPs) of open source Kubernetes and provide the same access control capabilities.

Predefined security policies

The following table describes the predefined security policies of the policy governance feature.

Category Policy Description Severity
CIS-K8s ACKNoEnvVarSecrets The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables. medium
ACKPodsRequireSecurityContext Pods in the specified namespaces must be configured with the securityContext parameter. low
ACKRestrictNamespaces Resources of the specified types cannot be deployed in the specified namespaces. low
ACKRestrictRoleBindings RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles. high
Infra ACKBlockProcessNamespaceSharing Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter. high
ACKEmptyDirHasSizeLimit The sizeLimit parameter must be configured when you mount emptyDir volumes. low
ACKLocalStorageRequireSafeToEvict Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. Pods that are not configured with this annotation are not deleted during scaling activities. low
ACKOSSStorageLocationConstraint Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces. low
K8s-general ACKAllowedRepos Pods in the specified namespaces can pull images only from the specified image repositories. high
ACKBlockAutoinjectServiceEnv Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables. low
ACKBlockAutomountToken Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service accounts are not automatically mounted. high
ACKBlockEphemeralContainer Pods in the specified namespaces cannot launch ephemeral containers. medium
ACKBlockLoadBalancer LoadBalancer Services cannot be deployed in the specified namespaces. high
ACKBlockNodePort NodePort Services cannot be deployed in the specified namespaces. high
ACKContainerLimits Pods in the specified namespaces must be configured with resource limits. low
ACKExternalIPs Services in the specified namespaces cannot use external IP addresses that are not specified in the policy content. high
ACKImageDigests Pods in the specified namespaces must be deployed from images whose digests comply with the specified format. low
ACKRequiredLabels Pods in the specified namespaces must have labels that comply with the policy content. low
ACKRequiredProbes Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes. medium
PSP ACKPSPAllowPrivilegeEscalationContainer Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter. medium
ACKPSPAllowedUsers Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings. medium
ACKPSPAppArmor Pods in the specified namespaces must be configured with AppArmor settings. low
ACKPSPCapabilities Pods in the specified namespaces must be configured with Linux Capabilities settings. high
ACKPSPFSGroup Pods in the specified namespaces must be configured with fsGroup settings that comply with the policy content. medium
ACKPSPFlexVolumes Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content. medium
ACKPSPForbiddenSysctls Pods in the specified namespaces cannot use the specified sysctls. high
ACKPSPHostFilesystem hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions. high
ACKPSPHostNamespace Pods in the specified namespaces cannot share the host namespaces. high
ACKPSPHostNetworkingPorts Specifies whether pods in the specified namespaces can use the host network and specified ports. high
ACKPSPPrivilegedContainer Pods in the specified namespaces cannot run privileged containers. high
ACKPSPProcMount Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content. low
ACKPSPReadOnlyRootFilesystem Pods in the specified namespaces must run with read-only root file systems. medium
ACKPSPSELinuxV2 Pods in the specified namespaces cannot be configured with SELinux options that are not specified by the allowedSELinuxOptions parameter. low
ACKPSPSeccomp Pods in the specified namespaces must be configured with the specified seccomp profiles. low
ACKPSPVolumeTypes Only volumes of the specified types can be mounted to pods in the specified namespaces. medium

CIS-K8s

  • ACKNoEnvVarSecrets

    Policy description: The secretKeyRef parameter cannot be used to reference Secrets when you specify pod environment variables.

    Severity: medium

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKNoEnvVarSecrets
    metadata:
      name: no-env-var-secrets
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
      volumes:
      - name: foo
        secret:
          secretName: mysecret
          items:
          - key: username
            path: my-group/my-username
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password
      restartPolicy: Never
  • ACKPodsRequireSecurityContext

    Policy description: Pods in the specified namespaces must be configured with the securityContext parameter.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPodsRequireSecurityContext
    metadata:
      name: pods-require-security-context
      annotations:
        # This constraint is not certified by CIS.
        description: "Requires that Pods must have a `securityContext` defined."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: test-gatekeeper
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test2
      - image: test
        name: test
        resources: {}
        securityContext:
          runAsNonRoot: false
  • ACKRestrictNamespaces

    Policy description: Resources of the specified types cannot be deployed in the specified namespaces.

    Severity: low

    Parameter description
    Parameter Type Description
    restrictedNamespaces array Specifies the namespaces that cannot be used to deploy resources.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictNamespaces
    metadata:
      name: restrict-default-namespace
      annotations:
        # This constraint is not certified by CIS.
        description: "Restricts resources from using the restricted namespace."
    spec:
      match:
        kinds:
          - apiGroups: ['']
            kinds: ['Pod']
      parameters:
        restrictedNamespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      restartPolicy: Never
  • ACKRestrictRoleBindings

    Policy description: RoleBindings in the specified namespaces can be used to bind only the specified Roles or ClusterRoles.

    Severity: high

    Parameter description
    Parameter Type Description
    restrictedRole object Specifies the ClusterRole or Role whose binding is restricted.
    allowedSubjects array Specifies the subjects that may still be bound to the restricted role.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictRoleBindings
    metadata:
      name: restrict-clusteradmin-rolebindings
      annotations:
        # This constraint is not certified by CIS.
        description: "Restricts use of sensitive role in specific rolebinding."
    spec:
      match:
        kinds:
          - apiGroups: ["rbac.authorization.k8s.io"]
            kinds: ["RoleBinding"]
      parameters:
        restrictedRole:
          apiGroup: "rbac.authorization.k8s.io"
          kind: "ClusterRole"
          name: "cluster-admin"
        allowedSubjects:
          - apiGroup: "rbac.authorization.k8s.io"
            kind: "Group"
            name: "system:masters"
    Allowed:
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: good-2
      namespace: test-gatekeeper
    subjects:
      - kind: Group
        name: 'system:masters'
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    Disallowed:
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    subjects:
      - kind: ServiceAccount
        name: policy-template-controller
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
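
To make the two highest-value CIS-K8s checks above concrete, here is an added Python re-implementation of the ACKNoEnvVarSecrets and ACKRestrictRoleBindings logic as an offline manifest pre-check (not the ACK or Gatekeeper code). It assumes a Gatekeeper-like subject match on kind and name, with apiGroup compared only when both sides set it, and takes manifests as Python dicts constructed from the YAML examples above.

```python
"""Offline checks mirroring ACKNoEnvVarSecrets and ACKRestrictRoleBindings.
Added example for this page, not the ACK/Gatekeeper Rego; manifests are
embedded as Python dicts (constructed from the YAML examples above)."""


def _pod_containers(pod):
    """Yield (field, container) for every container slot a policy must cover."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield field, c


def env_secret_violations(pod):
    """ACKNoEnvVarSecrets: every env var that reads a Secret via secretKeyRef."""
    found = []
    for field, c in _pod_containers(pod):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                found.append(f"{field}/{c.get('name')}: env {env.get('name')} "
                             f"references Secret {ref.get('name')}/{ref.get('key')}")
    return found


def _subject_allowed(subject, allowed):
    # Match on kind and name; compare apiGroup only when both sides set it,
    # since Group subjects often omit it (assumption about ACK's matching rule).
    for a in allowed:
        if a.get("kind") != subject.get("kind") or a.get("name") != subject.get("name"):
            continue
        if "apiGroup" in a and "apiGroup" in subject and a["apiGroup"] != subject["apiGroup"]:
            continue
        return True
    return False


def rolebinding_violations(binding, restricted_role, allowed_subjects):
    """ACKRestrictRoleBindings: when roleRef is the restricted role, every
    subject must appear in allowed_subjects. Other roleRefs are not checked."""
    ref = binding.get("roleRef", {})
    same_role = (ref.get("kind") == restricted_role["kind"]
                 and ref.get("name") == restricted_role["name"]
                 and ref.get("apiGroup") == restricted_role["apiGroup"])
    if not same_role:
        return []
    return [f"subject {s.get('kind')}/{s.get('name')} may not be bound to "
            f"{ref['kind']}/{ref['name']}"
            for s in binding.get("subjects", [])
            if not _subject_allowed(s, allowed_subjects)]


# --- constructed inputs, following the Allowed/Disallowed manifests above ---
GOOD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "mypod", "image": "redis",
     "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
    "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}]}}

BAD_POD = {"kind": "Pod", "spec": {"containers": [
    {"name": "mycontainer", "image": "redis", "env": [
        {"name": "SECRET_USERNAME",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}]}]}}

# Constructed: the Secret is pulled in by an init container, which must be covered too.
INIT_POD = {"kind": "Pod", "spec": {
    "initContainers": [{"name": "setup", "image": "busybox", "env": [
        {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}]}],
    "containers": [{"name": "app", "image": "redis"}]}}

RESTRICTED_ROLE = {"apiGroup": "rbac.authorization.k8s.io",
                   "kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [{"apiGroup": "rbac.authorization.k8s.io",
                     "kind": "Group", "name": "system:masters"}]
CLUSTER_ADMIN_REF = {"kind": "ClusterRole", "name": "cluster-admin",
                     "apiGroup": "rbac.authorization.k8s.io"}

GOOD_BINDING = {"kind": "RoleBinding", "roleRef": CLUSTER_ADMIN_REF,
                "subjects": [{"kind": "Group", "name": "system:masters"}]}
BAD_BINDING = {"kind": "RoleBinding", "roleRef": CLUSTER_ADMIN_REF,
               "subjects": [{"kind": "ServiceAccount",
                             "name": "policy-template-controller"}]}
# Constructed: binding an unrestricted role is outside this policy's scope.
VIEW_BINDING = {"kind": "RoleBinding",
                "roleRef": {"kind": "ClusterRole", "name": "view",
                            "apiGroup": "rbac.authorization.k8s.io"},
                "subjects": [{"kind": "ServiceAccount", "name": "reader"}]}

if __name__ == "__main__":
    for name, pod in (("GOOD_POD", GOOD_POD), ("BAD_POD", BAD_POD), ("INIT_POD", INIT_POD)):
        print(name, env_secret_violations(pod) or "ok")
    for name, rb in (("GOOD_BINDING", GOOD_BINDING), ("BAD_BINDING", BAD_BINDING),
                     ("VIEW_BINDING", VIEW_BINDING)):
        print(name, rolebinding_violations(rb, RESTRICTED_ROLE, ALLOWED_SUBJECTS) or "ok")
```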

Infra

  • ACKBlockProcessNamespaceSharing

    Policy description: Pods in the specified namespaces cannot be configured with the shareProcessNamespace parameter.

    Severity: high

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockProcessNamespaceSharing
    metadata:
      name: block-share-process-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test-3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKEmptyDirHasSizeLimit

    Policy description: The sizeLimit parameter must be configured when you mount emptyDir volumes.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKEmptyDirHasSizeLimit
    metadata:
      name: empty-dir-has-sizelimit
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir:
          sizeLimit: "10Mi"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKLocalStorageRequireSafeToEvict

    Policy description: Pods in the specified namespaces must be configured with the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. Pods that are not configured with this annotation are not deleted during scaling activities.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKLocalStorageRequireSafeToEvict
    metadata:
      name: local-storage-require-safe-to-evict
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
      annotations:
        'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /data
          # this field is optional
          type: Directory
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKOSSStorageLocationConstraint

    Policy description: Specifies whether Object Storage Service (OSS) buckets in the specified regions can be mounted to pods in the specified namespaces.

    Severity: low

    Parameter description
    Parameter Type Description
    mode string Specifies whether the regions list is an allowlist or a blocklist. Default value: allowlist, which means that only buckets in the listed regions can be mounted. Any other value enables blocklist mode, in which buckets in the listed regions cannot be mounted.
    regions array The specified region IDs.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKOSSStorageLocationConstraint
    metadata:
      name: restrict-oss-location
      annotations:
        description: "Restricts location of oss storage in cluster."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["PersistentVolume", "Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        mode: "allowlist"
        regions:
          - "cn-beijing"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi-good
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-beijing.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeHandle: pv-oss
            nodePublishSecretRef:
              name: oss-secret
              namespace: default
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-hangzhou.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"
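
The Infra checks above can be reproduced offline; the following added Python (not ACK's own code) models ACKOSSStorageLocationConstraint and ACKEmptyDirHasSizeLimit against Pod manifests. It assumes the region is derived from the OSS endpoint in volumeAttributes.url and only looks at pod volumes; sample manifests are constructed from the examples above.

```python
"""Offline checks mirroring ACKOSSStorageLocationConstraint and
ACKEmptyDirHasSizeLimit from the Infra section. Added example, not the
ACK/Gatekeeper Rego; manifests are embedded as dicts (constructed)."""
import re

OSS_CSI_DRIVER = "ossplugin.csi.alibabacloud.com"
# Assumption: the region is taken from the volumeAttributes.url endpoint, e.g.
# oss-cn-beijing.aliyuncs.com or the internal form oss-cn-beijing-internal.aliyuncs.com.
OSS_ENDPOINT = re.compile(r"^(?:https?://)?oss-(.+?)(?:-internal)?\.aliyuncs\.com/?$")


def oss_region(url):
    """Return the region ID encoded in an OSS endpoint, or None if unrecognised."""
    m = OSS_ENDPOINT.match(url.strip())
    return m.group(1) if m else None


def oss_region_violations(pod, mode="allowlist", regions=()):
    """mode=allowlist: only listed regions may be mounted; any other value is
    blocklist mode: listed regions may not be mounted. Unparseable endpoints
    are rejected so the check fails closed."""
    out = []
    for vol in pod.get("spec", {}).get("volumes", []):
        csi = vol.get("csi", {})
        if csi.get("driver") != OSS_CSI_DRIVER:
            continue
        url = csi.get("volumeAttributes", {}).get("url", "")
        region = oss_region(url)
        if region is None:
            out.append(f"volume {vol.get('name')}: cannot determine region from url {url!r}")
        elif (mode == "allowlist") != (region in regions):
            out.append(f"volume {vol.get('name')}: OSS region {region} is not permitted")
    return out


def emptydir_violations(pod):
    """ACKEmptyDirHasSizeLimit: every emptyDir volume must declare sizeLimit,
    otherwise it can fill the node's ephemeral storage unchecked."""
    return [f"volume {vol.get('name')}: emptyDir without sizeLimit"
            for vol in pod.get("spec", {}).get("volumes", [])
            if "emptyDir" in vol and not (vol["emptyDir"] or {}).get("sizeLimit")]


# --- constructed inputs, following the Allowed/Disallowed manifests above ---
def _oss_pod(name, url):
    return {"kind": "Pod", "metadata": {"name": name}, "spec": {
        "containers": [{"name": "test", "image": "test"}],
        "volumes": [{"name": "test", "csi": {"driver": OSS_CSI_DRIVER,
                     "volumeAttributes": {"bucket": "oss", "url": url, "path": "/"}}}]}}


GOOD_OSS = _oss_pod("pod-oss-csi-good", "oss-cn-beijing.aliyuncs.com")
BAD_OSS = _oss_pod("pod-oss-csi", "oss-cn-hangzhou.aliyuncs.com")
INTERNAL_OSS = _oss_pod("pod-oss-internal", "oss-cn-beijing-internal.aliyuncs.com")  # constructed
ODD_OSS = _oss_pod("pod-oss-odd", "example.invalid")  # constructed: unparseable endpoint


def _emptydir_pod(name, emptydir):
    return {"kind": "Pod", "metadata": {"name": name}, "spec": {
        "containers": [{"name": "c", "image": "k8s.gcr.io/test-webserver",
                        "volumeMounts": [{"mountPath": "/cache", "name": "cache-volume"}]}],
        "volumes": [{"name": "cache-volume", "emptyDir": emptydir}]}}


LIMITED = _emptydir_pod("test-1", {"sizeLimit": "10Mi"})
UNLIMITED = _emptydir_pod("bad", {})

if __name__ == "__main__":
    for pod in (GOOD_OSS, BAD_OSS, INTERNAL_OSS, ODD_OSS):
        print(pod["metadata"]["name"],
              oss_region_violations(pod, "allowlist", ["cn-beijing"]) or "ok")
    for pod in (LIMITED, UNLIMITED):
        print(pod["metadata"]["name"], emptydir_violations(pod) or "ok")
```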

K8s-general

  • ACKAllowedRepos

    Policy description: Pods in the specified namespaces can pull images only from the specified image repositories.

    Severity: high

    Parameter description
    Parameter Type Description
    repos array Specifies image repositories from which pods can pull images.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKAllowedRepos
    metadata:
      name: allowed-repos
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        repos:
          - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
          - "registry.cn-hangzhou.aliyuncs.com/acs/"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-01
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container-1
      initContainers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container-3
  • ACKBlockAutoinjectServiceEnv

    Policy description: Pods in the specified namespaces must be configured with enableServiceLinks: false, which specifies that Service IP addresses are not injected into pod environment variables.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutoinjectServiceEnv
    metadata:
      name: block-auto-inject-service-env
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      enableServiceLinks: false
      containers:
      - image: openpolicyagent/test-webserver:1.0
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockAutomountToken

    Policy description: Pods in the specified namespaces must be configured with automountServiceAccountToken: false, which specifies that service accounts are not automatically mounted.

    Severity: high

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutomountToken
    metadata:
      name: block-auto-mount-service-account-token
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      automountServiceAccountToken: false
      containers:
      - image: openpolicyagent/test-webserver:v1.0
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockEphemeralContainer

    Policy description: Pods in the specified namespaces cannot launch ephemeral containers.

    Severity: medium

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockEphemeralContainer
    metadata:
      name: block-ephemeral-container
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: good-1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      ephemeralContainers:
        - name: test
          image: test
  • ACKBlockLoadBalancer

    Policy description: LoadBalancer Services cannot be deployed in the specified namespaces.

    Severity: high

    Parameter description
    Parameter Type Description
    restrictedNamespaces array Specifies the namespaces that cannot be used to deploy resources.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockLoadBalancer
    metadata:
      name: block-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
    Disallowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKBlockNodePort

    Policy description: NodePort Services cannot be deployed in the specified namespaces.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockNodePort
    metadata:
      name: block-node-port
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
    Disallowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: NodePort
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKContainerLimits

    Policy description: Pods in the specified namespaces must be configured with resource limits.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKContainerLimits
    metadata:
      name: container-must-have-limits
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        cpu: "1000m"
        memory: "1Gi"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Mi"
            cpu: "500m"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-2
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Gi"
            cpu: "2000m"
  • ACKExternalIPs

    Policy description: Services in the specified namespaces cannot use external IPs that are not specified in the policy content.

    Severity: high

    Parameter description
    Parameter Type Description
    allowedIPs array Specifies external IPs that can be used.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKExternalIPs
    metadata:
      name: external-ips
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedIPs:
          - "192.168.0.5"
    Allowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-3
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
    Disallowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      externalIPs:
        - 80.11.12.10
  • ACKImageDigests

    Policy description: Pods in the specified namespaces must be deployed from images whose digests comply with the specified format.

    Severity: low

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKImageDigests
    metadata:
      name: container-image-must-have-digest
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container2
  • ACKRequiredLabels

    Policy description: Pods in the specified namespaces must have labels that are specified by the allowedRegex parameter.

    Severity: low

    Parameter description
    Parameter Type Description
    allowedRegex string A regular expression that the value of the specified label key must match.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredLabels
    metadata:
      name: must-have-label-test
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        labels:
          - key: test
            allowedRegex: "^test.*$"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: test
      namespace: test-gatekeeper
      labels:
        'test': 'test_233'
    spec:
      containers:
      - name: mycontainer
        image: redis
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: bad2
      namespace: test-gatekeeper
      labels:
        'test': '233'
    spec:
      containers:
      - name: mycontainer
        image: redis
  • ACKRequiredProbes

    Policy description: Pods in the specified namespaces must be configured with the specified types of readiness probes and liveness probes.

    Severity: medium

    Parameter description
    Parameter Type Description
    probes array Specifies the probes that must be configured for a pod. Example: readinessProbe and livenessProbe.
    probeTypes array Specifies the types of probes that must be configured for a pod. Example: tcpSocket, httpGet, and exec.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredProbes
    metadata:
      name: must-have-probes
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        probes: ["readinessProbe", "livenessProbe"]
        probeTypes: ["tcpSocket", "httpGet", "exec"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: p4
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        readinessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: p1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox

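An added Python model (not ACK's own code) of ACKAllowedRepos, ACKImageDigests and ACKContainerLimits, including a small Kubernetes quantity parser so the cpu and memory parameters of the container-must-have-limits constraint can be compared against container limits. It assumes those two parameters act as upper bounds, which the constraint example suggests but the parameter table does not state; manifests are constructed from the examples above.

```python
"""Offline checks mirroring ACKAllowedRepos, ACKImageDigests and
ACKContainerLimits from the K8s-general section. Added example, not the
ACK/Gatekeeper Rego; manifests are embedded as dicts (constructed)."""
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Kubernetes quantity suffixes: binary (Ki, Mi, ...) and decimal (m, k, M, ...).
QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)([a-zA-Z]*)$")
SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_quantity(q):
    """Convert a Kubernetes quantity string such as '500m' or '1Gi' to a float."""
    m = QUANTITY_RE.match(str(q).strip())
    if not m or m.group(2) not in SUFFIX:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * SUFFIX[m.group(2)]


def _pod_containers(pod):
    """Yield (field, container) for every container slot a policy must cover."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield field, c


def image_violations(pod, repos):
    """ACKAllowedRepos: image must start with an allowed repository prefix.
    ACKImageDigests: image must be pinned by a sha256 digest, not a mutable tag."""
    out = []
    for field, c in _pod_containers(pod):
        image = c.get("image", "")
        where = f"{field}/{c.get('name')}"
        if not any(image.startswith(r) for r in repos):
            out.append(f"{where}: image {image!r} is not from an allowed repository")
        if not DIGEST_RE.search(image):
            out.append(f"{where}: image {image!r} is not pinned by a sha256 digest")
    return out


def limit_violations(pod, cpu="1000m", memory="1Gi"):
    """ACKContainerLimits: every container must set CPU and memory limits and
    must not exceed the caps given as constraint parameters (assumed meaning
    of the cpu/memory parameters in the constraint above)."""
    out = []
    caps = {"cpu": cpu, "memory": memory}
    for field, c in _pod_containers(pod):
        limits = c.get("resources", {}).get("limits", {})
        where = f"{field}/{c.get('name')}"
        for res, cap in caps.items():
            if res not in limits:
                out.append(f"{where}: no {res} limit")
            elif parse_quantity(limits[res]) > parse_quantity(cap):
                out.append(f"{where}: {res} limit {limits[res]} exceeds {cap}")
    return out


# --- constructed inputs, following the Allowed/Disallowed manifests above ---
REPOS = ["registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
         "registry.cn-hangzhou.aliyuncs.com/acs/"]
DIGEST = "sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b"


def _pod(name, image, limits=None):
    c = {"name": "test-container", "image": image}
    if limits:
        c["resources"] = {"limits": limits}
    return {"kind": "Pod", "metadata": {"name": name}, "spec": {"containers": [c]}}


PINNED = _pod("pod-ok", f"registry.cn-hangzhou.aliyuncs.com/acs/test-webserver@{DIGEST}",
              {"memory": "100Mi", "cpu": "500m"})       # constructed: passes all three checks
FOREIGN = _pod("bad-1", "k8s.gcr.io/test-webserver")  # foreign registry, no digest, no limits
OVERSIZED = _pod("pod-2", f"registry.cn-hangzhou.aliyuncs.com/acs/test-webserver@{DIGEST}",
                 {"memory": "100Gi", "cpu": "2000m"})  # limits above the constraint caps

if __name__ == "__main__":
    for pod in (PINNED, FOREIGN, OVERSIZED):
        print(pod["metadata"]["name"], image_violations(pod, REPOS) + limit_violations(pod) or "ok")
```
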
PSP

  • ACKPSPAllowedUsers

    Policy description: Pods in the specified namespaces must be configured with the user, group, supplementalGroups, and fsGroup settings.

    Severity: medium

    Parameter description
    Parameter Type Description
    runAsUser object Same semantics as the RunAsUser setting of a Kubernetes PSP: the rule type (MustRunAs, MustRunAsNonRoot, or RunAsAny) and the allowed UID ranges. For more information, see Users and groups.
    runAsGroup object Same semantics as the RunAsGroup setting of a Kubernetes PSP: the rule type (MustRunAs, MayRunAs, or RunAsAny) and the allowed ID ranges. For more information, see Users and groups.
    supplementalGroups object Same semantics as the SupplementalGroups setting of a Kubernetes PSP: the rule type (MustRunAs, MayRunAs, or RunAsAny) and the allowed ID ranges. For more information, see Users and groups.
    fsGroup object Same semantics as the FSGroup setting of a Kubernetes PSP: the rule type (MustRunAs, MayRunAs, or RunAsAny) and the allowed ID ranges. For more information, see Users and groups.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowedUsers
    metadata:
      name: psp-pods-allowed-user-ranges
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        runAsUser:
          rule: MustRunAs # MustRunAsNonRoot # RunAsAny
          ranges:
            - min: 100
              max: 200
        runAsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        supplementalGroups:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        fsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good2
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 150
        supplementalGroups:
          - 150
      containers:
      - image: test
        name: test
        securityContext:
          runAsUser: 150
          runAsGroup: 150
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
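
The following Python script emulates how a constraint such as psp-pods-allowed-user-ranges decides between the good2 and bad pods above. It is an added example written for this page, not ACK or Gatekeeper code; the rule semantics (RunAsAny, MustRunAs, MayRunAs, MustRunAsNonRoot) follow the Kubernetes PSP definitions, and the detail that a container-level securityContext overrides the pod-level runAsUser and runAsGroup is an assumption of this emulation. The pods are transcribed from the page's YAML into Python dicts.

```python
"""Emulate the ACKPSPAllowedUsers check (added example; not ACK or Gatekeeper code)."""
from typing import Any, Dict, List, Optional

# Parameters copied from the psp-pods-allowed-user-ranges constraint above.
PARAMS = {
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "runAsGroup": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
}

# The page's "good2" and "bad" pods, transcribed as dicts (constructed input).
GOOD_POD = {
    "metadata": {"name": "good2", "namespace": "test-gatekeeper"},
    "spec": {
        "securityContext": {"fsGroup": 150, "supplementalGroups": [150]},
        "containers": [{"name": "test", "image": "test",
                        "securityContext": {"runAsUser": 150, "runAsGroup": 150}}],
    },
}
BAD_POD = {
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{"name": "test", "image": "test"}]},
}


def in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_rule(field: str, value: Optional[int], spec: Dict[str, Any]) -> Optional[str]:
    """Apply one PSP-style rule to a single ID; None means the value passes."""
    rule = spec.get("rule", "RunAsAny")
    if rule == "RunAsAny":
        return None
    if rule == "MustRunAsNonRoot":  # only meaningful for runAsUser
        if value is None:
            return f"{field} must be set (MustRunAsNonRoot)"
        return f"{field} must not be 0 (MustRunAsNonRoot)" if value == 0 else None
    if value is None:
        # MustRunAs demands a value; MayRunAs tolerates an absent one.
        return f"{field} must be set (MustRunAs)" if rule == "MustRunAs" else None
    if not in_ranges(value, spec.get("ranges", [])):
        return f"{field}={value} is outside the allowed ranges"
    return None


def violations(pod: Dict[str, Any], params: Dict[str, Any]) -> List[str]:
    """Return all violations for a pod; an empty list means it is admitted."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found: List[str] = []

    # runAsUser/runAsGroup are resolved per container (assumption: the
    # container-level securityContext wins, else the pod-level value applies).
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c_sc = c.get("securityContext", {})
        for field in ("runAsUser", "runAsGroup"):
            msg = check_rule(field, c_sc.get(field, pod_sc.get(field)), params.get(field, {}))
            if msg:
                found.append(f"container {c['name']}: {msg}")

    # fsGroup and supplementalGroups exist only at pod level.
    msg = check_rule("fsGroup", pod_sc.get("fsGroup"), params.get("fsGroup", {}))
    if msg:
        found.append(msg)
    sg_spec = params.get("supplementalGroups", {})
    groups = pod_sc.get("supplementalGroups") or []
    for gid in groups or [None]:  # an empty list is checked as "not set"
        msg = check_rule("supplementalGroups", gid, sg_spec)
        if msg:
            found.append(msg)
    return found


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], violations(pod, PARAMS) or "admitted")
```

Running the script prints "good2 admitted" and four violations for bad (runAsUser, runAsGroup, fsGroup and supplementalGroups are all unset under MustRunAs). Switching a rule to MayRunAs makes the absent value pass while a present value is still range-checked, which is the practical difference between the two rules.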
  • ACKPSPAllowPrivilegeEscalationContainer

    Policy description: Pods in the specified namespaces must be configured with the allowPrivilegeEscalation parameter.

    Severity: medium

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowPrivilegeEscalationContainer
    metadata:
      name: psp-allow-privilege-escalation-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          allowPrivilegeEscalation: false
      initContainers:
        - image: test
          name: test2
          securityContext:
            allowPrivilegeEscalation: false
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAppArmor

    Policy description: Pods in the specified namespaces must be configured with the AppArmor settings.

    Severity: low

    Parameter description
    Parameter Type Description
    allowedProfiles array Specifies the AppArmor profiles that can be configured for a pod. Example: runtime/default.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAppArmor
    metadata:
      name: psp-apparmor
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfiles:
          - runtime/default
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
      annotations:
        'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
        'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
    spec:
      containers:
      - image: test
        name: test
      initContainers:
      - image: test
        name: test2
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPCapabilities

    Policy description: Pods in the specified namespaces must be configured with the Linux Capabilities settings.

    Severity: high

    Parameter description
    Parameter Type Description
    allowedCapabilities array Specifies the capabilities that can be configured for a pod.
    requiredDropCapabilities array Specifies the capabilities that cannot be configured for a pod.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPCapabilities
    metadata:
      name: psp-capabilities
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedCapabilities: ["CHOWN"]
        requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-4
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          capabilities:
            add:
              - CHOWN
            drop:
             - "NET_ADMIN"
             - "SYS_ADMIN"
             - "NET_RAW"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
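
The following Python script emulates how the psp-capabilities constraint above separates good-4 from bad-1. It is an added example for this page, not ACK or Gatekeeper code. Assumed semantics, modelled on the PSP capability fields: a container may add only capabilities listed in allowedCapabilities ("*" allows any), and must drop every capability in requiredDropCapabilities (dropping ALL also satisfies the requirement), so a container with no capabilities block at all fails whenever requiredDropCapabilities is non-empty. The pods are transcribed from the page's YAML.

```python
"""Emulate the ACKPSPCapabilities check (added example; not ACK or Gatekeeper code)."""
from typing import Any, Dict, List

# Parameters copied from the psp-capabilities constraint above.
ALLOWED = ["CHOWN"]
REQUIRED_DROP = ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

# The page's "good-4" and "bad-1" pods, transcribed as dicts (constructed input).
GOOD_POD = {
    "metadata": {"name": "good-4"},
    "spec": {"containers": [{
        "name": "test", "image": "test",
        "securityContext": {"capabilities": {
            "add": ["CHOWN"], "drop": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]}},
    }]},
}
BAD_POD = {
    "metadata": {"name": "bad-1"},
    "spec": {"containers": [{"name": "test", "image": "test"}]},
}


def normalize_cap(cap: str) -> str:
    """Compare capabilities case-insensitively and without the CAP_ prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def container_violations(container: Dict[str, Any], allowed: List[str],
                         required_drop: List[str]) -> List[str]:
    caps = container.get("securityContext", {}).get("capabilities") or {}
    added = {normalize_cap(c) for c in caps.get("add") or []}
    dropped = {normalize_cap(c) for c in caps.get("drop") or []}
    allowed_set = {normalize_cap(c) for c in allowed}
    name = container["name"]
    msgs: List[str] = []
    # Anything added beyond the allow-list is a violation unless "*" is allowed.
    if "*" not in allowed_set:
        for cap in sorted(added - allowed_set):
            msgs.append(f"container {name}: added capability {cap} is not allowed")
    # Every required drop must be present unless the container drops ALL.
    if "ALL" not in dropped:
        missing = sorted({normalize_cap(c) for c in required_drop} - dropped)
        if missing:
            msgs.append(f"container {name}: must drop {', '.join(missing)}")
    return msgs


def violations(pod: Dict[str, Any], allowed: List[str], required_drop: List[str]) -> List[str]:
    """Check containers and init containers; an empty list means admitted."""
    spec = pod["spec"]
    found: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        found.extend(container_violations(c, allowed, required_drop))
    return found


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], violations(pod, ALLOWED, REQUIRED_DROP) or "admitted")
```

The point the bad-1 example makes is that silence is not compliance: a container that never mentions capabilities keeps the runtime's default set, so the policy rejects it until the required drops are stated explicitly.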
  • ACKPSPFlexVolumes

    Policy description: Pods in the specified namespaces cannot use FlexVolume drivers that are not specified in the policy content.

    Severity: medium

    Parameter description
    Parameter Type Description
    allowedFlexVolumes array Specifies the FlexVolume drivers that can be used by a pod.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFlexVolumes
    metadata:
      name: psp-flexvolume-drivers
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod", "PersistentVolume"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedFlexVolumes: #[]
          - driver: "alicloud/disk"
          - driver: "alicloud/nas"
          - driver: "alicloud/oss"
          - driver: "alicloud/cpfs"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-nas
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/nas"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss-flexvolume
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/ossxx"
  • ACKPSPForbiddenSysctls

    Policy description: Pods in the specified namespaces cannot use the specified sysctls.

    Severity: high

    Parameter description
    Parameter Type Description
    forbiddenSysctls array Specifies the sysctls that cannot be used by a pod.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPForbiddenSysctls
    metadata:
      name: psp-forbidden-sysctls
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        forbiddenSysctls:
          # - "*" # * may be used to forbid all sysctls
          - "kernel.*"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-2
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'net.ipv4.tcp_syncookies'
            value: "65536"
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'kernel.shm_rmid_forced'
            value: '1024'
      containers:
      - image: test
        name: test
  • ACKPSPFSGroup

    Policy description: Pods in the specified namespaces must be configured with the fsGroup settings that comply with the policy content.

    Severity: medium

    Parameter description
    Parameter Type Description
    rule string Corresponds to the fsGroup rule of a Kubernetes PSP. Valid values: MustRunAs, MayRunAs, and RunAsAny. For more information, see Volumes and file systems.
    ranges object Valid values:
    • min: the minimum value of fsGroup ID.
    • max: the maximum value of fsGroup ID.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFSGroup
    metadata:
      name: psp-fsgroup
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
        ranges:
          - min: 1
            max: 1000
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 100
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      securityContext:
        fsGroup: 0
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
  • ACKPSPHostFilesystem

    Policy description: hostPath volumes that are mounted to pods in the specified namespaces must meet the specified conditions.

    Severity: high

    Parameter description
    Parameter Type Description
    allowedHostPaths object Specifies the hostPath volumes that can be mounted to a pod. Each entry consists of the readOnly and pathPrefix fields.
    readOnly boolean Specifies whether volumes under the prefix must be mounted as read-only.
    pathPrefix string Specifies the path prefix that the path of a hostPath volume must match.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostFilesystem
    metadata:
      name: psp-host-filesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedHostPaths:
          - readOnly: true
            pathPrefix: "/foo"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        volumeMounts:
          - name: test-volume
            mountPath: "/projected-volume"
            readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          path: /foo
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: File
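
The following Python script emulates the psp-host-filesystem constraint above. It is an added example for this page, not ACK or Gatekeeper code. Assumed semantics, following the PSP allowedHostPaths model: every hostPath volume must fall under some allowedHostPaths pathPrefix, matched on whole path segments, so "/foo" covers "/foo" and "/foo/bar" but not "/foobar"; and if every prefix covering the path is marked readOnly, each volumeMount of that volume (in containers and initContainers) must itself set readOnly: true. The pods are transcribed from the page's YAML.

```python
"""Emulate the ACKPSPHostFilesystem check (added example; not ACK or Gatekeeper code)."""
from typing import Any, Dict, List, Tuple

# Parameters copied from the psp-host-filesystem constraint above.
ALLOWED_HOST_PATHS = [{"readOnly": True, "pathPrefix": "/foo"}]

# The page's "good1" and "bad" pods, transcribed as dicts (constructed input).
GOOD_POD = {
    "metadata": {"name": "good1"},
    "spec": {
        "containers": [{"name": "test", "image": "test",
                        "volumeMounts": [{"name": "test-volume",
                                          "mountPath": "/projected-volume",
                                          "readOnly": True}]}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/foo"}}],
    },
}
BAD_POD = {
    "metadata": {"name": "bad"},
    "spec": {
        "containers": [{"name": "test", "image": "test"}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "File"}}],
    },
}


def prefix_matches(prefix: str, path: str) -> bool:
    """Segment-aware prefix test: a naive startswith() would let "/foo" cover "/foobar"."""
    want = [s for s in prefix.split("/") if s]
    have = [s for s in path.split("/") if s]
    return have[:len(want)] == want


def violations(pod: Dict[str, Any], allowed: List[Dict[str, Any]]) -> List[str]:
    """Return all violations for a pod; an empty list means it is admitted."""
    spec = pod["spec"]
    # Index every volumeMount by volume name: {volume: [(container, readOnly)]}
    mounts: Dict[str, List[Tuple[str, bool]]] = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            mounts.setdefault(m["name"], []).append((c["name"], bool(m.get("readOnly", False))))

    found: List[str] = []
    for v in spec.get("volumes", []):
        host_path = v.get("hostPath")
        if not host_path:
            continue  # only hostPath volumes are in scope for this policy
        path = host_path["path"]
        covering = [a for a in allowed if prefix_matches(a["pathPrefix"], path)]
        if not covering:
            found.append(f"hostPath {path} is not under any allowed pathPrefix")
            continue
        # A writable mount is only acceptable if some covering prefix permits it.
        if all(a.get("readOnly", False) for a in covering):
            for cname, read_only in mounts.get(v["name"], []):
                if not read_only:
                    found.append(f"container {cname} mounts {path} writable, but the prefix is readOnly")
    return found


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], violations(pod, ALLOWED_HOST_PATHS) or "admitted")
```

The segment-aware match is the detail worth keeping when writing your own prefixes: an entry for "/foo" should not be satisfiable by creating a sibling directory whose name merely starts with "foo".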
  • ACKPSPHostNamespace

    Policy description: Pods in the specified namespaces cannot share the host namespaces.

    Severity: high

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNamespace
    metadata:
      name: psp-host-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      hostPID: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKPSPHostNetworkingPorts

    Policy description: Specifies whether pods in the specified namespaces can use the host network and specified ports.

    Severity: high

    Parameter description
    Parameter Type Description
    hostNetwork boolean Specifies whether pods can use the host network.
    min int Specifies the lowest host port number.
    max int Specifies the highest host port number.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNetworkingPorts
    metadata:
      name: psp-host-network-ports
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        hostNetwork: true
        min: 80
        max: 9000
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: good-2
      namespace: test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 80
            containerPort: 80
      initContainers:
        - image: k8s.gcr.io/test-webserver
          name: test-container2
          ports:
            - hostPort: 8080
              containerPort: 8080
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 22
            containerPort: 22
  • ACKPSPPrivilegedContainer

    Policy description: Pods in the specified namespaces cannot run privileged containers.

    Severity: high

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPPrivilegedContainer
    metadata:
      name: psp-privileged-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      restartPolicy: Never
  • ACKPSPProcMount

    Policy description: Pods in the specified namespaces must be configured with the Proc Mount type that is specified in the policy content.

    Severity: high

    Parameter description
    Parameter Type Description
    procMount string Specifies the Proc Mount type. Valid values:
    • Default: The /proc directory cannot be mounted.
    • Unmasked: The /proc directory can be mounted.
    For more information, see AllowedProcMountTypes.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPProcMount
    metadata:
      name: psp-proc-mount
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        procMount: Default  # Default or Unmasked
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Default"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Unmasked"
      initContainers:
      - image: test
        name: test2
  • ACKPSPReadOnlyRootFilesystem

    Policy description: Pods in the specified namespaces must run with read-only root file systems.

    Severity: medium

    Parameter description: N/A

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPReadOnlyRootFilesystem
    metadata:
      name: psp-readonlyrootfilesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: true
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: false
      initContainers:
      - image: test
        name: test2
  • ACKPSPSeccomp

    Policy description: Pods in the specified namespaces must be configured with the specified seccomp profiles.

    Severity: low

    Parameter description
    Parameter Type Description
    allowedProfileTypes array Specifies the type of seccomp profiles that are allowed.
    allowedProfiles array Specifies the seccomp profiles that are allowed.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSeccomp
    metadata:
      name: psp-seccomp
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfileTypes:
          # - Unconfined
          - RuntimeDefault
          - Localhost
        allowedProfiles:
          - runtime/default
          - docker/default
          - localhost/profiles/audit.json
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
      initContainers:
      - image: test
        name: test2
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
        echo-k8s-webhook-enabled: 'true'
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
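
The following Python script emulates the psp-seccomp constraint above. It is an added example for this page, not ACK or Gatekeeper code, and its semantics are an assumption of this emulation: every container and init container must end up with a seccomp profile, taken from its own securityContext.seccompProfile or else the pod-level one; the profile is normalised to the string form used in allowedProfiles (RuntimeDefault to "runtime/default", Localhost to "localhost/<localhostProfile>", Unconfined to "unconfined"); and a profile passes only if its type is in allowedProfileTypes and its normalised name is in allowedProfiles. The pods are transcribed from the page's YAML.

```python
"""Emulate the ACKPSPSeccomp check (added example; not ACK or Gatekeeper code)."""
from typing import Any, Dict, List, Optional

# Parameters copied from the psp-seccomp constraint above.
ALLOWED_TYPES = ["RuntimeDefault", "Localhost"]
ALLOWED_PROFILES = ["runtime/default", "docker/default", "localhost/profiles/audit.json"]

# The page's "good" and "bad" pods, transcribed as dicts (constructed input).
_AUDIT = {"type": "Localhost", "localhostProfile": "profiles/audit.json"}
GOOD_POD = {
    "metadata": {"name": "good"},
    "spec": {
        "containers": [{"name": "test", "image": "test",
                        "securityContext": {"seccompProfile": dict(_AUDIT)}}],
        "initContainers": [{"name": "test2", "image": "test",
                            "securityContext": {"seccompProfile": dict(_AUDIT)}}],
    },
}
BAD_POD = {
    "metadata": {"name": "bad"},
    "spec": {"containers": [{"name": "test", "image": "test"}]},
}


def canonical_name(profile: Dict[str, Any]) -> Optional[str]:
    """Map a securityContext.seccompProfile object to its allowedProfiles spelling."""
    kind = profile.get("type")
    if kind == "RuntimeDefault":
        return "runtime/default"
    if kind == "Localhost":
        return "localhost/" + profile.get("localhostProfile", "")
    if kind == "Unconfined":
        return "unconfined"
    return None


def violations(pod: Dict[str, Any], allowed_types: List[str],
               allowed_profiles: List[str]) -> List[str]:
    """Return all violations for a pod; an empty list means it is admitted."""
    spec = pod["spec"]
    pod_profile = spec.get("securityContext", {}).get("seccompProfile")
    found: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # Assumption: a container-level profile overrides the pod-level one.
        profile = c.get("securityContext", {}).get("seccompProfile") or pod_profile
        name = c["name"]
        if not profile:
            found.append(f"container {name}: no seccomp profile configured")
            continue
        kind = profile.get("type")
        if kind not in allowed_types:
            found.append(f"container {name}: seccomp profile type {kind} is not allowed")
            continue
        canonical = canonical_name(profile)
        if canonical not in allowed_profiles:
            found.append(f"container {name}: seccomp profile {canonical} is not allowed")
    return found


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], violations(pod, ALLOWED_TYPES, ALLOWED_PROFILES) or "admitted")
```

Two lists are checked because they fail differently: commenting out Unconfined in allowedProfileTypes, as the constraint does, rejects a container that opts out of seccomp entirely, while allowedProfiles pins which Localhost files an otherwise permitted type may point at.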
  • ACKPSPSELinuxV2

    Policy description: Pods in the specified namespaces cannot be configured with SELinux options other than those specified by the allowedSELinuxOptions parameter.

    Severity: low

    Parameter description
    Parameter Type Description
    allowedSELinuxOptions object Specifies SELinux options that can be configured for a pod. For more information, see SELinuxOptions v1 core.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSELinuxV2
    metadata:
      name: psp-selinux-v2
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedSELinuxOptions:
          - level: s0:c123,c456
            role: object_r
            type: svirt_sandbox_file_t
            user: system_u
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c456"
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c455"
  • ACKPSPVolumeTypes

    Policy description: Only volumes of the specified types can be mounted to pods in the specified namespaces.

    Severity: low

    Parameter description
    Parameter Type Description
    volumes object Specifies the types of volumes that can be mounted to a pod.

    Examples:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPVolumeTypes
    metadata:
      name: psp-volume-types
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        volumes:
          # - "*" # * may be used to allow all volume types
          - configMap
          # - emptyDir
          - projected
          - secret
          - downwardAPI
          - persistentVolumeClaim
          # - hostPath #required for allowedHostPaths
          - flexVolume #required for allowedFlexVolumes
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/oss"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data