You can configure security policies for pods to verify the security of deployment and update requests. The policy management feature for ACK clusters provides several built-in rule libraries, including Compliance, Infra, K8s-general, PSP, and FinOps.
Rule introduction
The ACK container security policy rule library contains the following rule templates:
Compliance: Security rules customized based on compliance standards, such as Alibaba Cloud K8s Reinforcement.
Infra: Rules that enhance and protect the security of cloud infrastructure resources.
K8s-general: Rules that constrain and standardize the configuration of sensitive resources in a Kubernetes cluster to enhance application security.
PSP: Policies that replace Kubernetes Pod Security Policies (PSPs). These policies provide security constraints equivalent to those offered by the original PSP feature in ACK policy management.
FinOps: Control and optimization policy rules for cost governance processes.
Policy rule library
Container Service for Kubernetes (ACK) provides the following built-in policy rule libraries. The policy categories and their descriptions are as follows:
Category | Policy | Description | Severity
Compliance | ACKNoEnvVarSecrets | Restricts mounting secrets as environment variables in application pods using `secretKeyRef`. | medium
Compliance | ACKPodsRequireSecurityContext | Requires all containers in a pod to have the securityContext field configured. | low
Compliance | ACKRestrictNamespaces | Restricts resource deployment to specified namespaces in the cluster. | low
Compliance | ACKRestrictRoleBindings | Restricts role bindings in a specified namespace to use only roles or cluster roles from a specified range. | high
Compliance | ACKNamespacesDeleteProtection | Prevents specified namespaces from being accidentally deleted. | medium
Compliance | ACKServicesDeleteProtection | Prevents Service instances in a namespace from being accidentally deleted. | medium
Compliance | ACKProtectBoundingPV | Prevents the deletion of persistent volumes (PVs) that are in a bound state. | high
Compliance | ACKBlockNodeDelete | Prevents the deletion of nodes that have custom tags. | high
Compliance | ACKResourceDeletionProtection | Prevents the deletion of various resources (including Service, Namespace, and Ingress) that have custom tags. | high
Compliance | ACKProtectCoreDNS | Prevents the deletion of CoreDNS-related resources in the kube-system namespace. | high
Compliance | ACKBlockCrdDeletion | Prevents the deletion of CustomResourceDefinitions (CRDs) that still have associated custom resources (CRs). | medium
Infra | ACKBlockProcessNamespaceSharing | Restricts the use of shareProcessNamespace in applications deployed within a specified scope in the cluster. | high
Infra | ACKEmptyDirHasSizeLimit | Requires volumes of the `emptyDir` type to specify a sizeLimit. | low
Infra | ACKLocalStorageRequireSafeToEvict | Requires pods deployed within a specified scope in the cluster to have the cluster-autoscaler.kubernetes.io/safe-to-evict annotation. | low
Infra | ACKOSSStorageLocationConstraint | Restricts deployments in specified namespaces to use only Alibaba Cloud OSS persistent volumes (PVs) from a specified region. | low
Infra | ACKPVSizeConstraint | Limits the maximum disk capacity that can be requested for PV instances created in the cluster. | medium
Infra | ACKPVCConstraint | Restricts the deployment of persistent volume claim (PVC) instances to a whitelist of namespaces and limits the maximum disk capacity that can be requested for PVC instances. | medium
Infra | ACKBlockVolumeTypes | Specifies the volume mount types that are prohibited for pods deployed in a specific scope of the cluster. | medium
Infra | ASMSidecarInjectionEnforced | Requires pods to have the ASM sidecar injected. | high
K8s-general | ACKAllowedRepos | Restricts application pods deployed within a specified scope in the cluster from pulling images that are not on the whitelist. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to be configured with enableServiceLinks: false. | low
K8s-general | ACKBlockAutomountToken | Requires applications to have the automountServiceAccountToken: false field set. | high
K8s-general | ACKBlockEphemeralContainer | Restricts the startup of ephemeral containers in application pods within a specified scope in the cluster. | medium
K8s-general | ACKBlockLoadBalancer | Restricts the deployment of services of the LoadBalancer type within a specified scope in the cluster. | high
K8s-general | ACKBlockNodePort | Restricts the use of services of the NodePort type within a specified scope in the cluster. | high
K8s-general | | Requires application pods within a specified scope in the cluster to have resource | low
K8s-general | | Restricts Service instances within a specified scope in the cluster from using externalIPs that are not on the whitelist. | high
K8s-general | | Restricts the deployment of images that do not use the digest format within a specified scope in the cluster. | low
K8s-general | | Restricts the deployment of applications that do not have specified standard labels within a specified scope in the cluster. | low
K8s-general | | Requires pods deployed within a specified scope in the cluster to be configured with specified types of readinessProbes and livenessProbes. | medium
K8s-general | | Restricts dangerous configurations in the | high
K8s-general | | Restricts dangerous configurations in the | high
K8s-general | | Restricts the creation of public-facing LoadBalancer services. | high
K8s-general | | After installing the Ratify component from the marketplace, verifies security metadata, such as signatures or a bill of materials (BOM), in pod images deployed within a specified scope in the cluster. | high
PSP | | Restricts the configuration of the | medium
PSP | | Restricts the startup | medium
PSP | | Restricts the AppArmor configuration for pods deployed within a specified scope in the cluster. | low
PSP | | Restricts the Linux Capabilities configuration for pods deployed within a specified scope in the cluster. | high
PSP | | Restricts the fsGroup configuration for pods deployed within a specified scope in the cluster. | medium
PSP | | Restricts the FlexVolume driver configuration for pods deployed within a specified scope in the cluster. | medium
PSP | | Restricts the range of forbidden sysctls for pods deployed within a specified scope in the cluster. | high
PSP | | Restricts the range of host directories that pods deployed within a specified scope in the cluster are allowed to mount. | high
PSP | | Restricts whether pods deployed within a specified scope in the cluster are allowed to share host namespaces. | high
PSP | | Restricts the use of the host network and specified ports by pods deployed within a specified scope in the cluster. | high
PSP | | Restricts the startup of privileged containers in pods deployed within a specified scope in the cluster. | high
PSP | | Restricts the proc mount types allowed for pods deployed within a specified scope in the cluster. | low
PSP | | Requires pods deployed within a specified scope in the cluster to use a read-only root file system. | medium
PSP | | Requires pods deployed within a specified scope in the cluster to use the SELinux configuration specified in the `allowedSELinuxOptions` parameter. | low
PSP | | Restricts pods deployed within a specified scope in the cluster to use specified Seccomp profiles. | low
PSP | | Restricts pods deployed within a specified scope in the cluster to use specified volume mount types. | medium
FinOps | | Requires that certain application pods in the cluster must declare resource | low
FinOps | | Requires that the CPU and memory resource configurations of certain application pods in the cluster must be selected from a predefined list of options. | low
FinOps | | Restricts the resource configurations of certain application pods in the cluster to be within a specified range. | low
FinOps | | Requires that certain application pods in the cluster must have a specified | low
FinOps | | Restricts the number of application replicas to a specified minimum and maximum. | low
FinOps | | Enforces the reuse of existing ALB instances and prohibits the creation of new ALB resource instances through AlbConfig. | low
Compliance
ACKNoEnvVarSecrets
Rule description: Restricts mounting secrets as environment variables in application pods using `secretKeyRef`.
Severity: medium.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never

ACKPodsRequireSecurityContext
Rule description: Requires all containers in a pod to have the securityContext field configured.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false

ACKRestrictNamespaces
Rule description: Restricts resource deployment to specified namespaces within the cluster.
Severity: low.
Parameters:
Parameter Name | Type | Description |
restrictedNamespaces | array | Prohibits the deployment of resources to the targets specified in this parameter. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never

ACKRestrictRoleBindings
Rule description: Restricts a RoleBinding in a specified namespace to a specific set of Roles or ClusterRoles.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
restrictedRole | object | The restricted ClusterRole or Role. |
allowedSubjects | array | A whitelist of subjects that can be attached. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"

Allowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Disallowed:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

ACKNamespacesDeleteProtection
Rule description: Prevents the accidental deletion of specified namespaces. You can use the protectionNamespaces parameter to configure the names of the protected namespaces.
Prerequisite: The gatekeeper component must be v3.10.0.130-g0e79597d-aliyun or later. For more information about gatekeeper component versions, see Gatekeeper.
Severity: medium.
Parameters:
Parameter | Parameter type | Description |
protectionNamespaces | array | A list of protected namespace names. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper

Allowed:
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete

Disallowed:
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper

ACKServicesDeleteProtection
Rule description: Prevents the accidental deletion of Service instances in a specified namespace. You can use the protectionServices parameter to configure the names of the protected Service instances.
Severity: medium.
Parameters:
Parameter name | Parameter type | Description |
protectionServices | array | A list of protected Service instance names in the specified namespace. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc

Allowed:
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper

Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: test-svc

ACKProtectBoundingPV
Rule description: Prevents the deletion of persistent volumes (PVs) that are bound to a persistent volume claim (PVC) in the cluster.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectBoundingPV
metadata:
  name: protect-pv-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - PersistentVolume

Allowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
  hostPath:
    path: /tmp/data
    type: DirectoryOrCreate
status:
  phase: Released

Disallowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
  hostPath:
    path: /tmp/data
    type: DirectoryOrCreate
status:
  phase: Bound

ACKBlockNodeDelete
Rule description: Prevents the deletion of nodes that have custom tags in the cluster. You can define multiple key-value pairs. A node is protected if it matches any of the specified key-value pairs.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
protectedLabels | array | Custom tags used to identify protected nodes. |
labelName | string | The key of the custom tag. |
labelValue | string | The value of the custom tag. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodeDelete
metadata:
  name: block-node-delete
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Node"]
  parameters:
    protectedLabels:
      - labelName: policy.alibabacloud.vpc.com/node-delete-protection
        labelValue: "true"
      - labelName: policy.alibabacloud.com/node-delete-protection
        labelValue: "true"

Allowed:
apiVersion: v1
kind: Node
metadata:
  name: cn-hangzhou-1

Disallowed:
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-1
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-2
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.com/node-delete-protection: "true"
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-3

ACKResourceDeletionProtection
Rule description: Prevents the deletion of resources that have custom tags in the cluster. This rule supports resource types such as Service, Namespace, Ingress, Deployment, StatefulSet, DaemonSet, Job, and CronJob. You can define multiple key-value pairs. A resource is protected if it matches any of the specified key-value pairs.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
labels | array | Custom tags used to identify protected resources. |
labelName | string | The key of the custom tag. |
labelValue | string | The value of the custom tag. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKResourceDeletionProtection
metadata:
  name: resource-deletion-protection
  annotations:
    description: "Protect resources from being accidentally deleted."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Service
          - Namespace
      - apiGroups:
          - extensions
          - networking.k8s.io
        kinds:
          - Ingress
      - apiGroups:
          - apps
        kinds:
          - Deployment
          - StatefulSet
          - DaemonSet
      - apiGroups:
          - batch
        kinds:
          - Job
          - CronJob
  parameters:
    labels:
      - labelName: policy.alibabacloud.com/delete-protection
        labelValue: "true"

Allowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80

Disallowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
  labels:
    policy.alibabacloud.com/delete-protection: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80

ACKProtectCoreDNS
Rule description: Prevents the deletion of CoreDNS-related resources in the kube-system namespace, including the associated Deployment, Service, and ConfigMap.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
min_replicas | int | Defines the desired minimum number of replicas for the CoreDNS Deployment. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectCoreDNS
metadata:
  name: coredns-protect-rule
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "Service", "Scale", "ConfigMap"]
    scope: "Namespaced"
    namespaces: ["kube-system"]
  parameters:
    min_replicas: 2

Allowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent

Disallowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
---
apiVersion: v1
data:
  Corefile: ""
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: KubeDNS
  name: kube-dns
  namespace: kube-system

ACKBlockCrdDeletion
Rule description: Prevents the deletion of CustomResourceDefinitions (CRDs) that still have associated custom resources (CRs).
Severity: medium.
Parameters: None.
Example and usage: Before you deploy the policy, you must first install and configure ack-policy-external-provider. Then, you can deploy the policy to protect CRDs.
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockCrdDeletion
metadata:
  name: block-crd-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - '*'
        kinds:
          - CustomResourceDefinition

Infra
ACKBlockProcessNamespaceSharing
Rule description: Restricts the use of shareProcessNamespace in applications deployed within a specified scope in the cluster.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKEmptyDirHasSizeLimit
Rule description: Requires `emptyDir` volumes to specify a sizeLimit.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}

ACKLocalStorageRequireSafeToEvict
Rule description: Requires pods deployed within a specified scope in the cluster to have the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. During autoscaling, the cluster autoscaler does not delete pods that do not have this annotation.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        # directory location on host
        path: /data
        # this field is optional
        type: Directory

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}

ACKOSSStorageLocationConstraint
Rule description: Restricts deployments in specified namespaces to use only Alibaba Cloud Object Storage Service (OSS) persistent volumes (PVs) from a specified region.
Severity: low.
Parameters:
Parameter Name | Parameter type | Description |
mode | string | Specifies whether to use a whitelist. The default value |
regions | array | A list of specified Alibaba Cloud region IDs. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: nginx:latest
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        nodePublishSecretRef:
          name: oss-secret
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

ACKPVSizeConstraint
Rule description: Limits the maximum disk capacity that can be requested for PV instances created in the cluster.
Severity: medium.
Parameters:
Parameter name | Parameter type | Description |
maxSize | string | The maximum disk capacity that can be requested for a PV instance. The default value is 50 GiB. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "PersistentVolume" ]
  parameters:
    maxSize: "50Gi"

Allowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

Disallowed:
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

ACKPVCConstraint
Rule description: Restricts the deployment of persistent volume claim (PVC) instances to a whitelist of namespaces and limits the maximum disk capacity that can be requested for PVC instances.
Severity: medium.
Parameters:
Parameter | Parameter type | Description |
maxSize | string | The maximum disk capacity that can be requested for a PVC instance. The default value is 50 GiB. |
allowNamespaces | array | A whitelist of namespaces where PVC instances can be deployed. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "PersistentVolumeClaim" ]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

Disallowed:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

ACKBlockVolumeTypes
Rule description: Prohibits specified volume mount types for pods that are deployed within a specified scope in the cluster.
Severity: medium.
Parameters:
Parameter Name | Type | Description |
volumes | array | A list of prohibited volume mount types. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"

ASMSidecarInjectionEnforced
Rule description: Requires pods to have the Alibaba Cloud Service Mesh (ASM) sidecar injected.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ASMSidecarInjectionEnforced
metadata:
  name: asm-sidecar-injectionen-forced
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
    - name: istio-proxy
      image: xxx/proxyv2:xxx

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test

K8s-general
ACKAllowedRepos
Rule description: Requires application pods that are deployed within a specified scope in the cluster to pull images only from whitelisted repositories.
Severity: high.
Parameters:
Parameter Name | Type | Description |
repos | array | A whitelist of allowed image repositories. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3

ACKBlockAutoinjectServiceEnv
Rule description: Requires applications to be configured with enableServiceLinks: false to prevent service IP addresses from being exposed as pod environment variables.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container

ACKBlockAutomountToken
Rule description: Requires applications to have the automountServiceAccountToken: false field set to prevent the automatic mount of a ServiceAccount token.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container

ACKBlockEphemeralContainer
Rule description: Prevents ephemeral containers from starting in application pods within a specified scope in the cluster.
Severity: medium.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
  namespace: test-gatekeeper
spec:
  containers:
  - name: hello-pod
    image: redis

Disallowed:
Start an ephemeral container based on an existing pod.
kubectl debug -it hello-pod -n test-gatekeeper --image=test --target=hello-pod
Expected output:
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [block-ephemeral-container-w5c6n] Creating ephemeral containers is disallowed, pod: hello-pod
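The three rules above share one pattern: a field whose Kubernetes default is permissive must be set explicitly, and an update that adds an ephemeral container is rejected. As an added example (not ACK's own code, which is implemented as Gatekeeper templates), the following Python pre-check mirrors ACKBlockAutoinjectServiceEnv, ACKBlockAutomountToken and ACKBlockEphemeralContainer over manifests modelled on the examples above; the function names and the debugger container name are assumptions.

```python
"""Offline pre-admission check mirroring three ACK policy rules (added example)."""
from typing import Any, Dict, List, Sequence

Pod = Dict[str, Any]  # a Pod manifest already loaded into a dict


def check_service_env(pod: Pod) -> List[str]:
    """ACKBlockAutoinjectServiceEnv: spec.enableServiceLinks defaults to true,
    so an absent field is a violation, not a pass."""
    if pod.get("spec", {}).get("enableServiceLinks") is not False:
        return ["ACKBlockAutoinjectServiceEnv: spec.enableServiceLinks must be false"]
    return []


def check_automount_token(pod: Pod) -> List[str]:
    """ACKBlockAutomountToken: the ServiceAccount token is mounted unless the
    field is explicitly false (an absent field inherits the permissive default)."""
    if pod.get("spec", {}).get("automountServiceAccountToken") is not False:
        return ["ACKBlockAutomountToken: spec.automountServiceAccountToken must be false"]
    return []


def check_ephemeral_containers(pod: Pod) -> List[str]:
    """ACKBlockEphemeralContainer: `kubectl debug` updates a running pod with an
    entry in spec.ephemeralContainers; any such entry is denied."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    return [
        f"ACKBlockEphemeralContainer: creating ephemeral containers is disallowed, "
        f"pod: {name}, container: {c.get('name', '<unnamed>')}"
        for c in pod.get("spec", {}).get("ephemeralContainers", [])
    ]


def evaluate(pod: Pod, namespaces: Sequence[str] = ("test-gatekeeper",)) -> List[str]:
    """Return every violation, or [] when the pod is admissible.
    `namespaces` plays the role of match.namespaces in the constraints above:
    pods outside the matched namespaces are never evaluated."""
    if pod.get("metadata", {}).get("namespace") not in namespaces:
        return []
    return (check_service_env(pod)
            + check_automount_token(pod)
            + check_ephemeral_containers(pod))


# Constructed manifests, modelled on the Allowed/Disallowed examples above.
GOOD_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-0", "namespace": "test-gatekeeper"},
    "spec": {
        "enableServiceLinks": False,
        "automountServiceAccountToken": False,
        "containers": [{"image": "openpolicyagent/test-webserver:1.0",
                        "name": "test-container"}],
    },
}

BAD_POD: Pod = {  # neither field set: both defaults are permissive
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad-1", "namespace": "test-gatekeeper"},
    "spec": {"containers": [{"image": "k8s.gcr.io/test-webserver",
                             "name": "test-container"}]},
}

# hello-pod as the API server would see it after `kubectl debug --target=hello-pod`
# (constructed, not captured; the debugger container name is an assumption).
DEBUGGED_POD: Pod = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-pod", "namespace": "test-gatekeeper"},
    "spec": {
        "enableServiceLinks": False,
        "automountServiceAccountToken": False,
        "containers": [{"name": "hello-pod", "image": "redis"}],
        "ephemeralContainers": [{"name": "debugger-xyz", "image": "test",
                                 "targetContainerName": "hello-pod"}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, DEBUGGED_POD):
        verdict = evaluate(pod)
        print(pod["metadata"]["name"], "->", "allowed" if not verdict else verdict)
```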
ACKBlockLoadBalancer
Rule description: Prevents the deployment of services of the LoadBalancer type within a specified scope in the cluster.
Severity: high.
Parameters:
Parameter name | Parameter type | Description |
restrictedNamespaces | array | Denies the deployment of LoadBalancer Services in the namespaces listed in this parameter. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376

Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376

ACKBlockNodePort
Rule description: Prevents the use of services of the NodePort type within a specified scope in the cluster.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376

Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376

ACKContainerLimits
Rule description: Requires application pods within a specified scope in the cluster to have resource limits configured.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Mi"
        cpu: "500m"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Gi"
        cpu: "2000m"

ACKExternalIPs
Rule description: Requires Service instances within a specified scope in the cluster to use only externalIPs from a whitelist.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
allowedIPs | array | A whitelist of externalIPs that Service instances may use. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedIPs:
    - "192.168.0.5"

Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376

Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376
  externalIPs:
  - 80.11.XX.XX

ACKImageDigests
Rule description: Requires images deployed within a specified scope in the cluster to use the digest format.
Severity: low.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
    name: test-container

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2

ACKRequiredLabels
Rule description: Verifies that a pod contains specific labels and ensures that the label values match a predefined format. You can specify a regular expression for each label key to validate its value. You can also use the optional parameter to control whether the label validation is mandatory.
Severity: low.
Parameters:
Parameter Name | Type | Description |
allowedRegex | string | The regular expression that the label value must match. |
key | string | The label key to validate. |
optional | bool | Specifies whether the pod is allowed to lack this label. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    labels:
    - key: test
      allowedRegex: "^test.*$"
    - key: env
      allowedRegex: "^(dev|prod)$"
      optional: true

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
    'env': 'invalid'
spec:
  containers:
  - name: mycontainer
    image: redis

ACKRequiredProbes
Rule description: Requires pods that are deployed within a specified scope in the cluster to be configured with specified types of readinessProbe and livenessProbe.
Severity: medium.
Parameters:
Parameter Name | Parameter Type | Description |
probes | array | The probes that must be configured in the pod. For example, readinessProbe and livenessProbe. |
probeTypes | array | The probe types that must be configured in the pod. For example, tcpSocket, httpGet, and exec. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox
    readinessProbe:
      exec:
        command:
        - cat
        - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox

ACKCheckNginxPath
Rule description: Prevents dangerous configurations in the spec.rules[].http.paths[].path field of Ingress instances. You should enable this policy for Ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: ["extensions", "networking.k8s.io"]
      kinds: ["Ingress"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /var/run/secrets
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80

ACKCheckNginxAnnotation
Rule description: Prevents dangerous configurations in the metadata.annotations field of Ingress instances. You should enable this policy for Ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
    - apiGroups: ["extensions", "networking.k8s.io"]
      kinds: ["Ingress"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

Disallowed:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

ACKBlockInternetLoadBalancer
Rule description: Prevents the creation of Internet-facing LoadBalancer services.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Service"]
    namespaces: ["test-gatekeeper"]

Allowed:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: non-test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376
  type: LoadBalancer

Disallowed:
apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9376

RatifyVerification
Rule description: After you install the Ratify component from the marketplace in your cluster, you can use this policy to verify security metadata, such as signatures or a bill of materials (BOM), for pod images that are deployed within a specified scope.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces: ["default"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # Deploy an image with a valid signature.
    name: test-container

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # Deploy an invalid image that fails the Ratify signature verification.
    name: test-container

PSP
ACKPSPAllowedUsers
Rule description: Restricts the startup user, group, supplementalGroups, and fsGroup for pods that are deployed within a specified scope in the cluster.
Severity: medium.
Parameters:
Parameter | Parameter type | Description |
runAsUser | object | For a detailed description of this parameter, see the User configuration in the original PSP rule. It supports configuring the rule type and the maximum and minimum UIDs. For more information, see Users and groups. |
runAsGroup | object | For a detailed description of this parameter, see the Group configuration in the original PSP rule. It supports configuring the rule type and the maximum and minimum GIDs. For more information, see Users and groups. |
supplementalGroups | object | For a detailed description of this parameter, see the SupplementalGroups configuration in the original PSP rule. It supports configuring the rule type and the maximum and minimum GIDs. For more information, see Users and groups. |
fsGroup | object | For a detailed description of this parameter, see the fsGroup configuration in the original PSP rule. It supports configuring the rule type and the maximum and minimum GIDs. For more information, see Users and groups. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
      - min: 100
        max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
      - min: 100
        max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
      - min: 100
        max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
      - min: 100
        max: 200

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
    - 150
  containers:
  - image: test
    name: test
    securityContext:
      runAsUser: 150
      runAsGroup: 150

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAllowPrivilegeEscalationContainer
Rule description: Restricts the configuration of the allowPrivilegeEscalation parameter for pods that are deployed within a specified scope in the cluster.
Severity: medium.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      allowPrivilegeEscalation: false
  initContainers:
  - image: test
    name: test2
    securityContext:
      allowPrivilegeEscalation: false

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAppArmor
Rule description: Restricts the AppArmor configuration for pods that are deployed within a specified scope in the cluster.
Severity: low.
Parameters:
Parameter name | Parameter type | Description |
allowedProfiles | array | A whitelist of the AppArmor profiles that containers may use. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfiles:
    - runtime/default

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
  - image: test
    name: test
  initContainers:
  - image: test
    name: test2

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPCapabilities
Rule description: Restricts the Linux Capabilities configuration for pods that are deployed within a specified scope in the cluster.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
allowedCapabilities | array | A whitelist of allowed capabilities. |
requiredDropCapabilities | array | The capabilities that must be dropped. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      capabilities:
        add:
        - CHOWN
        drop:
        - "NET_ADMIN"
        - "SYS_ADMIN"
        - "NET_RAW"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPFlexVolumes
Rule description: Restricts the FlexVolume driver configuration for pods that are deployed within a specified scope in the cluster.
Severity: medium.
Parameters:
Parameter name | Parameter type | Description |
allowedFlexVolumes | array | A list of allowed FlexVolume drivers. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod", "PersistentVolume"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedFlexVolumes: #[]
    - driver: "alicloud/disk"
    - driver: "alicloud/nas"
    - driver: "alicloud/oss"
    - driver: "alicloud/cpfs"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/nas"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/ossxx"

ACKPSPForbiddenSysctls
Rule description: Restricts the range of forbidden sysctls for pods that are deployed within a specified scope in the cluster.
Severity: high.
Parameters:
Parameter Name | Parameter type | Description |
forbiddenSysctls | array | A list of sysctls that pods are forbidden to set. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
    # - "*" # * may be used to forbid all sysctls
    - "kernel.*"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'net.ipv4.tcp_syncookies'
      value: "65536"
  containers:
  - image: test
    name: test

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'kernel.shm_rmid_forced'
      value: '1024'
  containers:
  - image: test
    name: test

ACKPSPFSGroup
Rule description: Restricts the fsGroup configuration for pods that are deployed within a specified scope in the cluster.
Severity: medium.
Parameters:
Parameter Name | Parameter Type | Description |
rule | string | For a detailed description of this parameter, see the fsGroup configuration in the original PSP rule. Supported values are MustRunAs, MayRunAs, and RunAsAny. For more information, see Volumes and file systems. |
ranges | object | Contains the following values: min and max, the bounds of the allowed fsGroup range. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
  - image: test
    name: test

ACKPSPHostFilesystem
Rule description: Restricts the range of host directories that can be mounted by pods deployed within a specified scope in the cluster.
Severity: high.
Parameters:
Parameter name | Parameter type | Description |
allowedHostPaths | object | The host path whitelist configuration. Each entry contains the following fields: |
readOnly | boolean | Specifies whether the path is read-only. |
pathPrefix | string | The path prefix. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
    - name: test-volume
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File

ACKPSPHostNamespace
Rule description: Restricts whether pods that are deployed within a specified scope in the cluster are allowed to share host namespaces.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKPSPHostNetworkingPorts
Rule description: Restricts the use of the host network and specified ports by pods that are deployed within a specified scope in the cluster.
Severity: high.
Parameters:
Parameter Name | Type | Description |
hostNetwork | boolean | Specifies whether pods are allowed to share the host network. |
min | int | The minimum value of the hostPort. |
max | int | The maximum value of the hostPort. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 80
      containerPort: 80
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2
    ports:
    - hostPort: 8080
      containerPort: 8080

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 22
      containerPort: 22

ACKPSPPrivilegedContainer
Rule description: Prevents the startup of privileged containers in pods that are deployed within a specified scope in the cluster.
Severity: high.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never

ACKPSPProcMount
Rule description: Restricts the proc mount types that are allowed for pods deployed within a specified scope in the cluster.
Severity: high.
Parameters:
Parameter Name | Type | Description |
procMount | string | The proc mount type. The following types are allowed: Default and Unmasked. For more information about parameter settings, see AllowedProcMountTypes. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  hostUsers: false
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2

ACKPSPReadOnlyRootFilesystem
Rule description: Requires pods deployed within a specified scope in the cluster to use a read-only root file system.
Severity: medium.
Parameters: None.
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2

ACKPSPSeccomp
Rule description: Restricts pods that are deployed within a specified scope in the cluster to use specified Seccomp profiles.
Severity: low.
Parameters:
Parameter Name | Parameter type | Description |
allowedProfileTypes | array | A whitelist of allowed Seccomp profile types. |
allowedProfiles | array | The allowed Seccomp profiles. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
    # - Unconfined
    - RuntimeDefault
    - Localhost
    allowedProfiles:
    - runtime/default
    - docker/default
    - localhost/profiles/audit.json

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPSELinuxV2
Rule description: Requires pods that are deployed within a specified scope in the cluster to use the SELinux configuration specified in the allowedSELinuxOptions parameter.
Severity: low.
Parameters:
Parameter name | Parameter type | Description |
allowedSELinuxOptions | object | A whitelist of allowed SELinux configurations. For more information, see SELinuxOptions v1 core. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u

Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"

ACKPSPVolumeTypes
Rule description: Restricts pods that are deployed within a specified scope in the cluster to use specified volume mount types.
Severity: low.
Parameters:
Parameter Name | Type | Description |
volumes | array | A list of allowed volume mount types. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    volumes:
    # - "*" # * may be used to allow all volume types
    - configMap
    # - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    # - hostPath #required for allowedHostPaths
    - flexVolume #required for allowedFlexVolumes

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/oss"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data

FinOps
ACKContainerRequests
Rule description: Requires that specified application pods in the cluster declare resource requests.
Severity: low.
Parameters:
Parameter | Parameter type | Description |
cpu | string | The maximum value for container CPU requests. |
memory | string | The maximum value for container memory requests. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerRequests
metadata:
  name: container-must-have-requests
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      requests:
        memory: "100Mi"
        cpu: "500m"

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container

ACKContainerResourcesWhitelist
Rule description: Requires that the CPU and memory resource configurations of specified application pods in the cluster are selected from a predefined list of options.
Severity: low.
Parameters:
Parameter | Parameter Type | Description |
cpuRequests | array | A whitelist of CPU request values. |
cpuLimits | array | A whitelist of CPU limit values. |
memoryRequests | array | A whitelist of memory request values. |
memoryLimits | array | A whitelist of memory limit values. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesWhitelist
metadata:
  name: container-resources-whitelist
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [ "" ]
      kinds: [ "Pod" ]
    namespaces:
    - "test-gatekeeper"
  parameters:
    cpuRequests:
    - "100m"
    - "500m"
    - "1"
    cpuLimits:
    - "2"
    - "4000m"
    memoryRequests:
    - "256Mi"
    - "512Mi"
    memoryLimits:
    - "1Gi"
    - "2048Mi"

Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: "2"
        memory: 1Gi

Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 10m
        memory: 512Mi
      limits:
        cpu: "1"
        memory: 1Gi

ACKContainerResourcesRange
Rule description: Restricts the resource configurations of specified application pods in the cluster to a specified range.
Severity: low.
Parameters:
Parameter | Parameter type | Description |
cpuRequests | object | Contains the following values: min and max of the CPU request |
cpuLimits | object | Contains the following values: min and max of the CPU limit |
memoryRequests | object | Contains the following values: min and max of the memory request |
memoryLimits | object | Contains the following values: min and max of the memory limit |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesRange
metadata:
  name: container-resources-range
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [ "" ]
        kinds: [ "Pod" ]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpuRequests:
      min: "100m"
      max: "1"
    cpuLimits:
      min: "500m"
      max: "2"
    memoryRequests:
      min: "256Mi"
      max: "512Mi"
    memoryLimits:
      min: "1Gi"
      max: "2048Mi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 2Gi
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 10m
          memory: 5Mi
        limits:
          cpu: "3"
          memory: 128Mi
ACKRequiredNodeSelector
Rule description: Requires that specified application pods in the cluster have a nodeSelector label configured.
Severity: low.
Parameters:
Parameter | Parameter type | Description |
nodeSelector | array | Contains the following values: key (the required nodeSelector label key) and allowedRegex (the regular expression the label value must match) |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredNodeSelector
metadata:
  name: must-have-nodeselector
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    nodeSelector:
      - key: "node.alibabacloud.com/nodepool-id"
        allowedRegex: "^np.*$"
      - key: "kubernetes.io/os"
        allowedRegex: "^linux$"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: linux
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: windows
ACKWorkloadReplicasRange
Rule description: Restricts the number of application replicas to a specified range.
Severity: low.
Parameters:
Parameter | Parameter type | Description |
minReplicas | int | The minimum number of replicas for the application. |
maxReplicas | int | The maximum number of replicas for the application. |
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKWorkloadReplicasRange
metadata:
  name: replica-limiter
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "StatefulSet", "ReplicaSet", "Scale"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    minReplicas: 2
    maxReplicas: 3
Allowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
Disallowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-0
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-1
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
ACKRestrictALBCreation
Rule description: Enforces the reuse of existing Application Load Balancer (ALB) instances and prohibits the creation of new ALB instances through AlbConfig.
Severity: low.
Parameters: None
Examples:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictALBCreation
metadata:
  name: restrict-alb-creation
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["alibabacloud.com"]
        kinds: ["AlbConfig"]
Allowed:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: 'abcdefghijklmnopqrstuvwxyz'
    forceOverride: false
    listenerForceOverride: false
Disallowed:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb
    addressType: Internet
    zoneMappings:
      - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # Replace with the vSwitch IDs of at least two vSwitches in different zones within the VPC where the cluster resides.
        allocationId: eip-asdfas**** # Replace with the EIP ID. The default option is to automatically assign a public IP address.
      - vSwitchId: vsw-uf6nun9tql5t8nh15**** # Replace with the vSwitch IDs of at least two vSwitches in different zones within the VPC where the cluster resides.
        allocationId: eip-dpfmss**** # Replace with the EIP ID.
  listeners:
    - port: 80
      protocol: HTTP
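As an added example, not part of the ACK rule library or its Gatekeeper templates, the following Python reproduces the checks that the ACKContainerResourcesRange and ACKRequiredNodeSelector rules above perform on a pod, including Kubernetes quantity parsing so that values such as 10m, "1" and 2048Mi compare correctly rather than as strings. The parameters and the sample pod are constructed from the examples on this page; the function names are assumptions for illustration.

```python
import re
from fractions import Fraction

# Kubernetes quantity suffixes; base unit is one CPU core or one byte
_SUFFIX = {"": 1, "m": Fraction(1, 1000), "k": 1000, "M": 10**6, "G": 10**9,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)(m|k|M|G|Ki|Mi|Gi)?$")
# constraint parameter name -> (resources section, resource name)
_FIELDS = {"cpuRequests": ("requests", "cpu"), "cpuLimits": ("limits", "cpu"),
           "memoryRequests": ("requests", "memory"), "memoryLimits": ("limits", "memory")}

def parse_quantity(q):
    """Convert '500m', '2' or '512Mi' to an exact number so ranges compare correctly."""
    m = _QTY.match(str(q))
    if not m:
        raise ValueError(f"unparseable quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2) or ""]

def check_resources_range(pod, params):
    """ACKContainerResourcesRange logic: every configured request/limit must lie in [min, max]."""
    violations = []
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        for pname, bounds in params.items():
            section, name = _FIELDS[pname]
            value = res.get(section, {}).get(name)
            lo, hi = bounds["min"], bounds["max"]
            if value is None:  # an unset request/limit is also a violation
                violations.append(f"{c['name']}: {section}.{name} not set")
            elif not parse_quantity(lo) <= parse_quantity(value) <= parse_quantity(hi):
                violations.append(f"{c['name']}: {section}.{name}={value} outside [{lo}, {hi}]")
    return violations

def check_node_selector(pod, selectors):
    """ACKRequiredNodeSelector logic: each required key must exist and match allowedRegex."""
    ns = pod["spec"].get("nodeSelector", {})
    violations = []
    for s in selectors:
        v = ns.get(s["key"])
        if v is None or not re.search(s["allowedRegex"], v):
            violations.append(f"nodeSelector {s['key']}={v} fails {s['allowedRegex']}")
    return violations
# Constructed sample: the constraint parameters above plus the range rule's "Disallowed" pod
RANGE_PARAMS = {"cpuRequests": {"min": "100m", "max": "1"}, "cpuLimits": {"min": "500m", "max": "2"},
                "memoryRequests": {"min": "256Mi", "max": "512Mi"}, "memoryLimits": {"min": "1Gi", "max": "2048Mi"}}
SELECTORS = [{"key": "node.alibabacloud.com/nodepool-id", "allowedRegex": "^np.*$"},
             {"key": "kubernetes.io/os", "allowedRegex": "^linux$"}]
BAD_POD = {"spec": {"containers": [{"name": "test-container", "resources": {
    "requests": {"cpu": "10m", "memory": "5Mi"}, "limits": {"cpu": "3", "memory": "128Mi"}}}],
    "nodeSelector": {"node.alibabacloud.com/nodepool-id": "npd37f0e64410c41328a6282dbe5d35cae", "kubernetes.io/os": "windows"}}}
```

Running check_resources_range(BAD_POD, RANGE_PARAMS) reports all four out-of-range values, and check_node_selector(BAD_POD, SELECTORS) reports only the kubernetes.io/os mismatch, matching the Allowed/Disallowed split shown above.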