
Container Service for Kubernetes: Overview of the container security policy rule library

Last Updated: Jun 24, 2026

Validates Pod deployment and update requests against 54 predefined Gatekeeper policies in five built-in categories: Compliance, Infra, K8s-general, PSP, and FinOps.

Policy categories

| Category | Description |
| --- | --- |
| Compliance | Policies based on compliance standards such as Alibaba Cloud Kubernetes Security Hardening. |
| Infra | Policies that protect cloud infrastructure resources. |
| K8s-general | Policies that restrict and standardize the configuration of sensitive resources in ACK clusters and improve the security of applications in the cluster. |
| PSP | Policies that replace Kubernetes pod security policies (PSPs) and provide security restrictions equivalent to legacy ACK policy management. |

Predefined security policies

The five categories contain 54 predefined policies.

| Category | Policy | Description | Severity |
| --- | --- | --- | --- |
| Compliance | ACKNoEnvVarSecrets | Blocks the use of secretKeyRef to reference Secrets in pod environment variables. | Medium |
| Compliance | ACKPodsRequireSecurityContext | Requires pods in specified namespaces to include a securityContext. | Low |
| Compliance | ACKRestrictNamespaces | Blocks the deployment of specified resource kinds in specified namespaces. | Low |
| Compliance | ACKRestrictRoleBindings | Restricts RoleBindings in specified namespaces to binding only specified roles or cluster roles. | High |
| Compliance | ACKNamespacesDeleteProtection | Prevents the deletion of specified namespaces. | Medium |
| Compliance | ACKServicesDeleteProtection | Prevents the deletion of Service instances in specified namespaces. | Medium |
| Infra | ACKBlockProcessNamespaceSharing | Blocks pods in specified namespaces from using shareProcessNamespace. | High |
| Infra | ACKEmptyDirHasSizeLimit | Requires a sizeLimit when mounting emptyDir volumes. | Low |
| Infra | ACKLocalStorageRequireSafeToEvict | Requires the cluster-autoscaler.kubernetes.io/safe-to-evict: "true" annotation on pods that mount hostPath or emptyDir volumes. | Low |
| Infra | ACKOSSStorageLocationConstraint | Controls which OSS bucket regions can be mounted into pods in specified namespaces. | Low |
| Infra | ACKPVSizeConstraint | Sets the maximum disk capacity for persistent volumes (PVs) in the cluster. | Medium |
| Infra | ACKPVCConstraint | Restricts which namespaces can deploy persistent volume claims (PVCs) and sets the maximum PV disk capacity. | Medium |
| Infra | ACKBlockVolumeTypes | Blocks pods in specified namespaces from using specified volume types. | Medium |
| K8s-general | ACKAllowedRepos | Restricts pods in specified namespaces to pulling images only from specified image repositories. | High |
| K8s-general | ACKBlockAutoinjectServiceEnv | Requires enableServiceLinks: false on pods, preventing Service IP addresses from being injected into pod environment variables. | Low |
| K8s-general | ACKBlockAutomountToken | Requires automountServiceAccountToken: false on pods, preventing service account tokens from being mounted automatically. | High |
| K8s-general | ACKBlockEphemeralContainer | Blocks pods in specified namespaces from launching ephemeral containers. | Medium |
| K8s-general | ACKBlockLoadBalancer | Blocks the deployment of LoadBalancer Services in specified namespaces. | High |
| K8s-general | ACKBlockNodePort | Blocks the deployment of NodePort Services in specified namespaces. | High |
| K8s-general | ACKContainerLimits | Requires resource limits on all containers in pods in specified namespaces. | Low |
| K8s-general | ACKExternalIPs | Restricts Services in specified namespaces to using only the external IP addresses listed in the policy. | High |
| K8s-general | ACKImageDigests | Requires pods in specified namespaces to use images with a digest in the specified format. | Low |
| K8s-general | ACKRequiredLabels | Requires pods in specified namespaces to carry labels that match the policy. | Low |
| K8s-general | ACKRequiredProbes | Requires pods in specified namespaces to have specified types of readiness and liveness probes. | Medium |
| K8s-general | ACKCheckNginxPath | Blocks high-risk values in spec.rules[].http.paths[].path of Ingress resources. Enable for Ingress-nginx versions earlier than 1.2.1. | High |
| K8s-general | ACKCheckNginxAnnotation | Blocks high-risk values in metadata.annotations of Ingress resources. Enable for Ingress-nginx versions earlier than 1.2.1. | High |
| K8s-general | ACKBlockInternetLoadBalancer | Blocks the creation of internet-facing LoadBalancer Services. | High |
| K8s-general | RatifyVerification | Uses Ratify to verify image signatures or security metadata (such as a software bill of materials (SBOM)) for pods in specified namespaces. | High |
| PSP | ACKPSPAllowPrivilegeEscalationContainer | Requires pods in specified namespaces to include the allowPrivilegeEscalation setting. | Medium |
| PSP | ACKPSPAllowedUsers | Requires pods in specified namespaces to include user, group, supplementalGroups, and fsGroup settings. | Medium |
| PSP | ACKPSPAppArmor | Requires pods in specified namespaces to include AppArmor settings. | Low |
| PSP | ACKPSPCapabilities | Requires pods in specified namespaces to include Linux capabilities settings. | High |
| PSP | ACKPSPFSGroup | Requires pods in specified namespaces to use fsGroup settings that match the policy. | Medium |
| PSP | ACKPSPFlexVolumes | Restricts pods in specified namespaces to using only the FlexVolume drivers listed in the policy. | Medium |
| PSP | ACKPSPForbiddenSysctls | Blocks pods in specified namespaces from using specified sysctls. | High |
| PSP | ACKPSPHostFilesystem | Enforces conditions on hostPath volumes mounted into pods in specified namespaces. | High |
| PSP | ACKPSPHostNamespace | Blocks pods in specified namespaces from sharing host namespaces. | High |
| PSP | ACKPSPHostNetworkingPorts | Controls whether pods in specified namespaces can use host networking and specified ports. | High |
| PSP | ACKPSPPrivilegedContainer | Blocks pods in specified namespaces from running privileged containers. | High |
| PSP | ACKPSPProcMount | Requires pods in specified namespaces to use the Proc Mount type specified in the policy. | Low |
| PSP | ACKPSPReadOnlyRootFilesystem | Requires pods in specified namespaces to run with a read-only root filesystem. | Medium |
| PSP | ACKPSPSELinuxV2 | Restricts pods in specified namespaces to using only the SELinux options listed in the policy. | Low |
| PSP | ACKPSPSeccomp | Requires pods in specified namespaces to use specified seccomp profiles. | Low |
| PSP | ACKPSPVolumeTypes | Restricts pods in specified namespaces to mounting only specified volume types. | Medium |

Compliance

ACKNoEnvVarSecrets

Blocks the use of secretKeyRef to reference Secrets in Pod environment variables.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — secrets mounted as a volume:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username

Disallowed — secrets referenced through secretKeyRef in environment variables:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:       # this reference is what the policy rejects
          name: mysecret
          key: username
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKPodsRequireSecurityContext

Requires Pods in specified namespaces to include a securityContext.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — a Pod-level securityContext is present:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — no Pod-level securityContext is defined:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKRestrictNamespaces

Blocks the deployment of specified resource kinds in specified namespaces.

Severity: Low

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | Namespaces in which the matched resource kinds cannot be deployed. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"

Allowed — Pod in a namespace that is not restricted:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — Pod in a restricted namespace:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
  restartPolicy: Never

ACKRestrictRoleBindings

Restricts RoleBindings in specified namespaces to binding only specified roles or cluster roles.

Severity: High

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| restrictedRole | object | The cluster role or role that may not be bound. |
| allowedSubjects | array | Subjects that are allowed to receive the binding. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"

Allowed — the binding uses an allowed subject:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Disallowed — the binding uses a subject that is not in allowedSubjects:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

ACKNamespacesDeleteProtection

Prevents the deletion of specified namespaces.

Severity: Medium

Requires Gatekeeper 3.10.0.130-g0e79597d-aliyun or later.

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| protectionNamespaces | array | Names of the namespaces that cannot be deleted. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper

Allowed — the namespace is not in the protection list:

apiVersion: v1
kind: Namespace
metadata:
  name: will-delete

Disallowed — the namespace is in the protection list:

apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper

ACKServicesDeleteProtection

Prevents the deletion of Service instances in specified namespaces.

Severity: Medium

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| protectionServices | array | Names of the Service instances that cannot be deleted. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc

Allowed — the Service is not in the protection list:

apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper

Disallowed — the Service is in the protection list:

apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: test-gatekeeper

Infra

ACKBlockProcessNamespaceSharing

Blocks Pods in specified namespaces from using shareProcessNamespace.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — shareProcessNamespace is not set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — shareProcessNamespace: true is set on the Pod:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKEmptyDirHasSizeLimit

Requires a sizeLimit when mounting emptyDir volumes.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — the emptyDir volume has a sizeLimit:

apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      sizeLimit: "10Mi"

Disallowed — the emptyDir volume has no sizeLimit:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKLocalStorageRequireSafeToEvict

Requires the cluster-autoscaler.kubernetes.io/safe-to-evict: "true" annotation on Pods in specified namespaces. By default, Cluster Autoscaler skips Pods that mount hostPath or emptyDir volumes; this annotation allows them to be evicted during scaling.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]

Allowed — the Pod carries the safe-to-evict annotation:

apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: Directory

Disallowed — the Pod mounts a volume but lacks the annotation:

apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

ACKOSSStorageLocationConstraint

Controls which OSS bucket regions can be mounted into Pods in specified namespaces.

Severity: Low

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| mode | string | allowlist (the default) enables allowlist mode; any other value enables blocklist mode. |
| regions | array | Region IDs to include in the allowlist or blocklist. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"

Allowed — the OSS bucket is in an allowed region (cn-beijing):

apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

Disallowed — the OSS bucket is in a region that is not in the allowlist (cn-hangzhou):

apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"

ACKPVSizeConstraint

Sets the maximum disk capacity for persistent volumes (PVs) in the cluster.

Severity: Medium

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | Maximum disk capacity for PVs. Default: 50Gi. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"

Allowed — the PV requests 25 GiB, within the 50 GiB limit:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

Disallowed — the PV requests 500 GiB, exceeding the limit:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"

ACKPVCConstraint

Restricts which namespaces can deploy persistent volume claims (PVCs) and sets the maximum PV disk capacity.

Severity: Medium

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | Maximum disk capacity for PVs. Default: 50Gi. |
| allowNamespaces | array | Namespaces in which PVCs can be deployed. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"

Allowed — PVC in an allowed namespace, within the size limit:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

Disallowed — the PVC exceeds the size limit, or is in a namespace that is not in allowNamespaces:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

ACKBlockVolumeTypes

Blocks Pods in specified namespaces from using specified volume types.

Severity: Medium

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| volumes | array | Volume types that pods may not use. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"

Allowed — the Pod uses an emptyDir volume (not blocked):

apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
  - name: emptydir-volume
    emptyDir: {}

Disallowed — the Pod uses a gitRepo volume (blocked):

apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
  - name: git-volume
    gitRepo:
      repository: "git@***:***/my-git-repository.git"
      revision: "22f1d8406d464b0c08***"

K8s-general

ACKAllowedRepos

Restricts Pods in specified namespaces to pulling images only from specified image repositories.

Severity: High

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| repos | array | Image repositories from which pods are allowed to pull images. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"

Allowed — the images are pulled from an allowed repository:

apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
    name: test-container-1
  initContainers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
    name: test-container

Disallowed — the image is pulled from a repository that is not in the allowlist:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockAutoinjectServiceEnv

Requires enableServiceLinks: false on Pods in specified namespaces, preventing Service IP addresses from being injected into Pod environment variables.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — enableServiceLinks: false is set:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
  - image: openpolicyagent/test-webserver:1.0
    name: test-container

Disallowed — enableServiceLinks is not set:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockAutomountToken

Requires automountServiceAccountToken: false on Pods in specified namespaces, preventing service account tokens from being mounted automatically.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — automountServiceAccountToken: false is set:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
  - image: openpolicyagent/test-webserver:v1.0
    name: test-container

Disallowed — automountServiceAccountToken is not set to false:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container

ACKBlockEphemeralContainer

Blocks Pods in specified namespaces from launching ephemeral containers.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — no ephemeral containers:

apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed — the Pod includes an ephemeral container:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - name: mycontainer
    image: redis
  ephemeralContainers:
    - name: test
      image: test

ACKBlockLoadBalancer

Blocks the deployment of LoadBalancer Services in specified namespaces.

Severity: High

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | Namespaces in which LoadBalancer Services cannot be deployed. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"

Allowed — a Service that is not of type LoadBalancer:

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed — a Service of type LoadBalancer:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

ACKBlockNodePort

Blocks the deployment of NodePort Services in specified namespaces.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"

Allowed — a Service that is not of type NodePort:

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed — a Service of type NodePort:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

ACKContainerLimits

Requires resource limits on all containers in Pods in specified namespaces; the limits must not exceed the maximum values set in the policy.

Severity: Low

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| cpu | string | Maximum CPU limit a container may set. |
| memory | string | Maximum memory limit a container may set. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"

Allowed — the container sets resource limits within the policy maximum:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/signed
    name: test-container
    resources:
      limits:
        memory: "512Mi"
        cpu: "500m"

Disallowed — the container limits exceed the policy maximum:

apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      limits:
        memory: "100Gi"
        cpu: "2000m"
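The size comparisons behind ACKPVSizeConstraint, ACKPVCConstraint and ACKContainerLimits all hinge on parsing Kubernetes quantities ("50Gi", "1000m") rather than comparing strings. The following is an added example, not ACK's or Gatekeeper's own code: the Rego templates are not on this page, so the comparison logic is an assumed reimplementation of the documented intent, useful for linting manifests before they reach the admission webhook; only the Kubernetes quantity syntax is standard, and the inputs are constructed from the manifests above.

```python
"""Quantity-aware size checks mirroring ACKPVSizeConstraint, ACKPVCConstraint and
ACKContainerLimits (added example, assumed reimplementation of the documented intent).

Only the Kubernetes quantity syntax (binary suffixes Ki..Ei, decimal suffixes k..E,
and the milli suffix m) is standard; manifests are plain dicts, the parsed form of
the YAML examples on this page, and the sample inputs below are constructed.
"""
from fractions import Fraction

# Multiplier of each quantity suffix relative to the base unit (bytes or cores).
_SUFFIXES = {
    "m": Fraction(1, 1000),
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
}


def parse_quantity(q):
    """Parse '50Gi', '1000m' or '1.5' into an exact Fraction of the base unit.

    Raises ValueError for anything malformed (empty, signed, non-numeric), so a bad
    size is rejected instead of being silently compared as zero.
    """
    s = str(q).strip()
    number, mult = s, 1
    for suffix in sorted(_SUFFIXES, key=len, reverse=True):  # try "Gi" before "G"
        if s.endswith(suffix):
            number, mult = s[: -len(suffix)], _SUFFIXES[suffix]
            break
    if not number or number[0] in "+-":
        raise ValueError(f"malformed quantity: {q!r}")
    return Fraction(number) * mult  # Fraction() itself rejects non-numeric text


def within_max(size, max_size):
    """True when size does not exceed max_size; both are Kubernetes quantity strings."""
    return parse_quantity(size) <= parse_quantity(max_size)


def check_pv(pv, max_size="50Gi"):
    """ACKPVSizeConstraint: spec.capacity.storage must not exceed maxSize (default 50Gi)."""
    storage = pv.get("spec", {}).get("capacity", {}).get("storage")
    if storage is None:
        return ["spec.capacity.storage is missing"]
    return [] if within_max(storage, max_size) else [f"capacity {storage} exceeds maxSize {max_size}"]


def check_pvc(pvc, max_size="50Gi", allow_namespaces=("test-gatekeeper",)):
    """ACKPVCConstraint: the PVC must sit in an allowed namespace and request at most maxSize."""
    violations = []
    ns = pvc.get("metadata", {}).get("namespace", "default")
    if ns not in allow_namespaces:
        violations.append(f"namespace {ns} is not in allowNamespaces")
    storage = pvc.get("spec", {}).get("resources", {}).get("requests", {}).get("storage")
    if storage is None:
        violations.append("spec.resources.requests.storage is missing")
    elif not within_max(storage, max_size):
        violations.append(f"request {storage} exceeds maxSize {max_size}")
    return violations


def check_container_limits(pod, cpu="1000m", memory="1Gi"):
    """ACKContainerLimits: each container sets cpu and memory limits, neither above the policy maximum."""
    violations = []
    for c in pod.get("spec", {}).get("containers", []):
        limits = c.get("resources", {}).get("limits", {})
        for resource, maximum in (("cpu", cpu), ("memory", memory)):
            if resource not in limits:
                violations.append(f"{c['name']}: no {resource} limit")
            elif not within_max(limits[resource], maximum):
                violations.append(f"{c['name']}: {resource} limit {limits[resource]} exceeds {maximum}")
    return violations


# Constructed inputs modelled on the Allowed/Disallowed manifests of this page.
GOOD_PVC = {"metadata": {"namespace": "test-gatekeeper"},
            "spec": {"resources": {"requests": {"storage": "20Gi"}}}}
BAD_NS_PVC = {"metadata": {"namespace": "test-gatekeeper-bad"},
              "spec": {"resources": {"requests": {"storage": "20Gi"}}}}
GOOD_POD = {"spec": {"containers": [{"name": "web", "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}}}]}}
BAD_POD = {"spec": {"containers": [{"name": "web", "resources": {"limits": {"cpu": "2000m", "memory": "100Gi"}}}]}}

if __name__ == "__main__":
    print("good pvc", check_pvc(GOOD_PVC) or "admitted")
    print("bad pvc", check_pvc(BAD_NS_PVC) or "admitted")
    print("bad pod", check_container_limits(BAD_POD) or "admitted")
```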

ACKExternalIPs

Restricts Services in specified namespaces to using only the external IP addresses listed in the policy.

Severity: High

Parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| allowedIPs | array | External IP addresses that Services are allowed to use. |

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"

Allowed — the Service has no external IP:

apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

Disallowed — the Service uses an external IP that is not in allowedIPs:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX

ACKImageDigests

Requires Pods in specified namespaces to use images with a digest in the specified format.

Severity: Low

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — the image reference includes a digest:

apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
    name: test-container

Disallowed — the image references lack a digest:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2
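Several of the Pod and RoleBinding policies above (ACKNoEnvVarSecrets, ACKRestrictRoleBindings, ACKAllowedRepos, ACKBlockAutomountToken and ACKImageDigests) are simple structural checks that can also be run on manifests in CI, before the admission webhook ever sees them. The following is an added example, not ACK's or Gatekeeper's own code: the Rego behind the real constraint templates is not on this page, so each check is an assumed reimplementation of the documented intent, with the constraint parameters copied from the example constraints above and the sample manifests constructed from them.

```python
"""Local pre-admission checks mirroring ACKNoEnvVarSecrets, ACKRestrictRoleBindings,
ACKAllowedRepos, ACKBlockAutomountToken and ACKImageDigests.

Added example, assumed reimplementation of the documented intent (the real Rego
templates are not on this page). Manifests are plain dicts, the parsed form of
the YAML examples; every input below is constructed from this page.
"""
import re

# Constraint parameters copied from the example constraints on this page.
ALLOWED_REPOS = [
    "registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
    "registry.cn-hangzhou.aliyuncs.com/acs/",
]
RESTRICTED_ROLE = {"kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [{"kind": "Group", "name": "system:masters"}]
# An image pinned by digest ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def all_containers(pod):
    """Yield every container of a Pod: init, regular and ephemeral containers alike."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])


def check_no_env_var_secrets(pod):
    """ACKNoEnvVarSecrets: no environment variable may be sourced from a Secret via secretKeyRef."""
    return [
        f"{c['name']}: env {e['name']} uses secretKeyRef"
        for c in all_containers(pod)
        for e in c.get("env", [])
        if "secretKeyRef" in e.get("valueFrom", {})
    ]


def check_allowed_repos(pod, repos=ALLOWED_REPOS):
    """ACKAllowedRepos: every image, init containers included, must start with an allowed prefix."""
    return [
        f"{c['name']}: image {c['image']} is not from an allowed repo"
        for c in all_containers(pod)
        if not any(c["image"].startswith(r) for r in repos)
    ]


def check_image_digests(pod):
    """ACKImageDigests: images must be pinned by a sha256 digest, not by a mutable tag."""
    return [
        f"{c['name']}: image {c['image']} has no sha256 digest"
        for c in all_containers(pod)
        if not DIGEST_RE.search(c["image"])
    ]


def check_automount_token(pod):
    """ACKBlockAutomountToken: automountServiceAccountToken must be explicitly false."""
    if pod.get("spec", {}).get("automountServiceAccountToken") is False:
        return []
    return ["spec.automountServiceAccountToken is not false"]


def check_restrict_role_bindings(binding, restricted=RESTRICTED_ROLE, allowed=ALLOWED_SUBJECTS):
    """ACKRestrictRoleBindings: the restricted role may only be bound to the allowed subjects.

    Subjects are matched by kind and name only (assumption: the allowed RoleBinding on
    this page omits the subject apiGroup).
    """
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != (restricted["kind"], restricted["name"]):
        return []  # a different role: the policy does not apply
    return [
        f"subject {s.get('kind')}/{s.get('name')} may not bind {ref['name']}"
        for s in binding.get("subjects", [])
        if not any(s.get("kind") == a["kind"] and s.get("name") == a["name"] for a in allowed)
    ]


def lint_pod(pod):
    """Run every Pod check; an empty list means the Pod would be admitted."""
    violations = []
    for check in (check_no_env_var_secrets, check_allowed_repos,
                  check_image_digests, check_automount_token):
        violations.extend(check(pod))
    return violations


# Constructed inputs modelled on the Allowed/Disallowed manifests of this page.
GOOD_POD = {"kind": "Pod", "spec": {
    "automountServiceAccountToken": False,
    "containers": [{"name": "web", "image": "registry.cn-hangzhou.aliyuncs.com/acs/"
                    "test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b"}],
}}
BAD_POD = {"kind": "Pod", "spec": {"containers": [{
    "name": "web", "image": "k8s.gcr.io/test-webserver",
    "env": [{"name": "SECRET_USERNAME",
             "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}}],
}]}}
BAD_BINDING = {"kind": "RoleBinding",
               "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}],
               "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
```

Running `lint_pod(BAD_POD)` reports all four violations at once, which is more useful in CI than the one-constraint-at-a-time denials a live webhook returns.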

ACKRequiredLabels

Requires Pods in specified namespaces to carry labels that match the policy.

Severity: Low

Parameters:

Parameter Type Description
allowedRegex string The required label value, expressed as a regular expression (set per key entry under labels).

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    labels:
      - key: test
        allowedRegex: "^test.*$"

Allowed — the Pod has a label whose value matches the required regex:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
  - name: mycontainer
    image: redis

Disallowed — the label value does not match the required regex:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
spec:
  containers:
  - name: mycontainer
    image: redis

ACKRequiredProbes

Requires Pods in specified namespaces to define readiness probes and liveness probes of the specified handler types.

Severity: Medium

Parameters:

Parameter Type Description
probes array The probes that are required. Valid values: readinessProbe, livenessProbe.
probeTypes array The probe handler types that are accepted. Valid values: tcpSocket, httpGet, exec.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]

Allowed — the container has both required probes:

apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox
    readinessProbe:
      exec:
        command:
          - cat
          - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5
    livenessProbe:
      exec:
        command:
          - cat
          - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5

Disallowed — the container has no probes:

apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox
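The same evaluation in Python, including the case the page does not show: a probe that exists but uses a handler outside probeTypes. This is an added example, not ACK's or Gatekeeper's own code; treating an unlisted handler such as grpc as a violation, and checking spec.containers only, are this example's assumptions.

```python
"""Added example, not ACK's or Gatekeeper's own code: evaluates the
ACKRequiredProbes parameters against a Pod. Every container must define
each probe listed in `probes`, and that probe's handler must be one of the
`probeTypes`. Treating a probe with an unlisted handler (for example grpc)
as a violation is this example's assumption about the rule."""
from typing import Optional

# Handler keys that can appear inside a probe object.
KNOWN_HANDLERS = ("tcpSocket", "httpGet", "exec", "grpc")


def probe_handler(probe: dict) -> Optional[str]:
    """Return the handler key a probe uses, or None if it declares none."""
    for handler in KNOWN_HANDLERS:
        if handler in probe:
            return handler
    return None


def check_required_probes(pod: dict, params: dict) -> list:
    """Return violations for spec.containers only; init containers run to
    completion and do not support readiness probes, so they are skipped."""
    required = params.get("probes", [])
    allowed_types = set(params.get("probeTypes", []))
    violations = []
    for container in pod.get("spec", {}).get("containers", []):
        cname = container.get("name", "?")
        for probe_name in required:
            probe = container.get(probe_name)
            if probe is None:
                violations.append(f"{cname}: missing {probe_name}")
                continue
            handler = probe_handler(probe)
            if handler not in allowed_types:
                violations.append(
                    f"{cname}: {probe_name} uses handler {handler!r}, "
                    f"expected one of {sorted(allowed_types)}")
    return violations


# Parameters from the page's must-have-probes constraint.
PARAMS = {"probes": ["readinessProbe", "livenessProbe"],
          "probeTypes": ["tcpSocket", "httpGet", "exec"]}

EXEC_PROBE = {"exec": {"command": ["cat", "/tmp/healthy"]},
              "initialDelaySeconds": 5, "periodSeconds": 5}

# Constructed Pods modelled on the page's p4 (allowed) and p1 (denied).
GOOD_POD = {"spec": {"containers": [{
    "name": "liveness", "image": "k8s.gcr.io/busybox",
    "readinessProbe": EXEC_PROBE, "livenessProbe": EXEC_PROBE}]}}
BAD_POD = {"spec": {"containers": [{
    "name": "liveness", "image": "k8s.gcr.io/busybox"}]}}
# Edge case: both probes exist, but one uses a handler outside probeTypes.
GRPC_POD = {"spec": {"containers": [{
    "name": "liveness", "image": "k8s.gcr.io/busybox",
    "readinessProbe": EXEC_PROBE,
    "livenessProbe": {"grpc": {"port": 9000}}}]}}

if __name__ == "__main__":
    for name, pod in (("p4", GOOD_POD), ("p1", BAD_POD), ("grpc", GRPC_POD)):
        print(name, check_required_probes(pod, PARAMS))
```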

ACKCheckNginxPath

Blocks high-risk values in spec.rules[].http.paths[].path of Ingress resources. Enable this policy for Ingress-nginx versions earlier than 1.2.1.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"

Allowed — the paths contain safe values:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

Disallowed — the path contains a high-risk value:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80

ACKCheckNginxAnnotation

Blocks high-risk values in metadata.annotations of Ingress resources. Enable this policy for Ingress-nginx versions earlier than 1.2.1.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"

Allowed — the annotation contains a safe value:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

Disallowed — the annotation contains a high-risk value:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80

ACKBlockInternetLoadBalancer

Blocks the creation of Internet-facing LoadBalancer Services.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]

Allowed — the LoadBalancer Service uses the intranet address type:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: non-test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

Disallowed — the LoadBalancer Service uses the internet address type:

apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376

RatifyVerification

Uses Ratify to verify image signatures or security metadata, such as a software bill of materials (SBOM), for Pods in specified namespaces. Install Ratify from the cluster Marketplace before enabling this policy.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]

Allowed — the image has a valid signature:

apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/signed   # Image with a valid signature
    name: test-container

Disallowed — the image has no valid signature:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned   # Image without a valid signature
    name: test-container

PSP

These policies are drop-in replacements for Kubernetes pod security policies (PSPs).

ACKPSPAllowPrivilegeEscalationContainer

Requires containers of Pods in specified namespaces to set allowPrivilegeEscalation.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — allowPrivilegeEscalation: false is set on all containers:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false

Disallowed — allowPrivilegeEscalation is not set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAllowedUsers

Requires Pods in specified namespaces to set user, group, supplementalGroups, and fsGroup values that comply with the policy.

Severity: Medium

Parameters:

Parameter Type Description
runAsUser object User configuration, following Kubernetes PSP semantics. See Pod Security Policies.
runAsGroup object Group configuration, following Kubernetes PSP semantics. See Pod Security Policies.
supplementalGroups object Supplemental groups configuration, following Kubernetes PSP semantics. See Pod Security Policies.
fsGroup object fsGroup configuration, following Kubernetes PSP semantics. See Pod Security Policies.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
        - min: 100
          max: 200

Allowed — all user/group settings fall within the allowed ranges:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
  - image: test
    name: test
    securityContext:
      runAsUser: 150
      runAsGroup: 150

Disallowed — no user/group settings are present:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
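The PSP rule semantics the table refers to, carried through in Python for all four parameters, including the resolution order the page's examples rely on (a container securityContext overrides the pod-level one) and a container that overrides an in-range pod value with 0. This is an added example, not ACK's or Gatekeeper's own code; the message texts and the handling of runAsNonRoot under MustRunAsNonRoot are this example's assumptions.

```python
"""Added example, not ACK's or Gatekeeper's own code: evaluates the
ACKPSPAllowedUsers parameters with PSP semantics. runAsUser/runAsGroup are
resolved per container (a container securityContext overrides the pod-level
one); fsGroup and supplementalGroups are pod-level. Supported rules are
MustRunAs, MustRunAsNonRoot, MayRunAs and RunAsAny."""
from typing import Optional


def in_ranges(value: int, ranges: list) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_id_rule(field: str, value: Optional[int], rule: dict,
                  where: str, non_root: bool = False) -> list:
    """Apply one rule to one resolved ID. value=None means "not set";
    non_root is the effective runAsNonRoot flag, which satisfies
    MustRunAsNonRoot even without an explicit UID (assumed semantics)."""
    kind = rule.get("rule", "RunAsAny")
    ranges = rule.get("ranges", [])
    if kind == "RunAsAny":
        return []
    if kind == "MustRunAsNonRoot":
        if value is None:
            return [] if non_root else [
                f"{where}: {field} must be set or runAsNonRoot: true"]
        return [] if value != 0 else [f"{where}: {field} must not be 0"]
    if kind == "MayRunAs":  # optional, but when set it must be in range
        if value is None or in_ranges(value, ranges):
            return []
        return [f"{where}: {field}={value} outside allowed ranges"]
    if kind == "MustRunAs":
        if value is None:
            return [f"{where}: {field} must be set"]
        if in_ranges(value, ranges):
            return []
        return [f"{where}: {field}={value} outside allowed ranges"]
    return [f"{where}: unknown rule {kind!r} for {field}"]


def check_allowed_users(pod: dict, params: dict) -> list:
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c_sc = c.get("securityContext", {})
        non_root = bool(c_sc.get("runAsNonRoot",
                                 pod_sc.get("runAsNonRoot", False)))
        for field in ("runAsUser", "runAsGroup"):
            if field in params:
                value = c_sc.get(field, pod_sc.get(field))  # container wins
                violations += check_id_rule(field, value, params[field],
                                            c.get("name", "?"), non_root)
    if "fsGroup" in params:
        violations += check_id_rule("fsGroup", pod_sc.get("fsGroup"),
                                    params["fsGroup"], "pod")
    if "supplementalGroups" in params:
        groups = pod_sc.get("supplementalGroups") or [None]  # [None] = unset
        for g in groups:
            violations += check_id_rule("supplementalGroups", g,
                                        params["supplementalGroups"], "pod")
    return violations


# Parameters from the page's psp-pods-allowed-user-ranges constraint.
RANGE = {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]}
PARAMS = {"runAsUser": RANGE, "runAsGroup": RANGE,
          "supplementalGroups": RANGE, "fsGroup": RANGE}

# Constructed Pods modelled on the page's good2 and bad examples.
GOOD_POD = {"spec": {
    "securityContext": {"fsGroup": 150, "supplementalGroups": [150]},
    "containers": [{"name": "test", "image": "test",
                    "securityContext": {"runAsUser": 150, "runAsGroup": 150}}]}}
BAD_POD = {"spec": {"containers": [{"name": "test", "image": "test"}]}}
# Edge case: pod-level values are all in range, but the container overrides
# runAsUser to 0, which is what the check must report.
OVERRIDE_POD = {"spec": {
    "securityContext": {"runAsUser": 150, "runAsGroup": 150,
                        "fsGroup": 150, "supplementalGroups": [150]},
    "containers": [{"name": "test", "image": "test",
                    "securityContext": {"runAsUser": 0}}]}}

if __name__ == "__main__":
    for name, pod in (("good2", GOOD_POD), ("bad", BAD_POD),
                      ("override", OVERRIDE_POD)):
        print(name, check_allowed_users(pod, PARAMS))
```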

ACKPSPAppArmor

Requires Pods in specified namespaces to set an AppArmor profile.

Severity: Low

Parameters:

Parameter Type Description
allowedProfiles array AppArmor profiles that pods are allowed to use.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default

Allowed — AppArmor annotations are present for all containers:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
  - image: test
    name: test
  initContainers:
  - image: test
    name: test2

Disallowed — no AppArmor annotation is present:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPCapabilities

Requires Pods in specified namespaces to configure Linux capabilities.

Severity: High

Parameters:

Parameter Type Description
allowedCapabilities array Linux capabilities that containers are allowed to add.
requiredDropCapabilities array Linux capabilities that containers must drop.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]

Allowed — only allowed capabilities are added, and the required capabilities are dropped:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      capabilities:
        add:
          - CHOWN
        drop:
          - "NET_ADMIN"
          - "SYS_ADMIN"
          - "NET_RAW"

Disallowed — no capabilities configuration is present:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPFlexVolumes

Restricts Pods in specified namespaces to the FlexVolume drivers listed in the policy.

Severity: Medium

Parameters:

Parameter Type Description
allowedFlexVolumes array FlexVolume drivers that pods are allowed to use.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes:
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"

Allowed — the FlexVolume driver is on the allowlist:

apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"

Disallowed — the FlexVolume driver is not on the allowlist:

apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"

ACKPSPForbiddenSysctls

Blocks Pods in specified namespaces from using specified sysctls.

Severity: High

Parameters:

Parameter Type Description
forbiddenSysctls array Sysctls that pods must not use. Use * to block all sysctls.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
      # - "*" # Use * to forbid all sysctls
      - "kernel.*"

Allowed — the sysctl is not on the blocklist:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'net.ipv4.tcp_syncookies'
        value: "65536"
  containers:
  - image: test
    name: test

Disallowed — the sysctl matches a blocklist pattern:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'kernel.shm_rmid_forced'
        value: '1024'
  containers:
  - image: test
    name: test
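Pattern matching for forbiddenSysctls in Python, covering the bare "*" and the trailing-wildcard form from the constraint above. This is an added example, not ACK's or Gatekeeper's own code; the wildcard semantics and the normalisation of the "/" separator that Kubernetes also accepts in sysctl names are this example's assumptions.

```python
"""Added example, not ACK's or Gatekeeper's own code: matches the sysctls a
Pod requests against forbiddenSysctls. A bare "*" forbids everything and a
trailing "*" is a prefix wildcard ("kernel.*"); anything else must match
exactly. Kubernetes also accepts "/" as the separator in sysctl names (for
example kernel/shm_rmid_forced), so names are normalised to dots before
matching. Both conventions are this example's reading of the rule."""
from typing import Optional


def normalise(name: str) -> str:
    """Canonicalise a sysctl name so the separator cannot defeat a pattern."""
    return name.strip().replace("/", ".")


def matching_pattern(name: str, patterns: list) -> Optional[str]:
    """Return the first forbidden pattern that covers `name`, else None."""
    name = normalise(name)
    for raw in patterns:
        pattern = normalise(raw)
        if pattern == "*":
            return raw
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return raw
        elif name == pattern:
            return raw
    return None


def check_forbidden_sysctls(pod: dict, params: dict) -> list:
    patterns = params.get("forbiddenSysctls", [])
    sysctls = pod.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    violations = []
    for entry in sysctls:
        name = entry.get("name", "")
        hit = matching_pattern(name, patterns)
        if hit is not None:
            violations.append(f"sysctl {name} is forbidden by pattern {hit!r}")
    return violations


# Parameters from the page's psp-forbidden-sysctls constraint.
PARAMS = {"forbiddenSysctls": ["kernel.*"]}

# Constructed Pods modelled on the page's good-2 and bad-1 examples.
GOOD_POD = {"spec": {"securityContext": {"sysctls": [
    {"name": "net.ipv4.tcp_syncookies", "value": "65536"}]},
    "containers": [{"name": "test", "image": "test"}]}}
BAD_POD = {"spec": {"securityContext": {"sysctls": [
    {"name": "kernel.shm_rmid_forced", "value": "1024"}]},
    "containers": [{"name": "test", "image": "test"}]}}
# Edge case: the same sysctl written with the slash separator.
SLASH_POD = {"spec": {"securityContext": {"sysctls": [
    {"name": "kernel/shm_rmid_forced", "value": "1024"}]},
    "containers": [{"name": "test", "image": "test"}]}}

if __name__ == "__main__":
    for name, pod in (("good-2", GOOD_POD), ("bad-1", BAD_POD),
                      ("slash", SLASH_POD)):
        print(name, check_forbidden_sysctls(pod, PARAMS))
```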

ACKPSPFSGroup

Requires Pods in specified namespaces to use an fsGroup setting that complies with the policy.

Severity: Medium

Parameters:

Parameter Type Description
rule string The fsGroup rule. Valid values: MustRunAs, MayRunAs, RunAsAny. See Volumes and file systems.
ranges object Valid fsGroup ID ranges. Set min for the lowest and max for the highest allowed value.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" # "MustRunAs" or "RunAsAny"
    ranges:
      - min: 1
        max: 1000

Allowed — fsGroup is within the allowed range:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test

Disallowed — fsGroup 0 is outside the allowed range:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
  - image: test
    name: test

ACKPSPHostFilesystem

Enforces conditions on hostPath volumes mounted into Pods in specified namespaces.

Severity: High

Parameters:

Parameter Type Description
allowedHostPaths object hostPath volumes that pods are allowed to mount.
readOnly boolean Whether the volume must be mounted read-only.
pathPrefix string The path prefix that the hostPath volume must match.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"

Allowed — the hostPath volume uses an allowed prefix and is mounted read-only:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true

Disallowed — the hostPath volume uses a path that does not match the allowed prefix:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
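The prefix and read-only conditions carried through in Python, tying each hostPath volume to the volumeMounts that use it and handling two inputs the page does not show: a path containing ".." and a path that shares only a string prefix ("/foobar" against "/foo"). This is an added example, not ACK's or Gatekeeper's own code; segment-wise prefix matching after normalisation is this example's choice.

```python
"""Added example, not ACK's or Gatekeeper's own code: checks every hostPath
volume in a Pod against allowedHostPaths. A volume passes when its path
falls under some pathPrefix, compared on whole path segments after
normalising ".." (so "/foo" covers "/foo/bar" but not "/foobar"), and, if
every matching entry sets readOnly, each volumeMount of that volume is
read-only. Segment-wise matching is this example's choice."""
import posixpath


def path_under_prefix(path: str, prefix: str) -> bool:
    """Segment-aware prefix test on normalised absolute paths."""
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def check_host_paths(pod: dict, params: dict) -> list:
    allowed = params.get("allowedHostPaths", [])
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    violations = []
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue  # only hostPath volumes are in scope
        vname, path = vol.get("name", "?"), host_path.get("path", "")
        entries = [a for a in allowed
                   if path_under_prefix(path, a.get("pathPrefix", ""))]
        if not entries:
            violations.append(
                f"volume {vname}: hostPath {path} matches no allowed pathPrefix")
            continue
        # Writable mounts are fine only if some matching entry permits them.
        writable_ok = any(not a.get("readOnly", False) for a in entries)
        for c in containers:
            for m in c.get("volumeMounts", []):
                if (m.get("name") == vname and not writable_ok
                        and not m.get("readOnly", False)):
                    violations.append(
                        f"{c.get('name', '?')}: mount of {vname} at "
                        f"{m.get('mountPath')} must be readOnly")
    return violations


# Parameters from the page's psp-host-filesystem constraint.
PARAMS = {"allowedHostPaths": [{"readOnly": True, "pathPrefix": "/foo"}]}


def pod_with_host_path(path: str, read_only: bool) -> dict:
    """Constructed single-container Pod mounting one hostPath volume."""
    return {"spec": {
        "containers": [{"name": "test", "image": "test", "volumeMounts": [
            {"name": "test-volume", "mountPath": "/mnt",
             "readOnly": read_only}]}],
        "volumes": [{"name": "test-volume", "hostPath": {"path": path}}]}}


if __name__ == "__main__":
    for label, pod in (("good", pod_with_host_path("/foo/bar", True)),
                       ("bad (page)", pod_with_host_path("/data", False)),
                       ("writable", pod_with_host_path("/foo/bar", False)),
                       ("dot-dot", pod_with_host_path("/foo/../etc", True)),
                       ("foobar", pod_with_host_path("/foobar", True))):
        print(label, check_host_paths(pod, PARAMS))
```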

ACKPSPHostNamespace

Blocks Pods in specified namespaces from sharing host namespaces.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — the Pod does not share host namespaces:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

Disallowed — the Pod shares the host PID namespace:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKPSPHostNetworkingPorts

Controls whether Pods in specified namespaces can use the host network and which host ports they may use.

Severity: High

Parameters:

Parameter Type Description
hostNetwork boolean Whether pods are allowed to use the host network.
min integer The lowest allowed host port number.
max integer The highest allowed host port number.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000

Allowed — the host ports are within the allowed range:

apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
      - hostPort: 80
        containerPort: 80
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
      ports:
        - hostPort: 8080
          containerPort: 8080

Disallowed — host port 22 is outside the allowed range:

apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
      - hostPort: 22
        containerPort: 22

ACKPSPPrivilegedContainer

Blocks Pods in specified namespaces from running privileged containers.

Severity: High

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — privileged mode is not set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

Disallowed — the container has privileged: true:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never

ACKPSPProcMount

Requires Pods in specified namespaces to use the proc mount type specified in the policy.

Severity: Low

Parameters:

Parameter Type Description
procMount string The required proc mount type. Default keeps the runtime's standard /proc masking; Unmasked removes it. See AllowedProcMountTypes.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    procMount: Default  # Default or Unmasked

Allowed — procMount: Default matches the policy:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"

Disallowed — procMount: Unmasked does not match the policy:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2

ACKPSPReadOnlyRootFilesystem

Requires Pods in specified namespaces to run with a read-only root file system.

Severity: Medium

Parameters: None

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"

Allowed — readOnlyRootFilesystem: true is set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true

Disallowed — readOnlyRootFilesystem: false:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2

ACKPSPSELinuxV2

Restricts Pods in specified namespaces to the SELinux options listed in the policy.

Severity: Low

Parameters:

Parameter Type Description
allowedSELinuxOptions object SELinux options that pods are allowed to use. See SELinuxOptions v1 core.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Allowed — the SELinux options match the allowlist:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test

Disallowed — the SELinux level is not on the allowlist:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"

ACKPSPSeccomp

Requires Pods in specified namespaces to use the specified seccomp profiles.

Severity: Low

Parameters:

Parameter Type Description
allowedProfileTypes array Seccomp profile types that are allowed.
allowedProfiles array Seccomp profile names that are allowed.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
      # - Unconfined
      - RuntimeDefault
      - Localhost
    allowedProfiles:
      - runtime/default
      - docker/default
      - localhost/profiles/audit.json

Allowed — the seccomp profile matches an allowed type and name:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json

Disallowed — no seccomp profile is set:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPVolumeTypes

Restricts Pods in specified namespaces to mounting only the specified volume types.

Severity: Medium

Parameters:

Parameter Type Description
volumes array Volume types that pods are allowed to use. Use * to allow all volume types.

Example

Constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    volumes:
      # - "*" # Use * to allow all volume types
      - configMap
      # - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      # - hostPath # Required for allowedHostPaths
      - flexVolume # Required for allowedFlexVolumes

Allowed — the Pod uses a FlexVolume (on the allowed list):

apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/oss"

Disallowed — the Pod uses a hostPath volume (not on the allowed list):

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data