ACK policy management provides a library of built-in rules that apply security constraints to pod creation and update requests. Each rule is a Gatekeeper constraint template that is applied as a constraints.gatekeeper.sh/v1beta1 resource. This page lists all available policies by category, including their severity, parameters, and example configurations.
Enforcement modes
Each constraint uses the enforcementAction field to control how violations are handled:
| Mode | Behavior | When to use |
|---|---|---|
| deny | Blocks the request. Non-compliant resources cannot be created or updated. | Use in production environments once you are confident the policy will not disrupt existing workloads. |
| warn | Allows the request but returns a warning message. | Use during rollout to audit compliance before switching to deny mode. |
To audit compliance before enforcing a policy, apply the constraint with enforcementAction: warn, then switch to deny once you have confirmed that there are no violations.
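The warn-to-deny rollout described above can be gated on the constraint's audit status. The helper below is an added example written for this page, not ACK or Gatekeeper code; it assumes the constraint object was fetched with kubectl -o json and parsed into a dict, and the sample status objects are constructed.

```python
"""Gate for promoting a constraint from warn to deny after a clean audit.
Hypothetical helper written for this page (not part of ACK): it reads a constraint
object as 'kubectl get <kind> <name> -o json' returns it and reports whether the
last Gatekeeper audit found anything the policy would start blocking."""
import json
from typing import Any, Dict, List, Tuple


def audit_violations(constraint: Dict[str, Any]) -> List[str]:
    """One line per resource the last audit flagged (from status.violations)."""
    status = constraint.get("status") or {}
    return [f"{v.get('kind')} {v.get('namespace', '')}/{v.get('name')}: {v.get('message', '')}"
            for v in (status.get("violations") or [])]


def ready_to_enforce(constraint: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """True only if the constraint is in warn mode, an audit has completed and it
    reported zero violations; otherwise the reasons not to flip to deny yet."""
    reasons: List[str] = []
    spec = constraint.get("spec") or {}
    status = constraint.get("status") or {}
    if spec.get("enforcementAction", "deny") == "deny":  # Gatekeeper's default is deny
        reasons.append("already in deny mode")
    if not status.get("auditTimestamp"):
        reasons.append("no audit has completed yet (status.auditTimestamp is empty)")
    total = int(status.get("totalViolations") or 0)
    if total > 0:
        # status.violations is truncated at Gatekeeper's --constraint-violations-limit
        # (20 by default), so totalViolations is the number to trust, not len(violations).
        reasons.append(f"audit reported {total} violation(s)")
        reasons.extend(audit_violations(constraint))
    return (not reasons, reasons)


def promotion_patch() -> str:
    """JSON merge patch for: kubectl patch <kind> <name> --type merge -p '<patch>'."""
    return json.dumps({"spec": {"enforcementAction": "deny"}})


# Constructed sample: a warn-mode ACKNoEnvVarSecrets constraint after one audit cycle
# (timestamp and message are made up for the example).
WARN_WITH_VIOLATION = {
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "ACKNoEnvVarSecrets",
    "metadata": {"name": "no-env-var-secrets"},
    "spec": {"enforcementAction": "warn",
             "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}],
                       "namespaces": ["test-gatekeeper"]}},
    "status": {
        "auditTimestamp": "2024-01-01T00:00:00Z",
        "totalViolations": 1,
        "violations": [{"enforcementAction": "warn", "kind": "Pod", "name": "bad",
                        "namespace": "test-gatekeeper",
                        "message": "env var USERNAME is sourced from a Secret"}],
    },
}
# Same constraint after the offending pod was fixed and the next audit ran clean.
WARN_CLEAN = dict(WARN_WITH_VIOLATION, status={
    "auditTimestamp": "2024-01-01T01:00:00Z", "totalViolations": 0, "violations": []})
```

Run it against each warn-mode constraint in turn and apply promotion_patch() only to those that return True; the audit interval means a freshly applied constraint has no status yet.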
Policy categories
| Category | Description |
|---|---|
| Compliance | Security rules based on compliance standards, such as Alibaba Cloud K8s Reinforcement. |
| Infra | Rules that protect the security of cloud infrastructure resources. |
| K8s-general | Rules that restrict and standardize the configuration of sensitive resources in a Kubernetes cluster. |
| PSP | Policies that replace Kubernetes Pod Security Policies (PSP). They provide security constraints equivalent to the native PSP features within ACK policy management. |
| FinOps | Policy rules for cost governance. |
Policy rule library
Compliance
| Policy | Description | Severity |
|---|---|---|
| ACKNoEnvVarSecrets | Restricts mounting Secrets as environment variables in application pods via secretKeyRef. | medium |
| ACKPodsRequireSecurityContext | Requires all containers in a pod to have the securityContext field configured. | low |
| ACKRestrictNamespaces | Restricts resource deployment to specific namespaces in the cluster. | low |
| ACKRestrictRoleBindings | Restricts role bindings in specific namespaces to roles or cluster roles from a specified set. | high |
| ACKNamespacesDeleteProtection | Prevents accidental deletion of specified namespaces. | medium |
| ACKServicesDeleteProtection | Prevents accidental deletion of Service instances in a namespace. | medium |
| ACKProtectBoundingPV | Prevents deletion of persistent volumes (PVs) that are in the Bound state. | high |
| ACKBlockNodeDelete | Prevents deletion of nodes that carry custom tags. | high |
| ACKResourceDeletionProtection | Prevents deletion of resources (including Service, Namespace, and Ingress) that carry custom tags. | high |
| ACKProtectCoreDNS | Prevents deletion of CoreDNS-related resources in the kube-system namespace. | high |
| ACKBlockCrdDeletion | Prevents deletion of CustomResourceDefinitions (CRDs) that still have associated custom resources (CRs). | medium |
Infra
| Policy | Description | Severity |
|---|---|---|
| ACKBlockProcessNamespaceSharing | Restricts the use of shareProcessNamespace in applications deployed within a specified scope of the cluster. | high |
| ACKEmptyDirHasSizeLimit | Requires emptyDir volumes to specify a sizeLimit. | low |
| ACKLocalStorageRequireSafeToEvict | Requires pods deployed within a specified scope to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". | low |
| ACKOSSStorageLocationConstraint | Restricts deployments in specified namespaces to Alibaba Cloud OSS persistent volumes (PVs) from specified regions only. | low |
| ACKPVSizeConstraint | Limits the maximum disk capacity that can be requested for PV instances created in the cluster. | medium |
| ACKPVCConstraint | Restricts persistent volume claim (PVC) deployment to a namespace allowlist and limits the maximum disk capacity that can be requested. | medium |
| ACKBlockVolumeTypes | Restricts the volume types that can be used. | medium |
| ASMSidecarInjectionEnforced | Requires pods to have the Alibaba Cloud Service Mesh (ASM) sidecar injected. | high |
K8s-general
| Policy | Description | Severity |
|---|---|---|
| ACKAllowedRepos | Requires application pods deployed within a specified scope to pull images only from allowed repositories. | high |
| ACKBlockAutoinjectServiceEnv | Restricts automatic injection of Service environment variables. | low |
| ACKBlockAutomountToken | Restricts automatic mounting of service account tokens. | high |
| ACKBlockEphemeralContainer | Restricts the use of ephemeral containers. | medium |
| ACKBlockLoadBalancer | Restricts creation of Services of type LoadBalancer. | high |
| ACKBlockNodePort | Restricts creation of Services of type NodePort. | high |
| ACKContainerLimits | Requires containers to specify resource limits. | low |
| ACKExternalIPs | Restricts the use of external IPs. | high |
| ACKImageDigests | Requires container images to be specified by image digest. | low |
| ACKRequiredLabels | Requires resources to carry specific labels. | low |
| ACKRequiredProbes | Requires containers to have liveness and readiness probes configured. | medium |
| ACKCheckNginxPath | Validates nginx ingress path configuration. | high |
| ACKCheckNginxAnnotation | Validates nginx ingress annotation configuration. | high |
| ACKBlockInternetLoadBalancer | Restricts creation of Internet-facing load balancers. | high |
| RatifyVerification | Requires container image verification with Ratify. | high |
PSP
| Policy | Description | Severity |
|---|---|---|
| ACKPSPAllowedUsers | Restricts the user and group IDs that containers can run as. | medium |
| ACKPSPAllowPrivilegeEscalationContainer | Restricts privilege escalation in containers. | medium |
| ACKPSPAppArmor | Restricts the AppArmor profiles that containers can use. | low |
| ACKPSPCapabilities | Restricts Linux capabilities for containers. | high |
| ACKPSPFlexVolumes | Restricts the use of FlexVolume drivers. | medium |
| ACKPSPForbiddenSysctls | Restricts the use of specific sysctls. | high |
| ACKPSPFSGroup | Restricts the supplemental groups that can be used. | medium |
| ACKPSPHostFilesystem | Restricts the use of host filesystem paths. | high |
| ACKPSPHostNamespace | Restricts sharing of host namespaces. | high |
| ACKPSPHostNetworkingPorts | Restricts the use of host networking and port ranges. | high |
| ACKPSPPrivilegedContainer | Restricts running privileged containers. | high |
| ACKPSPProcMount | Restricts the use of non-default proc mount types. | low |
| ACKPSPReadOnlyRootFilesystem | Requires containers to use a read-only root filesystem. | medium |
| ACKPSPSeccomp | Restricts seccomp profiles. | low |
| ACKPSPSELinuxV2 | Restricts SELinux labels. | low |
| ACKPSPVolumeTypes | Restricts the volume types that can be used. | medium |
FinOps
| Policy | Description | Severity |
|---|---|---|
| ACKContainerRequests | Requires containers to specify resource requests. | low |
| ACKContainerResourcesWhitelist | Restricts container resource configuration to a predefined allowlist. | low |
| ACKContainerResourcesRange | Restricts container resource requests and limits to a specified range. | low |
| ACKRequiredNodeSelector | Requires pods to use specific node selectors. | low |
| ACKWorkloadReplicasRange | Restricts the number of workload replicas to a specified range. | low |
| ACKRestrictALBCreation | Restricts creation of Application Load Balancers (ALBs). | low |
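The rules above are evaluated by the admission webhook, but the same checks can be run on manifests before they are submitted. The following script is an added example, not ACK's own Gatekeeper template logic: it approximates four of the listed rules (ACKNoEnvVarSecrets, ACKAllowedRepos, ACKBlockAutomountToken, ACKEmptyDirHasSizeLimit) as the page describes them, including the namespace scoping of a constraint's spec.match, and checks init and ephemeral containers as well as regular ones; the repository list and namespace are the ones used on this page, and the sample pods are constructed.

```python
"""Offline pre-admission check mirroring four of the rules listed above.
Hypothetical helper for this page: it approximates the rules as the page describes
them and is not ACK's own Gatekeeper (Rego) template logic. Manifests are plain
dicts, i.e. what yaml.safe_load would return."""
from typing import Any, Dict, List

Manifest = Dict[str, Any]


def _all_containers(pod: Manifest) -> List[Dict[str, Any]]:
    """Regular, init and ephemeral containers; the last two are easy to miss."""
    spec = pod.get("spec", {})
    return [c for key in ("containers", "initContainers", "ephemeralContainers")
            for c in (spec.get(key) or [])]


def no_env_var_secrets(pod: Manifest, _p: Dict[str, Any]) -> List[str]:
    """ACKNoEnvVarSecrets: no env var may be sourced from a Secret via secretKeyRef."""
    return [f"container {c['name']}: env {e['name']} uses secretKeyRef"
            for c in _all_containers(pod)
            for e in (c.get("env") or [])
            if "secretKeyRef" in (e.get("valueFrom") or {})]


def allowed_repos(pod: Manifest, p: Dict[str, Any]) -> List[str]:
    """ACKAllowedRepos: every image must start with one of parameters.repos."""
    repos = p.get("repos", [])
    return [f"container {c['name']}: image {c.get('image', '')!r} not from an allowed repo"
            for c in _all_containers(pod)
            if not any(c.get("image", "").startswith(r) for r in repos)]


def block_automount_token(pod: Manifest, _p: Dict[str, Any]) -> List[str]:
    """ACKBlockAutomountToken: spec.automountServiceAccountToken must be false."""
    if pod.get("spec", {}).get("automountServiceAccountToken") is not False:
        return ["automountServiceAccountToken is not set to false"]
    return []


def emptydir_has_size_limit(pod: Manifest, _p: Dict[str, Any]) -> List[str]:
    """ACKEmptyDirHasSizeLimit: every emptyDir volume must declare sizeLimit."""
    return [f"volume {v['name']}: emptyDir without sizeLimit"
            for v in (pod.get("spec", {}).get("volumes") or [])
            if "emptyDir" in v and not (v["emptyDir"] or {}).get("sizeLimit")]


RULES = {
    "ACKNoEnvVarSecrets": no_env_var_secrets,
    "ACKAllowedRepos": allowed_repos,
    "ACKBlockAutomountToken": block_automount_token,
    "ACKEmptyDirHasSizeLimit": emptydir_has_size_limit,
}


def evaluate(pod: Manifest, constraints: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Kind -> findings for every constraint whose namespace scope covers the pod.
    A constraint is {'kind', 'namespaces', 'parameters'}, mirroring the
    spec.match.namespaces and spec.parameters fields of the real objects."""
    ns = pod.get("metadata", {}).get("namespace", "default")
    result: Dict[str, List[str]] = {}
    for con in constraints:
        if con.get("namespaces") and ns not in con["namespaces"]:
            continue  # out of scope, as spec.match.namespaces would skip it
        findings = RULES[con["kind"]](pod, con.get("parameters", {}))
        if findings:
            result[con["kind"]] = findings
    return result


# Constructed inputs: constraints scoped to test-gatekeeper as on this page, and
# two pods modelled on the page's allowed and forbidden examples.
CONSTRAINTS = [
    {"kind": "ACKNoEnvVarSecrets", "namespaces": ["test-gatekeeper"]},
    {"kind": "ACKAllowedRepos", "namespaces": ["test-gatekeeper"], "parameters": {
        "repos": ["registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
                  "registry.cn-hangzhou.aliyuncs.com/acs/"]}},
    {"kind": "ACKBlockAutomountToken", "namespaces": ["test-gatekeeper"]},
    {"kind": "ACKEmptyDirHasSizeLimit", "namespaces": ["test-gatekeeper"]},
]
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
    "spec": {
        "containers": [{"name": "test-container", "image": "k8s.gcr.io/test-webserver",
                        "env": [{"name": "USERNAME", "valueFrom": {
                            "secretKeyRef": {"name": "mysecret", "key": "username"}}}]}],
        "volumes": [{"name": "cache-volume", "emptyDir": {}}],
    },
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-01", "namespace": "test-gatekeeper"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "test-container-1",
                        "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver"}],
        "volumes": [{"name": "cache-volume", "emptyDir": {"sizeLimit": "10Mi"}}],
    },
}
```

A non-empty result from evaluate() is what the webhook would report for the same pod; the check is a fast pre-filter, not a replacement for the constraints in the cluster.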
Compliance
ACKNoEnvVarSecrets
Restricts mounting Secrets as environment variables in application pods via secretKeyRef.
Severity: medium
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      env:
        # Secret value injected through secretKeyRef, which this policy forbids
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKPodsRequireSecurityContext
Requires all containers in a pod to have the securityContext field configured.
Severity: low
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKRestrictNamespaces
Restricts resource deployment to specific namespaces in the cluster.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| restrictedNamespaces | array | Namespaces in which resource deployment is forbidden. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
```
ACKRestrictRoleBindings
Restricts RoleBindings in specific namespaces to a specified set of Roles or ClusterRoles.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| restrictedRole | object | The ClusterRole or Role that is restricted. |
| allowedSubjects | array | The subjects that may be bound to it. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
```
Allowed:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
Forbidden:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
ACKNamespacesDeleteProtection
Prevents accidental deletion of specified namespaces. Use the protectionNamespaces parameter to configure the protected namespaces.
Severity: medium
Prerequisite: Gatekeeper component v3.10.0.130-g0e79597d-aliyun or later. For version information, see Gatekeeper.
Parameters:
| Parameter | Type | Description |
|---|---|---|
| protectionNamespaces | array | Names of the protected namespaces. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper
```
Allowed:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete
```
Forbidden:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper
```
ACKServicesDeleteProtection
Prevents accidental deletion of Service instances in a specified namespace. Use the protectionServices parameter to configure the protected Service instances.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| protectionServices | array | Names of the protected Service instances in the specified namespace. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper
```
Forbidden:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: test-svc
```
ACKProtectBoundingPV
Prevents deletion of persistent volumes (PVs) that are bound to a persistent volume claim (PVC) in the cluster.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectBoundingPV
metadata:
  name: protect-pv-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - PersistentVolume
```
Allowed:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
  hostPath:
    path: /tmp/data
    type: DirectoryOrCreate
status:
  phase: Released
```
Forbidden:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
  hostPath:
    path: /tmp/data
    type: DirectoryOrCreate
status:
  phase: Bound
```
ACKBlockNodeDelete
Prevents deletion of nodes that carry custom tags in the cluster. A node is protected if it matches any one of the specified key-value pairs. Multiple pairs can be defined.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| protectedLabels | array | Custom tags that identify protected nodes. |
| protectedLabels.labelName | string | Tag key. |
| protectedLabels.labelValue | string | Tag value. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodeDelete
metadata:
  name: block-node-delete
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Node"]
  parameters:
    protectedLabels:
      - labelName: policy.alibabacloud.vpc.com/node-delete-protection
        labelValue: "true"
      - labelName: policy.alibabacloud.com/node-delete-protection
        labelValue: "true"
```
Allowed:
```yaml
apiVersion: v1
kind: Node
metadata:
  name: cn-hangzhou-1
```
Forbidden:
```yaml
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-1
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-2
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.com/node-delete-protection: "true"
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-3
```
ACKResourceDeletionProtection
Prevents deletion of resources that carry custom tags in the cluster. Supported resource types: Service, Namespace, Ingress, Deployment, StatefulSet, DaemonSet, Job, and CronJob. A resource is protected if it matches any one of the specified key-value pairs. Multiple pairs can be defined.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| labels | array | Custom tags that identify protected resources. |
| labels.labelName | string | Tag key. |
| labels.labelValue | string | Tag value. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKResourceDeletionProtection
metadata:
  name: resource-deletion-protection
  annotations:
    description: "Protect resources from being accidentally deleted."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Service
          - Namespace
      - apiGroups:
          - extensions
          - networking.k8s.io
        kinds:
          - Ingress
      - apiGroups:
          - apps
        kinds:
          - Deployment
          - StatefulSet
          - DaemonSet
      - apiGroups:
          - batch
        kinds:
          - Job
          - CronJob
  parameters:
    labels:
      - labelName: policy.alibabacloud.com/delete-protection
        labelValue: "true"
```
Allowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
```
Forbidden:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
  labels:
    policy.alibabacloud.com/delete-protection: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
```
ACKProtectCoreDNS
Prevents deletion of CoreDNS-related resources in the kube-system namespace, including the Deployment, Service, and related ConfigMap.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| min_replicas | int | Minimum number of replicas required for the CoreDNS Deployment. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectCoreDNS
metadata:
  name: coredns-protect-rule
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "Service", "Scale", "ConfigMap"]
    scope: "Namespaced"
    namespaces: ["kube-system"]
  parameters:
    min_replicas: 2
```
Allowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
```
Forbidden:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
---
apiVersion: v1
data:
  Corefile: ""
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: KubeDNS
  name: kube-dns
  namespace: kube-system
```
ACKBlockCrdDeletion
Prevents deletion of CustomResourceDefinitions (CRDs) that still have associated custom resources (CRs).
Severity: medium
Parameters: None
Prerequisite: Before applying this policy, install and configure ack-policy-external-provider.
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockCrdDeletion
metadata:
  name: block-crd-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - '*'
        kinds:
          - CustomResourceDefinition
```
Infra
ACKBlockProcessNamespaceSharing
Restricts the use of shareProcessNamespace in applications deployed within a specified scope of the cluster.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
ACKEmptyDirHasSizeLimit
Requires emptyDir volumes to specify a sizeLimit.
Severity: low
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKLocalStorageRequireSafeToEvict
Requires pods deployed within a specified scope to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". During autoscaling, the cluster autoscaler does not evict pods that lack this annotation.
Severity: low
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        path: /data
        type: Directory
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKOSSStorageLocationConstraint
Restricts deployments in specified namespaces to Alibaba Cloud Object Storage Service (OSS) persistent volumes (PVs) from specified regions only.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| mode | string | Whether to use an allowlist. The default value allowlist enables allowlist mode; any other value enables blocklist mode. |
| regions | array | Allowed Alibaba Cloud region IDs. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: nginx:latest
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        nodePublishSecretRef:
          name: oss-secret
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
ACKPVSizeConstraint
Limits the maximum disk capacity that can be requested for PV instances created in the cluster.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| maxSize | string | Maximum disk capacity for PV instances. Default: 50 GiB. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"
```
Allowed:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
```
Forbidden:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
```
ACKPVCConstraint
Restricts persistent volume claim (PVC) deployment to a namespace allowlist and limits the maximum disk capacity that can be requested.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| maxSize | string | Maximum disk capacity for PVC instances. Default: 50 GiB. |
| allowNamespaces | array | Namespaces in which PVC instances may be deployed. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```
Forbidden:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```
ACKBlockVolumeTypes
Denies specified volume mount types for pods deployed within a specified scope of the cluster.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| volumes | array | Forbidden volume mount types. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"
```
ASMSidecarInjectionEnforced
Requires pods to have the Alibaba Cloud Service Mesh (ASM) sidecar injected.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ASMSidecarInjectionEnforced
metadata:
  name: asm-sidecar-injectionen-forced
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
    - name: istio-proxy
      image: xxx/proxyv2:xxx
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
```
K8s-general
ACKAllowedRepos
Requires application pods deployed within a specified scope to pull images only from allowed repositories.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| repos | array | Allowed image repositories. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
```
ACKBlockAutoinjectServiceEnv
Requires applications to set enableServiceLinks: false so that Service IP addresses are not exposed as pod environment variables.
Severity: low
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockAutomountToken
Requires applications to set automountServiceAccountToken: false to prevent automatic mounting of the ServiceAccount token.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
```
ACKBlockEphemeralContainer
Prevents ephemeral containers from being started in application pods within a specified scope.
Severity: medium
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
  namespace: test-gatekeeper
spec:
  containers:
    - name: hello-pod
      image: redis
```
Forbidden:
Run an ephemeral container in an existing pod:
```shell
kubectl debug -it hello-pod -n test-gatekeeper --image=test --target=hello-pod
```
Expected output:
```text
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [block-ephemeral-container-w5c6n] Creating ephemeral containers is disallowed, pod: hello-pod
```
ACKBlockLoadBalancer
Prevents Services of type LoadBalancer from being deployed in the specified scope of the cluster. Each such Service provisions a cloud load balancer, which incurs cost and, unless its address type is restricted, exposes the workload outside the VPC.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| restrictedNamespaces | array | Namespaces in which Services of type LoadBalancer are denied. |
The example constraint below does not set this parameter; it scopes the rule with match.namespaces instead.
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKBlockNodePort
Prevents Services of type NodePort in the specified scope of the cluster. A NodePort binds the same port on every node, so the exposure is cluster-wide rather than confined to one namespace.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKContainerLimits
Requires every container in application pods within the specified scope to declare resource limits, and caps the values that may be declared. A container without limits can consume all of a node's CPU and memory and starve or evict its neighbours.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| cpu | string | Maximum CPU limit a container may declare. |
| memory | string | Maximum memory limit a container may declare. |
Limits must be present and must not exceed these values: the disallowed example below declares cpu 2000m and memory 100Gi against maxima of 1000m and 1Gi.
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Gi"
          cpu: "2000m"
```
ACKExternalIPs
Requires Services in the specified scope to use only externalIPs from an allow list. A Service with externalIPs receives any traffic for those addresses that arrives at a node, so an unreviewed value lets one tenant intercept traffic intended for another address; most workloads need no externalIPs at all.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedIPs | array | externalIPs that are allowed. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
```
Allowed (no externalIPs at all):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed (an address that is not on the allow list; the value is masked as on the original page):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX
```
ACKImageDigests
Requires container images deployed in the specified scope to be referenced by digest. A tag can be moved to a different image after review, whereas an image pulled by digest (name@sha256:...) is content-addressed and the digest is verified on pull, so what runs is exactly what was reviewed. A tag-only reference such as the one in the disallowed example is rejected regardless of the registry's tag settings.
Severity: low
Parameters: None
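Before the constraint and its allowed and disallowed manifests, the following is an added example (not ACK's template and not code from this page) of the same check run offline, for instance in CI before a manifest reaches the cluster. It parses image references the way the runtime does, so a registry port is not mistaken for a tag, it inspects init and ephemeral containers as well as app containers, and it requires a 64-hex-digit sha256 digest by default. The pod manifests and the digest value are constructed for the example, and registry.example.com is a placeholder host.

```python
"""Image-reference parser and digest check mirroring ACKImageDigests, applied to
every container list of a pod. Added example, not ACK's Rego; the manifests and
the digest below are constructed."""
import re
from typing import Dict, List, NamedTuple, Optional


class ImageRef(NamedTuple):
    repository: str
    tag: Optional[str]
    digest: Optional[str]


# A digest is "<algorithm>:<encoded>". The strict form pins to a 64-hex-digit sha256,
# which is what registries and container runtimes verify on pull.
DIGEST_ANY = re.compile(r"^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[A-Za-z0-9=_-]+$")
DIGEST_SHA256 = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref: str) -> ImageRef:
    """Split repository[:tag][@digest]. The tag separator is the last ':' after the
    last '/', so a registry port (registry.example:5000/app) is not read as a tag."""
    name, _, digest = ref.partition("@")
    last_slash = name.rfind("/")
    last_colon = name.rfind(":")
    if last_colon > last_slash:
        return ImageRef(name[:last_colon], name[last_colon + 1:], digest or None)
    return ImageRef(name, None, digest or None)


def is_pinned(ref: str, require_sha256: bool = True) -> bool:
    """True when the reference carries a well-formed digest."""
    digest = parse_image(ref).digest
    if digest is None:
        return False
    pattern = DIGEST_SHA256 if require_sha256 else DIGEST_ANY
    return pattern.match(digest) is not None


def unpinned_images(pod: Dict) -> List[str]:
    """Images in containers, initContainers and ephemeralContainers that lack a
    valid digest. A check that skips init containers can be bypassed through them."""
    spec = pod.get("spec", {})
    bad: List[str] = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(field, []):
            if not is_pinned(c["image"]):
                bad.append(f"{field}/{c['name']}: {c['image']}")
    return bad


# Constructed digest for the sample; a real one comes from the registry
# (for example `crane digest <image>`).
SAMPLE_DIGEST = "sha256:" + "ab" * 32

PINNED_POD = {"spec": {"containers": [
    {"name": "web", "image": f"registry.example.com/team/nginx:1.14.1@{SAMPLE_DIGEST}"}]}}

UNPINNED_POD = {"spec": {
    "containers": [{"name": "test-container", "image": "k8s.gcr.io/test-webserver"}],
    "initContainers": [{"name": "test-container2", "image": "registry.example:5000/tool:1.0"}]}}


if __name__ == "__main__":
    for label, pod in (("pinned", PINNED_POD), ("unpinned", UNPINNED_POD)):
        print(label, unpinned_images(pod) or "OK")
```

Keeping the tag next to the digest (nginx:1.14.1@sha256:...) is valid and keeps manifests readable; the runtime resolves by the digest and ignores the tag.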
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed (the digest is shown as a placeholder; substitute the value the registry reports for the reviewed image):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx@sha256:<digest-of-the-reviewed-image>
      name: test-container
      resources:
        requests:
          cpu: 10m
          memory: 512Mi
        limits:
          cpu: "1"
          memory: 1Gi
```
Disallowed (tag-only references in both an app container and an init container):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
```
ACKRequiredLabels
Verifies that pods carry specific labels and that each label value matches a required format. Each value is validated with a regular expression, and the optional field controls whether the label itself is mandatory.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| labels | array | List of label rules; each entry has the fields below. |
| labels[].key | string | Label key to validate. |
| labels[].allowedRegex | string | Regular expression the label value must match. Anchor it with ^ and $, as in the example; an unanchored pattern matches any value that merely contains it. |
| labels[].optional | bool | Whether the label may be absent. true: the value is validated only if the label is present. false: the label must be present and must match. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    labels:
      - key: test
        allowedRegex: "^test.*$"
      - key: env
        allowedRegex: "^(dev|prod)$"
        optional: true
```
Allowed (test matches, and the optional env label is absent):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed (test does not match, and env is present but invalid; optional only waives presence, not the pattern):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
    'env': 'invalid'
spec:
  containers:
    - name: mycontainer
      image: redis
```
ACKRequiredProbes
Requires pods deployed in the specified scope to configure a readinessProbe and a livenessProbe. A container without probes keeps receiving traffic after its process has hung and is never restarted.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| probes | array | Probes that must be configured. Example: readinessProbe, livenessProbe. |
| probeTypes | array | Probe mechanisms that satisfy the requirement. Example: tcpSocket, httpGet, exec. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
```
Disallowed (no probes at all):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
```
ACKCheckNginxPath
Blocks dangerous values in the spec.rules[].http.paths[].path field of Ingress objects. In ingress-nginx versions earlier than 1.2.1, a user who can create or update Ingress objects could use a crafted path value to obtain the credentials of the ingress-nginx controller; the disallowed example below points the path at /var/run/secrets, where the controller's ServiceAccount token lives. Enable this policy for ingress-nginx versions earlier than 1.2.1 and treat it as a mitigation; upgrading the controller is the durable fix.
Severity: high
Parameters: None
Constraint (both the legacy extensions group and networking.k8s.io are matched):
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
```
ACKCheckNginxAnnotation
Blocks dangerous values in the metadata.annotations field of Ingress objects. In ingress-nginx versions earlier than 1.2.1, annotation values are rendered into the controller's nginx configuration, and a crafted value could be used to obtain the controller's credentials. Enable this policy for ingress-nginx versions earlier than 1.2.1; as with ACKCheckNginxPath, upgrading the controller is the durable fix.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
ACKBlockInternetLoadBalancer
Prevents the creation of internet-facing LoadBalancer Services. On ACK the address type of the load balancer is selected with the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type; the value intranet keeps the load balancer reachable only inside the VPC, while internet gives it a public address.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
  name: block-internet-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces: ["test-gatekeeper"]
```
Allowed (address type intranet):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
```
Disallowed (address type internet):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: bad-service-2
  namespace: test-gatekeeper
  annotations:
    'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
RatifyVerification
After installing the Ratify component from the marketplace, use this policy to verify security metadata attached to the images of pods deployed in the specified scope, such as signatures or a software bill of materials (SBOM). Gatekeeper queries Ratify as an external data provider, so the verdict depends on the verifiers and trust roots configured in Ratify, not on the constraint alone.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
```
Allowed (in the default namespace that the constraint matches):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: default
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # an image with a valid signature
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: default
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # rejected because Ratify signature verification fails
      name: test-container
```
PSP
ACKPSPAllowedUsers
Restricts the user, group, supplementalGroups and fsGroup that pods in the specified scope may run as.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| runAsUser | object | User configuration: a rule type and UID ranges (min/max). See Users and groups. |
| runAsGroup | object | Group configuration: a rule type and GID ranges (min/max). See Users and groups. |
| supplementalGroups | object | supplementalGroups configuration: a rule type and GID ranges (min/max). See Users and groups. |
| fsGroup | object | fsGroup configuration: a rule type and GID ranges (min/max). See Users and groups. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # other values: MustRunAsNonRoot, RunAsAny
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # other values: MayRunAs, RunAsAny
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # other values: MayRunAs, RunAsAny
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # other values: MayRunAs, RunAsAny
      ranges:
        - min: 100
          max: 200
```
Allowed (every value is declared and within 100 to 200):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
      - 150
  containers:
    - image: test
      name: test
      securityContext:
        runAsUser: 150
        runAsGroup: 150
```
Disallowed (nothing is declared; MustRunAs requires the values in the pod spec, so an image whose Dockerfile USER happens to be in range does not satisfy it):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPAllowPrivilegeEscalationContainer
Restricts the allowPrivilegeEscalation setting of pods deployed in the specified scope. Every container, init containers included, must set securityContext.allowPrivilegeEscalation: false; the field defaults to true when omitted, and true is what lets a setuid binary or a file capability gain privileges the container did not start with.
Severity: medium
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        allowPrivilegeEscalation: false
  initContainers:
    - image: test
      name: test2
      securityContext:
        allowPrivilegeEscalation: false
```
Disallowed (the field is omitted):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPAppArmor
Restricts the AppArmor profiles that pods deployed in the specified scope may use. The examples on this page select the profile per container with the container.apparmor.security.beta.kubernetes.io/<container-name> annotation, and every container, init containers included, must name an allowed profile.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedProfiles | array | AppArmor profiles that are allowed. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfiles:
      - runtime/default
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
    - image: test
      name: test
  initContainers:
    - image: test
      name: test2
```
Disallowed (no profile annotation):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPCapabilities
Restricts the Linux capabilities of pods deployed in the specified scope: only the listed capabilities may be added, and the listed capabilities must be dropped explicitly in every container.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedCapabilities | array | Linux capabilities that may be added. |
| requiredDropCapabilities | array | Capabilities that must be dropped. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        capabilities:
          add:
            - CHOWN
          drop:
            - "NET_ADMIN"
            - "SYS_ADMIN"
            - "NET_RAW"
```
Disallowed (nothing is dropped, so the required drops are missing):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPFlexVolumes
Restricts the FlexVolume drivers that pods deployed in the specified scope may use.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedFlexVolumes | array | FlexVolume drivers that are allowed; each entry has a driver field. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod", "PersistentVolume"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedFlexVolumes:
      - driver: "alicloud/disk"
      - driver: "alicloud/nas"
      - driver: "alicloud/oss"
      - driver: "alicloud/cpfs"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/nas"
```
Disallowed (a driver that is not on the list):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/ossxx"
```
ACKPSPForbiddenSysctls
Restricts the sysctls that pods in the specified scope may set.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| forbiddenSysctls | array | Sysctls that pods may not set. Patterns are globs: kernel.* forbids every kernel sysctl, and * forbids all sysctls. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
      # - "*" # * may be used to forbid all sysctls
      - "kernel.*"
```
Allowed (a net.* sysctl is not matched by kernel.*):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'net.ipv4.tcp_syncookies'
        value: "65536"
  containers:
    - image: test
      name: test
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
      - name: 'kernel.shm_rmid_forced'
        value: '1024'
  containers:
    - image: test
      name: test
```
ACKPSPFSGroup
Restricts the fsGroup setting of pods deployed in the specified scope.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| rule | string | fsGroup rule type. Supported values: MustRunAs, MayRunAs, RunAsAny. See Volumes and file systems. |
| ranges | array | Entries of min (lowest allowed fsGroup ID) and max (highest allowed fsGroup ID). |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" # other values: "MustRunAs", "RunAsAny"
    ranges:
      - min: 1
        max: 1000
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
    - image: test
      name: test
```
Disallowed (fsGroup 0 is outside the range 1 to 1000):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
```
ACKPSPHostFilesystem
Restricts which host directories pods in the specified scope may mount through hostPath volumes, and whether those mounts may be writable. A writable hostPath onto a sensitive host directory is a direct route from a container to control of the node.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedHostPaths | array | Allow list of host paths; each entry has the two fields below. |
| allowedHostPaths[].pathPrefix | string | Host path prefix that may be mounted. |
| allowedHostPaths[].readOnly | boolean | Whether mounts under this prefix must be read-only. |
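Before the constraint and its examples, the following is an added example (not ACK's Rego and not code from this page) of the host-path check run offline, with the two details that decide whether such a check is bypassable: the prefix test is path-segment aware, so /foo does not cover /foobar, and paths are normalized first, so /foo/../etc is judged as /etc; and where every matching allow-list entry is readOnly, each volumeMount of that volume must be read-only too. It uses the allowedHostPaths from the constraint above, and the pods are constructed dicts.

```python
"""Host-path check mirroring ACKPSPHostFilesystem: every hostPath volume must sit
under an allowed prefix, and where that prefix is marked readOnly every mount of
the volume must be read-only. Added example, not ACK's Rego; pods are constructed."""
import posixpath
from typing import Dict, List

# Parameters as in the constraint on this page.
ALLOWED_HOST_PATHS = [{"pathPrefix": "/foo", "readOnly": True}]


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so '/foo/../etc' is judged as '/etc'."""
    return "/" + posixpath.normpath("/" + path).lstrip("/")


def under_prefix(path: str, prefix: str) -> bool:
    """Segment-aware prefix test: '/foo' covers '/foo' and '/foo/bar' but not '/foobar'."""
    path, prefix = normalize(path), normalize(prefix)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def check_host_paths(pod: Dict, allowed=ALLOWED_HOST_PATHS) -> List[str]:
    """Return one message per violation; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    out: List[str] = []
    host_volumes = {v["name"]: v["hostPath"]["path"]
                    for v in spec.get("volumes", []) if "hostPath" in v}
    for vol_name, host_path in host_volumes.items():
        matches = [a for a in allowed if under_prefix(host_path, a["pathPrefix"])]
        if not matches:
            out.append(f"volume {vol_name}: hostPath {host_path} is outside every allowed prefix")
            continue
        if not all(a.get("readOnly", False) for a in matches):
            continue  # some matching entry permits writes
        # Every mount of a read-only prefix must itself be read-only, in every container list.
        for field in ("containers", "initContainers", "ephemeralContainers"):
            for c in spec.get(field, []):
                for m in c.get("volumeMounts", []):
                    if m["name"] == vol_name and not m.get("readOnly", False):
                        out.append(f"{field}/{c['name']}: mount of {vol_name} ({host_path}) must be readOnly")
    return out


# Constructed sample pods.
GOOD_POD = {"spec": {
    "containers": [{"name": "test", "image": "test",
                    "volumeMounts": [{"name": "logs", "mountPath": "/mnt/logs", "readOnly": True}]}],
    "volumes": [{"name": "logs", "hostPath": {"path": "/foo/logs"}}]}}

BAD_POD = {"spec": {
    "containers": [{"name": "test", "image": "test",
                    "volumeMounts": [{"name": "conf", "mountPath": "/mnt/conf"}]}],  # writable
    "volumes": [
        {"name": "data", "hostPath": {"path": "/data", "type": "File"}},  # the page's disallowed path
        {"name": "lookalike", "hostPath": {"path": "/foobar"}},           # a plain string prefix would pass this
        {"name": "traversal", "hostPath": {"path": "/foo/../etc"}},       # normalizes to /etc
        {"name": "conf", "hostPath": {"path": "/foo/conf"}},              # allowed path, but mounted writable
    ]}}


if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, check_host_paths(pod) or "OK")
```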
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"
```
Allowed (the pod mounts no hostPath volume at all; readOnlyRootFilesystem is unrelated to this check):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: true
```
Disallowed (/data is outside the allowed prefix /foo):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
  volumes:
    - name: test-volume
      hostPath:
        path: /data
        type: File
```
ACKPSPHostNamespace
Restricts whether pods in the specified scope may share host namespaces. With hostPID: true, as in the disallowed example, a container sees every process on the node, including their command lines under /proc.
Severity: high
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
ACKPSPHostNetworkingPorts
Restricts host networking and the host port range for pods in the specified scope. In the example constraint, hostNetwork: true permits host networking and only hostPort values from 80 to 9000 are accepted; the disallowed example binds host port 22.
Severity: high
Parameters:
| Parameter | Type | Description |
|---|---|---|
| hostNetwork | boolean | Whether pods may share the host network. |
| min | int | Lowest hostPort value that is allowed. |
| max | int | Highest hostPort value that is allowed. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      ports:
        - hostPort: 80
          containerPort: 80
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
      ports:
        - hostPort: 8080
          containerPort: 8080
```
Disallowed (host port 22 is below the allowed minimum of 80):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      ports:
        - hostPort: 22
          containerPort: 22
```
ACKPSPPrivilegedContainer
Prevents privileged containers from being started in pods deployed in the specified scope. A privileged container runs with every capability and with unrestricted access to host devices, which is equivalent to root on the node.
Severity: high
Parameters: None
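Before the constraint and its examples, the following is an added example (not ACK's Rego templates and not code from this page) of an offline pre-admission linter for the pod-level rules on this page: ACKBlockAutomountToken, ACKBlockAutoinjectServiceEnv, ACKBlockEphemeralContainer, ACKPSPHostNamespace, ACKPSPForbiddenSysctls, ACKPSPPrivilegedContainer, ACKPSPAllowPrivilegeEscalationContainer and ACKPSPCapabilities. Its parameters copy the constraints on this page; the pods are constructed dicts. Two choices are the example's own, not documented for the ACK templates: hostIPC is treated like hostPID, and dropping ALL is accepted as satisfying requiredDropCapabilities. Fields that default to true in the Pod API (automountServiceAccountToken, enableServiceLinks, allowPrivilegeEscalation) are treated as violations when omitted, and init and ephemeral containers are inspected together with app containers, since any of them runs with the same kernel privileges.

```python
"""Pre-admission linter for the pod-level rules on this page. Added example, not
ACK's Rego templates; parameters copy the constraints above, pods are constructed."""
from fnmatch import fnmatchcase
from typing import Dict, Iterator, List, Tuple

ALLOWED_CAPABILITIES = {"CHOWN"}
REQUIRED_DROP_CAPABILITIES = {"NET_ADMIN", "SYS_ADMIN", "NET_RAW"}
FORBIDDEN_SYSCTLS = ["kernel.*"]

Violation = Tuple[str, str]  # (policy name, message)


def _cap(name: str) -> str:
    """Normalise 'cap_net_admin' / 'NET_ADMIN' to the form used in the parameters."""
    n = name.upper()
    return n[4:] if n.startswith("CAP_") else n


def all_containers(pod: Dict) -> Iterator[Tuple[str, Dict]]:
    """Every container the kubelet will run; a check that only reads spec.containers
    can be bypassed with an init or ephemeral container."""
    spec = pod.get("spec", {})
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield field, c


def check_pod(pod: Dict) -> List[Violation]:
    spec = pod.get("spec", {})
    out: List[Violation] = []
    # Both fields default to true, so "not set" is a violation, not a pass.
    if spec.get("automountServiceAccountToken") is not False:
        out.append(("ACKBlockAutomountToken", "automountServiceAccountToken must be false"))
    if spec.get("enableServiceLinks") is not False:
        out.append(("ACKBlockAutoinjectServiceEnv", "enableServiceLinks must be false"))
    for ns in ("hostPID", "hostIPC"):  # hostNetwork is left to ACKPSPHostNetworkingPorts
        if spec.get(ns):
            out.append(("ACKPSPHostNamespace", f"{ns}: true shares the host namespace"))
    # Only ever non-empty on an UPDATE through the ephemeralcontainers subresource.
    if spec.get("ephemeralContainers"):
        out.append(("ACKBlockEphemeralContainer", "ephemeral containers are disallowed"))
    # Glob semantics as in the parameter table: "kernel.*" or "*".
    for s in spec.get("securityContext", {}).get("sysctls", []):
        if any(fnmatchcase(s["name"], pat) for pat in FORBIDDEN_SYSCTLS):
            out.append(("ACKPSPForbiddenSysctls", f"sysctl {s['name']} is forbidden"))
    for field, c in all_containers(pod):
        who = f"{field}/{c.get('name')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(("ACKPSPPrivilegedContainer", f"{who}: privileged container"))
        # Omitted means true in the API, so an explicit false is required.
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(("ACKPSPAllowPrivilegeEscalationContainer",
                        f"{who}: allowPrivilegeEscalation must be false"))
        caps = sc.get("capabilities", {})
        added = {_cap(x) for x in caps.get("add", [])}
        dropped = {_cap(x) for x in caps.get("drop", [])}
        if "*" not in ALLOWED_CAPABILITIES and added - ALLOWED_CAPABILITIES:
            out.append(("ACKPSPCapabilities", f"{who}: adds {sorted(added - ALLOWED_CAPABILITIES)}"))
        # Dropping ALL is accepted as satisfying the required list (a choice of this example).
        if "ALL" not in dropped and not REQUIRED_DROP_CAPABILITIES <= dropped:
            out.append(("ACKPSPCapabilities",
                        f"{who}: must drop {sorted(REQUIRED_DROP_CAPABILITIES - dropped)}"))
    return out


GOOD_POD = {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "good", "namespace": "test-gatekeeper"},
            "spec": {"automountServiceAccountToken": False, "enableServiceLinks": False,
                     "containers": [{"name": "test", "image": "test", "securityContext": {
                         "allowPrivilegeEscalation": False,
                         "capabilities": {"add": ["CHOWN"],
                                          "drop": ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]}}}],
                     "initContainers": [{"name": "init", "image": "test", "securityContext": {
                         "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

BAD_POD = {"apiVersion": "v1", "kind": "Pod",
           "metadata": {"name": "bad", "namespace": "test-gatekeeper"},
           "spec": {"hostPID": True,
                    "securityContext": {"sysctls": [{"name": "kernel.shm_rmid_forced", "value": "1"}]},
                    "containers": [{"name": "test", "image": "test", "securityContext": {
                        "privileged": True, "capabilities": {"add": ["NET_ADMIN"]}}}]}}


if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, check_pod(pod) or "OK")
```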
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never
```
ACKPSPProcMount
Restricts the proc mount type that pods in the specified scope may use. Supported values are Default, which masks sensitive paths under /proc, and Unmasked, which exposes the full /proc view; the disallowed example pairs Unmasked with hostUsers: false, which recent Kubernetes releases require for it. For more information, see AllowedProcMountTypes.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| procMount | string | Allowed proc mount type: Default or Unmasked. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        procMount: "Default"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  hostUsers: false
  containers:
    - image: test
      name: test
      securityContext:
        procMount: "Unmasked"
  initContainers:
    - image: test
      name: test2
```
ACKPSPReadOnlyRootFilesystem
Requires pods in the specified scope to run with a read-only root file system. Every container, init containers included, must set securityContext.readOnlyRootFilesystem: true; a writable root file system lets a compromised process drop tools and persist changes inside the container.
Severity: medium
Parameters: None
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: true
```
Disallowed (an explicit false in the app container, and no setting at all in the init container):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        readOnlyRootFilesystem: false
  initContainers:
    - image: test
      name: test2
```
ACKPSPSeccomp
Restricts pods in the specified scope to the listed Seccomp profile types and profiles. The disallowed example declares no seccompProfile at all; such a pod runs unconfined unless the kubelet's default seccomp profile is enabled.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedProfileTypes | array | Seccomp profile types that are allowed. |
| allowedProfiles | array | Seccomp profiles that are allowed. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
      # - Unconfined
      - RuntimeDefault
      - Localhost
    allowedProfiles:
      - runtime/default
      - docker/default
      - localhost/profiles/audit.json
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
  initContainers:
    - image: test
      name: test2
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
```
ACKPSPSELinuxV2
Requires pods in the specified scope to use an SELinux configuration listed in allowedSELinuxOptions. For the meaning of the fields, see SELinuxOptions v1 core.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| allowedSELinuxOptions | array | Allowed SELinux configurations; each entry may set level, role, type and user. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
    - image: test
      name: test
```
Disallowed (the level differs from the allowed entry):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c455"
```
ACKPSPVolumeTypes
Restricts pods in the specified scope to the listed volume types.
Severity: medium
Parameters:
| Parameter | Type | Description |
|---|---|---|
| volumes | array | Volume types that are allowed. Use * to allow every type. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    volumes:
      # - "*" # * may be used to allow all volume types
      - configMap
      # - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      # - hostPath # required for allowedHostPaths
      - flexVolume # required for allowedFlexVolumes
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      flexVolume:
        driver: "alicloud/oss"
```
Disallowed (hostPath is not on the list):
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
  volumes:
    - name: test-volume
      hostPath:
        path: /data
```
FinOps
ACKContainerRequests
Requires the specified application pods in the cluster to declare resource requests, and caps the values that may be requested.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| cpu | string | Maximum CPU request a container may declare. |
| memory | string | Maximum memory request a container may declare. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerRequests
metadata:
  name: container-must-have-requests
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        requests:
          memory: "100Mi"
          cpu: "500m"
```
Disallowed (no requests declared):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
```
ACKContainerResourcesWhitelist
Requires the CPU and memory settings of the specified application pods to be chosen from a predefined list of values.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| cpuRequests | array | Allowed CPU request values. An empty array [] allows any value. |
| cpuLimits | array | Allowed CPU limit values. An empty array [] allows any value. |
| memoryRequests | array | Allowed memory request values. An empty array [] allows any value. |
| memoryLimits | array | Allowed memory limit values. An empty array [] allows any value. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesWhitelist
metadata:
  name: container-resources-whitelist
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpuRequests:
      - "100m"
      - "500m"
      - "1"
    cpuLimits:
      - "2"
      - "4000m"
    memoryRequests:
      - "256Mi"
      - "512Mi"
    memoryLimits:
      - "1Gi"
      - "2048Mi"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
```
Disallowed (the CPU request 10m and the CPU limit 1 are not on their lists):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 10m
          memory: 512Mi
        limits:
          cpu: "1"
          memory: 1Gi
```
ACKContainerResourcesRange
Restricts the resource settings of the specified application pods to given ranges.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| cpuRequests | object | min and max for the CPU request of a container. |
| cpuLimits | object | min and max for the CPU limit of a container. |
| memoryRequests | object | min and max for the memory request of a container. |
| memoryLimits | object | min and max for the memory limit of a container. |
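Before the constraint and its examples, the following is an added example (not ACK's Rego and not code from this page) that evaluates the four resource rules in this FinOps category offline: ACKContainerResourcesRange and ACKContainerResourcesWhitelist directly, and ACKContainerLimits and ACKContainerRequests as the special case of a range with only a max. The point it demonstrates is that Kubernetes quantities must be compared by value, not as strings: "1" equals "1000m" and "2Gi" equals "2048Mi". Whether the ACK templates compare strings or quantities is not stated on this page, so the by-value comparison is this example's choice. The parameters copy the constraints on this page, the pods are constructed dicts, and only the quantity forms that appear here (plain numbers, the m suffix, and the k/M/G/T and Ki/Mi/Gi/Ti suffixes) are parsed.

```python
"""Quantity-aware resource checks mirroring ACKContainerLimits, ACKContainerRequests,
ACKContainerResourcesWhitelist and ACKContainerResourcesRange. Added example, not
ACK's Rego; parameters copy the constraints above and the pods are constructed."""
import re
from fractions import Fraction
from typing import Dict, Iterable, List, Tuple

_SUFFIX = {"": Fraction(1), "m": Fraction(1, 1000),
           "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9), "T": Fraction(10**12),
           "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30), "Ti": Fraction(2**40)}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def parse_quantity(q) -> Fraction:
    """Exact value of a quantity, so "1" == "1000m" and "2Gi" == "2048Mi"."""
    m = _QUANTITY.match(str(q))  # YAML may have parsed `cpu: 1` as an int
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


FIELDS = {"cpuRequests": ("requests", "cpu"), "cpuLimits": ("limits", "cpu"),
          "memoryRequests": ("requests", "memory"), "memoryLimits": ("limits", "memory")}


def _values(pod: Dict) -> Iterable[Tuple[str, str, object]]:
    """(container, parameter name, declared value or None) for every container list."""
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod.get("spec", {}).get(field, []):
            res = c.get("resources", {})
            for param, (section, resource) in FIELDS.items():
                yield f"{field}/{c['name']}", param, res.get(section, {}).get(resource)


def check_range(pod: Dict, params: Dict[str, Dict[str, str]]) -> List[str]:
    """params: {cpuRequests: {min, max}, ...}; min or max may be omitted. With only a
    max on cpuLimits and memoryLimits this is the ACKContainerLimits check."""
    out: List[str] = []
    for who, param, value in _values(pod):
        if param not in params:
            continue
        if value is None:
            out.append(f"{who}: {param} must be declared")
            continue
        v = parse_quantity(value)
        lo, hi = params[param].get("min"), params[param].get("max")
        if (lo is not None and v < parse_quantity(lo)) or (hi is not None and v > parse_quantity(hi)):
            out.append(f"{who}: {param}={value} outside [{lo}, {hi}]")
    return out


def check_whitelist(pod: Dict, params: Dict[str, List[str]]) -> List[str]:
    """An empty or missing list allows any value; otherwise the value must equal one entry."""
    out: List[str] = []
    for who, param, value in _values(pod):
        allowed = params.get(param, [])
        if not allowed:
            continue
        if value is None:
            out.append(f"{who}: {param} must be declared")
            continue
        if parse_quantity(value) not in {parse_quantity(a) for a in allowed}:
            out.append(f"{who}: {param}={value} not in {allowed}")
    return out


RANGE_PARAMS = {"cpuRequests": {"min": "100m", "max": "1"}, "cpuLimits": {"min": "500m", "max": "2"},
                "memoryRequests": {"min": "256Mi", "max": "512Mi"},
                "memoryLimits": {"min": "1Gi", "max": "2048Mi"}}
WHITELIST_PARAMS = {"cpuRequests": ["100m", "500m", "1"], "cpuLimits": ["2", "4000m"],
                    "memoryRequests": ["256Mi", "512Mi"], "memoryLimits": ["1Gi", "2048Mi"]}


def _pod(requests: Dict[str, str], limits: Dict[str, str]) -> Dict:
    """Constructed single-container pod with the given resources."""
    return {"spec": {"containers": [{"name": "test-container",
                                     "resources": {"requests": requests, "limits": limits}}]}}


GOOD_RANGE = _pod({"cpu": "100m", "memory": "512Mi"}, {"cpu": "2", "memory": "2Gi"})
BAD_RANGE = _pod({"cpu": "10m", "memory": "5Mi"}, {"cpu": "3", "memory": "128Mi"})
BAD_WHITELIST = _pod({"cpu": "10m", "memory": "512Mi"}, {"cpu": "1", "memory": "1Gi"})


if __name__ == "__main__":
    print(check_range(GOOD_RANGE, RANGE_PARAMS) or "range OK")
    print(check_range(BAD_RANGE, RANGE_PARAMS))
    print(check_whitelist(BAD_WHITELIST, WHITELIST_PARAMS))
```

GOOD_RANGE is the page's allowed manifest for the range rule and, because 2Gi equals 2048Mi, it also passes the whitelist when compared by value; a string comparison would reject it.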
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesRange
metadata:
  name: container-resources-range
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpuRequests:
      min: "100m"
      max: "1"
    cpuLimits:
      min: "500m"
      max: "2"
    memoryRequests:
      min: "256Mi"
      max: "512Mi"
    memoryLimits:
      min: "1Gi"
      max: "2048Mi"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 2Gi
```
Disallowed (every value is outside its range):
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 10m
          memory: 5Mi
        limits:
          cpu: "3"
          memory: 128Mi
```
ACKRequiredNodeSelector
Requires specific application pods in the cluster to have a nodeSelector configured.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| nodeSelector | array | Entries of key (the label key) and allowedRegex (a regular expression the label value must match). |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredNodeSelector
metadata:
  name: must-have-nodeselector
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    nodeSelector:
      - key: "node.alibabacloud.com/nodepool-id"
        allowedRegex: "^np.*$"
      - key: "kubernetes.io/os"
        allowedRegex: "^linux$"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: linux
```
Forbidden:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
      name: test-container
      resources:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          cpu: "2"
          memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: windows
```
ACKWorkloadReplicasRange
Restricts the number of replicas of a workload to a given range.
Severity: low
Parameters:
| Parameter | Type | Description |
|---|---|---|
| minReplicas | int | Minimum number of replicas. |
| maxReplicas | int | Maximum number of replicas. |
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKWorkloadReplicasRange
metadata:
  name: replica-limiter
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "StatefulSet", "ReplicaSet", "Scale"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    minReplicas: 2
    maxReplicas: 3
```
Allowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
```
Forbidden:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-0
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-1
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
          ports:
            - containerPort: 80
          resources:
            limits:
              cpu: "500m"
```
ACKRestrictALBCreation
Enforces reuse of existing Application Load Balancer (ALB) instances and forbids creating new ALB instances through AlbConfig.
Severity: low
Parameters: none
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictALBCreation
metadata:
  name: restrict-alb-creation
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["alibabacloud.com"]
        kinds: ["AlbConfig"]
```
Allowed:
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: 'abcdefghijklmnopqrstuvwxyz'
    forceOverride: false
    listenerForceOverride: false
```
Forbidden:
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb
    addressType: Internet
    zoneMappings:
      - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # Replace with the ID of one of at least two vSwitches in different zones of the VPC where the cluster resides.
        allocationId: eip-asdfas**** # Replace with an EIP ID. By default, a public IP address is assigned automatically.
      - vSwitchId: vsw-uf6nun9tql5t8nh15**** # Replace with the ID of one of at least two vSwitches in different zones of the VPC where the cluster resides.
        allocationId: eip-dpfmss**** # Replace with an EIP ID.
  listeners:
    - port: 80
      protocol: HTTP
```