You can configure security policies for Pods to validate that requests to deploy or update Pods are safe. The ACK cluster policy governance feature provides several built-in rule libraries: Compliance, Infra, K8s-general, PSP, and FinOps.
Rule overview
The container security policy rule library of Container Service for Kubernetes (ACK) currently contains the following rule templates:
Compliance: security rules customized from compliance baselines such as the Alibaba Cloud Kubernetes hardening guide.
Infra: rules that harden and protect resources at the cloud infrastructure layer.
K8s-general: rules that constrain and standardize the configuration of sensitive resources in a Kubernetes cluster, improving the security of the applications running in it.
PSP: policies that replace Kubernetes PodSecurityPolicy (PSP); they provide the same security constraints that PSP offered in the original ACK policy governance feature.
FinOps: control and optimization rules used in cost governance.
Policy rule library reference
ACK currently provides the following built-in policy rule libraries. The policy categories and brief descriptions are listed below:
| Category | Policy | Description | Severity |
| --- | --- | --- | --- |
| Compliance | ACKNoEnvVarSecrets | Restricts Secrets from being exposed to application Pod environment variables through secretKeyRef. | medium |
| Compliance | ACKPodsRequireSecurityContext | Requires every container in a Pod to have a securityContext configured. | low |
| Compliance | ACKRestrictNamespaces | Restricts resources from being deployed in specified namespaces of the cluster. | low |
| Compliance | ACKRestrictRoleBindings | Restricts RoleBindings in specified namespaces from referencing Roles or ClusterRoles outside a specified scope. | high |
| Compliance | ACKNamespacesDeleteProtection | Protects specified Namespaces from accidental deletion. | medium |
| Compliance | ACKServicesDeleteProtection | Protects Service instances in a Namespace from accidental deletion. | medium |
| Compliance | ACKProtectBoundingPV | Prevents persistent volumes (PVs) in the Bound state from being deleted. | high |
| Compliance | ACKBlockNodeDelete | Prevents nodes that carry custom labels from being deleted. | high |
| Compliance | ACKResourceDeletionProtection | Prevents resources of several types (including Service, Namespace, and Ingress) that carry custom labels from being deleted. | high |
| Compliance | ACKProtectCoreDNS | Prevents CoreDNS-related resources in the kube-system namespace from being deleted. | high |
| Infra | ACKBlockProcessNamespaceSharing | Restricts the use of shareProcessNamespace in applications deployed in the specified scope of the cluster. | high |
| Infra | ACKEmptyDirHasSizeLimit | Requires emptyDir volumes to specify a sizeLimit. | low |
| Infra | ACKLocalStorageRequireSafeToEvict | Requires Pods deployed in the specified scope of the cluster to carry the cluster-autoscaler.kubernetes.io/safe-to-evict annotation. | low |
| Infra | ACKOSSStorageLocationConstraint | Restricts deployments in specified namespaces to Alibaba Cloud OSS volumes in specified regions. | low |
| Infra | ACKPVSizeConstraint | Limits the maximum disk capacity that a PV created in the cluster can request. | medium |
| Infra | ACKPVCConstraint | Restricts the namespaces in which PVCs can be deployed to an allowlist and limits the maximum disk capacity a PVC can request. | medium |
| Infra | ACKBlockVolumeTypes | Specifies volume types that Pods deployed in the specified scope of the cluster may not use. | medium |
| Infra | ASMSidecarInjectionEnforced | Requires Pods to have the ASM sidecar injected. | high |
| K8s-general | ACKAllowedRepos | Prevents application Pods deployed in the specified scope of the cluster from pulling images outside an allowlist of repositories. | high |
| K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to set enableServiceLinks: false. | low |
| K8s-general | ACKBlockAutomountToken | Requires applications to set automountServiceAccountToken: false. | high |
| K8s-general | ACKBlockEphemeralContainer | Restricts ephemeral containers from being started in application Pods in the specified scope of the cluster. | medium |
| K8s-general | ACKBlockLoadBalancer | Restricts Services of type LoadBalancer from being deployed in the specified scope of the cluster. | high |
| K8s-general | ACKBlockNodePort | Restricts Services of type NodePort in the specified scope of the cluster. | high |
| K8s-general | ACKContainerLimits | Requires application Pods in the specified scope of the cluster to configure resource limits. | low |
| K8s-general | ACKExternalIPs | Restricts Services in the specified scope of the cluster from using externalIPs outside an allowlist. | high |
| K8s-general | ACKImageDigests | Restricts images that are not referenced by digest from being deployed in the specified scope of the cluster. | low |
| K8s-general | ACKRequiredLabels | Restricts applications that lack labels matching the required pattern from being deployed in the specified scope of the cluster. | low |
| K8s-general | ACKRequiredProbes | Requires Pods deployed in the specified scope of the cluster to configure readinessProbe and livenessProbe of specified types. | medium |
| K8s-general | ACKCheckNginxPath | Restricts dangerous configurations in the spec.rules[].http.paths[].path field of Ingress resources. | high |
| K8s-general | ACKCheckNginxAnnotation | Restricts dangerous configurations in the metadata.annotations field of Ingress resources. | high |
| K8s-general | ACKBlockInternetLoadBalancer | Restricts the creation of Internet-facing LoadBalancer Services. | high |
| K8s-general | RatifyVerification | After the Ratify component is installed from the app marketplace, verifies security metadata such as signatures or SBOMs of the images used by Pods deployed in the specified scope of the cluster. | high |
| PSP | | Restricts the … configuration of Pods deployed in the specified scope of the cluster. | medium |
| PSP | ACKPSPAllowedUsers | Restricts the user, group, supplementalGroups, and fsGroup with which Pods deployed in the specified scope of the cluster start. | medium |
| PSP | | Restricts the AppArmor configuration of Pods deployed in the specified scope of the cluster. | low |
| PSP | | Restricts the Linux capabilities of Pods deployed in the specified scope of the cluster. | high |
| PSP | | Restricts the fsGroup configuration of Pods deployed in the specified scope of the cluster. | medium |
| PSP | | Restricts the FlexVolume driver configuration of Pods deployed in the specified scope of the cluster. | medium |
| PSP | | Restricts the forbidden sysctls for Pods deployed in the specified scope of the cluster. | high |
| PSP | | Restricts the host directories that Pods deployed in the specified scope of the cluster may mount. | high |
| PSP | | Restricts whether Pods deployed in the specified scope of the cluster may share host namespaces. | high |
| PSP | | Restricts Pods deployed in the specified scope of the cluster from using the host network and specified ports. | high |
| PSP | | Restricts privileged containers from being started in Pods deployed in the specified scope of the cluster. | high |
| PSP | | Restricts the proc mount types allowed for Pods deployed in the specified scope of the cluster. | low |
| PSP | | Requires Pods deployed in the specified scope of the cluster to use a read-only root file system. | medium |
| PSP | | Requires Pods deployed in the specified scope of the cluster to use the SELinux configuration specified in the AllowedSELinuxOptions parameter. | low |
| PSP | | Requires Pods deployed in the specified scope of the cluster to use specified seccomp profiles. | low |
| PSP | | Restricts the volume types that Pods deployed in the specified scope of the cluster may use. | medium |
| FinOps | | Requires certain application Pods in the cluster to declare resource …. | low |
| FinOps | | Requires the CPU and memory configuration of certain application Pods in the cluster to be chosen from preset options. | low |
| FinOps | | Restricts the resource configuration of certain application Pods in the cluster to a specified range. | low |
| FinOps | | Requires certain application Pods in the cluster to configure the specified …. | low |
| FinOps | | Restricts the minimum and maximum number of application replicas. | low |
| FinOps | | Enforces reuse of existing ALB instances and forbids creating new ALB instances through ALBConfig. | low |
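As an added example that is not ACK's or Gatekeeper's own code, the following lint re-states five of the rules in the table above in Python so that Pod manifests can be checked locally before they reach the admission webhook (where the real rules run as Rego). It assumes the parameter names used in this page's Constraint examples (repos, labels, key, allowedRegex, optional) and, for ACKBlockAutomountToken, treats an absent field as a violation because the rule requires the field to be set to false:

```python
"""Local pre-admission lint mirroring several ACK policy rules from this page.

Added example, not ACK's or Gatekeeper's own code: the real rules run as Rego in
the Gatekeeper admission webhook; this re-states their described semantics so Pod
manifests can be checked before they are applied. Manifests and parameters below
are constructed from the page's Constraint / Allowed / Disallowed examples.
"""
import re

# An image is digest-pinned when it ends in "@sha256:" followed by 64 hex digits.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def all_containers(pod):
    """Yield regular, init and ephemeral containers of a Pod manifest."""
    spec = pod.get("spec", {})
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key, [])


def check_no_env_var_secrets(pod):
    """ACKNoEnvVarSecrets: no env entry may read a Secret through secretKeyRef."""
    return [f"{c['name']}: env {e['name']} uses secretKeyRef"
            for c in all_containers(pod) for e in c.get("env", [])
            if "secretKeyRef" in e.get("valueFrom", {})]


def check_automount_token(pod):
    """ACKBlockAutomountToken: spec.automountServiceAccountToken must be set to
    false; the Kubernetes default is true, so an absent field is a violation too."""
    if pod.get("spec", {}).get("automountServiceAccountToken") is not False:
        return ["spec.automountServiceAccountToken is not false"]
    return []


def check_allowed_repos(pod, repos):
    """ACKAllowedRepos: every image must start with an allowlisted repo prefix."""
    return [f"{c['name']}: image {c['image']} is outside the allowed repos"
            for c in all_containers(pod)
            if not any(c["image"].startswith(r) for r in repos)]


def check_image_digests(pod):
    """ACKImageDigests: every image must be referenced by digest, not by tag."""
    return [f"{c['name']}: image {c['image']} has no sha256 digest"
            for c in all_containers(pod) if not DIGEST_RE.search(c["image"])]


def check_required_labels(pod, rules):
    """ACKRequiredLabels: each rule is {key, allowedRegex, optional}. A missing
    label is tolerated only when optional is true; a present value must match."""
    labels = pod.get("metadata", {}).get("labels", {})
    out = []
    for rule in rules:
        value = labels.get(rule["key"])
        if value is None:
            if not rule.get("optional", False):
                out.append(f"label {rule['key']} is missing")
        elif not re.search(rule["allowedRegex"], value):
            out.append(f"label {rule['key']}={value!r} does not match {rule['allowedRegex']}")
    return out


def lint_pod(pod, repos, label_rules):
    """Run every check; return {rule name: [violations]} for the rules that fail."""
    results = {
        "ACKNoEnvVarSecrets": check_no_env_var_secrets(pod),
        "ACKBlockAutomountToken": check_automount_token(pod),
        "ACKAllowedRepos": check_allowed_repos(pod, repos),
        "ACKImageDigests": check_image_digests(pod),
        "ACKRequiredLabels": check_required_labels(pod, label_rules),
    }
    return {name: v for name, v in results.items() if v}


# Parameters from the page's ACKAllowedRepos and ACKRequiredLabels Constraint examples.
ALLOWED_REPOS = ["registry-vpc.cn-hangzhou.aliyuncs.com/acs/",
                 "registry.cn-hangzhou.aliyuncs.com/acs/"]
LABEL_RULES = [{"key": "test", "allowedRegex": "^test.*$"},
               {"key": "env", "allowedRegex": "^(dev|prod)$", "optional": True}]

# Constructed manifests: one satisfies all five rules, the other violates all of them.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "pod-01", "namespace": "test-gatekeeper", "labels": {"test": "test_233"}},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "test-container-1",
                             "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver@sha256:"
                                      "12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b"}]},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad", "namespace": "test-gatekeeper", "labels": {"test": "233", "env": "invalid"}},
    "spec": {"containers": [{"name": "mycontainer", "image": "k8s.gcr.io/test-webserver",
                             "env": [{"name": "SECRET_USERNAME", "valueFrom": {
                                 "secretKeyRef": {"name": "mysecret", "key": "username"}}}]}]},
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], lint_pod(pod, ALLOWED_REPOS, LABEL_RULES))
```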
Compliance
ACKNoEnvVarSecrets
Rule description: Restricts Secrets from being exposed to application Pod environment variables through secretKeyRef.
Severity: medium.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNoEnvVarSecrets
metadata:
  name: no-env-var-secrets
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  namespace: test-gatekeeper
spec:
  containers:
    - name: mypod
      image: redis
      volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
  volumes:
    - name: foo
      secret:
        secretName: mysecret
        items:
          - key: username
            path: my-group/my-username
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
      env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: password
  restartPolicy: Never
```
ACKPodsRequireSecurityContext
Rule description: Requires every container in a Pod to have a securityContext field configured.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPodsRequireSecurityContext
metadata:
  name: pods-require-security-context
  annotations:
    description: "Requires that Pods must have a `securityContext` defined."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: test-gatekeeper
spec:
  securityContext:
    runAsNonRoot: false
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test2
    - image: test
      name: test
      resources: {}
      securityContext:
        runAsNonRoot: false
```
ACKRestrictNamespaces
Rule description: Restricts resources from being deployed in specified namespaces of the cluster.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | Namespaces in which resources may not be deployed. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictNamespaces
metadata:
  name: restrict-default-namespace
  annotations:
    description: "Restricts resources from using the restricted namespace."
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Pod']
  parameters:
    restrictedNamespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  restartPolicy: Never
```
ACKRestrictRoleBindings
Rule description: Restricts RoleBindings in specified namespaces from referencing Roles or ClusterRoles outside a specified scope.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| restrictedRole | object | The ClusterRole or Role whose use is restricted. |
| allowedSubjects | array | Allowlist of subjects that may be bound to the restricted role. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings
  annotations:
    description: "Restricts use of sensitive role in specific rolebinding."
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    restrictedRole:
      apiGroup: "rbac.authorization.k8s.io"
      kind: "ClusterRole"
      name: "cluster-admin"
    allowedSubjects:
      - apiGroup: "rbac.authorization.k8s.io"
        kind: "Group"
        name: "system:masters"
```
Allowed:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good-2
  namespace: test-gatekeeper
subjects:
  - kind: Group
    name: 'system:masters'
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
Disallowed:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad-1
  namespace: test-gatekeeper
subjects:
  - kind: ServiceAccount
    name: policy-template-controller
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
ACKNamespacesDeleteProtection
Rule description: Protects specified Namespaces from accidental deletion. The names of the protected namespaces are configured with the protectionNamespaces parameter.
Prerequisite: the gatekeeper component must be upgraded to v3.10.0.130-g0e79597d-aliyun or later. For gatekeeper version information, see gatekeeper.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| protectionNamespaces | array | List of names of the protected Namespaces. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKNamespacesDeleteProtection
metadata:
  name: namespace-delete-protection
spec:
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Namespace']
  parameters:
    protectionNamespaces:
      - test-gatekeeper
```
Allowed:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: will-delete
```
Disallowed:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: test-gatekeeper
```
ACKServicesDeleteProtection
Rule description: Protects Service instances in specified Namespaces from accidental deletion. The names of the protected Services are configured with the protectionServices parameter.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| protectionServices | array | List of names of the protected Services in the specified namespaces. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKServicesDeleteProtection
metadata:
  name: service-delete-protection
  annotations:
    description: "Protect to delete specific service."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ['']
        kinds: ['Service']
    namespaces: ["test-gatekeeper"]
  parameters:
    protectionServices:
      - test-svc
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: good
  namespace: test-gatekeeper
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: test-svc
```
ACKProtectBoundingPV
Rule description: Prevents persistent volumes (PVs) that are bound to a PersistentVolumeClaim (PVC) from being deleted.
Severity: high.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectBoundingPV
metadata:
  name: protect-pv-deletion
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - PersistentVolume
```
Allowed:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
status:
  phase: Released
```
Disallowed:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: test-pv-bound-should-be-blocked
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual-sc
status:
  phase: Bound
```
ACKBlockNodeDelete
Rule description: Prevents nodes that carry custom labels from being deleted. Multiple key-value pairs can be defined; a node is protected if it matches any one of them.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| protectedLabels | array | Custom labels that identify the nodes to protect. |
| labelName | string | Key of the custom label. |
| labelValue | string | Value of the custom label. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodeDelete
metadata:
  name: block-node-delete
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Node"]
  parameters:
    protectedLabels:
      - labelName: policy.alibabacloud.vpc.com/node-delete-protection
        labelValue: "true"
      - labelName: policy.alibabacloud.com/node-delete-protection
        labelValue: "true"
```
Allowed:
```yaml
apiVersion: v1
kind: Node
metadata:
  name: cn-hangzhou-1
```
Disallowed:
```yaml
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-1
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-2
---
apiVersion: v1
kind: Node
metadata:
  labels:
    policy.alibabacloud.com/node-delete-protection: "true"
    policy.alibabacloud.vpc.com/node-delete-protection: "true"
  name: cn-hangzhou-3
```
ACKResourceDeletionProtection
Rule description: Prevents resources that carry custom labels from being deleted. Supported resource types include Service, Namespace, Ingress, Deployment, StatefulSet, DaemonSet, Job, and CronJob. Multiple key-value pairs can be defined; a resource is protected if it matches any one of them.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| labels | array | Custom labels that identify the resources to protect. |
| labelName | string | Key of the custom label. |
| labelValue | string | Value of the custom label. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKResourceDeletionProtection
metadata:
  name: resource-deletion-protection
  annotations:
    description: "Protect resources from being accidentally deleted."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Service
          - Namespace
      - apiGroups:
          - extensions
          - networking.k8s.io
        kinds:
          - Ingress
      - apiGroups:
          - apps
        kinds:
          - Deployment
          - StatefulSet
          - DaemonSet
      - apiGroups:
          - batch
        kinds:
          - Job
          - CronJob
  parameters:
    labels:
      - labelName: policy.alibabacloud.com/delete-protection
        labelValue: "true"
```
Allowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
```
Disallowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  namespace: test-gatekeeper
  labels:
    policy.alibabacloud.com/delete-protection: "true"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
    spec:
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
```
ACKProtectCoreDNS
Rule description: Prevents CoreDNS-related resources in the kube-system namespace from being deleted, including the Deployment, Service, and ConfigMap it uses.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| min_replicas | int | Minimum number of replicas expected for the CoreDNS Deployment. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKProtectCoreDNS
metadata:
  name: coredns-protect-rule
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["Deployment", "Service", "Scale", "ConfigMap"]
    scope: "Namespaced"
    namespaces: ["kube-system"]
  parameters:
    min_replicas: 2
```
Allowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 3
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
```
Disallowed:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      containers:
        - name: coredns
          image: registry-cn-hangzhou-vpc.ack.aliyuncs.com/acs/coredns:latest
          imagePullPolicy: IfNotPresent
---
apiVersion: v1
data:
  Corefile: ""
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: KubeDNS
  name: kube-dns
  namespace: kube-system
```
Infra
ACKBlockProcessNamespaceSharing
Rule description: Restricts the use of shareProcessNamespace in applications deployed in the specified scope of the cluster.
Severity: high.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockProcessNamespaceSharing
metadata:
  name: block-share-process-namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: test-3
  namespace: test-gatekeeper
spec:
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  shareProcessNamespace: true
  containers:
    - image: test
      name: test
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
```
ACKEmptyDirHasSizeLimit
Rule description: Requires emptyDir volumes to specify a sizeLimit.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-sizelimit
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir:
        sizeLimit: "10Mi"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKLocalStorageRequireSafeToEvict
Rule description: Requires Pods deployed in the specified scope of the cluster to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Pods without this annotation are not deleted when the cluster scales automatically.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1
  namespace: test-gatekeeper
  annotations:
    'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /test-pd
          name: test-volume
  volumes:
    - name: test-volume
      hostPath:
        # directory location on host
        path: /data
        # this field is optional
        type: Directory
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
  volumes:
    - name: cache-volume
      emptyDir: {}
```
ACKOSSStorageLocationConstraint
Rule description: Restricts deployments in specified namespaces to Alibaba Cloud OSS volumes in specified regions.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| mode | string | Whether allowlist mode is used. Default value: … |
| regions | array | List of Alibaba Cloud region IDs. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKOSSStorageLocationConstraint
metadata:
  name: restrict-oss-location
  annotations:
    description: "Restricts location of oss storage in cluster."
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume", "Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    mode: "allowlist"
    regions:
      - "cn-beijing"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi-good
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-beijing.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-oss-csi
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: test
      csi:
        driver: ossplugin.csi.alibabacloud.com
        volumeHandle: pv-oss
        nodePublishSecretRef:
          name: oss-secret
          namespace: default
        volumeAttributes:
          bucket: "oss"
          url: "oss-cn-hangzhou.aliyuncs.com"
          otherOpts: "-o max_stat_cache_size=0 -o allow_other"
          path: "/"
```
ACKPVSizeConstraint
Rule description: Limits the maximum disk capacity that a PV created in the cluster can request.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | Maximum disk capacity that a PV can request. Default: 50 GiB. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVSizeConstraint
metadata:
  name: limit-pv-size
  annotations:
    description: "Limit the pv storage capacity size within a specified maximum amount."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolume"]
  parameters:
    maxSize: "50Gi"
```
Allowed:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 25Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
```
Disallowed:
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-oss-csi-bad
  labels:
    alicloud-pvname: pv-oss
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: ossplugin.csi.alibabacloud.com
    volumeHandle: pv-oss
    nodePublishSecretRef:
      name: oss-secret
      namespace: default
    volumeAttributes:
      bucket: "oss"
      url: "oss-cn-beijing.aliyuncs.com"
      otherOpts: "-o max_stat_cache_size=0 -o allow_other"
      path: "/"
```
ACKPVCConstraint
Rule description: Restricts the namespaces in which PVCs can be deployed to an allowlist and limits the maximum disk capacity that a PVC can request.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| maxSize | string | Maximum disk capacity that a PVC can request. Default: 50 GiB. |
| allowNamespaces | array | Allowlist of namespaces in which PVCs may be deployed. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPVCConstraint
metadata:
  name: limit-pvc-size-and-ns
  annotations:
    description: "Limit the maximum pvc storage capacity size and the namespace whitelists that can be deployed."
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["PersistentVolumeClaim"]
  parameters:
    maxSize: "50Gi"
    allowNamespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```
Disallowed:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-disk-pvc
  namespace: test-gatekeeper
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bad-namespace-pvc
  namespace: test-gatekeeper-bad
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```
ACKBlockVolumeTypes
Rule description: Specifies volume types that Pods deployed in the specified scope of the cluster may not use.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| volumes | array | List of forbidden volume types. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockVolumeTypes
metadata:
  name: block-volume-types
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
  parameters:
    volumes:
      - "gitRepo"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: use-empty-dir
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: emptydir-volume
      emptyDir: {}
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: use-git-repo
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
  volumes:
    - name: git-volume
      gitRepo:
        repository: "git@***:***/my-git-repository.git"
        revision: "22f1d8406d464b0c08***"
```
ASMSidecarInjectionEnforced
Rule description: Requires Pods to have the ASM sidecar injected.
Severity: high.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ASMSidecarInjectionEnforced
metadata:
  name: asm-sidecar-injectionen-forced
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["test-gatekeeper"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
    - name: istio-proxy
      image: xxx/proxyv2:xxx
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-injection
  namespace: test-gatekeeper
spec:
  containers:
    - name: test
      image: test
```
K8s-general
ACKAllowedRepos
Rule description: Prevents application Pods deployed in the specified scope of the cluster from pulling images outside an allowlist of repositories.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| repos | array | Allowlist of permitted image repositories. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKAllowedRepos
metadata:
  name: allowed-repos
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    repos:
      - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
      - "registry.cn-hangzhou.aliyuncs.com/acs/"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: test-gatekeeper
spec:
  containers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container-1
  initContainers:
    - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container-3
```
ACKBlockAutoinjectServiceEnv
Rule description: Requires applications to set enableServiceLinks: false so that Service IPs are not exposed in Pod environment variables.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutoinjectServiceEnv
metadata:
  name: block-auto-inject-service-env
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  enableServiceLinks: false
  containers:
    - image: openpolicyagent/test-webserver:1.0
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockAutomountToken
Rule description: Requires applications to set the automountServiceAccountToken: false field so that the service account token is not mounted automatically.
Severity: high.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockAutomountToken
metadata:
  name: block-auto-mount-service-account-token
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  automountServiceAccountToken: false
  containers:
    - image: openpolicyagent/test-webserver:v1.0
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
```
ACKBlockEphemeralContainer
Rule description: Restricts ephemeral containers from being started in application Pods in the specified scope of the cluster.
Severity: medium.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockEphemeralContainer
metadata:
  name: block-ephemeral-container
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: good-1
  namespace: test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  containers:
    - name: mycontainer
      image: redis
  ephemeralContainers:
    - name: test
      image: test
```
ACKBlockLoadBalancer
Rule description: Restricts Services of type LoadBalancer from being deployed in the specified scope of the cluster.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| restrictedNamespaces | array | Namespaces in which the resource may not be deployed. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: LoadBalancer
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKBlockNodePort
Rule description: Restricts Services of type NodePort in the specified scope of the cluster.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
ACKContainerLimits
Rule description: Requires application Pods in the specified scope of the cluster to configure resource limits.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Mi"
          cpu: "500m"
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-2
  namespace: non-test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver
      name: test-container
      resources:
        limits:
          memory: "100Gi"
          cpu: "2000m"
```
ACKExternalIPs
Rule description: Restricts Services in the specified scope of the cluster from using externalIPs outside an allowlist.
Severity: high.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| allowedIPs | array | Allowlist of externalIPs that Services may use. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    allowedIPs:
      - "192.168.0.5"
```
Allowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service-3
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
```
Disallowed:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: test-gatekeeper
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
  externalIPs:
    - 80.11.XX.XX
```
ACKImageDigests
Rule description: Restricts images that are not referenced by digest from being deployed in the specified scope of the cluster.
Severity: low.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
    - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
      name: test-container
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
    - image: k8s.gcr.io/test-webserver
      name: test-container
  initContainers:
    - image: k8s.gcr.io/test-webserver
      name: test-container2
```
ACKRequiredLabels
Rule description: Checks whether Pods carry specific labels and whether the label values match a predefined format. A regular expression can be specified for each label key to validate its value, and the optional flag controls whether the check for that label is mandatory.
Severity: low.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| allowedRegex | string | Regular expression that allowed label values must match. |
| key | string | Label key to check. |
| optional | bool | Whether the Pod may lack this label. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredLabels
metadata:
  name: must-have-label-test
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    labels:
      - key: test
        allowedRegex: "^test.*$"
      - key: env
        allowedRegex: "^(dev|prod)$"
        optional: true
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: test
  namespace: test-gatekeeper
  labels:
    'test': 'test_233'
spec:
  containers:
    - name: mycontainer
      image: redis
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: bad2
  namespace: test-gatekeeper
  labels:
    'test': '233'
    'env': 'invalid'
spec:
  containers:
    - name: mycontainer
      image: redis
```
ACKRequiredProbes
Rule description: Requires Pods deployed in the specified scope of the cluster to configure readinessProbe and livenessProbe of specified types.
Severity: medium.
Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| probes | array | Probes that must be configured in the Pod, for example readinessProbe and livenessProbe. |
| probeTypes | array | Probe types that must be used in the Pod, for example tcpSocket, httpGet, and exec. |
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "test-gatekeeper"
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
```
Allowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p4
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
      readinessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:
        exec:
          command:
            - cat
            - /tmp/healthy
        initialDelaySeconds: 5
        periodSeconds: 5
```
Disallowed:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: p1
  namespace: test-gatekeeper
spec:
  containers:
    - name: liveness
      image: k8s.gcr.io/busybox
```
ACKCheckNginxPath
Rule description: Restricts dangerous configurations in the spec.rules[].http.paths[].path field of Ingress resources. Enabling this policy is recommended for ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxPath
metadata:
  name: block-nginx-path
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-paths
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bad-path-secrets
  namespace: test-gatekeeper
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /var/run/secrets
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
```
ACKCheckNginxAnnotation
Rule description: Restricts dangerous configurations in the metadata.annotations field of Ingress resources. Enabling this policy is recommended for ingress-nginx versions earlier than 1.2.1.
Severity: high.
Parameters: none.
Examples:
Constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKCheckNginxAnnotation
metadata:
  name: block-nginx-annotation
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]
    namespaces:
      - "test-gatekeeper"
```
Allowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-annotations
  namespace: test-gatekeeper
  annotations:
    nginx.org/good: "value"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
Disallowed:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: var-run-secrets
  namespace: test-gatekeeper
  annotations:
    nginx.org/bad: "/var/run/secrets"
spec:
  rules:
    - host: cafe.example.com
      http:
        paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
```
ACKBlockInternetLoadBalancer
規則說明:限制建立公網類型的LoadBalancer Service。
重要等級:high。
參數說明:無。
樣本:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKBlockInternetLoadBalancer
metadata:
name: block-internet-load-balancer
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Service"]
namespaces: ["test-gatekeeper"]Allowed:
apiVersion: v1
kind: Service
metadata:
name: my-service
namespace: non-test-gatekeeper
annotations:
'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'intranet'
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376
type: LoadBalancerDisallowed:
apiVersion: v1
kind: Service
metadata:
name: bad-service-2
namespace: test-gatekeeper
annotations:
'service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type': 'internet'
spec:
type: LoadBalancer
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
    targetPort: 9376

RatifyVerification
Rule description: after the Ratify component is installed from the application marketplace, verifies security metadata such as signatures or SBOMs of the images of Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces: ["default"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/signed # Image carrying a valid signature.
    name: test-container
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/unsigned # Image that fails Ratify signature verification.
    name: test-container

PSP
ACKPSPAllowedUsers
Rule description: restricts the user, group, supplementalGroups and fsGroup that Pods deployed in the specified scope of the cluster start with.
Severity: medium.
Parameters:
Parameter | Type | Description |
| object | For details, see the User configuration of the original PSP rule; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups. |
| object | For details, see the Group configuration of the original PSP rule; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups. |
| object | For details, see the SupplementalGroups configuration of the original PSP rule; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups. |
| object | For details, see the fsGroup configuration of the original PSP rule; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny
      ranges:
      - min: 100
        max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
      - min: 100
        max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
      - min: 100
        max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny
      ranges:
      - min: 100
        max: 200
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good2
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 150
    supplementalGroups:
    - 150
  containers:
  - image: test
    name: test
    securityContext:
      runAsUser: 150
      runAsGroup: 150
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
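The rule semantics above, as an added example that is not part of this page or of ACK's own policy code: a Python re-implementation of the MustRunAs / MustRunAsNonRoot / MayRunAs / RunAsAny range checks that admits the good2 Pod and rejects the bad Pod. The parameter values and both Pods are constructed here as dicts from the example; the container-overrides-Pod precedence for runAsUser/runAsGroup is the standard securityContext behaviour.

```python
"""ACKPSPAllowedUsers semantics, re-implemented offline.

Added example, not the policy's own Rego: it applies the documented rule types
(MustRunAs, MustRunAsNonRoot, MayRunAs, RunAsAny) with UID/GID ranges to the
good2 and bad Pods above, which are constructed here as Python dicts.
"""

# Parameters copied from the psp-pods-allowed-user-ranges Constraint above.
RANGE_100_200 = [{"min": 100, "max": 200}]
PARAMS = {
    "runAsUser": {"rule": "MustRunAs", "ranges": RANGE_100_200},
    "runAsGroup": {"rule": "MustRunAs", "ranges": RANGE_100_200},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": RANGE_100_200},
    "fsGroup": {"rule": "MustRunAs", "ranges": RANGE_100_200},
}

# The Allowed (good2) and Disallowed (bad) Pods from the example above.
GOOD_POD = {"metadata": {"name": "good2"}, "spec": {
    "securityContext": {"fsGroup": 150, "supplementalGroups": [150]},
    "containers": [{"image": "test", "name": "test",
                    "securityContext": {"runAsUser": 150, "runAsGroup": 150}}]}}
BAD_POD = {"metadata": {"name": "bad"},
           "spec": {"containers": [{"image": "test", "name": "test"}]}}


def in_ranges(value, ranges):
    """True if value lies inside at least one inclusive [min, max] range."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_field(field, values, spec):
    """Apply one rule to the IDs set for `field`; values is None when unset."""
    rule = spec["rule"]
    if rule == "RunAsAny":
        return []
    if rule == "MustRunAsNonRoot":
        # An unset runAsUser defers to the image's USER, which admission cannot
        # see, so the field must be set explicitly and must not be 0.
        if values is None:
            return [f"{field}: MustRunAsNonRoot requires an explicit runAsUser"]
        return [f"{field}: {v} is root" for v in values if v == 0]
    if values is None:
        # MayRunAs tolerates an absent field; MustRunAs requires it.
        return [] if rule == "MayRunAs" else [f"{field}: must be set (MustRunAs)"]
    return [f"{field}: {v} outside allowed ranges"
            for v in values if not in_ranges(v, spec["ranges"])]


def effective(pod, container, key):
    """Container-level securityContext overrides the Pod-level value."""
    pod_sc = pod["spec"].get("securityContext", {})
    return container.get("securityContext", {}).get(key, pod_sc.get(key))


def violations(pod, params=PARAMS):
    """All violations for a Pod; an empty list means admission would pass."""
    out = []
    pod_sc = pod["spec"].get("securityContext", {})
    fs = pod_sc.get("fsGroup")
    # fsGroup and supplementalGroups exist only at Pod level.
    out += check_field("fsGroup", None if fs is None else [fs], params["fsGroup"])
    out += check_field("supplementalGroups", pod_sc.get("supplementalGroups"),
                       params["supplementalGroups"])
    # runAsUser/runAsGroup are checked per container, init containers included.
    for c in pod["spec"].get("containers", []) + pod["spec"].get("initContainers", []):
        for key in ("runAsUser", "runAsGroup"):
            v = effective(pod, c, key)
            out += [f"{c['name']}/{m}"
                    for m in check_field(key, None if v is None else [v], params[key])]
    return out
```

Running `violations(BAD_POD)` reports four missing fields (fsGroup, supplementalGroups and the container's runAsUser and runAsGroup), which is why MustRunAs rejects a Pod that sets no securityContext at all.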
ACKPSPAllowPrivilegeEscalationContainer
Rule description: restricts the allowPrivilegeEscalation setting of Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      allowPrivilegeEscalation: false
  initContainers:
  - image: test
    name: test2
    securityContext:
      allowPrivilegeEscalation: false
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPAppArmor
Rule description: restricts the AppArmor configuration of Pods deployed in the specified scope of the cluster.
Severity: low.
Parameters:
Parameter | Type | Description |
| array | Probes that must be configured in the Pod, for example readinessProbe and livenessProbe. |
| array | Probe types that must be configured in the Pod, for example tcpSocket, httpGet and exec. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfiles:
    - runtime/default
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
  annotations:
    'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
    'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
spec:
  containers:
  - image: test
    name: test
  initContainers:
  - image: test
    name: test2
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPCapabilities
Rule description: restricts the Linux capabilities of Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
| array | Whitelist of allowed capabilities. |
| array | Capabilities that must be dropped. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPCapabilities
metadata:
  name: psp-capabilities
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedCapabilities: ["CHOWN"]
    requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-4
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      capabilities:
        add:
        - CHOWN
        drop:
        - "NET_ADMIN"
        - "SYS_ADMIN"
        - "NET_RAW"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPFlexVolumes
Rule description: restricts the FlexVolume drivers that Pods deployed in the specified scope of the cluster may use.
Severity: medium.
Parameters:
Parameter | Type | Description |
| array | List of FlexVolume drivers that may be configured. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod", "PersistentVolume"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedFlexVolumes: #[]
    - driver: "alicloud/disk"
    - driver: "alicloud/nas"
    - driver: "alicloud/oss"
    - driver: "alicloud/cpfs"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-nas
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/nas"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss-flexvolume
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/ossxx"

ACKPSPForbiddenSysctls
Rule description: restricts the sysctls that Pods deployed in the specified scope of the cluster are forbidden to set.
Severity: high.
Parameters:
Parameter | Type | Description |
| array | List of sysctls forbidden in Pods. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    forbiddenSysctls:
    # - "*" # * may be used to forbid all sysctls
    - "kernel.*"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good-2
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'net.ipv4.tcp_syncookies'
      value: "65536"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  securityContext:
    sysctls:
    - name: 'kernel.shm_rmid_forced'
      value: '1024'
  containers:
  - image: test
    name: test

ACKPSPFSGroup
Rule description: restricts the fsGroup configuration of Pods deployed in the specified scope of the cluster.
Severity: medium.
Parameters:
Parameter | Type | Description |
| string | For details, see the fsGroup configuration of the original PSP rule; MustRunAs, MayRunAs and RunAsAny are supported. For more information, see Volumes and file systems. |
| object | Contains the following values. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    fsGroup: 100
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  securityContext:
    fsGroup: 0
  shareProcessNamespace: true
  containers:
  - image: test
    name: test

ACKPSPHostFilesystem
Rule description: restricts the host directories that Pods deployed in the specified scope of the cluster may mount.
Severity: high.
Parameters:
Parameter | Type | Description |
| object | Host path whitelist. |
| boolean | Whether the path is read-only. |
| string | Path prefix. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    volumeMounts:
    - name: test-volume
      mountPath: "/projected-volume"
      readOnly: true
  volumes:
  - name: test-volume
    hostPath:
      path: /foo
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: File
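The allowedHostPaths check above, as an added example that is not part of this page or of ACK's own policy code. It evaluates the good1 and bad Pods (constructed here as dicts) against the psp-host-filesystem parameters; the path-component prefix semantics and the readOnly handling are the interpretation assumed here, and they show why a plain string prefix test would wrongly admit /foobar under a /foo whitelist.

```python
"""ACKPSPHostFilesystem semantics (allowedHostPaths with pathPrefix and readOnly).

Added example, not the policy's own Rego. A hostPath volume is admitted only if
some whitelist entry is a path-component prefix of it; when every matching entry
is readOnly, each mount of that volume must also be readOnly. The good1 and bad
Pods above are constructed here as Python dicts.
"""
import posixpath

# Parameters copied from the psp-host-filesystem Constraint above.
ALLOWED_HOST_PATHS = [{"readOnly": True, "pathPrefix": "/foo"}]

GOOD_POD = {"metadata": {"name": "good1"}, "spec": {
    "containers": [{"image": "test", "name": "test", "volumeMounts": [
        {"name": "test-volume", "mountPath": "/projected-volume", "readOnly": True}]}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/foo"}}]}}
BAD_POD = {"metadata": {"name": "bad"}, "spec": {
    "containers": [{"image": "test", "name": "test"}],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "File"}}]}}


def has_path_prefix(path, prefix):
    """Component-wise prefix test: '/foo' covers '/foo' and '/foo/bar' but not
    '/foobar'. Both sides are normalised, so '/foo/../etc' is judged as '/etc'."""
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def violations(pod, allowed=ALLOWED_HOST_PATHS):
    """All violations for a Pod; an empty list means admission would pass."""
    out = []
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for vol in spec.get("volumes", []):
        if "hostPath" not in vol:
            continue  # only hostPath volumes are in scope for this rule
        path = vol["hostPath"]["path"]
        matches = [a for a in allowed if has_path_prefix(path, a["pathPrefix"])]
        if not matches:
            out.append(f"volume {vol['name']}: hostPath {path} is outside the allowed prefixes")
            continue
        if not all(a.get("readOnly", False) for a in matches):
            continue  # at least one matching entry permits read-write mounts
        for c in containers:
            for m in c.get("volumeMounts", []):
                if m["name"] == vol["name"] and not m.get("readOnly", False):
                    out.append(f"{c['name']}: hostPath {path} must be mounted readOnly")
    return out
```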
ACKPSPHostNamespace
Rule description: restricts whether Pods deployed in the specified scope of the cluster may share the host namespaces.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNamespace
metadata:
  name: psp-host-namespace
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  hostPID: true
  containers:
  - image: test
    name: test
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
status: {}

ACKPSPHostNetworkingPorts
Rule description: restricts the use of the host network and of specified ports by Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
| boolean | Whether Pods may share the host network. |
| int | Minimum hostPort value that may be used. |
| int | Maximum hostPort value that may be used. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    hostNetwork: true
    min: 80
    max: 9000
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: good-2
  namespace: test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 80
      containerPort: 80
  initContainers:
  - image: k8s.gcr.io/test-webserver
    name: test-container2
    ports:
    - hostPort: 8080
      containerPort: 8080
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: bad-1
  namespace: non-test-gatekeeper
spec:
  hostNetwork: true
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    ports:
    - hostPort: 22
      containerPort: 22

ACKPSPPrivilegedContainer
Rule description: restricts the launch of privileged containers in Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      privileged: true
  dnsPolicy: ClusterFirst
  restartPolicy: Never

ACKPSPProcMount
Rule description: restricts the proc mount types allowed for Pods deployed in the specified scope of the cluster.
Severity: high.
Parameters:
Parameter | Type | Description |
| string | proc mount type. The following types can be configured: For details about this parameter, see AllowedProcMountTypes. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    procMount: Default # Default or Unmasked
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Default"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad3
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      procMount: "Unmasked"
  initContainers:
  - image: test
    name: test2

ACKPSPReadOnlyRootFilesystem
Rule description: requires Pods deployed in the specified scope of the cluster to use a read-only root file system.
Severity: medium.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: true
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad2
  namespace: non-test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      readOnlyRootFilesystem: false
  initContainers:
  - image: test
    name: test2

ACKPSPSeccomp
Rule description: restricts Pods deployed in the specified scope of the cluster to the specified Seccomp profiles.
Severity: low.
Parameters:
Parameter | Type | Description |
| array | Whitelist of allowed Seccomp profile types. |
| array | Allowed Seccomp profiles. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedProfileTypes:
    # - Unconfined
    - RuntimeDefault
    - Localhost
    allowedProfiles:
    - runtime/default
    - docker/default
    - localhost/profiles/audit.json
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
  initContainers:
  - image: test
    name: test2
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: profiles/audit.json
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
    echo-k8s-webhook-enabled: 'true'
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test

ACKPSPSELinuxV2
Rule description: requires Pods deployed in the specified scope of the cluster to use the SELinux configuration specified in the allowedSELinuxOptions parameter.
Severity: low.
Parameters:
Parameter | Type | Description |
| object | Whitelist of allowed SELinux configurations. For more information, see SELinuxOptions v1 core. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u
Allowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: good
  namespace: test-gatekeeper
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - image: test
    name: test
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
    securityContext:
      seLinuxOptions:
        level: "s0:c123,c455"

ACKPSPVolumeTypes
Rule description: restricts the Volume mount types that Pods deployed in the specified scope of the cluster may use.
Severity: low.
Parameters:
Parameter | Type | Description |
volumes | array | List of allowed Volume mount types. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    volumes:
    # - "*" # * may be used to allow all volume types
    - configMap
    # - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    # - hostPath #required for allowedHostPaths
    - flexVolume #required for allowedFlexVolumes
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pv-oss
  namespace: test-gatekeeper
spec:
  containers:
  - name: test
    image: test
  volumes:
  - name: test
    flexVolume:
      driver: "alicloud/oss"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test
  name: bad-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: test
    name: test
  volumes:
  - name: test-volume
    hostPath:
      path: /data

FinOps
ACKContainerRequests
Rule description: requires certain application Pods in the cluster to declare resource requests.
Severity: low.
Parameters:
Parameter | Type | Description |
| string | Container CPU |
| string | Container memory |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerRequests
metadata:
  name: container-must-have-requests
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    cpu: "1000m"
    memory: "1Gi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-1
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container
    resources:
      requests:
        memory: "100Mi"
        cpu: "500m"
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: openpolicyagent/test-webserver
    name: test-container

ACKContainerResourcesWhitelist
Rule description: requires the CPU and memory configuration of certain application Pods in the cluster to be chosen from preset options.
Severity: low.
Parameters:
Parameter | Type | Description |
| array | Container CPU |
| array | Container CPU |
| array | Container memory |
| array | Container memory |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesWhitelist
metadata:
  name: container-resources-whitelist
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [ "" ]
      kinds: [ "Pod" ]
    namespaces:
    - "test-gatekeeper"
  parameters:
    cpuRequests:
    - "100m"
    - "500m"
    - "1"
    cpuLimits:
    - "2"
    - "4000m"
    memoryRequests:
    - "256Mi"
    - "512Mi"
    memoryLimits:
    - "1Gi"
    - "2048Mi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: "2"
        memory: 1Gi
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 10m
        memory: 512Mi
      limits:
        cpu: "1"
        memory: 1Gi

ACKContainerResourcesRange
Rule description: restricts the resource configuration of certain application Pods in the cluster to a specified range with upper and lower bounds.
Severity: low.
Parameters:
Parameter | Type | Description |
| object | Contains the following values. |
| object | Contains the following values. |
| object | Contains the following values. |
| object | Contains the following values. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKContainerResourcesRange
metadata:
  name: container-resources-range
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [ "" ]
      kinds: [ "Pod" ]
    namespaces:
    - "test-gatekeeper"
  parameters:
    cpuRequests:
      min: "100m"
      max: "1"
    cpuLimits:
      min: "500m"
      max: "2"
    memoryRequests:
      min: "256Mi"
      max: "512Mi"
    memoryLimits:
      min: "1Gi"
      max: "2048Mi"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: "2"
        memory: 2Gi
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 10m
        memory: 5Mi
      limits:
        cpu: "3"
        memory: 128Mi
ACKRequiredNodeSelector
Rule description: requires certain application Pods in the cluster to carry the specified nodeSelector labels.
Severity: low.
Parameters:
Parameter | Type | Description |
| array | Contains the following values. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRequiredNodeSelector
metadata:
  name: must-have-nodeselector
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    nodeSelector:
    - key: "node.alibabacloud.com/nodepool-id"
      allowedRegex: "^np.*$"
    - key: "kubernetes.io/os"
      allowedRegex: "^linux$"
Allowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: "2"
        memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: linux
Disallowed:
apiVersion: v1
kind: Pod
metadata:
  name: pod-0
  namespace: test-gatekeeper
spec:
  containers:
  - image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
    name: test-container
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: "2"
        memory: 1Gi
  nodeSelector:
    node.alibabacloud.com/nodepool-id: npd37f0e64410c41328a6282dbe5d35cae
    kubernetes.io/os: windows

ACKWorkloadReplicasRange
Rule description: restricts the upper and lower bounds of an application's replica count.
Severity: low.
Parameters:
Parameter | Type | Description |
| int | Minimum number of replicas of the application. |
| int | Maximum number of replicas of the application. |
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKWorkloadReplicasRange
metadata:
  name: replica-limiter
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: ["*"]
      kinds: ["Deployment", "StatefulSet", "ReplicaSet", "Scale"]
    namespaces:
    - "test-gatekeeper"
  parameters:
    minReplicas: 2
    maxReplicas: 3
Allowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"
Disallowed:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-0
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-basic-1
  namespace: test-gatekeeper
  labels:
    app: nginx
spec:
  replicas: 4
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: "500m"

ACKRestrictALBCreation
Rule description: forces the reuse of existing ALB instances and forbids creating new ALB instances through AlbConfig.
Severity: low.
Parameters: none.
Example:
Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ACKRestrictALBCreation
metadata:
  name: restrict-alb-creation
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups: ["alibabacloud.com"]
      kinds: ["AlbConfig"]
Allowed:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: 'abcdefghijklmnopqrstuvwxyz'
    forceOverride: false
    listenerForceOverride: false
Disallowed:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    name: alb
    addressType: Internet
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # Replace with the ID of a vSwitch in the cluster's VPC; at least two vSwitches in different zones are required.
      allocationId: eip-asdfas**** # Replace with an EIP ID; by default a public IP is allocated automatically.
    - vSwitchId: vsw-uf6nun9tql5t8nh15**** # Replace with the ID of a second vSwitch in a different zone.
      allocationId: eip-dpfmss**** # Replace with an EIP ID.
  listeners:
  - port: 80
    protocol: HTTP