The policy governance feature of Alibaba Cloud Container Service for Kubernetes (ACK) ships with a rich library of built-in rules. This topic describes each rule template in the current ACK container security policy library.

Background information

The current ACK container security policy library contains the following four categories of rule templates:
  • CIS-K8s: security rules derived from compliance standards such as the CIS Kubernetes Benchmark.
  • Infra: rules that harden and protect resources at the cloud infrastructure layer.
  • K8s-general: rules that constrain and standardize the configuration of sensitive resources in a Kubernetes cluster, hardening the applications that run in it.
  • PSP: policies that replace Kubernetes PodSecurityPolicy (PSP); they provide the same security constraints that PSP offered in the original ACK policy governance feature.

Policy rule library

ACK provides the following built-in policy rule libraries. The categories and a brief description of each policy are listed below:

Category | Policy | Description | Severity
--- | --- | --- | ---
CIS-K8s | ACKNoEnvVarSecrets | Blocks mounting Secrets into the environment variables of application Pods by secretKeyRef. | medium
CIS-K8s | ACKPodsRequireSecurityContext | Requires every container in a Pod to have a securityContext field configured. | low
CIS-K8s | ACKRestrictNamespaces | Blocks deployment of resources into the specified namespaces of the cluster. | low
CIS-K8s | ACKRestrictRoleBindings | Restricts the use of a specified Role or ClusterRole by RoleBindings in the specified namespaces. | high
Infra | ACKBlockProcessNamespaceSharing | Blocks the use of shareProcessNamespace in applications deployed in the specified scope of the cluster. | high
Infra | ACKEmptyDirHasSizeLimit | Requires emptyDir volumes to specify a sizeLimit. | low
Infra | ACKLocalStorageRequireSafeToEvict | Requires Pods deployed in the specified scope of the cluster to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". By default, the autoscaler does not evict Pods that use HostPath or EmptyDir volumes when scaling the cluster; to allow these Pods to be evicted, the annotation must be added to the Pod. | low
Infra | ACKOSSStorageLocationConstraint | Restricts deployments in the specified namespaces to use only Alibaba Cloud OSS volumes in the specified regions. | low
K8s-general | ACKAllowedRepos | Blocks application Pods deployed in the specified scope of the cluster from pulling images outside an allowlist. | high
K8s-general | ACKBlockAutoinjectServiceEnv | Requires applications to set enableServiceLinks: false so that Service IPs are not exposed in Pod environment variables. | low
K8s-general | ACKBlockAutomountToken | Requires applications to set automountServiceAccountToken: false so that the service account token is not mounted automatically. | high
K8s-general | ACKBlockEphemeralContainer | Blocks starting ephemeral containers in application Pods in the specified scope of the cluster. | medium
K8s-general | ACKBlockLoadBalancer | Blocks deployment of LoadBalancer-type Services in the specified scope of the cluster. | high
K8s-general | ACKBlockNodePort | Blocks the use of NodePort-type Services in the specified scope of the cluster. | high
K8s-general | ACKContainerLimits | Requires application Pods in the specified scope of the cluster to configure resource limits. | low
K8s-general | ACKExternalIPs | Blocks Services in the specified scope of the cluster from using externalIPs outside an allowlist. | high
K8s-general | ACKImageDigests | Blocks deployment of images that are not referenced by digest in the specified scope of the cluster. | low
K8s-general | ACKRequiredLabels | Blocks deployment of applications that lack labels matching the specified pattern in the specified scope of the cluster. | low
K8s-general | ACKRequiredProbes | Requires Pods deployed in the specified scope of the cluster to configure readinessProbe and livenessProbe of the specified types. | medium
K8s-general | ACKCheckNginxPath | Mitigation for CVE-2021-25745: blocks dangerous configurations in the spec.rules[].http.paths[].path field of Ingress resources. Enabling this policy is recommended for Ingress-nginx versions earlier than 1.2.0. | high
K8s-general | ACKCheckNginxAnnotation | Mitigation for CVE-2021-25746: blocks dangerous configurations in the metadata.annotations field of Ingress resources. Enabling this policy is recommended for Ingress-nginx versions earlier than 1.2.0. | high
PSP | ACKPSPAllowPrivilegeEscalationContainer | Restricts the allowPrivilegeEscalation setting of Pods deployed in the specified scope of the cluster. | medium
PSP | ACKPSPAllowedUsers | Restricts the user, group, supplementalGroups and fsGroup that Pods deployed in the specified scope of the cluster run as. | medium
PSP | ACKPSPAppArmor | Restricts the AppArmor configuration of Pods deployed in the specified scope of the cluster. | low
PSP | ACKPSPCapabilities | Restricts the Linux capabilities of Pods deployed in the specified scope of the cluster. | high
PSP | ACKPSPFSGroup | Restricts the fsGroup of Pods deployed in the specified scope of the cluster. | medium
PSP | ACKPSPFlexVolumes | Restricts the FlexVolume drivers that Pods deployed in the specified scope of the cluster may use. | medium
PSP | ACKPSPForbiddenSysctls | Restricts the forbidden sysctls for Pods deployed in the specified scope of the cluster. | high
PSP | ACKPSPHostFilesystem | Restricts the host directories that Pods deployed in the specified scope of the cluster may mount. | high
PSP | ACKPSPHostNamespace | Restricts whether Pods deployed in the specified scope of the cluster may share host namespaces. | high
PSP | ACKPSPHostNetworkingPorts | Restricts the use of host networking and the specified ports by Pods deployed in the specified scope of the cluster. | high
PSP | ACKPSPPrivilegedContainer | Blocks privileged containers in Pods deployed in the specified scope of the cluster. | high
PSP | ACKPSPProcMount | Restricts the procMount types that Pods deployed in the specified scope of the cluster may use. | low
PSP | ACKPSPReadOnlyRootFilesystem | Requires Pods deployed in the specified scope of the cluster to use a read-only root filesystem. | medium
PSP | ACKPSPSELinuxV2 | Requires Pods deployed in the specified scope of the cluster to use the SELinux configuration specified in the AllowedSELinuxOptions parameter. | low
PSP | ACKPSPSeccomp | Restricts Pods deployed in the specified scope of the cluster to the specified seccomp profiles. | low
PSP | ACKPSPVolumeTypes | Restricts the volume types that Pods deployed in the specified scope of the cluster may mount. | medium

CIS-K8s

  • ACKNoEnvVarSecrets

    Rule description: Blocks mounting Secrets into the environment variables of application Pods by secretKeyRef.

    Severity: medium.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKNoEnvVarSecrets
    metadata:
      name: no-env-var-secrets
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: mypod
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mypod
        image: redis
        volumeMounts:
        - name: foo
          mountPath: "/etc/foo"
      volumes:
      - name: foo
        secret:
          secretName: mysecret
          items:
          - key: username
            path: my-group/my-username
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
        env:
          - name: SECRET_USERNAME
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: username
          - name: SECRET_PASSWORD
            valueFrom:
              secretKeyRef:
                name: mysecret
                key: password
      restartPolicy: Never
  • ACKPodsRequireSecurityContext

    Rule description: Requires every container in a Pod to have a securityContext field configured.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPodsRequireSecurityContext
    metadata:
      name: pods-require-security-context
      annotations:
        # This constraint is not certified by CIS.
        description: "Requires that Pods must have a `securityContext` defined."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: test-gatekeeper
    spec:
      securityContext:
        runAsNonRoot: false
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test2
      - image: test
        name: test
        resources: {}
        securityContext:
          runAsNonRoot: false
  • ACKRestrictNamespaces

    Rule description: Blocks deployment of resources into the specified namespaces of the cluster.

    Severity: low.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    restrictedNamespaces | array | Resources may not be deployed into the namespaces listed in this parameter.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictNamespaces
    metadata:
      name: restrict-default-namespace
      annotations:
        # This constraint is not certified by CIS.
        description: "Restricts resources from using the restricted namespace."
    spec:
      match:
        kinds:
          - apiGroups: ['']
            kinds: ['Pod']
      parameters:
        restrictedNamespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      restartPolicy: Never
  • ACKRestrictRoleBindings

    Rule description: Restricts the use of a specified Role or ClusterRole by RoleBindings in the specified namespaces.

    Severity: high.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    restrictedRole | object | The ClusterRole or Role whose use is restricted.
    allowedSubjects | array | Allowlist of subjects that may be bound to the restricted role.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRestrictRoleBindings
    metadata:
      name: restrict-clusteradmin-rolebindings
      annotations:
        # This constraint is not certified by CIS.
        description: "Restricts use of sensitive role in specific rolebinding."
    spec:
      match:
        kinds:
          - apiGroups: ["rbac.authorization.k8s.io"]
            kinds: ["RoleBinding"]
      parameters:
        restrictedRole:
          apiGroup: "rbac.authorization.k8s.io"
          kind: "ClusterRole"
          name: "cluster-admin"
        allowedSubjects:
          - apiGroup: "rbac.authorization.k8s.io"
            kind: "Group"
            name: "system:masters"
    Allowed:
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: good-2
      namespace: test-gatekeeper
    subjects:
      - kind: Group
        name: 'system:masters'
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    Disallowed:
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    subjects:
      - kind: ServiceAccount
        name: policy-template-controller
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
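The two CIS-K8s rules above can be pre-checked locally before a manifest ever reaches the admission webhook. The following is an added example written for this page, not ACK's own Rego template: it reproduces the documented logic of ACKNoEnvVarSecrets and ACKRestrictRoleBindings in Python and runs it against the Allowed/Disallowed samples above, rewritten as dicts; the subject-normalisation rule (User/Group default to the RBAC apiGroup, ServiceAccount to "") is how the API server fills in omitted apiGroup fields.

```python
"""Local pre-admission checks mirroring ACKNoEnvVarSecrets and
ACKRestrictRoleBindings. Added example; the ACK templates themselves
run as Gatekeeper constraints, this reproduces their documented logic."""
from typing import Dict, List

RBAC_GROUP = "rbac.authorization.k8s.io"


def _all_containers(pod: Dict) -> List[Dict]:
    """Init, regular and ephemeral containers all accept env[].valueFrom."""
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def no_env_var_secrets(pod: Dict) -> List[str]:
    """ACKNoEnvVarSecrets: reject env vars filled from secretKeyRef.
    Secrets projected as files (volumes[].secret) stay allowed; env vars
    leak into `kubectl describe`, crash dumps and child processes."""
    return [f"container {c['name']}: env {e['name']} reads Secret "
            f"{e['valueFrom']['secretKeyRef'].get('name')}"
            for c in _all_containers(pod)
            for e in c.get("env", [])
            if e.get("valueFrom", {}).get("secretKeyRef")]


def _subject_key(s: Dict):
    """Normalise a subject the way the API server does: User/Group default
    to the RBAC apiGroup, ServiceAccount to the core group ("")."""
    default = RBAC_GROUP if s.get("kind") in ("User", "Group") else ""
    return (s.get("kind"), s.get("name"), s.get("apiGroup", default))


def restrict_role_bindings(binding: Dict, restricted_role: Dict,
                           allowed_subjects: List[Dict]) -> List[str]:
    """ACKRestrictRoleBindings: a binding whose roleRef is the restricted
    role may only name subjects from the allowlist."""
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != (restricted_role["kind"],
                                              restricted_role["name"]):
        return []  # some other role: the constraint does not apply
    allowed = {_subject_key(s) for s in allowed_subjects}
    return [f"binding {binding['metadata']['name']}: subject "
            f"{s.get('kind')}/{s.get('name')} may not bind {ref['name']}"
            for s in binding.get("subjects", [])
            if _subject_key(s) not in allowed]


# --- the page's samples as dicts --------------------------------------------
ALLOWED_POD = {"metadata": {"name": "mypod"}, "spec": {
    "containers": [{"name": "mypod", "image": "redis",
                    "volumeMounts": [{"name": "foo", "mountPath": "/etc/foo"}]}],
    "volumes": [{"name": "foo", "secret": {"secretName": "mysecret"}}]}}
DISALLOWED_POD = {"metadata": {"name": "bad"}, "spec": {"containers": [{
    "name": "mycontainer", "image": "redis", "env": [
        {"name": "SECRET_USERNAME",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "username"}}},
        {"name": "SECRET_PASSWORD",
         "valueFrom": {"secretKeyRef": {"name": "mysecret", "key": "password"}}}]}]}}

RESTRICTED_ROLE = {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"}]
_CLUSTER_ADMIN = {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP}
# apiGroup is omitted on the subject, exactly as in the page's Allowed sample
GOOD_BINDING = {"metadata": {"name": "good-2"}, "roleRef": _CLUSTER_ADMIN,
                "subjects": [{"kind": "Group", "name": "system:masters"}]}
BAD_BINDING = {"metadata": {"name": "bad-1"}, "roleRef": _CLUSTER_ADMIN,
               "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}]}
# Constructed extra case: same subject, but bound to "view", so the rule is silent
VIEW_BINDING = {"metadata": {"name": "viewer"},
                "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC_GROUP},
                "subjects": [{"kind": "ServiceAccount", "name": "policy-template-controller"}]}

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DISALLOWED_POD):
        print(pod["metadata"]["name"], no_env_var_secrets(pod))
    for b in (GOOD_BINDING, BAD_BINDING, VIEW_BINDING):
        print(b["metadata"]["name"],
              restrict_role_bindings(b, RESTRICTED_ROLE, ALLOWED_SUBJECTS))
```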

Infra (infrastructure)

  • ACKBlockProcessNamespaceSharing

    Rule description: Blocks the use of shareProcessNamespace in applications deployed in the specified scope of the cluster.

    Severity: high.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockProcessNamespaceSharing
    metadata:
      name: block-share-process-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: test-3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKEmptyDirHasSizeLimit

    Rule description: Requires emptyDir volumes to specify a sizeLimit.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKEmptyDirHasSizeLimit
    metadata:
      name: empty-dir-has-sizelimit
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir:
          sizeLimit: "10Mi"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKLocalStorageRequireSafeToEvict

    Rule description: Requires Pods deployed in the specified scope of the cluster to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". The cluster autoscaler does not delete Pods that lack this annotation when scaling the cluster.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKLocalStorageRequireSafeToEvict
    metadata:
      name: local-storage-require-safe-to-evict
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces: ["test-gatekeeper"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-1
      namespace: test-gatekeeper
      annotations:
        'cluster-autoscaler.kubernetes.io/safe-to-evict': 'true'
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
      volumes:
      - name: test-volume
        hostPath:
          # directory location on host
          path: /data
          # this field is optional
          type: Directory
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
  • ACKOSSStorageLocationConstraint

    Rule description: Restricts deployments in the specified namespaces to use only Alibaba Cloud OSS volumes in the specified regions.

    Severity: low.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    mode | string | Whether to use allowlist mode. The default value allowlist enables allowlist mode; any other value enables blocklist mode.
    regions | array | List of Alibaba Cloud region IDs.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKOSSStorageLocationConstraint
    metadata:
      name: restrict-oss-location
      annotations:
        description: "Restricts location of oss storage in cluster."
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["PersistentVolume", "Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        mode: "allowlist"
        regions:
          - "cn-beijing"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi-good
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-beijing.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-oss-csi
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          csi:
            driver: ossplugin.csi.alibabacloud.com
            volumeHandle: pv-oss
            nodePublishSecretRef:
              name: oss-secret
              namespace: default
            volumeAttributes:
              bucket: "oss"
              url: "oss-cn-hangzhou.aliyuncs.com"
              otherOpts: "-o max_stat_cache_size=0 -o allow_other"
              path: "/"
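The safe-to-evict and OSS-region rules both hinge on small details (which volume kinds count as local storage; where the region is read from). The block below is an added example, not ACK's Rego, that reproduces both checks and runs them over the samples above. It assumes that only Pods actually using hostPath or emptyDir volumes are held to the safe-to-evict rule, and that the OSS region is taken from the endpoint hostname in volumeAttributes.url, of the form oss-<region>[-internal].aliyuncs.com.

```python
"""Local checks mirroring ACKLocalStorageRequireSafeToEvict and
ACKOSSStorageLocationConstraint. Added example, not the ACK templates."""
import re
from typing import Dict, List, Optional

SAFE_TO_EVICT = "cluster-autoscaler.kubernetes.io/safe-to-evict"
OSS_DRIVER = "ossplugin.csi.alibabacloud.com"
# Assumption: region id is embedded in the endpoint host, e.g. oss-cn-beijing.aliyuncs.com
_OSS_ENDPOINT = re.compile(r"^(?:https?://)?oss-([a-z0-9-]+?)(?:-internal)?\.aliyuncs\.com")


def local_storage_require_safe_to_evict(pod: Dict) -> List[str]:
    """Pods backed by node-local volumes keep the autoscaler from draining
    their node unless they opt in with safe-to-evict=true."""
    spec = pod.get("spec", {})
    local = [v["name"] for v in spec.get("volumes", [])
             if "hostPath" in v or "emptyDir" in v]
    annotations = pod.get("metadata", {}).get("annotations", {})
    if not local or annotations.get(SAFE_TO_EVICT) == "true":
        return []
    return [f"volume {n} is node-local but the pod lacks {SAFE_TO_EVICT}=true"
            for n in local]


def oss_region(endpoint: str) -> Optional[str]:
    """Region id from an OSS endpoint, or None if it is not an OSS endpoint."""
    m = _OSS_ENDPOINT.match(endpoint)
    return m.group(1) if m else None


def oss_storage_location(obj: Dict, mode: str, regions: List[str]) -> List[str]:
    """Inline CSI volumes of a Pod and spec.csi of a PersistentVolume.
    mode == "allowlist": only listed regions pass; any other value: listed
    regions fail. An endpoint with no parseable region fails in both modes."""
    spec = obj.get("spec", {})
    csi_specs = [v["csi"] for v in spec.get("volumes", []) if "csi" in v]
    if "csi" in spec:                      # PersistentVolume
        csi_specs.append(spec["csi"])
    out = []
    for csi in csi_specs:
        if csi.get("driver") != OSS_DRIVER:
            continue                       # other CSI drivers are out of scope
        url = csi.get("volumeAttributes", {}).get("url", "")
        region = oss_region(url)
        listed = region in regions
        bad = (not listed) if mode == "allowlist" else listed
        if region is None or bad:
            out.append(f"{obj['kind']} {obj['metadata']['name']}: OSS endpoint "
                       f"{url!r} (region {region}) is not permitted in {mode} mode")
    return out


def _oss_pod(name: str, url: str) -> Dict:
    return {"kind": "Pod", "metadata": {"name": name}, "spec": {
        "containers": [{"name": "test", "image": "test"}],
        "volumes": [{"name": "test", "csi": {
            "driver": OSS_DRIVER,
            "volumeAttributes": {"bucket": "oss", "url": url, "path": "/"}}}]}}


# The page's samples
SAFE_POD = {"kind": "Pod", "metadata": {"name": "test-1", "annotations": {SAFE_TO_EVICT: "true"}},
            "spec": {"volumes": [{"name": "test-volume",
                                  "hostPath": {"path": "/data", "type": "Directory"}}]}}
UNSAFE_POD = {"kind": "Pod", "metadata": {"name": "bad"},
              "spec": {"volumes": [{"name": "cache-volume", "emptyDir": {}}]}}
GOOD_OSS_POD = _oss_pod("pod-oss-csi-good", "oss-cn-beijing.aliyuncs.com")
BAD_OSS_POD = _oss_pod("pod-oss-csi", "oss-cn-hangzhou.aliyuncs.com")
# Constructed extras: a Pod with only a configMap volume, and a PV on the internal endpoint
NO_LOCAL_POD = {"kind": "Pod", "metadata": {"name": "cm-only"},
                "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "app"}}]}}
INTERNAL_PV = {"kind": "PersistentVolume", "metadata": {"name": "pv-oss"}, "spec": {"csi": {
    "driver": OSS_DRIVER, "volumeHandle": "pv-oss",
    "volumeAttributes": {"bucket": "oss", "url": "oss-cn-beijing-internal.aliyuncs.com"}}}}

if __name__ == "__main__":
    for pod in (SAFE_POD, UNSAFE_POD, NO_LOCAL_POD):
        print(pod["metadata"]["name"], local_storage_require_safe_to_evict(pod))
    for obj in (GOOD_OSS_POD, BAD_OSS_POD, INTERNAL_PV):
        print(obj["metadata"]["name"], oss_storage_location(obj, "allowlist", ["cn-beijing"]))
```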

K8s-general

  • ACKAllowedRepos

    Rule description: Blocks application Pods deployed in the specified scope of the cluster from pulling images outside an allowlist.

    Severity: high.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    repos | array | Allowlist of permitted image repositories.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKAllowedRepos
    metadata:
      name: allowed-repos
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        repos:
          - "registry-vpc.cn-hangzhou.aliyuncs.com/acs/"
          - "registry.cn-hangzhou.aliyuncs.com/acs/"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-01
      namespace: test-gatekeeper
    spec:
      containers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container-1
      initContainers:
      - image: registry.cn-hangzhou.aliyuncs.com/acs/test-webserver
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container-3
  • ACKBlockAutoinjectServiceEnv

    Rule description: Requires applications to set enableServiceLinks: false so that Service IPs are not exposed in Pod environment variables.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutoinjectServiceEnv
    metadata:
      name: block-auto-inject-service-env
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      enableServiceLinks: false
      containers:
      - image: openpolicyagent/test-webserver:1.0
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockAutomountToken

    Rule description: Requires applications to set automountServiceAccountToken: false so that the service account token is not mounted automatically.

    Severity: high.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockAutomountToken
    metadata:
      name: block-auto-mount-service-account-token
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      automountServiceAccountToken: false
      containers:
      - image: openpolicyagent/test-webserver:v1.0
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
  • ACKBlockEphemeralContainer

    Rule description: Blocks starting ephemeral containers in application Pods in the specified scope of the cluster.

    Severity: medium.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockEphemeralContainer
    metadata:
      name: block-ephemeral-container
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: good-1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: non-test-gatekeeper
    spec:
      containers:
      - name: mycontainer
        image: redis
      ephemeralContainers:
        - name: test
          image: test
  • ACKBlockLoadBalancer

    Rule description: Blocks deployment of LoadBalancer-type Services in the specified scope of the cluster.

    Severity: high.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    restrictedNamespaces | array | Resources may not be deployed into the namespaces listed in this parameter.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockLoadBalancer
    metadata:
      name: block-load-balancer
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
    Disallowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: LoadBalancer
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKBlockNodePort

    Rule description: Blocks the use of NodePort-type Services in the specified scope of the cluster.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKBlockNodePort
    metadata:
      name: block-node-port
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-1
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
    Disallowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      type: NodePort
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
  • ACKContainerLimits

    Rule description: Requires application Pods in the specified scope of the cluster to configure resource limits.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKContainerLimits
    metadata:
      name: container-must-have-limits
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        cpu: "1000m"
        memory: "1Gi"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Mi"
            cpu: "500m"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-2
      namespace: non-test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver
        name: test-container
        resources:
          limits:
            memory: "100Gi"
            cpu: "2000m"
  • ACKExternalIPs

    Rule description: Blocks Services in the specified scope of the cluster from using externalIPs outside an allowlist.

    Severity: high.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    allowedIPs | array | Allowlist of permitted externalIPs.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKExternalIPs
    metadata:
      name: external-ips
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Service"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedIPs:
          - "192.168.0.5"
    Allowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service-3
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
    Disallowed:
    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: test-gatekeeper
    spec:
      selector:
        app: MyApp
      ports:
        - name: http
          protocol: TCP
          port: 80
          targetPort: 9376
      externalIPs:
        - 80.11.12.10
  • ACKImageDigests

    Rule description: Blocks deployment of images that are not referenced by digest in the specified scope of the cluster.

    Severity: low.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKImageDigests
    metadata:
      name: container-image-must-have-digest
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-0
      namespace: test-gatekeeper
    spec:
      containers:
      - image: openpolicyagent/test-webserver@sha256:12e469267d21d66ac9dcae33a4d3d202ccb2591869270b95d0aad7516c7d075b
        name: test-container
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
      initContainers:
      - image: k8s.gcr.io/test-webserver
        name: test-container2
  • ACKRequiredLabels

    Rule description: Requires Pods deployed in the specified scope of the cluster to carry the labels defined by the allowedRegex parameter.

    Severity: low.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    allowedRegex | string | Regular expression defining the label allowlist.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredLabels
    metadata:
      name: must-have-label-test
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
    #            message: ''
        labels:
          - key: test
            # value
            allowedRegex: "^test.*$"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: test
      namespace: test-gatekeeper
      labels:
        'test': 'test_233'
    spec:
      containers:
      - name: mycontainer
        image: redis
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      name: bad2
      namespace: test-gatekeeper
      labels:
        'test': '233'
    spec:
      containers:
      - name: mycontainer
        image: redis
  • ACKRequiredProbes

    Rule description: Requires Pods deployed in the specified scope of the cluster to configure readinessProbe and livenessProbe of the specified types.

    Severity: medium.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    probes | array | Probes that must be configured in the Pod, for example readinessProbe and livenessProbe.
    probeTypes | array | Probe types that must be configured in the Pod, for example tcpSocket, httpGet and exec.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKRequiredProbes
    metadata:
      name: must-have-probes
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        probes: ["readinessProbe", "livenessProbe"]
        probeTypes: ["tcpSocket", "httpGet", "exec"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: p4
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
        readinessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
        livenessProbe:
          exec:
            command:
              - cat
              - /tmp/healthy
          initialDelaySeconds: 5
          periodSeconds: 5
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: p1
      namespace: test-gatekeeper
    spec:
      containers:
      - name: liveness
        image: k8s.gcr.io/busybox
  • ACKCheckNginxPath

    Rule description: Mitigation for CVE-2021-25745: blocks dangerous configurations in the spec.rules[].http.paths[].path field of Ingress resources. Enabling this policy is recommended for Ingress-nginx versions earlier than 1.2.0.

    Severity: high.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxPath
    metadata:
      name: block-nginx-path
    spec:
      enforcementAction: deny
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-paths
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80
    Disallowed:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: bad-path-secrets
      namespace: test-gatekeeper
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /var/run/secrets
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
  • ACKCheckNginxAnnotation

    Rule description: Mitigation for CVE-2021-25746: blocks dangerous configurations in the metadata.annotations field of Ingress resources. Enabling this policy is recommended for Ingress-nginx versions earlier than 1.2.0.

    Severity: high.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKCheckNginxAnnotation
    metadata:
      name: block-nginx-annotation
    spec:
      match:
        kinds:
          - apiGroups: ["extensions", "networking.k8s.io"]
            kinds: ["Ingress"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: good-annotations
      namespace: test-gatekeeper
      annotations:
        nginx.org/good: "value"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80
    Disallowed:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: var-run-secrets
      namespace: test-gatekeeper
      annotations:
        nginx.org/bad: "/var/run/secrets"
    spec:
      rules:
        - host: cafe.example.com
          http:
            paths:
              - path: /tea
                pathType: Prefix
                backend:
                  service:
                    name: tea-svc
                    port:
                      number: 80
              - path: /coffee
                pathType: Prefix
                backend:
                  service:
                    name: coffee-svc
                    port:
                      number: 80
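Four of the K8s-general rules above (ACKAllowedRepos, ACKImageDigests, ACKRequiredLabels and ACKRequiredProbes) are pure manifest inspection and are worth running in CI before a deploy is attempted. The block below is an added example written for this page, not ACK's Rego: it reconstructs each check from the rule description and the sample constraints, then runs all four over one good and one bad Pod built here from the page's samples. Prefix matching for the repository allowlist is assumed (it is what the upstream Gatekeeper allowedrepos template does); the digest in the good Pod is a constructed placeholder, not a real image hash.

```python
"""Local checks mirroring ACKAllowedRepos, ACKImageDigests,
ACKRequiredLabels and ACKRequiredProbes. Added example, not the ACK templates."""
import re
from typing import Dict, List

# An image is pinned when it ends in @sha256:<64 lowercase hex digits>.
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def _containers(pod: Dict) -> List[Dict]:
    """Init, regular and ephemeral containers are all subject to image rules."""
    spec = pod.get("spec", {})
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def allowed_repos(pod: Dict, repos: List[str]) -> List[str]:
    """ACKAllowedRepos as a plain prefix match (assumed, see lead-in).
    Keep the trailing slash in each prefix: "registry.example/acs" would also
    admit "registry.example/acs-evil/...", while "registry.example/acs/" does not."""
    return [f"container {c['name']}: image {c['image']} is outside the allowlist"
            for c in _containers(pod)
            if not any(c["image"].startswith(r) for r in repos)]


def image_digests(pod: Dict) -> List[str]:
    """ACKImageDigests: tags are mutable, digests are not."""
    return [f"container {c['name']}: image {c['image']} is not pinned by digest"
            for c in _containers(pod) if not _DIGEST.search(c["image"])]


def required_labels(pod: Dict, labels: List[Dict]) -> List[str]:
    """ACKRequiredLabels: each {key, allowedRegex} entry must be present and its
    value must match the regex (re.search, so the regex's own anchors apply)."""
    have = pod.get("metadata", {}).get("labels", {})
    out = []
    for rule in labels:
        value = have.get(rule["key"])
        if value is None:
            out.append(f"missing label {rule['key']}")
        elif not re.search(rule["allowedRegex"], value):
            out.append(f"label {rule['key']}={value!r} does not match {rule['allowedRegex']}")
    return out


def required_probes(pod: Dict, probes: List[str], probe_types: List[str]) -> List[str]:
    """ACKRequiredProbes: every regular container needs each probe in `probes`,
    implemented with one of `probe_types` (tcpSocket / httpGet / exec keys)."""
    out = []
    for c in pod.get("spec", {}).get("containers", []):
        for probe in probes:
            cfg = c.get(probe)
            if not cfg:
                out.append(f"container {c['name']}: {probe} missing")
            elif not any(t in cfg for t in probe_types):
                out.append(f"container {c['name']}: {probe} uses none of {probe_types}")
    return out


# Constraint parameters taken from the page's sample constraints.
REPOS = ["registry-vpc.cn-hangzhou.aliyuncs.com/acs/", "registry.cn-hangzhou.aliyuncs.com/acs/"]
LABELS = [{"key": "test", "allowedRegex": "^test.*$"}]
PROBES, PROBE_TYPES = ["readinessProbe", "livenessProbe"], ["tcpSocket", "httpGet", "exec"]

_EXEC = {"exec": {"command": ["cat", "/tmp/healthy"]}, "periodSeconds": 5}
# Constructed: satisfies all four rules (placeholder digest, not a real image hash)
GOOD_POD = {"metadata": {"name": "good", "labels": {"test": "test_233"}},
            "spec": {"containers": [{
                "name": "web", "readinessProbe": _EXEC, "livenessProbe": _EXEC,
                "image": "registry.cn-hangzhou.aliyuncs.com/acs/test-webserver@sha256:" + "ab" * 32}]}}
# Constructed: violates all four, mirroring the page's Disallowed samples
BAD_POD = {"metadata": {"name": "bad", "labels": {"test": "233"}},
           "spec": {"initContainers": [{"name": "init", "image": "k8s.gcr.io/test-webserver"}],
                    "containers": [{"name": "web", "image": "k8s.gcr.io/test-webserver",
                                    "livenessProbe": {"grpc": {"port": 9000}}}]}}


def check_all(pod: Dict) -> Dict[str, List[str]]:
    """Run every rule; the manifest is admissible only if all lists are empty."""
    return {"ACKAllowedRepos": allowed_repos(pod, REPOS),
            "ACKImageDigests": image_digests(pod),
            "ACKRequiredLabels": required_labels(pod, LABELS),
            "ACKRequiredProbes": required_probes(pod, PROBES, PROBE_TYPES)}


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_all(pod))
```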

PSP

  • ACKPSPAllowedUsers

    Rule description: Restricts the user, group, supplementalGroups and fsGroup that Pods deployed in the specified scope of the cluster run as.

    Severity: medium.

    Parameters:
    Parameter | Type | Description
    --- | --- | ---
    runAsUser | object | For details, see the User configuration in the original PSP rules; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups.
    runAsGroup | object | For details, see the Group configuration in the original PSP rules; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups.
    supplementalGroups | object | For details, see the SupplementalGroups configuration in the original PSP rules; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups.
    fsGroup | object | For details, see the fsGroup configuration in the original PSP rules; the rule type and the maximum and minimum UID can be configured. For more information, see Users and groups.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowedUsers
    metadata:
      name: psp-pods-allowed-user-ranges
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        runAsUser:
          rule: MustRunAs # MustRunAsNonRoot # RunAsAny
          ranges:
            - min: 100
              max: 200
        runAsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        supplementalGroups:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
        fsGroup:
          rule: MustRunAs # MayRunAs # RunAsAny
          ranges:
            - min: 100
              max: 200
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good2
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 150
        supplementalGroups:
          - 150
      containers:
      - image: test
        name: test
        securityContext:
          runAsUser: 150
          runAsGroup: 150
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
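The four ID rules above interact with two Kubernetes details that are easy to get wrong: a container's securityContext overrides the Pod's for runAsUser and runAsGroup, while fsGroup and supplementalGroups exist only at Pod level. The block below is an added example, not ACK's Rego, that reproduces ACKPSPAllowedUsers with the sample constraint's parameters and runs it over the page's Allowed and Disallowed Pods plus one constructed root case. The rule semantics follow the PodSecurityPolicy fields this template replaces (MustRunAs, MayRunAs, RunAsAny, MustRunAsNonRoot); treating MustRunAsNonRoot as "set and non-zero" without consulting the runAsNonRoot boolean is an assumption of this example.

```python
"""Local check mirroring ACKPSPAllowedUsers. Added example, not the ACK
template; rule semantics follow the PSP fields it replaces."""
from typing import Dict, List, Optional


def _in_ranges(value: int, ranges: List[Dict]) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)


def _check(field: str, policy: Dict, values: List[int], where: str) -> List[str]:
    """values: the ids actually configured for `field` in scope `where`
    (empty list when unset)."""
    rule = policy.get("rule", "RunAsAny")
    ranges = policy.get("ranges", [])
    if rule == "RunAsAny":
        return []
    if rule == "MustRunAsNonRoot":           # assumption: explicit non-zero id required
        if not values:
            return [f"{where}: {field} must be set to a non-root id"]
        return [f"{where}: {field} {v} is root" for v in values if v == 0]
    if not values:
        return [] if rule == "MayRunAs" else [f"{where}: {field} must be set"]
    return [f"{where}: {field} {v} is outside the allowed ranges"
            for v in values if not _in_ranges(v, ranges)]


def _as_list(v: Optional[int]) -> List[int]:
    return [] if v is None else [v]


def psp_allowed_users(pod: Dict, params: Dict) -> List[str]:
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    # Pod-level-only fields
    out = _check("fsGroup", params.get("fsGroup", {}), _as_list(psc.get("fsGroup")), "pod")
    out += _check("supplementalGroups", params.get("supplementalGroups", {}),
                  list(psc.get("supplementalGroups", [])), "pod")
    # Per-container fields: the container's securityContext wins over the Pod's
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        csc = c.get("securityContext", {})
        for field in ("runAsUser", "runAsGroup"):
            effective = csc.get(field, psc.get(field))
            out += _check(field, params.get(field, {}), _as_list(effective),
                          f"container {c['name']}")
    return out


# Parameters from the page's sample constraint: every field MustRunAs within 100..200.
PARAMS = {f: {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]}
          for f in ("runAsUser", "runAsGroup", "supplementalGroups", "fsGroup")}

# The page's samples
GOOD_POD = {"metadata": {"name": "good2"}, "spec": {
    "securityContext": {"fsGroup": 150, "supplementalGroups": [150]},
    "containers": [{"image": "test", "name": "test",
                    "securityContext": {"runAsUser": 150, "runAsGroup": 150}}]}}
BAD_POD = {"metadata": {"name": "bad"},
           "spec": {"containers": [{"image": "test", "name": "test"}]}}
# Constructed: pod-level runAsUser 0 inherited by a container with no securityContext
ROOT_POD = {"metadata": {"name": "root"}, "spec": {
    "securityContext": {"fsGroup": 150, "supplementalGroups": [150],
                        "runAsUser": 0, "runAsGroup": 150},
    "containers": [{"image": "test", "name": "test"}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD, ROOT_POD):
        print(pod["metadata"]["name"], psp_allowed_users(pod, PARAMS))
```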
  • ACKPSPAllowPrivilegeEscalationContainer

    Rule description: Restricts the allowPrivilegeEscalation setting of Pods deployed in the specified scope of the cluster.

    Severity: medium.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAllowPrivilegeEscalationContainer
    metadata:
      name: psp-allow-privilege-escalation-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          allowPrivilegeEscalation: false
      initContainers:
        - image: test
          name: test2
          securityContext:
            allowPrivilegeEscalation: false
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPAppArmor

    Rule description: Restricts the AppArmor profiles that Pods deployed within the specified scope of the cluster may use.

    Severity: low.

    Parameters:
    Parameter   Type    Description
    allowedProfiles   array   Whitelist of AppArmor profiles that containers may use (set per container through the container.apparmor.security.beta.kubernetes.io/<container-name> annotation), for example runtime/default.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPAppArmor
    metadata:
      name: psp-apparmor
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfiles:
          - runtime/default
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
      annotations:
        'container.apparmor.security.beta.kubernetes.io/test': 'runtime/default'
        'container.apparmor.security.beta.kubernetes.io/test2': 'runtime/default'
    spec:
      containers:
      - image: test
        name: test
      initContainers:
      - image: test
        name: test2
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPCapabilities

    Rule description: Restricts the Linux capabilities that Pods deployed within the specified scope of the cluster may configure.

    Severity: high.

    Parameters:
    Parameter   Type    Description
    allowedCapabilities   array   Whitelist of capabilities that containers may add.
    requiredDropCapabilities   array   Capabilities that every container must drop.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPCapabilities
    metadata:
      name: psp-capabilities
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedCapabilities: ["CHOWN"]
        requiredDropCapabilities: ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-4
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          capabilities:
            add:
              - CHOWN
            drop:
             - "NET_ADMIN"
             - "SYS_ADMIN"
             - "NET_RAW"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPFlexVolumes

    Rule description: Restricts the FlexVolume drivers that Pods deployed within the specified scope of the cluster may use.

    Severity: medium.

    Parameters:
    Parameter   Type    Description
    allowedFlexVolumes   array   List of FlexVolume drivers that may be configured.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFlexVolumes
    metadata:
      name: psp-flexvolume-drivers
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod", "PersistentVolume"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedFlexVolumes: #[]
          - driver: "alicloud/disk"
          - driver: "alicloud/nas"
          - driver: "alicloud/oss"
          - driver: "alicloud/cpfs"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-nas
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/nas"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss-flexvolume
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/ossxx"
  • ACKPSPForbiddenSysctls

    Rule description: Defines the sysctls that Pods deployed within the specified scope of the cluster are forbidden to set.

    Severity: high.

    Parameters:
    Parameter   Type    Description
    forbiddenSysctls   array   List of sysctls that Pods may not set. A trailing * forbids a whole prefix (for example kernel.*), and * alone forbids all sysctls.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPForbiddenSysctls
    metadata:
      name: psp-forbidden-sysctls
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        forbiddenSysctls:
          # - "*" # * may be used to forbid all sysctls
          - "kernel.*"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good-2
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'net.ipv4.tcp_syncookies'
            value: "65536"
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper
    spec:
      securityContext:
        sysctls:
          - name: 'kernel.shm_rmid_forced'
            value: '1024'
      containers:
      - image: test
        name: test
  • ACKPSPFSGroup

    Rule description: Restricts the fsGroup configuration of Pods deployed within the specified scope of the cluster.

    Severity: medium.

    Parameters:
    Parameter   Type    Description
    rule   string   Has the same meaning as the fsGroup rule of the original PSP; supports MustRunAs, MayRunAs and RunAsAny. For more information, see Volumes and file systems.
    ranges   object   Contains the following values:
    • min: minimum fsGroup ID.
    • max: maximum fsGroup ID.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPFSGroup
    metadata:
      name: psp-fsgroup
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
        ranges:
          - min: 1
            max: 1000
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        fsGroup: 100
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper # must be in a namespace listed in the Constraint's match.namespaces, or the rule is never evaluated
    spec:
      securityContext:
        fsGroup: 0
      shareProcessNamespace: true
      containers:
      - image: test
        name: test
  • ACKPSPHostFilesystem

    Rule description: Restricts the host directories that Pods deployed within the specified scope of the cluster may mount.

    Severity: high.

    Parameters:
    Parameter   Type    Description
    allowedHostPaths   object   Whitelist of host paths; each entry has the following two fields.
    readOnly   boolean   Whether the path may only be mounted read-only.
    pathPrefix   string   Path prefix that a hostPath volume must start with.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostFilesystem
    metadata:
      name: psp-host-filesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedHostPaths:
          - readOnly: true
            pathPrefix: "/foo"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        volumeMounts:
          - name: test-volume
            mountPath: "/projected-volume"
            readOnly: true
      volumes:
      - name: test-volume
        hostPath:
          path: /foo
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: File
  • ACKPSPHostNamespace

    Rule description: Restricts whether Pods deployed within the specified scope of the cluster may share host namespaces (for example hostPID).

    Severity: high.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNamespace
    metadata:
      name: psp-host-namespace
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      hostPID: true
      containers:
      - image: test
        name: test
        resources: {}
      dnsPolicy: ClusterFirst
      restartPolicy: Never
    status: {}
  • ACKPSPHostNetworkingPorts

    Rule description: Restricts the use of the host network and of host ports by Pods deployed within the specified scope of the cluster.

    Severity: high.

    Parameters:
    Parameter   Type    Description
    hostNetwork   boolean   Whether Pods are allowed to share the host network.
    min   int   Lowest hostPort value that may be used.
    max   int   Highest hostPort value that may be used.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPHostNetworkingPorts
    metadata:
      name: psp-host-network-ports
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        hostNetwork: true
        min: 80
        max: 9000
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: good-2
      namespace: test-gatekeeper
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 80
            containerPort: 80
      initContainers:
        - image: k8s.gcr.io/test-webserver
          name: test-container2
          ports:
            - hostPort: 8080
              containerPort: 8080
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: bad-1
      namespace: test-gatekeeper # must be in a namespace listed in the Constraint's match.namespaces, or the rule is never evaluated
    spec:
      hostNetwork: true
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        ports:
          - hostPort: 22
            containerPort: 22
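The following added Python example (not ACK's or Gatekeeper's own code) re-implements three of the checks above, ACKPSPCapabilities, ACKPSPForbiddenSysctls and ACKPSPHostNetworkingPorts, over a Pod manifest already parsed into a dict, so that a manifest can be screened in CI before it reaches the admission webhook. The function names and the sample Pods are the example's own; parameter names follow the Constraints on this page.

```python
import fnmatch

# Added example, not ACK's or Gatekeeper's code: the same three checks as the
# ACKPSPCapabilities, ACKPSPForbiddenSysctls and ACKPSPHostNetworkingPorts
# Constraints above, applied to a Pod dict (e.g. from yaml.safe_load).


def _all_containers(pod):
    """Containers and init containers alike are subject to the checks."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def check_capabilities(pod, allowed_capabilities, required_drop_capabilities):
    """'add' must stay inside the whitelist; every required capability must be dropped."""
    violations = []
    for c in _all_containers(pod):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        extra = set(caps.get("add") or []) - set(allowed_capabilities)
        if extra:
            violations.append(f"{c['name']}: adds disallowed {sorted(extra)}")
        missing = set(required_drop_capabilities) - set(caps.get("drop") or [])
        if missing:
            violations.append(f"{c['name']}: must drop {sorted(missing)}")
    return violations


def check_forbidden_sysctls(pod, forbidden_sysctls):
    """A pattern is an exact name, a 'prefix.*' glob, or '*' for every sysctl."""
    sysctls = (pod.get("spec", {}).get("securityContext") or {}).get("sysctls") or []
    return [s["name"] for s in sysctls
            if any(fnmatch.fnmatchcase(s["name"], pat) for pat in forbidden_sysctls)]


def check_host_network_ports(pod, host_network, port_min, port_max):
    """hostNetwork only when the Constraint permits it; every hostPort within [min, max]."""
    violations = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork") and not host_network:
        violations.append("hostNetwork is not permitted")
    for c in _all_containers(pod):
        for port in c.get("ports") or []:
            host_port = port.get("hostPort")
            if host_port is not None and not port_min <= host_port <= port_max:
                violations.append(
                    f"{c['name']}: hostPort {host_port} outside {port_min}-{port_max}")
    return violations


# Constructed sample Pods, loosely modelled on the bad-1 Pods in the examples above.
BAD_CAPS_POD = {"spec": {"containers": [{"name": "test", "image": "test",
    "securityContext": {"capabilities": {"add": ["NET_ADMIN"], "drop": ["NET_RAW"]}}}]}}
BAD_SYSCTL_POD = {"spec": {"securityContext": {"sysctls": [
    {"name": "kernel.shm_rmid_forced", "value": "1024"}]}, "containers": []}}
BAD_PORT_POD = {"spec": {"hostNetwork": True, "containers": [
    {"name": "test-container", "ports": [{"hostPort": 22, "containerPort": 22}]}]}}

if __name__ == "__main__":
    print(check_capabilities(BAD_CAPS_POD, ["CHOWN"], ["NET_ADMIN", "SYS_ADMIN", "NET_RAW"]))
    print(check_forbidden_sysctls(BAD_SYSCTL_POD, ["kernel.*"]))
    print(check_host_network_ports(BAD_PORT_POD, True, 80, 9000))
```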
  • ACKPSPPrivilegedContainer

    Rule description: Restricts Pods deployed within the specified scope of the cluster from starting privileged containers.

    Severity: high.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPPrivilegedContainer
    metadata:
      name: psp-privileged-container
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          privileged: true
      dnsPolicy: ClusterFirst
      restartPolicy: Never
  • ACKPSPProcMount

    Rule description: Restricts the proc mount types that Pods deployed within the specified scope of the cluster may use.

    Severity: high.

    Parameters:
    Parameter   Type    Description
    procMount   string   proc mount type. The following values are allowed:
    • Default: the default, masked mount of /proc.
    • Unmasked: /proc is mounted without masking.
    For details on this parameter, see AllowedProcMountTypes.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPProcMount
    metadata:
      name: psp-proc-mount
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        procMount: Default  # Default or Unmasked
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Default"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad3
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          procMount: "Unmasked"
      initContainers:
      - image: test
        name: test2
  • ACKPSPReadOnlyRootFilesystem

    Rule description: Restricts Pods deployed within the specified scope of the cluster to using a read-only root filesystem.

    Severity: medium.

    Parameters: none.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPReadOnlyRootFilesystem
    metadata:
      name: psp-readonlyrootfilesystem
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good1
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: true
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad2
      namespace: test-gatekeeper # must be in a namespace listed in the Constraint's match.namespaces, or the rule is never evaluated
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          readOnlyRootFilesystem: false
      initContainers:
      - image: test
        name: test2
  • ACKPSPSeccomp

    Rule description: Restricts Pods deployed within the specified scope of the cluster to the specified seccomp profiles.

    Severity: low.

    Parameters:
    Parameter   Type    Description
    allowedProfileTypes   array   Whitelist of permitted seccomp profile types (for example RuntimeDefault or Localhost).
    allowedProfiles   array   Permitted seccomp profiles.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSeccomp
    metadata:
      name: psp-seccomp
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedProfileTypes:
          # - Unconfined
          - RuntimeDefault
          - Localhost
        allowedProfiles:
          - runtime/default
          - docker/default
          - localhost/profiles/audit.json
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
      initContainers:
      - image: test
        name: test2
        securityContext:
          seccompProfile:
            type: Localhost
            localhostProfile: profiles/audit.json
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
        echo-k8s-webhook-enabled: 'true'
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
  • ACKPSPSELinuxV2

    Rule description: Requires Pods deployed within the specified scope of the cluster to use the SELinux options specified in the allowedSELinuxOptions parameter.

    Severity: low.

    Parameters:
    Parameter   Type    Description
    allowedSELinuxOptions   object   Whitelist of permitted SELinux options. For more information, see SELinuxOptions v1 core.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPSELinuxV2
    metadata:
      name: psp-selinux-v2
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        allowedSELinuxOptions:
          - level: s0:c123,c456
            role: object_r
            type: svirt_sandbox_file_t
            user: system_u
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: good
      namespace: test-gatekeeper
    spec:
      securityContext:
        seLinuxOptions:
          level: "s0:c123,c456"
      containers:
      - image: test
        name: test
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad
      namespace: test-gatekeeper
    spec:
      containers:
      - image: test
        name: test
        securityContext:
          seLinuxOptions:
            level: "s0:c123,c455"
  • ACKPSPVolumeTypes

    Rule description: Restricts Pods deployed within the specified scope of the cluster to the specified volume types.

    Severity: low.

    Parameters:
    Parameter   Type    Description
    volumes   object   Permitted volume types.

    Example:

    Constraint:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: ACKPSPVolumeTypes
    metadata:
      name: psp-volume-types
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          - "test-gatekeeper"
      parameters:
        volumes:
          # - "*" # * may be used to allow all volume types
          - configMap
          # - emptyDir
          - projected
          - secret
          - downwardAPI
          - persistentVolumeClaim
          # - hostPath #required for allowedHostPaths
          - flexVolume #required for allowedFlexVolumes
    Allowed:
    apiVersion: v1
    kind: Pod
    metadata:
      name: pv-oss
      namespace: test-gatekeeper
    spec:
      containers:
        - name: test
          image: test
      volumes:
        - name: test
          flexVolume:
            driver: "alicloud/oss"
    Disallowed:
    apiVersion: v1
    kind: Pod
    metadata:
      creationTimestamp: null
      labels:
        run: test
      name: bad-1
      namespace: test-gatekeeper # must be in a namespace listed in the Constraint's match.namespaces, or the rule is never evaluated
    spec:
      containers:
      - image: test
        name: test
      volumes:
      - name: test-volume
        hostPath:
          path: /data