I modelli di vincoli ti consentono di definire il funzionamento di un vincolo, ma delegare la definizione delle specifiche del vincolo a una persona o un gruppo con competenza in materia. Oltre a separare i problemi, viene separata anche la logica del vincolo dalla sua definizione.
Tutti i vincoli contengono una sezione match, che definisce gli oggetti a cui si applica un vincolo. Per informazioni su come configurare questa sezione, consulta la sezione sulla corrispondenza dei vincoli.
Non tutti i modelli di vincoli sono disponibili per tutte le versioni di Policy Controller e i modelli possono variare da una versione all'altra. Utilizza i seguenti link per confrontare i vincoli delle versioni supportate:
Link alle versioni supportate di questa pagina
Per assicurarti di ricevere un'assistenza completa, ti consigliamo di utilizzare i modelli di vincoli di una versione supportata di Policy Controller.
Per aiutarti a capire come funzionano i modelli di vincolo, ogni modello include un vincolo di esempio e una risorsa che viola il vincolo.
Modelli di vincoli disponibili
| Modello di vincolo | Descrizione | Referenziale |
|---|---|---|
| AllowedServicePortName | Richiede che i nomi delle porte dei servizi abbiano un prefisso di un elenco specificato. | No |
| AsmAuthzPolicyDefaultDeny | Applica il criterio AuthorizationPolicy di rifiuto predefinito a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. | Sì |
| AsmAuthzPolicyDisallowedPrefix | Richiede che i principali e gli spazi dei nomi nelle regole "AuthorizationPolicy" di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyEnforceSourcePrincipals | Richiede che il campo "from" di AuthorizationPolicy di Istio, se definito, abbia principi di origine che devono essere impostati su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyNormalization | Applica la normalizzazione di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/reference/config/security/normalization/. | No |
| AsmAuthzPolicySafePattern | Applica i pattern sicuri di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. | No |
| AsmIngressgatewayLabel | Applica l'utilizzo dell'etichetta istio ingressgateway solo ai pod ingressgateway. | No |
| AsmPeerAuthnMeshStrictMtls | Applica la verifica dell'autenticazione peer mTLS restrittiva a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Sì |
| AsmPeerAuthnStrictMtls | L'applicazione di tutte le autenticazioni peer non può sovrascrivere mTLS restrittivo. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | No |
| AsmRequestAuthnProhibitedOutputHeaders | In RequestAuthentication, verifica che il campo "jwtRules.outPayloadToHeader" non contenga intestazioni di richiesta HTTP ben note o intestazioni vietate personalizzate. Fai riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. | No |
| AsmSidecarInjection | Imposta il sidecar proxy Istio in modo che venga sempre iniettato nei pod del carico di lavoro. | No |
| DestinationRuleTLSEnabled | Vieta la disattivazione di TLS per tutti gli host e i sottoinsiemi di host in Istio DestinationRules. | No |
| DisallowedAuthzPrefix | Richiede che i principali e gli spazi dei nomi nelle regole "AuthorizationPolicy" di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| GCPStorageLocationConstraintV1 | Limita i "locations" consentiti per le risorse del connettore di configurazione StorageBucket all'elenco di località fornito nel vincolo. I nomi dei bucket nell'elenco "esclusioni" sono esenti. | No |
| GkeSpotVMTerminationGrace | I pod e i modelli di pod con "nodeSelector" o "nodeAffinity" di "gke-spot" devono avere un valore "terminationGracePeriodSeconds" pari o inferiore a 15 secondi. | Sì |
| K8sAllowedRepos | Richiede che le immagini container inizino con una stringa dell'elenco specificato. | No |
| K8sAvoidUseOfSystemMastersGroup | Non consente l'utilizzo del gruppo "system:masters". Non ha alcun effetto durante l'audit. | No |
| K8sBlockAllIngress | Non consente la creazione di oggetti Ingress (tipi "Ingress", "Gateway" e "Service" di "NodePort" e "LoadBalancer"). | No |
| K8sBlockCreationWithDefaultServiceAccount | Non consente la creazione di risorse utilizzando un account di servizio predefinito. Non ha alcun effetto durante l'audit. | No |
| K8sBlockEndpointEditDefaultRole | Molte installazioni di Kubernetes hanno per impostazione predefinita un ruolo ClusterRole system:aggregate-to-edit che non limita correttamente l'accesso alla modifica degli endpoint. Questo modello di vincolo impedisce al ruolo ClusterRole system:aggregate-to-edit di concedere l'autorizzazione per creare/eseguire patch/aggiornare gli endpoint. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa della vulnerabilità CVE-2021-25740. Le autorizzazioni Endpoint ed EndpointSlice consentono il forwarding tra spazi dei nomi, https://github.com/kubernetes/kubernetes/issues/103675 | No |
| K8sBlockLoadBalancer | Non sono consentiti tutti i servizi di tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | No |
| K8sBlockNodePort | Non sono consentiti tutti i servizi di tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | No |
| K8sBlockObjectsOfType | Non sono consentiti oggetti di tipi vietati. | No |
| K8sBlockProcessNamespaceSharing | Vieta le specifiche del pod con "shareProcessNamespace" impostato su "true". In questo modo vengono evitati scenari in cui tutti i container di un pod condividono uno spazio dei nomi PID e possono accedere al file system e alla memoria l'uno dell'altro. | No |
| K8sBlockWildcardIngress | Gli utenti non devono essere in grado di creare ingressi con un nome host vuoto o jolly (*), in quanto ciò consentirebbe loro di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a questi servizi. | No |
| K8sContainerEphemeralStorageLimit | Richiede che per i container sia impostato un limite di spazio di archiviazione temporaneo e limita il limite a rientrare nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerLimits | Richiede che i container abbiano limiti di memoria e CPU impostati e limita i limiti in modo che rientrino nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRatios | Imposta un rapporto massimo per i limiti delle risorse dei container rispetto alle richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRequests | Richiede che i container abbiano richieste di memoria e CPU impostate e limita le richieste a rientrare nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sCronJobAllowedRepos | Richiede che le immagini dei container dei CronJob inizino con una stringa dell'elenco specificato. | No |
| K8sDisallowAnonymous | Non consente di associare le risorse ClusterRole e Role all'utente system:anonymous e al gruppo system:unauthenticated. | No |
| K8sDisallowInteractiveTTY | Richiede che gli oggetti abbiano i campi "spec.tty" e "spec.stdin" impostati su false o non impostati. | No |
| K8sDisallowedRepos | Repository di contenitori non consentiti che iniziano con una stringa dell'elenco specificato. | No |
| K8sDisallowedRoleBindingSubjects | Vieta RoleBinding o ClusterRoleBindings con soggetti corrispondenti a qualsiasi "disallowedSubjects" passato come parametro. | No |
| K8sDisallowedTags | Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names | No |
| K8sEmptyDirHasSizeLimit | Richiede che tutti i volumi "emptyDir" specifichino un "sizeLimit". Se vuoi, puoi specificare un parametro "maxSizeLimit" nel vincolo per specificare un limite di dimensioni massimo consentito. | No |
| K8sEnforceCloudArmorBackendConfig | Applica la configurazione di Cloud Armor alle risorse BackendConfig | No |
| K8sEnforceConfigManagement | Richiede la presenza e il funzionamento di Config Management. I vincoli che utilizzano questo "ConstraintTemplate" saranno solo di controllo, indipendentemente dal valore di "enforcementAction". | Sì |
| K8sExternalIPs | Limita gli indirizzi IP esterni del servizio a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | No |
| K8sHorizontalPodAutoscaler | Non consentire i seguenti scenari durante il deployment di "HorizontalPodAutoscaler" 1. Deployment di HorizontalPodAutoscaler con ".spec.minReplicas" o ".spec.maxReplicas" al di fuori degli intervalli definiti nel vincolo 2. Deployment di HorizontalPodAutoscaler in cui la differenza tra ".spec.minReplicas" e ".spec.maxReplicas" è inferiore al valore "minimumReplicaSpread" configurato 3. Deployment di HorizontalPodAutoscaler che non fanno riferimento a un valore "scaleTargetRef" valido (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet). | Sì |
| K8sHttpsOnly | Richiede che le risorse Ingress siano solo HTTPS. Le risorse Ingress devono includere l'annotazione "kubernetes.io/ingress.allow-http", impostata su "false". Per impostazione predefinita è richiesta una configurazione TLS {} valida, che può essere resa facoltativa impostando il parametro "tlsOptional" su "true". https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | No |
| K8sImageDigests | Richiede che le immagini container contengano un digest. https://kubernetes.io/docs/concepts/containers/images/ | No |
| K8sLocalStorageRequireSafeToEvict | I pod che utilizzano lo spazio di archiviazione locale ("emptyDir" o "hostPath") devono avere l'annotazione ""cluster-autoscaler.kubernetes.io/safe-to-evict": "true"". Cluster Autoscaler non eliminerà i pod senza questa annotazione. | No |
| K8sMemoryRequestEqualsLimit | Promuove la stabilità del pod richiedendo che la memoria richiesta da tutti i container corrisponda esattamente al limite di memoria, in modo che i pod non siano mai in uno stato in cui l'utilizzo della memoria superi la quantità richiesta. In caso contrario, Kubernetes può terminare i pod che richiedono memoria aggiuntiva se questa è necessaria sul nodo. | No |
| K8sNoEnvVarSecrets | Vieta l'utilizzo dei secret come variabili di ambiente nelle definizioni dei container del pod. Utilizza invece i file secret montati nei volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | No |
| K8sNoExternalServices | Vieta la creazione di risorse note che espongono i carichi di lavoro a IP esterni. Sono incluse le risorse Istio Gateway e Kubernetes Ingress. I servizi Kubernetes non sono consentiti, a meno che non soddisfino i seguenti criteri: Qualsiasi servizio di tipo "LoadBalancer" in Google Cloud deve avere l'annotazione ""networking.gke.io/load-balancer-type": "Internal"". Qualsiasi servizio di tipo "LoadBalancer" in AWS deve avere un'annotazione "service.beta.kubernetes.io/aws-load-balancer-internal: "true". Tutti gli "IP esterni" (esterni al cluster) associati al servizio devono essere membri di un intervallo di CIDR interni come specificato nella limitazione. | No |
| K8sPSPAllowPrivilegeEscalationContainer | Controlla la limitazione dell'escalation ai privilegi di root. Corrisponde al campo "allowPrivilegeEscalation" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation | No |
| K8sPSPAllowedUsers | Controlla gli ID utente e gruppo del contenitore e di alcuni volumi. Corrisponde ai campi "runAsUser", "runAsGroup", "supplementalGroups" e "fsGroup" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups | No |
| K8sPSPAppArmor | Configura una lista consentita di profili AppArmor da utilizzare per i container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, consulta https://kubernetes.io/docs/tutorials/clusters/apparmor/ | No |
| K8sPSPAutomountServiceAccountTokenPod | Controlla la possibilità di qualsiasi pod di attivare automountServiceAccountToken. | No |
| K8sPSPCapabilities | Controlla le funzionalità di Linux nei contenitori. Corrisponde ai campi "allowedCapabilities" e "requiredDropCapabilities" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities | No |
| K8sPSPFSGroup | Controlla l'allocazione di un gruppo FS che possiede i volumi del pod. Corrisponde al campo "fsGroup" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPFlexVolumes | Controlla la lista consentita dei driver FlexVolume. Corrisponde al campo "allowedFlexVolumes" in PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers | No |
| K8sPSPForbiddenSysctls | Controlla il profilo "sysctl" utilizzato dai container. Corrisponde ai campi "allowedUnsafeSysctls" e "forbiddenSysctls" in un PodSecurityPolicy. Se specificato, qualsiasi sysctl non presente nel parametro "allowedSysctls" è considerato vietato. Il parametro "forbiddenSysctls" ha la precedenza sul parametro "allowedSysctls". Per ulteriori informazioni, consulta https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | No |
| K8sPSPHostFilesystem | Controlla l'utilizzo del file system dell'host. Corrisponde al campo "allowedHostPaths" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPHostNamespace | Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei contenitori dei pod. Corrisponde ai campi "hostPID" e "hostIPC" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPHostNetworkingPorts | Controlla l'utilizzo dello spazio dei nomi di rete dell'host da parte dei container dei pod. È necessario specificare porte specifiche. Corrisponde ai campi "hostNetwork" e "hostPorts" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPPrivilegedContainer | Controlla la capacità di qualsiasi contenitore di attivare la modalità con privilegi. Corrisponde al campo "privileged" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | No |
| K8sPSPProcMount | Controlla i tipi di "procMount" consentiti per il contenitore. Corrisponde al campo "allowedProcMountTypes" in un PodSecurityPolicy. Per ulteriori informazioni, consulta la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes | No |
| K8sPSPReadOnlyRootFilesystem | Richiede l'utilizzo di un file system principale di sola lettura da parte dei container pod. Corrisponde al campo "readOnlyRootFilesystem" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPSELinuxV2 | Definisce una lista consentita di configurazioni seLinuxOptions per i container dei pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux | No |
| K8sPSPSeccomp | Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione `seccomp.security.alpha.kubernetes.io/allowedProfileNames` in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | No |
| K8sPSPVolumeTypes | Limita i tipi di volumi montabili a quelli specificati dall'utente. Corrisponde al campo "volumes" in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPWindowsHostProcess | Limita l'esecuzione di container / pod HostProcess Windows. Per ulteriori informazioni, consulta la pagina https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/. | No |
| K8sPSSRunAsNonRoot | Richiede l'esecuzione dei container come utenti non root. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/security/pod-security-standards/ | No |
| K8sPodDisruptionBudget | Non consentire i seguenti scenari durante il deployment di PodDisruptionBudget o risorse che implementano la risorsa secondaria replica (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment di PodDisruptionBudget con .spec.maxUnavailable == 0 2. Deployment di PodDisruptionBudget con .spec.minAvailable == .spec.replicas della risorsa con risorsa secondaria replica. In questo modo, i PodDisruptionBudget non bloccheranno le interruzioni volontarie come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | Sì |
| K8sPodResourcesBestPractices | Richiede che i container non siano best effort (impostando le richieste di CPU e memoria) e che seguano le best practice per i burst (la richiesta di memoria deve essere esattamente uguale al limite). Se vuoi, puoi configurare le chiavi di annotazione in modo da saltare le varie convalide. | No |
| K8sPodsRequireSecurityContext | Richiede che tutti i pod definiscano securityContext. Richiede che tutti i container definiti nei pod abbiano un SecurityContext definito a livello di pod o container. | No |
| K8sProhibitRoleWildcardAccess | Richiede che i ruoli e i clusterrole non imposti l'accesso alle risorse su un valore jolly "*", tranne per i ruoli e i clusterrole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, ad esempio "*/status". | No |
| K8sReplicaLimits | Richiede che gli oggetti con il campo "spec.replicas" (Deployment, ReplicaSet e così via) specifichino un numero di repliche all'interno di intervalli definiti. | No |
| K8sRequireAdmissionController | Richiede l'ammissione in base ai criteri di sicurezza dei pod o un sistema di controllo dei criteri esterno | Sì |
| K8sRequireBinAuthZ | Richiede l'webhook di ammissione con convalida di Autorizzazione binaria. I vincoli che utilizzano questo "ConstraintTemplate" saranno solo di controllo, indipendentemente dal valore di "enforcementAction". | Sì |
| K8sRequireCosNodeImage | Impone l'utilizzo di Container-Optimized OS di Google sui nodi. | No |
| K8sRequireDaemonsets | Richiede la presenza dell'elenco dei daemonset specificati. | Sì |
| K8sRequireDefaultDenyEgressPolicy | Richiede che ogni spazio dei nomi definito nel cluster abbia una policy NetworkPolicy predefinita per il traffico in uscita. | Sì |
| K8sRequireNamespaceNetworkPolicies | Richiede che ogni spazio dei nomi definito nel cluster abbia una NetworkPolicy. | Sì |
| K8sRequireValidRangesForNetworks | Applica i blocchi CIDR consentiti per il traffico in entrata e in uscita della rete. | No |
| K8sRequiredAnnotations | Richiede che le risorse contengano annotazioni specificate, con valori corrispondenti alle espressioni regolari fornite. | No |
| K8sRequiredLabels | Richiede che le risorse contengano etichette specificate, con valori corrispondenti alle espressioni regolari fornite. | No |
| K8sRequiredProbes | Richiede che i pod dispongano di probe di idoneità e/o di attività. | No |
| K8sRequiredResources | Richiede che i container abbiano risorse definite. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sRestrictAdmissionController | Limita i controller di ammissione dinamica a quelli consentiti | No |
| K8sRestrictAutomountServiceAccountTokens | Limita l'utilizzo dei token degli account di servizio. | No |
| K8sRestrictLabels | Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica. | No |
| K8sRestrictNamespaces | Impedisce alle risorse di utilizzare gli spazi dei nomi elencati nel parametro restrictedNamespaces. | No |
| K8sRestrictNfsUrls | Non consente alle risorse di contenere URL NFS, a meno che non sia specificato. | No |
| K8sRestrictRbacSubjects | Limita l'utilizzo dei nomi negli oggetti RBAC ai valori consentiti. | No |
| K8sRestrictRoleBindings | Limita gli oggetti specificati in ClusterRoleBindings e RoleBinding a un elenco di oggetti consentiti. | No |
| K8sRestrictRoleRules | Limita le regole che possono essere impostate sugli oggetti Role e ClusterRole. | No |
| K8sStorageClass | Richiede la specifica delle classi di archiviazione quando viene utilizzato. Sono supportati solo Gatekeeper 3.9 e versioni successive e i contenitori non effimeri. | Sì |
| K8sUniqueIngressHost | Richiede che tutti gli host delle regole di ingresso siano univoci. Non gestisce i caratteri jolly per i nomi host: https://kubernetes.io/docs/concepts/services-networking/ingress/ | Sì |
| K8sUniqueServiceSelector | Richiede che i servizi abbiano selettori univoci all'interno di uno spazio dei nomi. I selettori sono considerati uguali se hanno chiavi e valori identici. I selettori possono condividere una coppia chiave/valore purché esista almeno una coppia chiave/valore distinta tra di loro. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | Sì |
| NoUpdateServiceAccount | Blocca l'aggiornamento dell'account di servizio nelle risorse che eseguono l'astrazione dei pod. Questo criterio viene ignorato in modalità di controllo. | No |
| PolicyStrictOnly | Richiede che TLS reciproco Istio "STRICT" sia sempre specificato quando si utilizza [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). Questo vincolo garantisce inoltre che le risorse [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) e MeshPolicy deprecate applichino TLS reciproco "STRICT". Vedi: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh | No |
| RestrictNetworkExclusions | Controlla quali porte in entrata, porte in uscita e intervalli IP in uscita possono essere esclusi dalla cattura della rete Istio. Le porte e gli intervalli IP che aggirano la cattura di rete di Istio non sono gestite dal proxy Istio e non sono soggette all'autenticazione mTLS di Istio, ai criteri di autorizzazione e ad altre funzionalità di Istio. Questo vincolo può essere utilizzato per applicare limitazioni all'uso delle seguenti annotazioni:
Consulta la pagina https://istio.io/latest/docs/reference/config/annotations/. Quando limiti gli intervalli IP in uscita, il vincolo calcola se gli intervalli IP esclusi corrispondono o sono un sottoinsieme delle esclusioni di intervalli IP consentite. Quando utilizzi questo vincolo, tutte le porte in entrata, le porte in uscita e gli intervalli IP in uscita devono essere sempre inclusi impostando le annotazioni "include" corrispondenti su"*" o lasciandole non impostate. Non è consentito impostare una delle seguenti annotazione su un valore diverso da"*":
Questo vincolo consente sempre di escludere la porta 15020 perché l'iniettore sidecar Istio la aggiunge sempre all'annotazione | No |
| SourceNotAllAuthz | Richiede che le regole AuthorizationPolicy di Istio abbiano entità di origine impostate su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| VerifyDeprecatedAPI | Verifica le API Kubernetes deprecate per assicurarti che tutte le versioni dell'API siano aggiornate. Questo modello non si applica al controllo, in quanto quest'ultimo esamina le risorse già presenti nel cluster con versioni API non ritirate. | No |
AllowedServicePortName
Nomi delle porte dei servizi consentiti v1.0.1
Richiede che i nomi delle porte dei servizi abbiano un prefisso di un elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AllowedServicePortName metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # prefixes <array>: Prefixes of allowed service port names. prefixes: - <string> Esempi
vincolo-nome-porta
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AllowedServicePortName metadata: name: port-name-constraint spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Service parameters: prefixes: - http- - http2- - grpc- - mongo- - redis- - tcp-
Consentito
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-http spec: ports: - name: http-helloport port: 5000 selector: app: helloworld
Operazione non consentita
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-tcp spec: ports: - name: foo-helloport port: 5000 selector: app: helloworld
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-bad spec: ports: - name: helloport port: 5000 selector: app: helloworld
AsmAuthzPolicyDefaultDeny
ASM AuthorizationPolicy Default Deny v1.0.4
Applica il criterio AuthorizationPolicy di rifiuto predefinito a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # rootNamespace <string>: Anthos Service Mesh root namespace, default value # is "istio-system" if not specified. rootNamespace: <string> # strictnessLevel <string>: Level of AuthorizationPolicy strictness. # Allowed Values: Low, High strictnessLevel: <string> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "security.istio.io" version: "v1beta1" kind: "AuthorizationPolicy" Esempi
asm-authz-policy-default-deny-with-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-no-action namespace: istio-system spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-with-action namespace: istio-system spec: action: ALLOW
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: not-default-deny namespace: istio-system spec: action: DENY rules: - to: - operation: notMethods: - GET - POST
asm-authz-policy-default-deny-no-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-no-action namespace: istio-system spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-with-action namespace: istio-system spec: action: ALLOW
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: not-default-deny namespace: istio-system spec: action: DENY rules: - to: - operation: notMethods: - GET - POST
AsmAuthzPolicyDisallowedPrefix
Prefissi non consentiti di AuthorizationPolicy di ASM v1.0.2
Richiede che i principali e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDisallowedPrefix metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces. disallowedNamespacePrefixes: - <string> # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals. disallowedPrincipalPrefixes: - <string> Esempi
asm-authz-policy-disallowed-prefix-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDisallowedPrefix metadata: name: asm-authz-policy-disallowed-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedNamespacePrefixes: - bad-ns-prefix - worse-ns-prefix disallowedPrincipalPrefixes: - bad-principal-prefix - worse-principal-prefix
Consentito
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: valid-authz-policy spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test selector: matchLabels: app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-principal spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/worse-principal-prefix-sleep - source: namespaces: - test selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - bad-ns-prefix-test selector: matchLabels: app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
ASM AuthorizationPolicy Enforcement Principals v1.0.2
Richiede che il campo "from" di AuthorizationPolicy di Istio, se definito, abbia principi di origine che devono essere impostati su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyEnforceSourcePrincipals metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
asm-authz-policy-enforce-source-principals-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyEnforceSourcePrincipals metadata: name: asm-authz-policy-enforce-source-principals-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Consentito
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: valid-authz-policy spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: no-source-principals spec: rules: - from: - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-wildcard spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-contains-wildcard spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
AsmAuthzPolicyNormalization
Normalizzazione di AuthorizationPolicy di ASM versione 1.0.2
Applica la normalizzazione di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/reference/config/security/normalization/.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyNormalization metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
asm-authz-policy-normalization-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyNormalization metadata: name: asm-authz-policy-normalization-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Consentito
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy spec: action: ALLOW rules: - to: - operation: methods: - GET paths: - /test/foo - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Agent] values: - Mozilla/* selector: matchLabels: app: httpbin
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-method-lowercase spec: action: ALLOW rules: - to: - operation: methods: - get selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-request-header-whitespace spec: action: ALLOW rules: - to: - operation: methods: - GET - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Ag ent] values: - Mozilla/* selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: path-unnormalized spec: action: ALLOW rules: - to: - operation: methods: - GET paths: - /test\/foo - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Agent] values: - Mozilla/* selector: matchLabels: app: httpbin
AsmAuthzPolicySafePattern
Pattern sicuri di AuthorizationPolicy di ASM versione 1.0.4
Applica i pattern sicuri di AuthorizationPolicy. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicySafePattern metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # strictnessLevel <string>: Level of AuthorizationPolicy strictness. # Allowed Values: Low, High strictnessLevel: <string> Esempi
asm-authz-policy-safe-pattern-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicySafePattern metadata: name: asm-authz-policy-safe-pattern-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: strictnessLevel: High
Consentito
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy-istio-ingress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy-asm-ingress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: asm: ingressgateway
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: hosts-on-noningress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: invalid-hosts spec: action: ALLOW rules: - to: - operation: hosts: - test.com methods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-negative-match spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* notMethods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-positive-match spec: action: DENY rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: istio: ingressgateway
AsmIngressgatewayLabel
Etichetta gateway di ingresso ASM v1.0.3
Applica l'utilizzo dell'etichetta istio ingressgateway solo ai pod ingressgateway.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmIngressgatewayLabel metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
asm-ingressgateway-label-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmIngressgatewayLabel metadata: name: asm-ingressgateway-label-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: istio name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: labels: app: istio-ingressgateway istio: ingressgateway name: istio-ingressgateway spec: containers: - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: labels: app: asm-ingressgateway asm: ingressgateway name: asm-ingressgateway spec: containers: - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep
apiVersion: v1 kind: Pod metadata: labels: app: sleep asm: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
AsmPeerAuthnMeshStrictMtls
ASM Peer Authentication Mesh Strict mTLS v1.0.4
Applica la verifica dell'autenticazione peer mTLS restrittiva a livello di mesh. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # rootNamespace <string>: Anthos Service Mesh root namespace, default value # is "istio-system" if not specified. rootNamespace: <string> # strictnessLevel <string>: Level of PeerAuthentication strictness. # Allowed Values: Low, High strictnessLevel: <string> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "security.istio.io" version: "v1beta1" kind: "PeerAuthentication" Esempi
asm-peer-authn-mesh-strict-mtls-with-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-strict-mtls namespace: asm-root spec: mtls: mode: STRICT
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-permissive-mtls namespace: asm-root spec: mtls: mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High
Consentito
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-strict-mtls namespace: istio-system spec: mtls: mode: STRICT
Operazione non consentita
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-permissive-mtls namespace: istio-system spec: mtls: mode: PERMISSIVE
AsmPeerAuthnStrictMtls
Autenticazione peer ASM mTLS restrittiva v1.0.3
L'applicazione di tutte le autenticazioni peer non può sovrascrivere mTLS restrittivo. Fai riferimento a https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnStrictMtls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # strictnessLevel <string>: Level of PeerAuthentication strictness. # Allowed Values: Low, High strictnessLevel: <string> Esempi
asm-peer-authn-strict-mtls-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnStrictMtls metadata: name: asm-peer-authn-strict-mtls-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - PeerAuthentication parameters: strictnessLevel: High
Consentito
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: valid-strict-mtls-pa namespace: foo spec: mtls: mode: UNSET portLevelMtls: "80": mode: UNSET "443": mode: STRICT selector: matchLabels: app: bar
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: invalid-permissive-mtls-pa namespace: foo spec: mtls: mode: PERMISSIVE portLevelMtls: "80": mode: UNSET "443": mode: STRICT selector: matchLabels: app: bar
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: invalid-port-disable-mtls-pa namespace: foo spec: mtls: mode: UNSET portLevelMtls: "80": mode: DISABLE "443": mode: STRICT selector: matchLabels: app: bar
AsmRequestAuthnProhibitedOutputHeaders
Intestazioni di output vietate per l'autenticazione della richiesta ASM v1.0.2
In RequestAuthentication, assicurati che il campo jwtRules.outPayloadToHeader non contenga intestazioni di richiesta HTTP ben note o intestazioni vietate personalizzate. Fai riferimento a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmRequestAuthnProhibitedOutputHeaders metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # prohibitedHeaders <array>: User predefined prohibited headers. prohibitedHeaders: - <string> Esempi
asm-request-authn-prohibited-output-headers-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmRequestAuthnProhibitedOutputHeaders metadata: name: asm-request-authn-prohibited-output-headers-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - RequestAuthentication parameters: prohibitedHeaders: - Bad-Header - X-Bad-Header
Consentito
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: valid-request-authn namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: Good-Header selector: matchLabels: app: istio-ingressgateway
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: deny-predefined-output-header namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: Host selector: matchLabels: app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: deny-predefined-output-header namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: X-Bad-Header selector: matchLabels: app: istio-ingressgateway
AsmSidecarInjection
Iniezione sidecar ASM versione 1.0.2
Imposta il sidecar proxy Istio in modo che venga sempre iniettato nei pod del carico di lavoro.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmSidecarInjection metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # strictnessLevel <string>: Level of sidecar injection strictness. # Allowed Values: Low, High strictnessLevel: <string> Esempi
asm-sidecar-injection-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmSidecarInjection metadata: name: asm-sidecar-injection-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod parameters: strictnessLevel: High
Consentito
apiVersion: v1 kind: Pod metadata: annotations: sidecar.istio.io/inject: "true" name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: annotations: "false": "false" name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
Operazione non consentita
apiVersion: v1 kind: Pod metadata: annotations: sidecar.istio.io/inject: "false" name: sleep spec: containers: - image: curlimages/curl name: sleep
DestinationRuleTLSEnabled
Regola di destinazione TLS abilitata v1.0.1
Vieta la disattivazione di TLS per tutti gli host e i sottoinsiemi di host in Istio DestinationRules.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DestinationRuleTLSEnabled metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
dr-tls-enabled
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DestinationRuleTLSEnabled metadata: name: dr-tls-enabled spec: enforcementAction: dryrun match: kinds: - apiGroups: - networking.istio.io kinds: - DestinationRule
Operazione non consentita
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-subset-tls-disable namespace: default spec: host: myservice subsets: - name: v1 trafficPolicy: tls: mode: DISABLE - name: v2 trafficPolicy: tls: mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-traffic-tls-disable namespace: default spec: host: myservice trafficPolicy: tls: mode: DISABLE
DisallowedAuthzPrefix
Disallow Istio AuthorizationPolicy Prefixes v1.0.2
Richiede che i principali e gli spazi dei nomi nelle regole AuthorizationPolicy di Istio non abbiano un prefisso di un elenco specificato. https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DisallowedAuthzPrefix metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # disallowedprefixes <array>: Disallowed prefixes of principals and # namespaces. disallowedprefixes: - <string> Esempi
disallowed-authz-prefix-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DisallowedAuthzPrefix metadata: name: disallowed-authz-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedprefixes: - badprefix - reallybadprefix
Consentito
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-principal namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/badprefix-sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - badprefix-test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
GCPStorageLocationConstraintV1
Limitazione della posizione di archiviazione Google Cloud v1.0.3
Limita i valori locations consentiti per le risorse del connettore di configurazione StorageBucket all'elenco delle posizioni fornite nel vincolo. I nomi dei bucket nell'elenco exemptions sono esenti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GCPStorageLocationConstraintV1 metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptions <array>: A list of bucket names that are exempt from this # constraint. exemptions: - <string> # locations <array>: A list of locations that a bucket is permitted to # have. locations: - <string> Esempi
singapore-and-jakarta-only
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GCPStorageLocationConstraintV1 metadata: name: singapore-and-jakarta-only spec: enforcementAction: deny match: kinds: - apiGroups: - storage.cnrm.cloud.google.com kinds: - StorageBucket parameters: exemptions: - my_project_id_cloudbuild locations: - asia-southeast1 - asia-southeast2
Consentito
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Operazione non consentita
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
GkeSpotVMTerminationGrace
Limita terminationGracePeriodSeconds per le VM spot GKE v1.1.3
I pod e i modelli di pod con nodeSelector o nodeAfffinty di gke-spot devono avere un terminationGracePeriodSeconds di massimo 15 secondi.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds` # of 15s or less for all `Pod` on a `gke-spot` Node. includePodOnSpotNodes: <boolean> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "" version: "v1" kind: "Node" Esempi
spotvm-termination-grace
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata: name: spotvm-termination-grace spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod parameters: includePodOnSpotNodes: true
Consentito
apiVersion: v1 kind: Pod metadata: name: example-allowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata: name: example-allowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata: name: example-with-termGrace spec: Nodename: default containers: - image: nginx name: nginx terminationGracePeriodSeconds: 15 --- # Referential Data apiVersion: v1 kind: Node metadata: labels: cloud.google.com/gke-spot: "true" name: default
apiVersion: v1 kind: Pod metadata: name: example-with-termGrace spec: Nodename: default containers: - image: nginx name: nginx terminationGracePeriodSeconds: 15 --- # Referential Data apiVersion: v1 kind: Node metadata: name: default
apiVersion: v1 kind: Pod metadata: name: example-without-termGrace spec: Nodename: default containers: - image: nginx name: nginx --- # Referential Data apiVersion: v1 kind: Node metadata: name: default
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx terminationGracePeriodSeconds: 30
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 30
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: name: example-without-termGrace spec: Nodename: default containers: - image: nginx name: nginx --- # Referential Data apiVersion: v1 kind: Node metadata: labels: cloud.google.com/gke-spot: "true" name: default
K8sAllowedRepos
Repository consentiti v1.0.1
Richiede che le immagini container inizino con una stringa dell'elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAllowedRepos metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # repos <array>: The list of prefixes a container image is allowed to have. repos: - <string> Esempi
repo-is-openpolicyagent
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAllowedRepos metadata: name: repo-is-openpolicyagent spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: repos: - openpolicyagent/
Consentito
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginxinit resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginxinit resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi ephemeralContainers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
K8sAvoidUseOfSystemMastersGroup
Disattivazione dell'utilizzo del gruppo "system:masters" v1.0.0
Non consente l'utilizzo del gruppo "system:masters". Non ha alcun effetto durante l'audit.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAvoidUseOfSystemMastersGroup metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowlistedUsernames <array>: allowlistedUsernames is the list of # usernames that are allowed to use system:masters group. allowlistedUsernames: - <string> Esempi
avoid-use-of-system-masters-group
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAvoidUseOfSystemMastersGroup metadata: name: avoid-use-of-system-masters-group
Consentito
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockAllIngress
Block all Ingress v1.0.4
Non consente la creazione di oggetti Ingress (tipi Ingress, Gateway e Service di NodePort e LoadBalancer).
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockAllIngress metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowList <array>: A list of regular expressions for the Ingress object # names that are exempt from the constraint. allowList: - <string> Esempi
block-all-ingress
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockAllIngress metadata: name: block-all-ingress spec: enforcementAction: dryrun parameters: allowList: - name1 - name2 - name3 - my-*
Consentito
apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: v1 kind: Service metadata: name: allowed-clusterip-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: ClusterIP
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: disallowed-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: v1 kind: Service metadata: name: disallowed-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: disallowed-gateway-example spec: gatewayClassName: istio listeners: - allowedRoutes: namespaces: from: All hostname: '*.example.com' name: default port: 80 protocol: HTTP
K8sBlockCreationWithDefaultServiceAccount
Blocca la creazione con l'account di servizio predefinito v1.0.2
Non consente la creazione di risorse utilizzando un account di servizio predefinito. Non ha alcun effetto durante l'audit.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
block-creation-with-default-serviceaccount
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: block-creation-with-default-serviceaccount spec: enforcementAction: dryrun
Consentito
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockEndpointEditDefaultRole
Block Endpoint Edit Default Role v1.0.0
Molte installazioni di Kubernetes hanno per impostazione predefinita un ruolo ClusterRole system:aggregate-to-edit che non limita correttamente l'accesso alla modifica degli endpoint. Questo modello di vincolo impedisce al ruolo ClusterRole system:aggregate-to-edit di concedere l'autorizzazione per creare/eseguire patch/aggiornare gli endpoint. ClusterRole/system:aggregate-to-edit non deve consentire le autorizzazioni di modifica degli endpoint a causa della vulnerabilità CVE-2021-25740. Le autorizzazioni Endpoint ed EndpointSlice consentono il forwarding tra spazi dei nomi, https://github.com/kubernetes/kubernetes/issues/103675
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
block-endpoint-edit-default-role
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: block-endpoint-edit-default-role spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - create - delete - deletecollection - patch - update - apiGroups: - batch resources: - cronjobs - jobs verbs: - create - delete - deletecollection - patch - update - apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - delete - deletecollection - patch - update - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - create - delete - deletecollection - patch - update
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - endpoints - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update
K8sBlockLoadBalancer
Blocca servizi con tipo LoadBalancer v1.0.0
Non sono consentiti tutti i servizi di tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockLoadBalancer metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
block-load-balancer
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockLoadBalancer metadata: name: block-load-balancer spec: match: kinds: - apiGroups: - "" kinds: - Service
Consentito
apiVersion: v1 kind: Service metadata: name: my-service-allowed spec: ports: - port: 80 targetPort: 80 type: ClusterIP
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: LoadBalancer
K8sBlockNodePort
Block NodePort v1.0.0
Non sono consentiti tutti i servizi di tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
porta-nodo-blocco
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata: name: block-node-port spec: match: kinds: - apiGroups: - "" kinds: - Service
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: NodePort
K8sBlockObjectsOfType
Bloccare oggetti di tipo v1.0.1
Non sono consentiti oggetti di tipi vietati.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockObjectsOfType metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: forbiddenTypes: - <string> Esempi
block-secrets-of-type-basic-auth
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockObjectsOfType metadata: name: block-secrets-of-type-basic-auth spec: match: kinds: - apiGroups: - "" kinds: - Secret parameters: forbiddenTypes: - kubernetes.io/basic-auth
Consentito
apiVersion: v1 data: password: ZHVtbXlwYXNz username: ZHVtbXl1c2Vy kind: Secret metadata: name: credentials namespace: default type: Opaque
Operazione non consentita
apiVersion: v1 data: password: YmFzaWMtcGFzc3dvcmQ= username: YmFzaWMtdXNlcm5hbWU= kind: Secret metadata: name: secret-basic-auth namespace: default type: kubernetes.io/basic-auth
K8sBlockProcessNamespaceSharing
Blocca la condivisione dello spazio dei nomi dei processi v1.0.1
Vieta le specifiche dei pod con shareProcessNamespace impostato su true. In questo modo si evitano scenari in cui tutti i container di un pod condividono uno spazio dei nomi PID e possono accedere al file system e alla memoria l'uno dell'altro.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
block-process-namespace-sharing
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Consentito
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx shareProcessNamespace: true
K8sBlockWildcardIngress
Block Wildcard Ingress v1.0.1
Gli utenti non devono essere in grado di creare ingressi con un nome host vuoto o jolly (*), in quanto ciò consentirebbe loro di intercettare il traffico per altri servizi nel cluster, anche se non hanno accesso a questi servizi.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockWildcardIngress metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
block-wildcard-ingress
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockWildcardIngress metadata: name: block-wildcard-ingress spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Consentito
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: non-wildcard-ingress spec: rules: - host: myservice.example.com http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - host: "" http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - host: '*.example.com' http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix - host: valid.example.com http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
K8sContainerEphemeralStorageLimit
Limite di spazio di archiviazione temporanea del container v1.0.2
Richiede che per i container sia impostato un limite di spazio di archiviazione temporaneo e limita il limite a rientrare nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerEphemeralStorageLimit metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # ephemeral-storage <string>: The maximum allowed ephemeral storage limit # on a Pod, exclusive. ephemeral-storage: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
container-ephemeral-storage-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerEphemeralStorageLimit metadata: name: container-ephemeral-storage-limit spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ephemeral-storage: 500Mi
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: init-opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 1Pi memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: init-opa resources: limits: cpu: 100m ephemeral-storage: 1Pi memory: 1Gi
K8sContainerLimits
Container Limits v1.0.1
Richiede che i container abbiano limiti di memoria e CPU impostati e limita i limiti in modo che rientrino nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerLimits metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive. cpu: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # memory <string>: The maximum allowed memory limit on a Pod, exclusive. memory: <string> Esempi
container-must-have-limits
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerLimits metadata: name: container-must-have-limits spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
K8sContainerRatios
Container Ratios v1.0.1
Imposta un rapporto massimo per i limiti delle risorse dei container rispetto alle richieste. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to # `resources.requests.cpu` on a container. If not specified, equal to # `ratio`. cpuRatio: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # ratio <string>: The maximum allowed ratio of `resources.limits` to # `resources.requests` on a container. ratio: <string> Esempi
container-must-meet-ratio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ratio: "2"
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 200m memory: 200Mi requests: cpu: 100m memory: 100Mi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 800m memory: 2Gi requests: cpu: 100m memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-memory-and-cpu-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpuRatio: "10" ratio: "1"
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: "4" memory: 2Gi requests: cpu: "1" memory: 2Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: "4" memory: 2Gi requests: cpu: 100m memory: 2Gi
K8sContainerRequests
Container Requests v1.0.1
Richiede che i container abbiano richieste di memoria e CPU impostate e limita le richieste a rientrare nei valori massimi specificati. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRequests metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cpu <string>: The maximum allowed cpu request on a Pod, exclusive. cpu: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # memory <string>: The maximum allowed memory request on a Pod, exclusive. memory: <string> Esempi
container-must-have-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRequests metadata: name: container-must-have-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 1Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
K8sCronJobAllowedRepos
Repositori consentiti per CronJob v1.0.1
Richiede che le immagini dei container dei CronJob inizino con una stringa dell'elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sCronJobAllowedRepos metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # repos <array>: The list of prefixes a container image is allowed to have. repos: - <string> Esempi
cronjob-restrict-repos
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sCronJobAllowedRepos metadata: name: cronjob-restrict-repos spec: match: kinds: - apiGroups: - batch kinds: - CronJob parameters: repos: - gke.gcr.io/
Consentito
apiVersion: batch/v1 kind: CronJob metadata: name: hello spec: jobTemplate: spec: template: spec: containers: - image: gke.gcr.io/busybox:1.28 name: hello schedule: '* * * * *'
Operazione non consentita
apiVersion: batch/v1 kind: CronJob metadata: name: hello spec: jobTemplate: spec: template: spec: containers: - image: busybox:1.28 name: hello schedule: '* * * * *'
K8sDisallowAnonymous
Disallow Anonymous Access v1.0.0
Non consente di associare le risorse ClusterRole e Role all'utente system:anonymous e al gruppo system:unauthenticated.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowAnonymous metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedRoles <array>: The list of ClusterRoles and Roles that may be # associated with the `system:unauthenticated` group and `system:anonymous` # user. allowedRoles: - <string> Esempi
no-anonymous
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowAnonymous metadata: name: no-anonymous spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRoleBinding - apiGroups: - rbac.authorization.k8s.io kinds: - RoleBinding parameters: allowedRoles: - cluster-role-1
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowInteractiveTTY
Disattiva i container TTY interattivi v1.0.0
Richiede che gli oggetti abbiano i campi spec.tty e spec.stdin impostati su false o non impostati.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowInteractiveTTY metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
no-interactive-tty-containers
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowInteractiveTTY metadata: name: no-interactive-tty-containers spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-interactive-tty name: nginx-interactive-tty-allowed spec: containers: - image: nginx name: nginx stdin: false tty: false
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: containers: - image: nginx name: nginx stdin: true tty: true
K8sDisallowedRepos
Repository non consentiti versione 1.0.0
Repository di contenitori non consentiti che iniziano con una stringa dell'elenco specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRepos metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # repos <array>: The list of prefixes a container image is not allowed to # have. repos: - <string> Esempi
repo-must-not-be-k8s-gcr-io
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRepos metadata: name: repo-must-not-be-k8s-gcr-io spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: repos: - k8s.gcr.io/
Consentito
apiVersion: v1 kind: Pod metadata: name: kustomize-allowed spec: containers: - image: registry.k8s.io/kustomize/kustomize:v3.8.9 name: kustomize
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: registry.k8s.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomizeinit
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomizeinit
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize ephemeralContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize
K8sDisallowedRoleBindingSubjects
Disallowed Rolebinding Subjects v1.0.1
Vieta RoleBinding o ClusterRoleBinding con soggetti corrispondenti a qualsiasi disallowedSubjects passato come parametro.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRoleBindingSubjects metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # disallowedSubjects <array>: A list of subjects that cannot appear in a # RoleBinding. disallowedSubjects: - # apiGroup <string>: The Kubernetes API group of the disallowed role # binding subject. Currently ignored. apiGroup: <string> # kind <string>: The kind of the disallowed role binding subject. kind: <string> # name <string>: The name of the disallowed role binding subject. name: <string> Esempi
soggetti-associazione-ruolo-non-consentiti
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRoleBindingSubjects metadata: name: disallowed-rolebinding-subjects spec: parameters: disallowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Disallow tags v1.0.1
Richiede che le immagini container abbiano un tag immagine diverso da quelli nell'elenco specificato. https://kubernetes.io/docs/concepts/containers/images/#image-names
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedTags metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # tags <array>: Disallowed container image tags. tags: - <string> Esempi
container-image-must-not-have-latest-tag
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedTags metadata: name: container-image-must-not-have-latest-tag spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: exemptImages: - openpolicyagent/opa-exp:latest - openpolicyagent/opa-exp2:latest tags: - latest
Consentito
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa
apiVersion: v1 kind: Pod metadata: name: opa-exempt-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp:latest name: opa-exp - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/init:v1 name: opa-init - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp2:latest name: opa-exp2
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-2 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-ephemeral spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-3 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp:latest name: opa - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/init:latest name: opa-init - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp2:latest name: opa-exp2 - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/monitor:latest name: opa-monitor
K8sEmptyDirHasSizeLimit
Empty Directory has Size Limit v1.0.5
Richiede che tutti i volumi emptyDir specifichino un sizeLimit. Se vuoi, puoi specificare un parametro maxSizeLimit nel vincolo per indicare un limite di dimensioni massime consentito.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEmptyDirHasSizeLimit metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptVolumesRegex <array>: Exempt Volume names as regex match. exemptVolumesRegex: - <string> # maxSizeLimit <string>: When set, the declared size limit for each volume # must be less than `maxSizeLimit`. maxSizeLimit: <string> Esempi
empty-dir-has-size-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEmptyDirHasSizeLimit metadata: name: empty-dir-has-size-limit spec: match: excludedNamespaces: - istio-system - kube-system - gatekeeper-system parameters: exemptVolumesRegex: - ^istio-[a-z]+$ maxSizeLimit: 4Gi
Consentito
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: sizeLimit: 2Gi name: good-pod-volume
apiVersion: v1 kind: Pod metadata: name: exempt-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: istio-envoy
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: bad-pod-volume
K8sEnforceCloudArmorBackendConfig
Applicare Cloud Armor alle risorse BackendConfig v1.0.2
Applica la configurazione di Cloud Armor alle risorse BackendConfig
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
enforce-cloudarmor-backendconfig
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: enforce-cloudarmor-backendconfig spec: enforcementAction: dryrun
Consentito
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: example-security-policy
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: second-backendconfig spec: securityPolicy: name: my-security-policy
Operazione non consentita
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: null
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: ""
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig spec: logging: enable: true sampleRate: 0.5
K8sEnforceConfigManagement
Enforce Config Management versione 1.1.6
Richiede la presenza e il funzionamento di Config Management. I vincoli che utilizzano questo ConstraintTemplate verranno sottoposti a controllo indipendentemente dal valore di enforcementAction.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceConfigManagement metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # requireDriftPrevention <boolean>: Require Config Sync drift prevention to # prevent config drift. requireDriftPrevention: <boolean> # requireRootSync <boolean>: Require a Config Sync `RootSync` object for # cluster config management. requireRootSync: <boolean> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "configsync.gke.io" version: "v1beta1" kind: "RootSync" Esempi
enforce-config-management
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceConfigManagement metadata: name: enforce-config-management spec: enforcementAction: dryrun match: kinds: - apiGroups: - configmanagement.gke.io kinds: - ConfigManagement
Consentito
apiVersion: configmanagement.gke.io/v1 kind: ConfigManagement metadata: annotations: configmanagement.gke.io/managed-by-hub: "true" configmanagement.gke.io/update-time: "1663586155" name: config-management spec: binauthz: enabled: true clusterName: tec6ea817b5b4bb2-cluster enableMultiRepo: true git: proxy: {} syncRepo: [email protected]:/git-server/repos/sot.git hierarchyController: {} policyController: auditIntervalSeconds: 60 enabled: true monitoring: backends: - prometheus - cloudmonitoring mutation: {} referentialRulesEnabled: true templateLibraryInstalled: true status: configManagementVersion: v1.12.2-rc.2 healthy: true
Operazione non consentita
apiVersion: configmanagement.gke.io/v1 kind: ConfigManagement metadata: annotations: configmanagement.gke.io/managed-by-hub: "true" configmanagement.gke.io/update-time: "1663586155" name: config-management spec: binauthz: enabled: true clusterName: tec6ea817b5b4bb2-cluster enableMultiRepo: true git: syncRepo: [email protected]:/git-server/repos/sot.git hierarchyController: {} policyController: auditIntervalSeconds: 60 enabled: true monitoring: backends: - prometheus - cloudmonitoring mutation: {} referentialRulesEnabled: true templateLibraryInstalled: true status: configManagementVersion: v1.12.2-rc.2
K8sExternalIPs
Indirizzi IP esterni v1.0.0
Limita gli indirizzi IP esterni del servizio a un elenco consentito di indirizzi IP. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sExternalIPs metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedIPs <array>: An allow-list of external IP addresses. allowedIPs: - <string> Esempi
external-ips
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sExternalIPs metadata: name: external-ips spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: allowedIPs: - 203.0.113.0
Consentito
apiVersion: v1 kind: Service metadata: name: allowed-external-ip spec: externalIPs: - 203.0.113.0 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: disallowed-external-ip spec: externalIPs: - 1.1.1.1 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
K8sHorizontalPodAutoscaler
Horizontal Pod Autoscaler versione 1.0.1
Non consentire i seguenti scenari durante il deployment di HorizontalPodAutoscalers 1. Deployment di HorizontalPodAutoscaler con .spec.minReplicas o .spec.maxReplicas al di fuori degli intervalli definiti nel vincolo 2. Deployment di HorizontalPodAutoscaler se la differenza tra .spec.minReplicas e .spec.maxReplicas è inferiore al valore minimumReplicaSpread 3 configurato. Deployment di HorizontalPodAutoscaler che non fanno riferimento a un scaleTargetRef valido (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet).
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHorizontalPodAutoscaler metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # enforceScaleTargetRef <boolean>: If set to true it validates the HPA # scaleTargetRef exists enforceScaleTargetRef: <boolean> # minimumReplicaSpread <integer>: If configured it enforces the minReplicas # and maxReplicas in an HPA must have a spread of at least this many # replicas minimumReplicaSpread: <integer> # ranges <array>: Allowed ranges for numbers of replicas. Values are # inclusive. ranges: # <list item: object>: A range of allowed replicas. Values are # inclusive. - # max_replicas <integer>: The maximum number of replicas allowed, # inclusive. max_replicas: <integer> # min_replicas <integer>: The minimum number of replicas allowed, # inclusive. min_replicas: <integer> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "apps" version: "v1" kind: "Deployment" OR - group: "apps" version: "v1" kind: "StatefulSet" Esempi
horizontal-pod-autoscaler
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHorizontalPodAutoscaler metadata: name: horizontal-pod-autoscaler spec: enforcementAction: deny match: kinds: - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler parameters: enforceScaleTargetRef: true minimumReplicaSpread: 1 ranges: - max_replicas: 6 min_replicas: 3
Consentito
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-allowed namespace: default spec: maxReplicas: 6 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 3 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Operazione non consentita
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-replicas namespace: default spec: maxReplicas: 7 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 2 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-replicaspread namespace: default spec: maxReplicas: 4 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 4 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-scaletarget namespace: default spec: maxReplicas: 6 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 3 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment-missing --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sHttpsOnly
Solo HTTPS v1.0.2
Richiede che le risorse Ingress siano solo HTTPS. Le risorse Ingress devono includere l'annotazione kubernetes.io/ingress.allow-http, impostata su false. Per impostazione predefinita è richiesta una configurazione TLS {} valida, che può essere resa facoltativa impostando il parametro tlsOptional su true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # tlsOptional <boolean>: When set to `true` the TLS {} is optional, # defaults to false. tlsOptional: <boolean> Esempi
ingress-https-only
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Consentito
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.allow-http: "false" name: ingress-demo-allowed spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix tls: - {}
Operazione non consentita
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-demo-disallowed spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
ingress-https-only-tls-optional
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only-tls-optional spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress parameters: tlsOptional: true
Consentito
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.allow-http: "false" name: ingress-demo-allowed-tls-optional spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-demo-disallowed-tls-optional spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
K8sImageDigests
Digest delle immagini v1.0.1
Richiede che le immagini container contengano un digest. https://kubernetes.io/docs/concepts/containers/images/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sImageDigests metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
container-image-must-have-digest
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sImageDigests metadata: name: container-image-must-have-digest spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default
Consentito
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a name: opa
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opainit
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opainit
K8sLocalStorageRequireSafeToEvict
Lo spazio di archiviazione locale richiede Safe to Evict 1.0.1
Richiede che i pod che utilizzano lo spazio di archiviazione locale (emptyDir o hostPath) abbiano l'annotazione "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". Il gestore della scalabilità automatica dei cluster non eliminerà i pod senza questa annotazione.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
local-storage-require-safe-to-evict
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict spec: match: excludedNamespaces: - kube-system - istio-system - gatekeeper-system
Consentito
apiVersion: v1 kind: Pod metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" name: good-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
K8sMemoryRequestEqualsLimit
Richiesta di memoria uguale a limite v1.0.4
Promuove la stabilità del pod richiedendo che la memoria richiesta da tutti i container corrisponda esattamente al limite di memoria, in modo che i pod non siano mai in uno stato in cui l'utilizzo della memoria superi la quantità richiesta. In caso contrario, Kubernetes può terminare i pod che richiedono memoria aggiuntiva se questa è necessaria sul nodo.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptContainersRegex <array>: Exempt Container names as regex match. exemptContainersRegex: - <string> Esempi
container-must-request-limit
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit spec: match: excludedNamespaces: - kube-system - resource-group-system - asm-system - istio-system - config-management-system - config-management-monitoring parameters: exemptContainersRegex: - ^istio-[a-z]+$
Consentito
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 4Gi
apiVersion: v1 kind: Pod metadata: name: exempt-pod namespace: default spec: containers: - image: auto name: istio-proxy resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
K8sNoEnvVarSecrets
No Environment Variable Secrets v1.0.1
Vieta l'utilizzo dei secret come variabili di ambiente nelle definizioni dei container del pod. Utilizza invece i file secret montati nei volumi di dati: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
no-secrets-as-env-vars-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
Consentito
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: redis name: test volumeMounts: - mountPath: /etc/test name: test readOnly: true volumes: - name: test secret: secretName: mysecret
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - env: - name: MY_PASSWORD valueFrom: secretKeyRef: key: password name: mysecret image: redis name: test
K8sNoExternalServices
Nessun servizio esterno versione 1.0.3
Vieta la creazione di risorse note che espongono i carichi di lavoro a IP esterni. Sono incluse le risorse Istio Gateway e Kubernetes Ingress. I servizi Kubernetes non sono consentiti, a meno che non soddisfino i seguenti criteri: Qualsiasi servizio di tipo LoadBalancer in Google Cloud deve avere un'annotazione "networking.gke.io/load-balancer-type": "Internal". Qualsiasi servizio di tipo LoadBalancer in AWS deve avere un'annotazione service.beta.kubernetes.io/aws-load-balancer-internal: "true. Tutti gli "IP esterni" (esterni al cluster) associati al servizio devono essere membri di un intervallo di CIDR interni come specificato nella limitazione.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS` # are supported currently. cloudPlatform: <string> # internalCIDRs <array>: A list of CIDRs that are only accessible # internally, for example: `10.3.27.0/24`. Which IP ranges are # internal-only is determined by the underlying network infrastructure. internalCIDRs: - <string> Esempi
no-external
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external spec: parameters: internalCIDRs: - 10.0.0.1/32
Consentito
apiVersion: v1 kind: Service metadata: name: good-service namespace: default spec: externalIPs: - 10.0.0.1 ports: - port: 8888 protocol: TCP targetPort: 8888
apiVersion: v1 kind: Service metadata: annotations: networking.gke.io/load-balancer-type: Internal name: allowed-internal-load-balancer namespace: default spec: type: LoadBalancer
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: bad-service namespace: default spec: externalIPs: - 10.0.0.2 ports: - port: 8888 protocol: TCP targetPort: 8888
no-external-aws
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external-aws spec: parameters: cloudPlatform: AWS
Consentito
apiVersion: v1 kind: Service metadata: annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" name: good-aws-service namespace: default spec: type: LoadBalancer
Operazione non consentita
apiVersion: v1 kind: Service metadata: annotations: cloud.google.com/load-balancer-type: Internal name: bad-aws-service namespace: default spec: type: LoadBalancer
K8sPSPAllowPrivilegeEscalationContainer
Consenti l'escalation dei privilegi nel contenitore v1.0.1
Controlla la limitazione dell'escalation ai privilegi di root. Corrisponde al campo allowPrivilegeEscalation in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
psp-allow-privilege-escalation-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: psp-allow-privilege-escalation-container-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-allowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: false
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Utenti consentiti v1.0.2
Controlla gli ID utente e gruppo del contenitore e di alcuni volumi. Corrisponde ai campi runAsUser, runAsGroup, supplementalGroups e fsGroup in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod # or container-level SecurityContext. fsGroup: # ranges <array>: A list of group ID ranges affected by the rule. ranges: # <list item: object>: The range of group IDs affected by the rule. - # max <integer>: The maximum group ID in the range, inclusive. max: <integer> # min <integer>: The minimum group ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the fsGroup restriction. # Allowed Values: MustRunAs, MayRunAs, RunAsAny rule: <string> # runAsGroup <object>: Controls which group ID values are allowed in a Pod # or container-level SecurityContext. runAsGroup: # ranges <array>: A list of group ID ranges affected by the rule. ranges: # <list item: object>: The range of group IDs affected by the rule. - # max <integer>: The maximum group ID in the range, inclusive. max: <integer> # min <integer>: The minimum group ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the runAsGroup restriction. # Allowed Values: MustRunAs, MayRunAs, RunAsAny rule: <string> # runAsUser <object>: Controls which user ID values are allowed in a Pod or # container-level SecurityContext. runAsUser: # ranges <array>: A list of user ID ranges affected by the rule. ranges: # <list item: object>: The range of user IDs affected by the rule. - # max <integer>: The maximum user ID in the range, inclusive. max: <integer> # min <integer>: The minimum user ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the runAsUser restriction. # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny rule: <string> # supplementalGroups <object>: Controls the supplementalGroups values that # are allowed in a Pod or container-level SecurityContext. supplementalGroups: # ranges <array>: A list of group ID ranges affected by the rule. ranges: # <list item: object>: The range of group IDs affected by the rule. - # max <integer>: The maximum group ID in the range, inclusive. max: <integer> # min <integer>: The minimum group ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the supplementalGroups # restriction. # Allowed Values: MustRunAs, MayRunAs, RunAsAny rule: <string> Esempi
psp-pods-allowed-user-ranges
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: fsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsUser: ranges: - max: 200 min: 100 rule: MustRunAs supplementalGroups: ranges: - max: 200 min: 100 rule: MustRunAs
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-allowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 199 runAsUser: 199 securityContext: fsGroup: 199 supplementalGroups: - 199
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
K8sPSPAppArmor
App Armor v1.0.0
Configura una lista consentita di profili AppArmor da utilizzare per i container. Corrisponde ad annotazioni specifiche applicate a un PodSecurityPolicy. Per informazioni su AppArmor, consulta https://kubernetes.io/docs/tutorials/clusters/apparmor/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAppArmor metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedProfiles <array>: An array of AppArmor profiles. Examples: # `runtime/default`, `unconfined`. allowedProfiles: - <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
psp-apparmor
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAppArmor metadata: name: psp-apparmor spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default
Consentito
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: runtime/default labels: app: nginx-apparmor name: nginx-apparmor-allowed spec: containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: ephemeralContainers: - image: nginx name: nginx
K8sPSPAutomountServiceAccountTokenPod
Token dell'account di servizio per il montaggio automatico del pod v1.0.1
Controlla la possibilità di qualsiasi pod di attivare automountServiceAccountToken.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAutomountServiceAccountTokenPod metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: <object> Esempi
psp-automount-serviceaccount-token-pod
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAutomountServiceAccountTokenPod metadata: name: psp-automount-serviceaccount-token-pod spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-not-automountserviceaccounttoken name: nginx-automountserviceaccounttoken-allowed spec: automountServiceAccountToken: false containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-automountserviceaccounttoken name: nginx-automountserviceaccounttoken-disallowed spec: automountServiceAccountToken: true containers: - image: nginx name: nginx
K8sPSPCapabilities
Capabilities v1.0.2
Controlla le funzionalità di Linux nei contenitori. Corrisponde ai campi allowedCapabilities e requiredDropCapabilities in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedCapabilities <array>: A list of Linux capabilities that can be # added to a container. allowedCapabilities: - <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # requiredDropCapabilities <array>: A list of Linux capabilities that are # required to be dropped from a container. requiredDropCapabilities: - <string> Esempi
capabilities-demo
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: capabilities-demo spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: allowedCapabilities: - something requiredDropCapabilities: - must_drop
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - something drop: - must_drop - another_one
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
K8sPSPFSGroup
Gruppo FS v1.0.2
Controlla l'allocazione di un gruppo FS che possiede i volumi del pod. Corrisponde al campo fsGroup in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # ranges <array>: GID ranges affected by the rule. ranges: - # max <integer>: The maximum GID in the range, inclusive. max: <integer> # min <integer>: The minimum GID in the range, inclusive. min: <integer> # rule <string>: An FSGroup rule name. # Allowed Values: MayRunAs, MustRunAs, RunAsAny rule: <string> Esempi
psp-fsgroup
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: psp-fsgroup spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ranges: - max: 1000 min: 1 rule: MayRunAs
Consentito
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 500 volumes: - emptyDir: {} name: fsgroup-demo-vol
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 2000 volumes: - emptyDir: {} name: fsgroup-demo-vol
K8sPSPFlexVolumes
FlexVolumes v1.0.1
Controlla la lista consentita dei driver FlexVolume. Corrisponde al campo allowedFlexVolumes in PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects. allowedFlexVolumes: - # driver <string>: The name of the FlexVolume driver. driver: <string> Esempi
psp-flexvolume-drivers
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedFlexVolumes: - driver: example/lvm - driver: example/cifs
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/lvm name: test-volume
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/testdriver name: test-volume
K8sPSPForbiddenSysctls
Istruzioni sysctl vietate v1.1.3
Controlla il profilo sysctl utilizzato dai contenitori. Corrisponde ai campi allowedUnsafeSysctls e forbiddenSysctls in un PodSecurityPolicy. Se specificato, qualsiasi sysctl non presente nel parametro allowedSysctls è considerato vietato. Il parametro forbiddenSysctls ha la precedenza sul parametro allowedSysctls. Per ulteriori informazioni, consulta https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls # not listed in the `forbiddenSysctls` parameter. allowedSysctls: - <string> # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all # sysctls. forbiddenSysctls: - <string> Esempi
psp-forbidden-sysctls
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: psp-forbidden-sysctls spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSysctls: - '*' forbiddenSysctls: - kernel.*
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: net.core.somaxconn value: "1024"
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: kernel.msgmax value: "65536" - name: net.core.somaxconn value: "1024"
K8sPSPHostFilesystem
File system host v1.0.2
Controlla l'utilizzo del file system dell'host. Corrisponde al campo allowedHostPaths in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedHostPaths <array>: An array of hostpath objects, representing # paths and read/write configuration. allowedHostPaths: - # pathPrefix <string>: The path prefix that the host volume must # match. pathPrefix: <string> # readOnly <boolean>: when set to true, any container volumeMounts # matching the pathPrefix must include `readOnly: true`. readOnly: <boolean> Esempi
psp-host-filesystem
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: psp-host-filesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedHostPaths: - pathPrefix: /foo readOnly: true
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /foo/bar name: cache-volume
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: ephemeralContainers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
K8sPSPHostNamespace
Host Namespace v1.0.1
Non consente la condivisione degli spazi dei nomi PID e IPC dell'host da parte dei contenitori dei pod. Corrisponde ai campi hostPID e hostIPC in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: <object> Esempi
psp-host-namespace-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: psp-host-namespace-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-allowed spec: containers: - image: nginx name: nginx hostIPC: false hostPID: false
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-disallowed spec: containers: - image: nginx name: nginx hostIPC: true hostPID: true
K8sPSPHostNetworkingPorts
Porte di rete dell'host v1.0.2
Controlla l'utilizzo dello spazio dei nomi di rete dell'host da parte dei container dei pod. È necessario specificare porte specifiche. Corrisponde ai campi hostNetwork e hostPorts in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # hostNetwork <boolean>: Determines if the policy allows the use of # HostNetwork in the pod spec. hostNetwork: <boolean> # max <integer>: The end of the allowed port range, inclusive. max: <integer> # min <integer>: The start of the allowed port range, inclusive. min: <integer> Esempi
psp-host-network-ports-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: psp-host-network-ports-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: hostNetwork: true max: 9000 min: 80
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-allowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9000 hostPort: 80 hostNetwork: false
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: ephemeralContainers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
K8sPSPPrivilegedContainer
Privileged Container v1.0.1
Controlla la capacità di qualsiasi contenitore di attivare la modalità con privilegi. Corrisponde al campo privileged in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
psp-privileged-container-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: psp-privileged-container-sample spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-allowed spec: containers: - image: nginx name: nginx securityContext: privileged: false
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: containers: - image: nginx name: nginx securityContext: privileged: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: privileged: true
K8sPSPProcMount
Proc Mount v1.0.3
Controlla i tipi di procMount consentiti per il contenitore. Corrisponde al campo allowedProcMountTypes in un PodSecurityPolicy. Per ulteriori informazioni, consulta la pagina https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # procMount <string>: Defines the strategy for the security exposure of # certain paths in `/proc` by the container runtime. Setting to `Default` # uses the runtime defaults, where `Unmasked` bypasses the default # behavior. # Allowed Values: Default, Unmasked procMount: <string> Esempi
psp-proc-mount
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: psp-proc-mount spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: procMount: Default
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Default
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Unmasked
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
File system di root di sola lettura versione 1.0.1
Richiede l'utilizzo di un file system principale di sola lettura da parte dei container pod. Corrisponde al campo readOnlyRootFilesystem in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
psp-readonlyrootfilesystem
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-allowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: true
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
K8sPSPSELinuxV2
SELinux V2 v1.0.3
Definisce una lista consentita di configurazioni seLinuxOptions per i container dei pod. Corrisponde a un PodSecurityPolicy che richiede configurazioni SELinux. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSELinuxV2 metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSELinuxOptions <array>: An allow-list of SELinux options # configurations. allowedSELinuxOptions: # <list item: object>: An allowed configuration of SELinux options for a # pod container. - # level <string>: An SELinux level. level: <string> # role <string>: An SELinux role. role: <string> # type <string>: An SELinux type. type: <string> # user <string>: An SELinux user. user: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
psp-selinux-v2
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSELinuxV2 metadata: name: psp-selinux-v2 spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSELinuxOptions: - level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-allowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
K8sPSPSeccomp
Seccomp v1.0.1
Controlla il profilo seccomp utilizzato dai container. Corrisponde all'annotazione seccomp.security.alpha.kubernetes.io/allowedProfileNames in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedLocalhostFiles <array>: When using securityContext naming scheme # for seccomp and including `Localhost` this array holds the allowed # profile JSON files. Putting a `*` in this array will allows all JSON # files to be used. This field is required to allow `Localhost` in # securityContext as with an empty list it will block. allowedLocalhostFiles: - <string> # allowedProfiles <array>: An array of allowed profile values for seccomp # on Pods/Containers. Can use the annotation naming scheme: # `runtime/default`, `docker/default`, `unconfined` and/or # `localhost/some-profile.json`. The item `localhost/*` will allow any # localhost based profile. Can also use the securityContext naming scheme: # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the # allowed profile JSON files. The policy code will translate between the # two schemes so it is not necessary to use both. Putting a `*` in this # array allows all Profiles to be used. This field is required since with # an empty list this policy will block all workloads. allowedProfiles: - <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Esempi
psp-seccomp
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: psp-seccomp spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default - docker/default
Consentito
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed2 spec: containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed2 spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: ephemeralContainers: - image: nginx name: nginx
K8sPSPVolumeTypes
Tipi di volume v1.0.2
Limita i tipi di volumi montabili a quelli specificati dall'utente. Corrisponde al campo volumes in un PodSecurityPolicy. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPVolumeTypes metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # volumes <array>: `volumes` is an array of volume types. All volume types # can be enabled using `*`. volumes: - <string> Esempi
psp-volume-types
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPVolumeTypes metadata: name: psp-volume-types spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: volumes: - configMap - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim - flexVolume
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - emptyDir: {} name: cache-volume - emptyDir: {} name: demo-vol
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - hostPath: path: /tmp name: cache-volume - emptyDir: {} name: demo-vol
K8sPSPWindowsHostProcess
Limita i container / pod HostProcess di Windows. v1.0.0
Limita l'esecuzione di container / pod HostProcess Windows. Per ulteriori informazioni, consulta la pagina https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPWindowsHostProcess metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
restrict-windows-hostprocess
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPWindowsHostProcess metadata: name: restrict-windows-hostprocess spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-loop nodeSelector: kubernetes.io/os: windows
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop-hostprocess-container spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-test securityContext: windowsOptions: hostProcess: true runAsUserName: NT AUTHORITY\SYSTEM hostNetwork: true nodeSelector: kubernetes.io/os: windows
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop-hostprocess-pod spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-test hostNetwork: true nodeSelector: kubernetes.io/os: windows securityContext: windowsOptions: hostProcess: true runAsUserName: NT AUTHORITY\SYSTEM
K8sPSSRunAsNonRoot
Richiede che i container vengano eseguiti come utenti non root. v1.0.0
Richiede l'esecuzione dei container come utenti non root. Per ulteriori informazioni, consulta https://kubernetes.io/docs/concepts/security/pod-security-standards/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSSRunAsNonRoot metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
restrict-runasnonroot
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSSRunAsNonRoot metadata: name: restrict-runasnonroot spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: name: nginx-pod-allowed spec: containers: - image: nginx name: nginx-container-allowed securityContext: runAsNonRoot: true securityContext: runAsNonRoot: true
apiVersion: v1 kind: Pod metadata: name: nginx-allowed spec: containers: - image: nginx name: nginx-allowed securityContext: runAsNonRoot: true
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: nginx-pod-allowed spec: containers: - image: nginx name: nginx-container-disallowed securityContext: runAsNonRoot: false securityContext: runAsNonRoot: true
apiVersion: v1 kind: Pod metadata: name: nginx-pod-disallowed spec: containers: - image: nginx name: nginx-container-allowed securityContext: runAsNonRoot: true securityContext: runAsNonRoot: false
apiVersion: v1 kind: Pod metadata: name: nginx-pod-disallowed spec: containers: - image: nginx name: nginx-container-disallowed securityContext: runAsNonRoot: false
K8sPodDisruptionBudget
Budget di interruzione dei pod (PDB) v1.0.3
Non consentire i seguenti scenari durante il deployment di PodDisruptionBudget o risorse che implementano la risorsa secondaria replica (ad es. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment di PodDisruptionBudget con .spec.maxUnavailable == 0 2. Deployment di PodDisruptionBudget con .spec.minAvailable == .spec.replicas della risorsa con risorsa secondaria replica. In questo modo, i PodDisruptionBudget non bloccheranno le interruzioni volontarie come lo svuotamento dei nodi. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodDisruptionBudget metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "policy" version: "v1" kind: "PodDisruptionBudget" Esempi
pod-distruption-budget
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodDisruptionBudget metadata: name: pod-distruption-budget spec: match: kinds: - apiGroups: - apps kinds: - Deployment - ReplicaSet - StatefulSet - apiGroups: - policy kinds: - PodDisruptionBudget - apiGroups: - "" kinds: - ReplicationController
Consentito
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: nginx-pdb-allowed namespace: default spec: maxUnavailable: 1 selector: matchLabels: foo: bar
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-1 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-1 template: metadata: labels: app: nginx example: allowed-deployment-1 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-1 namespace: default spec: minAvailable: 2 selector: matchLabels: app: nginx example: allowed-deployment-1
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-2 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-2 template: metadata: labels: app: nginx example: allowed-deployment-2 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-2 namespace: default spec: maxUnavailable: 1 selector: matchLabels: app: nginx example: allowed-deployment-2
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-3 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-3 template: metadata: labels: app: nginx example: allowed-deployment-3 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-3 namespace: default spec: minAvailable: 2 selector: matchLabels: app: nginx
apiVersion: apps/v1 kind: Deployment metadata: labels: app: non-matching-nginx name: nginx-deployment-allowed-4 namespace: default spec: replicas: 1 selector: matchLabels: app: non-matching-nginx example: allowed-deployment-4 template: metadata: labels: app: non-matching-nginx example: allowed-deployment-4 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-mongo-pdb-allowed-3 namespace: default spec: minAvailable: 2 selector: matchLabels: app: mongo example: non-matching-deployment-3
Operazione non consentita
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: nginx-pdb-disallowed namespace: default spec: maxUnavailable: 0 selector: matchLabels: foo: bar
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-disallowed namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: disallowed-deployment template: metadata: labels: app: nginx example: disallowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-disallowed namespace: default spec: minAvailable: 3 selector: matchLabels: app: nginx example: disallowed-deployment
K8sPodResourcesBestPractices
I contenitori non devono essere di tipo Best Effort e devono seguire le best practice per i contenitori burstable v1.0.5
Richiede che i container non siano best effort (impostando le richieste di CPU e memoria) e che seguano le best practice per i burst (la richiesta di memoria deve essere esattamente uguale al limite). Se vuoi, puoi configurare le chiavi di annotazione in modo da saltare le varie convalide.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodResourcesBestPractices metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: A list of exempt Images. exemptImages: - <string> # skipBestEffortValidationAnnotationKey <string>: Optional annotation key # to skip best-effort container validation. skipBestEffortValidationAnnotationKey: <string> # skipBurstableValidationAnnotationKey <string>: Optional annotation key to # skip burstable container validation. skipBurstableValidationAnnotationKey: <string> # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional # annotation key to skip both best-effort and burstable validation. skipResourcesBestPracticesValidationAnnotationKey: <string> Esempi
gke-pod-resources-best-practices
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodResourcesBestPractices metadata: name: gke-pod-resources-best-practices spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: skipBestEffortValidationAnnotationKey: skip_besteffort_validation skipBurstableValidationAnnotationKey: skip_burstable_validation skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Consentito
apiVersion: v1 kind: Pod metadata: name: pod-setting-cpu-requests-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-limits-only spec: containers: - image: nginx name: nginx resources: limits: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-requests-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 100Mi requests: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: annotations: skip_besteffort_validation: "true" skip_burstable_validation: "true" skip_resources_best_practices_validation: "false" name: pod-skip-validation spec: containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: pod-not-setting-cpu-burstable-on-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-not-setting-requests spec: containers: - image: nginx name: nginx restartPolicy: OnFailure
apiVersion: v1 kind: Pod metadata: name: pod-setting-cpu-not-burstable-on-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-memory-requests-cpu-limits spec: containers: - image: nginx name: nginx resources: limits: cpu: 30m requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu-limits spec: containers: - image: nginx name: nginx resources: limits: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu-requests spec: containers: - image: nginx name: nginx resources: requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu spec: containers: - image: nginx name: nginx resources: limits: cpu: 500m requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 250Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory-requests spec: containers: - image: nginx name: nginx resources: requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 100Mi requests: memory: 100Mi
K8sPodsRequireSecurityContext
I pod richiedono il contesto di sicurezza v1.1.1
Richiede che tutti i pod definiscano securityContext. Richiede che tutti i container definiti nei pod abbiano un SecurityContext definito a livello di pod o container.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: A list of exempt Images. exemptImages: - <string> Esempi
pods-require-security-context-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context-sample spec: enforcementAction: dryrun parameters: exemptImages: - nginix-exempt - alpine*
Consentito
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: nginx name: nginx securityContext: runAsUser: 2000
apiVersion: v1 kind: Pod metadata: name: allowed-example-exemptImage spec: containers: - image: nginix-exempt name: nginx
apiVersion: v1 kind: Pod metadata: name: allowed-example-exemptImage-wildcard spec: containers: - image: alpine17 name: alpine
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - image: nginx name: nginx
K8sProhibitRoleWildcardAccess
Prohibit Role Wildcard Access v1.0.5
Richiede che i ruoli e i clusterrole non imposti l'accesso alle risorse a un valore jolly "", tranne per i ruoli e i clusterrole esenti forniti come esenzioni. Non limita l'accesso con caratteri jolly alle risorse secondarie, ad esempio ""/status"".
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptions <object>: The list of exempted Roles and/or ClusterRoles name # that are allowed to set resource access to a wildcard. exemptions: clusterRoles: - # name <string>: The name of the ClusterRole to be exempted. name: <string> # regexMatch <boolean>: The flag to allow a regular expression # based match on the name. regexMatch: <boolean> roles: - # name <string>: The name of the Role to be exempted. name: <string> # namespace <string>: The namespace of the Role to be exempted. namespace: <string> Esempi
prohibit-role-wildcard-access-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
prohibit-wildcard-except-exempted-cluster-role
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-wildcard-except-exempted-cluster-role spec: enforcementAction: dryrun parameters: exemptions: clusterRoles: - name: cluster-role-allowed-example roles: - name: role-allowed-example namespace: role-ns-allowed-example
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Replica Limits v1.0.2
Richiede che gli oggetti con il campo spec.replicas (Deployment, ReplicaSet e così via) specifichino un numero di repliche all'interno di intervalli definiti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sReplicaLimits metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # ranges <array>: Allowed ranges for numbers of replicas. Values are # inclusive. ranges: # <list item: object>: A range of allowed replicas. Values are # inclusive. - # max_replicas <integer>: The maximum number of replicas allowed, # inclusive. max_replicas: <integer> # min_replicas <integer>: The minimum number of replicas allowed, # inclusive. min_replicas: <integer> Esempi
replica-limits
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sReplicaLimits metadata: name: replica-limits spec: match: kinds: - apiGroups: - apps kinds: - Deployment parameters: ranges: - max_replicas: 50 min_replicas: 3
Consentito
apiVersion: apps/v1 kind: Deployment metadata: name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Operazione non consentita
apiVersion: apps/v1 kind: Deployment metadata: name: disallowed-deployment spec: replicas: 100 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sRequireAdmissionController
Richiedi Admission Controller v1.0.0
Richiede l'ammissione in base ai criteri di sicurezza dei pod o un sistema di controllo dei criteri esterno
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireAdmissionController metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # permittedValidatingWebhooks <array>: List of permitted validating # webhooks which are valid external policy control systems permittedValidatingWebhooks: - <string> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "admissionregistration.k8s.io" version: "v1" OR "v1beta1" kind: "ValidatingWebhookConfiguration" Esempi
require-admission-controller
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireAdmissionController metadata: name: require-admission-controller spec: match: kinds: - apiGroups: - "" kinds: - Namespace
Consentito
apiVersion: v1 kind: Namespace metadata: labels: pod-security.kubernetes.io/enforce: baseline pod-security.kubernetes.io/enforce-version: v1.28 name: allowed-namespace
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequireBinAuthZ
Richiede Autorizzazione binaria 1.0.2
Richiede l'webhook di ammissione con convalida di Autorizzazione binaria. I vincoli che utilizzano questo ConstraintTemplate verranno sottoposti a controllo indipendentemente dal valore di enforcementAction.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireBinAuthZ metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "admissionregistration.k8s.io" version: "v1" OR "v1beta1" kind: "ValidatingWebhookConfiguration" Esempi
require-binauthz
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireBinAuthZ metadata: name: require-binauthz spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Namespace
Consentito
apiVersion: v1 kind: Namespace metadata: name: default --- # Referential Data apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: binauthz-admission-controller webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview name: imagepolicywebhook.image-policy.k8s.io rules: - operations: - CREATE - UPDATE - apiVersion: - v1 sideEffects: None
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: default
K8sRequireCosNodeImage
Richiedi l'immagine del nodo COS 1.1.1
Impone l'utilizzo di Container-Optimized OS di Google sui nodi.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireCosNodeImage metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptOsImages <array>: A list of exempt OS Images. exemptOsImages: - <string> Esempi
nodes-have-consistent-time
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireCosNodeImage metadata: name: nodes-have-consistent-time spec: enforcementAction: dryrun parameters: exemptOsImages: - Debian - Ubuntu*
Consentito
apiVersion: v1 kind: Node metadata: name: allowed-example status: nodeInfo: osImage: Container-Optimized OS from Google
apiVersion: v1 kind: Node metadata: name: example-exempt status: nodeInfo: osImage: Debian
apiVersion: v1 kind: Node metadata: name: example-exempt-wildcard status: nodeInfo: osImage: Ubuntu 18.04.5 LTS
Operazione non consentita
apiVersion: v1 kind: Node metadata: name: disallowed-example status: nodeInfo: osImage: Debian GNUv1.0
K8sRequireDaemonsets
Daemonset obbligatori v1.1.2
Richiede la presenza dell'elenco dei daemonset specificati.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDaemonsets metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # requiredDaemonsets <array>: A list of names and namespaces of the # required daemonsets. requiredDaemonsets: - # name <string>: The name of the required daemonset. name: <string> # namespace <string>: The namespace for the required daemonset. namespace: <string> # restrictNodeSelector <boolean>: The daemonsets cannot include # `NodeSelector`. restrictNodeSelector: <boolean> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "DaemonSet" OR - group: "apps" version: "v1beta2" OR "v1" kind: "DaemonSet" Esempi
require-daemonset
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDaemonsets metadata: name: require-daemonset spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Namespace parameters: requiredDaemonsets: - name: clamav namespace: pci-dss-av restrictNodeSelector: true
Consentito
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: other namespace: pci-dss-av spec: selector: matchLabels: name: other template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: other --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: labels: k8s-app: clamav-host-scanner name: clamav namespace: pci-dss-av spec: selector: matchLabels: name: clamav template: metadata: labels: name: clamav spec: containers: - image: us.gcr.io/{your-project-id}/clamav:latest livenessProbe: exec: command: - /health.sh initialDelaySeconds: 60 periodSeconds: 30 name: clamav-scanner resources: limits: memory: 3Gi requests: cpu: 500m memory: 2Gi volumeMounts: - mountPath: /data name: data-vol - mountPath: /host-fs name: host-fs readOnly: true - mountPath: /logs name: logs terminationGracePeriodSeconds: 30 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master volumes: - emptyDir: {} name: data-vol - hostPath: path: / name: host-fs - hostPath: path: /var/log/clamav name: logs
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: other namespace: pci-dss-av spec: selector: matchLabels: name: other template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: other
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: clamav namespace: pci-dss-av spec: selector: matchLabels: name: clamav template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: clamav nodeSelector: cloud.google.com/gke-spot: "true"
K8sRequireDefaultDenyEgressPolicy
Richiedi criterio in uscita di rifiuto predefinito 1.0.3
Richiede che ogni spazio dei nomi definito nel cluster abbia una policy NetworkPolicy predefinita per il traffico in uscita.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "NetworkPolicy" OR - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy" Esempi
require-default-deny-network-policies
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: require-default-deny-network-policies spec: enforcementAction: dryrun
Consentito
apiVersion: v1 kind: Namespace metadata: name: example-namespace --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress namespace: example-namespace spec: podSelector: {} policyTypes: - Egress
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: example-namespace
apiVersion: v1 kind: Namespace metadata: name: example-namespace2 --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress namespace: example-namespace spec: podSelector: {} policyTypes: - Egress
K8sRequireNamespaceNetworkPolicies
Richiedi criteri di rete dello spazio dei nomi 1.0.6
Richiede che ogni spazio dei nomi definito nel cluster abbia una NetworkPolicy.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "NetworkPolicy" OR - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy" Esempi
require-namespace-network-policies-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
Consentito
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Richiedi intervalli validi per le reti v1.0.2
Applica i blocchi CIDR consentiti per il traffico in entrata e in uscita della rete.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireValidRangesForNetworks metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are # allowed for egress. allowedEgress: - <string> # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are # allowed for ingress. allowedIngress: - <string> Esempi
require-valid-network-ranges
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireValidRangesForNetworks metadata: name: require-valid-network-ranges spec: enforcementAction: dryrun parameters: allowedEgress: - 10.0.0.0/32 allowedIngress: - 10.0.0.0/24
Consentito
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: egress: - ports: - port: 5978 protocol: TCP to: - ipBlock: cidr: 10.0.0.0/32 ingress: - from: - ipBlock: cidr: 10.0.0.0/29 - ipBlock: cidr: 10.0.0.100/29 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - port: 6379 protocol: TCP podSelector: matchLabels: role: db policyTypes: - Ingress - Egress
Operazione non consentita
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy-disallowed namespace: default spec: egress: - ports: - port: 5978 protocol: TCP to: - ipBlock: cidr: 1.1.2.0/31 ingress: - from: - ipBlock: cidr: 1.1.2.0/24 - ipBlock: cidr: 2.1.2.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - port: 6379 protocol: TCP podSelector: matchLabels: role: db policyTypes: - Ingress - Egress
K8sRequiredAnnotations
Annotazioni obbligatorie v1.0.1
Richiede che le risorse contengano annotazioni specificate, con valori corrispondenti alle espressioni regolari fornite.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # annotations <array>: A list of annotations and values the object must # specify. annotations: - # allowedRegex <string>: If specified, a regular expression the # annotation's value must match. The value must contain at least one # match for the regular expression. allowedRegex: <string> # key <string>: The required annotation. key: <string> message: <string> Esempi
all-must-have-certain-set-of-annotations
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: all-must-have-certain-set-of-annotations spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: annotations: - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$ key: a8r.io/owner - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$ key: a8r.io/runbook message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Consentito
apiVersion: v1 kind: Service metadata: annotations: a8r.io/owner: [email protected] a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks name: allowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: disallowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
K8sRequiredLabels
Etichette obbligatorie v1.0.1
Richiede che le risorse contengano etichette specificate, con valori corrispondenti alle espressioni regolari fornite.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # labels <array>: A list of labels and values the object must specify. labels: - # allowedRegex <string>: If specified, a regular expression the # annotation's value must match. The value must contain at least one # match for the regular expression. allowedRegex: <string> # key <string>: The required label. key: <string> message: <string> Esempi
all-must-have-owner
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: - "" kinds: - Namespace parameters: labels: - allowedRegex: ^[a-zA-Z]+.agilebank.demo$ key: owner message: All namespaces must have an `owner` label that points to your company username
Consentito
apiVersion: v1 kind: Namespace metadata: labels: owner: user.agilebank.demo name: allowed-namespace
Operazione non consentita
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Required Probes v1.0.1
Richiede che i pod dispongano di probe di idoneità e/o di attività.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredProbes metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # probeTypes <array>: The probe must define a field listed in `probeType` # in order to satisfy the constraint (ex. `tcpSocket` satisfies # `['tcpSocket', 'exec']`) probeTypes: - <string> # probes <array>: A list of probes that are required (ex: `readinessProbe`) probes: - <string> Esempi
must-have-probes
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredProbes metadata: name: must-have-probes spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: probeTypes: - tcpSocket - httpGet - exec probes: - readinessProbe - livenessProbe
Consentito
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: tomcat livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 80 name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: nginx:1.7.9 name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
apiVersion: v1 kind: Pod metadata: name: test-pod2 spec: containers: - image: nginx:1.7.9 livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 80 name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
K8sRequiredResources
Risorse richieste v1.0.1
Richiede che i container abbiano risorse definite. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # limits <array>: A list of limits that should be enforced (`cpu`, # `memory`, or both). limits: # Allowed Values: cpu, memory - <string> # requests <array>: A list of requests that should be enforced (`cpu`, # `memory`, or both). requests: # Allowed Values: cpu, memory - <string> Esempi
container-must-have-limits-and-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: container-must-have-limits-and-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: limits: - cpu - memory requests: - cpu - memory
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: container-must-have-cpu-requests-memory-limits-and-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: limits: - memory requests: - cpu - memory
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m memory: 2Gi
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
no-enforcements
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: no-enforcements spec: match: kinds: - apiGroups: - "" kinds: - Pod
Consentito
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
K8sRestrictAdmissionController
Restrict Admission Controller v1.0.0
Limita i controller di ammissione dinamica a quelli consentiti
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAdmissionController metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # permittedMutatingWebhooks <array>: List of permitted mutating webhooks # (mutating admission controllers) permittedMutatingWebhooks: - <string> # permittedValidatingWebhooks <array>: List of permitted validating # webhooks (validating admission controllers) permittedValidatingWebhooks: - <string> Esempi
restrict-admission-controller
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAdmissionController metadata: name: restrict-admission-controller spec: match: kinds: - apiGroups: - admissionregistration.k8s.io kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration parameters: permittedMutatingWebhooks: - allowed-mutating-webhook permittedValidatingWebhooks: - allowed-validating-webhook
Consentito
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: allowed-validating-webhook
Operazione non consentita
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: disallowed-validating-webhook
K8sRestrictAutomountServiceAccountTokens
Restrict Service Account Tokens v1.0.1
Limita l'utilizzo dei token degli account di servizio.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAutomountServiceAccountTokens metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
restrict-serviceaccounttokens
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAutomountServiceAccountTokens metadata: name: restrict-serviceaccounttokens spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod - ServiceAccount
Consentito
apiVersion: v1 kind: Pod metadata: name: allowed-example-pod spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: ServiceAccount metadata: name: disallowed-example-serviceaccount
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: disallowed-example-pod spec: automountServiceAccountToken: true containers: - image: nginx name: nginx
apiVersion: v1 automountServiceAccountToken: true kind: ServiceAccount metadata: name: allowed-example-serviceaccount
K8sRestrictLabels
Restrict Labels v1.0.2
Non consente alle risorse di contenere etichette specificate, a meno che non esista un'eccezione per la risorsa specifica.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictLabels metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exceptions <array>: Objects listed here are exempt from enforcement of # this constraint. All fields must be provided. exceptions: # <list item: object>: A single object's identification, based on group, # kind, namespace, and name. - # group <string>: The Kubernetes group of the exempt object. group: <string> # kind <string>: The Kubernetes kind of the exempt object. kind: <string> # name <string>: The name of the exempt object. name: <string> # namespace <string>: The namespace of the exempt object. For # cluster-scoped resources, use the empty string `""`. namespace: <string> # restrictedLabels <array>: A list of label keys strings. restrictedLabels: - <string> Esempi
restrict-label-example
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictLabels metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: exceptions: - group: "" kind: Pod name: allowed-example namespace: default restrictedLabels: - label-example
Consentito
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNamespaces
Restrict Namespaces v1.0.1
Impedisce alle risorse di utilizzare gli spazi dei nomi elencati nel parametro restrictedNamespaces.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNamespaces metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # restrictedNamespaces <array>: A list of Namespaces to restrict. restrictedNamespaces: - <string> Esempi
restrict-default-namespace-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNamespaces metadata: name: restrict-default-namespace-sample spec: enforcementAction: dryrun parameters: restrictedNamespaces: - default
Consentito
apiVersion: v1 kind: Pod metadata: name: allowed-example namespace: test-namespace spec: containers: - image: nginx name: nginx
Operazione non consentita
apiVersion: v1 kind: Pod metadata: name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNfsUrls
Restrict NFS URLs v1.0.1
Non consente alle risorse di contenere URL NFS, a meno che non sia specificato.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNfsUrls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedNfsUrls <array>: A list of allowed NFS URLs allowedNfsUrls: - <string> Esempi
restrict-label-example
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNfsUrls metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: allowedNfsUrls: - my-nfs-server.example.com/my-nfs-volume - my-nfs-server.example.com/my-wildcard-nfs-volume/*
Consentito
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example-nfs namespace: default spec: containers: - image: nginx name: nginx - name: test-volume nfs: path: /my-nfs-volume server: my-nfs-server.example.com
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example-nfs-wildcard namespace: default spec: containers: - image: nginx name: nginx - name: test-volume nfs: path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path server: my-nfs-server.example.com
Operazione non consentita
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example-nfs namespace: default spec: containers: - image: nginx name: nginx volumes: - name: test-volume nfs: path: /my-nfs-volume server: disallowed-nfs-server.example.com
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example-nfs-mixed namespace: default spec: containers: - image: nginx name: nginx volumes: - name: test-volume-allowed nfs: path: /my-nfs-volume server: my-nfs-server.example.com - name: test-volume-disallowed nfs: path: /my-nfs-volume server: disallowed-nfs-server.example.com
K8sRestrictRbacSubjects
Restrict RBAC Subjects v1.0.3
Limita l'utilizzo dei nomi negli oggetti RBAC ai valori consentiti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRbacSubjects metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSubjects <array>: The list of names permitted in RBAC subjects. allowedSubjects: - # name <string>: The exact-name or the pattern of the allowed subject name: <string> # regexMatch <boolean>: The flag to allow a regular expression based # match on the name. regexMatch: <boolean> Esempi
restrict-rbac-subjects
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRbacSubjects metadata: name: restrict-rbac-subjects spec: enforcementAction: dryrun match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - RoleBinding - ClusterRoleBinding parameters: allowedSubjects: - name: system:masters - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$ regexMatch: true - name: ^[email protected]$ regexMatch: true - name: ^[email protected]$ regexMatch: true
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected] - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected]
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected] - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected]
K8sRestrictRoleBindings
Restrict Role Bindings v1.0.3
Limita gli oggetti specificati in ClusterRoleBindings e RoleBinding a un elenco di oggetti consentiti.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSubjects <array>: The list of subjects that are allowed to bind to # the restricted role. allowedSubjects: - # apiGroup <string>: The Kubernetes API group of the subject. apiGroup: <string> # kind <string>: The Kubernetes kind of the subject. kind: <string> # name <string>: The name of the subject which is matched exactly as # provided as well as based on a regular expression. name: <string> # regexMatch <boolean>: The flag to allow a regular expression based # match on the name. regexMatch: <boolean> # restrictedRole <object>: The role that cannot be bound to unless # expressly allowed. restrictedRole: # apiGroup <string>: The Kubernetes API group of the role. apiGroup: <string> # kind <string>: The Kubernetes kind of the role. kind: <string> # name <string>: The name of the role. name: <string> Esempi
restrict-clusteradmin-rolebindings-sample
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings-sample spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings-regex spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: User name: ^service-[0-9][email protected]$ regexMatch: true restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sRestrictRoleRules
Limita le regole di Role e ClusterRole. v1.0.4
Limita le regole che possono essere impostate sugli oggetti Role e ClusterRole.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleRules metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedRules <array>: AllowedRules is the list of rules that are allowed # on Role or ClusterRole objects. If set, any item off this list will be # rejected. allowedRules: - # apiGroups <array>: APIGroups is the name of the APIGroup that # contains the resources. If multiple API groups are specified, any # action requested against one of the enumerated resources in any API # group will be allowed. "" represents the core API group and "*" # represents all API groups. apiGroups: - <string> # resources <array>: Resources is a list of resources this rule # applies to. '*' represents all resources. resources: - <string> # verbs <array>: Verbs is a list of Verbs that apply to ALL the # ResourceKinds contained in this rule. '*' represents all verbs. verbs: - <string> # disallowedRules <array>: DisallowedRules is the list of rules that are # NOT allowed on Role or ClusterRole objects. If set, any item on this list # will be rejected. disallowedRules: - # apiGroups <array>: APIGroups is the name of the APIGroup that # contains the resources. If multiple API groups are specified, any # action requested against one of the enumerated resources in any API # group will be disallowed. "" represents the core API group and "*" # represents all API groups. apiGroups: - <string> # resources <array>: Resources is a list of resources this rule # applies to. '*' represents all resources. resources: - <string> # verbs <array>: Verbs is a list of Verbs that apply to ALL the # ResourceKinds contained in this rule. '*' represents all verbs. verbs: - <string> # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles # names that are allowed to violate this policy. exemptions: clusterRoles: - # name <string>: Name is the name or a pattern of the ClusterRole # to be exempted. name: <string> # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs # regex match of the ClusterRole name. regexMatch: <boolean> roles: - # name <string>: Name is the name of the Role to be exempted. name: <string> # namespace <string>: Namespace is the namespace of the Role to be # exempted. namespace: <string> Esempi
restrict-pods-exec
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleRules metadata: name: restrict-pods-exec spec: enforcementAction: dryrun match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - Role - ClusterRole parameters: disallowedRules: - apiGroups: - "" resources: - pods/exec verbs: - create
Consentito
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allowed-role-example rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
Operazione non consentita
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: disallowed-cluster-role-example rules: - apiGroups: - "" resources: - pods/exec verbs: - '*'
K8sStorageClass
Classe di archiviazione v1.1.2
Richiede la specifica delle classi di archiviazione quando viene utilizzato. Sono supportati solo Gatekeeper 3.9 e versioni successive e i contenitori non effimeri.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedStorageClasses <array>: An optional allow-list of storage classes. # If specified, any storage class not in the `allowedStorageClasses` # parameter is disallowed. allowedStorageClasses: - <string> includeStorageClassesInMessage: <boolean> Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "storage.k8s.io" version: "v1" kind: "StorageClass" Esempi
storageclass
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: storageclass spec: match: kinds: - apiGroups: - "" kinds: - PersistentVolumeClaim - apiGroups: - apps kinds: - StatefulSet parameters: includeStorageClassesInMessage: true
Consentito
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ok spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: somestorageclass volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: somestorageclass provisioner: foo
apiVersion: apps/v1 kind: StatefulSet metadata: name: volumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: volumeclaimstorageclass serviceName: volumeclaimstorageclass template: metadata: labels: app: volumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: somestorageclass --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: somestorageclass provisioner: foo
Operazione non consentita
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: badstorageclass spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: badstorageclass volumeMode: Filesystem
apiVersion: apps/v1 kind: StatefulSet metadata: name: badvolumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: badvolumeclaimstorageclass serviceName: badvolumeclaimstorageclass template: metadata: labels: app: badvolumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: badstorageclass
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nostorageclass spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi volumeMode: Filesystem
apiVersion: apps/v1 kind: StatefulSet metadata: name: novolumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: novolumeclaimstorageclass serviceName: novolumeclaimstorageclass template: metadata: labels: app: novolumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi
allowed-storageclass
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: allowed-storageclass spec: match: kinds: - apiGroups: - "" kinds: - PersistentVolumeClaim - apiGroups: - apps kinds: - StatefulSet parameters: allowedStorageClasses: - allowed-storage-class includeStorageClassesInMessage: true
Consentito
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: allowed-storage-class-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: allowed-storage-class volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: allowed-storage-class provisioner: foo
Operazione non consentita
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disallowed-storage-class-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: disallowed-storage-class volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: allowed-storage-class provisioner: foo
K8sUniqueIngressHost
Host Ingress univoco v1.0.4
Richiede che tutti gli host delle regole di ingresso siano univoci. Non gestisce i caratteri jolly per i nomi host: https://kubernetes.io/docs/concepts/services-networking/ingress/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "Ingress" OR - group: "networking.k8s.io" version: "v1beta1" OR "v1" kind: "Ingress" Esempi
unique-ingress-host
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata: name: unique-ingress-host spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Consentito
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-allowed namespace: default spec: rules: - host: example-allowed-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix - host: example-allowed-host1.example.com http: paths: - backend: service: name: nginx2 port: number: 80 path: / pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-disallowed namespace: default spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix --- # Referential Data apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-example namespace: default spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-disallowed2 namespace: default spec: rules: - host: example-host2.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix - host: example-host3.example.com http: paths: - backend: service: name: nginx2 port: number: 80 path: / pathType: Prefix --- # Referential Data apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-example2 namespace: default spec: rules: - host: example-host2.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
K8sUniqueServiceSelector
Selettore di servizi univoci 1.0.2
Richiede che i servizi abbiano selettori univoci all'interno di uno spazio dei nomi. I selettori sono considerati uguali se hanno chiavi e valori identici. I selettori possono condividere una coppia chiave/valore purché esista almeno una coppia chiave/valore distinta tra di loro. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueServiceSelector metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Vincolo referenziale
Questo vincolo è referenziale. Prima dell'utilizzo, devi abilitare le limitazioni referenziali e creare una configurazione che indichi a Policy Controller quali tipi di oggetti monitorare.
Il tuo Policy Controller Config richiederà una voce syncOnly simile alla seguente:
spec: sync: syncOnly: - group: "" version: "v1" kind: "Service" Esempi
unique-service-selector
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueServiceSelector metadata: labels: owner: admin.agilebank.demo name: unique-service-selector
Consentito
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-disallowed namespace: default spec: ports: - port: 443 selector: key: other-value
Operazione non consentita
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-disallowed namespace: default spec: ports: - port: 443 selector: key: value --- # Referential Data apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-example namespace: default spec: ports: - port: 443 selector: key: value
NoUpdateServiceAccount
Bloccare l'aggiornamento dell'account di servizio v1.0.1
Blocca l'aggiornamento dell'account di servizio nelle risorse che eseguono l'astrazione dei pod. Questo criterio viene ignorato in modalità di controllo.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: NoUpdateServiceAccount metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedGroups <array>: Groups that should be allowed to bypass the # policy. allowedGroups: - <string> # allowedUsers <array>: Users that should be allowed to bypass the policy. allowedUsers: - <string> Esempi
no-update-kube-system-service-account
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: NoUpdateServiceAccount metadata: name: no-update-kube-system-service-account spec: match: kinds: - apiGroups: - "" kinds: - ReplicationController - apiGroups: - apps kinds: - ReplicaSet - Deployment - StatefulSet - DaemonSet - apiGroups: - batch kinds: - CronJob namespaces: - kube-system parameters: allowedGroups: [] allowedUsers: []
Consentito
apiVersion: apps/v1 kind: Deployment metadata: labels: app: policy-test name: policy-test namespace: kube-system spec: replicas: 1 selector: matchLabels: app: policy-test-deploy template: metadata: labels: app: policy-test-deploy spec: containers: - command: - /bin/bash - -c - sleep 99999 image: ubuntu name: policy-test serviceAccountName: policy-test-sa-1
PolicyStrictOnly
Richiedi la versione 1.0.4 del criterio mTLS Istio STRICT
Richiede che STRICT TLS reciproco Istio sia sempre specificato quando si utilizza PeerAuthentication. Questo vincolo garantisce inoltre che le risorse Policy e MeshPolicy ritirate applichino TLS reciproco STRICT. Vedi: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
peerauthentication-strict-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: peerauthentication-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - PeerAuthentication namespaces: - default
Consentito
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict namespace: default spec: mtls: mode: STRICT
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-level namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: STRICT
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-unset namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: UNSET
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: empty-mtls namespace: default spec: mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-null namespace: default spec: mtls: mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-permissive namespace: default spec: mtls: mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-permissive namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-permissive namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE "8081": mode: STRICT
deprecated-policy-strict-constraint
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: deprecated-policy-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - authentication.istio.io kinds: - Policy namespaces: - default
Consentito
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mode-strict namespace: default spec: peers: - mtls: mode: STRICT
Operazione non consentita
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-empty namespace: default spec: peers: - mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-permissive namespace: default spec: peers: - mtls: mode: PERMISSIVE
RestrictNetworkExclusions
Restrict Network Exclusions v1.0.2
Controlla quali porte in entrata, porte in uscita e intervalli IP in uscita possono essere esclusi dalla cattura della rete Istio. Le porte e gli intervalli IP che aggirano la cattura di rete di Istio non sono gestite dal proxy Istio e non sono soggette all'autenticazione mTLS di Istio, ai criteri di autorizzazione e ad altre funzionalità di Istio. Questo vincolo può essere utilizzato per applicare limitazioni all'uso delle seguenti annotazioni:
traffic.sidecar.istio.io/excludeInboundPortstraffic.sidecar.istio.io/excludeOutboundPortstraffic.sidecar.istio.io/excludeOutboundIPRanges
Consulta la pagina https://istio.io/latest/docs/reference/config/annotations/.
Quando limiti gli intervalli IP in uscita, il vincolo calcola se gli intervalli IP esclusi corrispondono o sono un sottoinsieme delle esclusioni di intervalli IP consentite.
Quando utilizzi questo vincolo, tutte le porte in entrata, le porte in uscita e gli intervalli IP in uscita devono essere sempre inclusi impostando le annotazioni "include" corrispondenti su "*" o lasciandole non impostate. Non è consentito impostare una delle seguenti annotazione su un valore diverso da "*":
traffic.sidecar.istio.io/includeInboundPortstraffic.sidecar.istio.io/includeOutboundPortstraffic.sidecar.istio.io/includeOutboundIPRanges
Questo vincolo consente sempre di escludere la porta 15020 perché l'iniettore sidecar Istio la aggiunge sempre all'annotazione traffic.sidecar.istio.io/excludeInboundPorts in modo che possa essere utilizzata per il controllo di integrità.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: RestrictNetworkExclusions metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedInboundPortExclusions <array>: A list of ports that this # constraint will allow in the # `traffic.sidecar.istio.io/excludeInboundPorts` annotation. allowedInboundPortExclusions: - <string> # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this # constraint will allow in the # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The # constraint calculates whether excluded IP ranges match or are a subset of # the ranges in this list. allowedOutboundIPRangeExclusions: - <string> # allowedOutboundPortExclusions <array>: A list of ports that this # constraint will allow in the # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation. allowedOutboundPortExclusions: - <string> Esempi
restrict-network-exclusions
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: RestrictNetworkExclusions metadata: name: restrict-network-exclusions spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedInboundPortExclusions: - "80" allowedOutboundIPRangeExclusions: - 169.254.169.254/32 allowedOutboundPortExclusions: - "8888"
Consentito
apiVersion: v1 kind: Pod metadata: labels: app: nginx name: nothing-excluded spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeInboundPorts: "80" traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/excludeOutboundPorts: "8888" labels: app: nginx name: allowed-port-and-ip-exclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/includeOutboundIPRanges: '*' labels: app: nginx name: all-ip-ranges-included-with-one-allowed-ip-excluded spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/includeInboundPorts: '*' traffic.sidecar.istio.io/includeOutboundIPRanges: '*' traffic.sidecar.istio.io/includeOutboundPorts: '*' labels: app: nginx name: everything-included-with-no-exclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
Operazione non consentita
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24 labels: app: nginx name: disallowed-ip-range-exclusion spec: containers: - image: nginx name: nginx ports: - containerPort: 80 - containerPort: 443
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24 labels: app: nginx name: one-disallowed-ip-exclusion-and-one-allowed-exclusion spec: containers: - image: nginx name: nginx ports: - containerPort: 80 - containerPort: 443
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/includeInboundPorts: 80,443 traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/includeOutboundPorts: "8888" labels: app: nginx name: disallowed-specific-port-and-ip-inclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
SourceNotAllAuthz
Richiedi l'origine AuthorizationPolicy di Istio non tutte le versioni 1.0.1
Richiede che le regole AuthorizationPolicy di Istio abbiano entità di origine impostate su un valore diverso da "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: SourceNotAllAuthz metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Esempi
vincolo-authz-sourcenotall
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: SourceNotAllAuthz metadata: name: sourcenotall-authz-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Consentito
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-good namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
Operazione non consentita
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-dne namespace: foo spec: rules: - from: - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-all namespace: foo spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-someall namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
VerifyDeprecatedAPI
Verifica API deprecate v1.0.0
Verifica le API Kubernetes deprecate per assicurarti che tutte le versioni dell'API siano aggiornate. Questo modello non si applica al controllo, in quanto quest'ultimo esamina le risorse già presenti nel cluster con versioni API non ritirate.
Schema del vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # k8sVersion <number>: kubernetes version k8sVersion: <number> # kvs <array>: Deprecated api versions and corresponding kinds kvs: - # deprecatedAPI <string>: deprecated api deprecatedAPI: <string> # kinds <array>: impacted list of kinds kinds: - <string> # targetAPI <string>: target api targetAPI: <string> Esempi
verify-1.16
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.16 spec: match: kinds: - apiGroups: - apps kinds: - Deployment - ReplicaSet - StatefulSet - DaemonSet - apiGroups: - extensions kinds: - PodSecurityPolicy - ReplicaSet - Deployment - DaemonSet - NetworkPolicy parameters: k8sVersion: 1.16 kvs: - deprecatedAPI: apps/v1beta1 kinds: - Deployment - ReplicaSet - StatefulSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - ReplicaSet - Deployment - DaemonSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - PodSecurityPolicy targetAPI: policy/v1beta1 - deprecatedAPI: apps/v1beta2 kinds: - ReplicaSet - StatefulSet - Deployment - DaemonSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - NetworkPolicy targetAPI: networking.k8s.io/v1
Consentito
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Operazione non consentita
apiVersion: apps/v1beta1 kind: Deployment metadata: labels: app: nginx name: disallowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
verify-1.22
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.22 spec: match: kinds: - apiGroups: - admissionregistration.k8s.io kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration - apiGroups: - apiextensions.k8s.io kinds: - CustomResourceDefinition - apiGroups: - apiregistration.k8s.io kinds: - APIService - apiGroups: - authentication.k8s.io kinds: - TokenReview - apiGroups: - authorization.k8s.io kinds: - SubjectAccessReview - apiGroups: - certificates.k8s.io kinds: - CertificateSigningRequest - apiGroups: - coordination.k8s.io kinds: - Lease - apiGroups: - extensions - networking.k8s.io kinds: - Ingress - apiGroups: - networking.k8s.io kinds: - IngressClass - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole - ClusterRoleBinding - Role - RoleBinding - apiGroups: - scheduling.k8s.io kinds: - PriorityClass - apiGroups: - storage.k8s.io kinds: - CSIDriver - CSINode - StorageClass - VolumeAttachment parameters: k8sVersion: 1.22 kvs: - deprecatedAPI: admissionregistration.k8s.io/v1beta1 kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration targetAPI: admissionregistration.k8s.io/v1 - deprecatedAPI: apiextensions.k8s.io/v1beta1 kinds: - CustomResourceDefinition targetAPI: apiextensions.k8s.io/v1 - deprecatedAPI: apiregistration.k8s.io/v1beta1 kinds: - APIService targetAPI: apiregistration.k8s.io/v1 - deprecatedAPI: authentication.k8s.io/v1beta1 kinds: - TokenReview targetAPI: authentication.k8s.io/v1 - deprecatedAPI: authorization.k8s.io/v1beta1 kinds: - SubjectAccessReview targetAPI: authorization.k8s.io/v1 - deprecatedAPI: certificates.k8s.io/v1beta1 kinds: - CertificateSigningRequest targetAPI: certificates.k8s.io/v1 - deprecatedAPI: coordination.k8s.io/v1beta1 kinds: - Lease targetAPI: coordination.k8s.io/v1 - deprecatedAPI: extensions/v1beta1 kinds: - Ingress targetAPI: networking.k8s.io/v1 - deprecatedAPI: networking.k8s.io/v1beta1 kinds: - Ingress - IngressClass targetAPI: networking.k8s.io/v1 - deprecatedAPI: rbac.authorization.k8s.io/v1beta1 kinds: - ClusterRole - ClusterRoleBinding - Role - RoleBinding targetAPI: rbac.authorization.k8s.io/v1 - deprecatedAPI: scheduling.k8s.io/v1beta1 kinds: - PriorityClass targetAPI: scheduling.k8s.io/v1 - deprecatedAPI: storage.k8s.io/v1beta1 kinds: - CSIDriver - CSINode - StorageClass - VolumeAttachment targetAPI: storage.k8s.io/v1
Consentito
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / name: allowed-ingress spec: ingressClassName: nginx-example rules: - http: paths: - backend: service: name: test port: number: 80 path: /testpath pathType: Prefix
Operazione non consentita
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / name: disallowed-ingress spec: ingressClassName: nginx-example rules: - http: paths: - backend: service: name: test port: number: 80 path: /testpath pathType: Prefix
verify-1.25
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.25 spec: match: kinds: - apiGroups: - batch kinds: - CronJob - apiGroups: - discovery.k8s.io kinds: - EndpointSlice - apiGroups: - events.k8s.io kinds: - Event - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler - apiGroups: - policy kinds: - PodDisruptionBudget - PodSecurityPolicy - apiGroups: - node.k8s.io kinds: - RuntimeClass parameters: k8sVersion: 1.25 kvs: - deprecatedAPI: batch/v1beta1 kinds: - CronJob targetAPI: batch/v1 - deprecatedAPI: discovery.k8s.io/v1beta1 kinds: - EndpointSlice targetAPI: discovery.k8s.io/v1 - deprecatedAPI: events.k8s.io/v1beta1 kinds: - Event targetAPI: events.k8s.io/v1 - deprecatedAPI: autoscaling/v2beta1 kinds: - HorizontalPodAutoscaler targetAPI: autoscaling/v2 - deprecatedAPI: policy/v1beta1 kinds: - PodDisruptionBudget targetAPI: policy/v1 - deprecatedAPI: policy/v1beta1 kinds: - PodSecurityPolicy targetAPI: None - deprecatedAPI: node.k8s.io/v1beta1 kinds: - RuntimeClass targetAPI: node.k8s.io/v1
Consentito
apiVersion: batch/v1 kind: CronJob metadata: name: allowed-cronjob namespace: default spec: jobTemplate: spec: template: spec: containers: - command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster image: busybox:1.28 imagePullPolicy: IfNotPresent name: hello restartPolicy: OnFailure schedule: '* * * * *'
Operazione non consentita
apiVersion: batch/v1beta1 kind: CronJob metadata: name: disallowed-cronjob namespace: default spec: jobTemplate: spec: template: spec: containers: - command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster image: busybox:1.28 imagePullPolicy: IfNotPresent name: hello restartPolicy: OnFailure schedule: '* * * * *'
verify-1.26
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.26 spec: match: kinds: - apiGroups: - flowcontrol.apiserver.k8s.io kinds: - FlowSchema - PriorityLevelConfiguration - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler parameters: k8sVersion: 1.26 kvs: - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1 kinds: - FlowSchema - PriorityLevelConfiguration targetAPI: flowcontrol.apiserver.k8s.io/v1beta3 - deprecatedAPI: autoscaling/v2beta2 kinds: - HorizontalPodAutoscaler targetAPI: autoscaling/v2
Consentito
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 kind: FlowSchema metadata: name: allowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
Operazione non consentita
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1 kind: FlowSchema metadata: name: disallowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
verify-1.27
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.27 spec: match: kinds: - apiGroups: - storage.k8s.io kinds: - CSIStorageCapacity parameters: k8sVersion: 1.27 kvs: - deprecatedAPI: storage.k8s.io/v1beta1 kinds: - CSIStorageCapacity targetAPI: storage.k8s.io/v1
Consentito
apiVersion: storage.k8s.io/v1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity storageClassName: standard
Operazione non consentita
apiVersion: storage.k8s.io/v1beta1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity namespace: default storageClassName: standard
verify-1.29
Vincolo
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.29 spec: match: kinds: - apiGroups: - flowcontrol.apiserver.k8s.io kinds: - FlowSchema - PriorityLevelConfiguration parameters: k8sVersion: 1.29 kvs: - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2 kinds: - FlowSchema - PriorityLevelConfiguration targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Consentito
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 kind: FlowSchema metadata: name: allowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
Operazione non consentita
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2 kind: FlowSchema metadata: name: disallowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
Passaggi successivi
- Scopri di più su Policy Controller
- Installa Policy Controller
- Scopri come utilizzare i vincoli anziché i PodSecurityPolicy
- Visualizza la libreria open source dei modelli di vincolo nel repository gatekeeper-library