Os modelos de restrição permitem definir como uma restrição funciona, mas delegar a definição das especificidades da restrição a um indivíduo ou grupo com experiência no assunto. Além de separar as preocupações, isso também separa a lógica da restrição de sua definição.
Todas as restrições contêm uma seção match, que define os objetos aos quais uma restrição se aplica. Para detalhes sobre como configurar essa seção, consulte a seção de correspondência de restrição.
Nem todos os modelos de restrição estão disponíveis para todas as versões do Policy Controller, e os modelos podem mudar entre as versões. Use os links abaixo para comparar as restrições das versões com suporte:
Links para versões anteriores desta página
Para garantir que você receba suporte total, recomendamos usar modelos de restrição de uma versão com suporte do Policy Controller.
Para ajudar você a ver como os modelos de restrição funcionam, cada modelo inclui um exemplo de restrição e um recurso que viola a restrição.
Modelos de restrição disponíveis
| Modelo de restrição | Descrição | Referencial |
|---|---|---|
| AllowedServicePortName | Exige que os nomes das portas de serviço tenham um prefixo de uma lista especificada. | Não |
| AsmAuthzPolicyDefaultDeny | Aplique a política de negação de autorização padrão na malha. Consulte https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. | Sim |
| AsmAuthzPolicyDisallowedPrefix | Requer que os principais e os namespaces nas regras "AuthorizationPolicy" do Istio não tenham o prefixo de uma lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Não |
| AsmAuthzPolicyEnforceSourcePrincipals | Requer que o campo "from" da AuthorizationPolicy do Istio, quando definido, tenha princípios de origem, que precisam ser definidos como algo diferente de "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Não |
| AsmAuthzPolicyNormalization | Aplicar a normalização de AuthorizationPolicy. Consulte https://istio.io/latest/docs/reference/config/security/normalization/. | Não |
| AsmAuthzPolicySafePattern | Aplicar os padrões seguros do AuthorizationPolicy. Consulte https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. | Não |
| AsmIngressgatewayLabel | Aplique o uso do rótulo ingressgateway do istio apenas nos pods do ingressgateway. | Não |
| AsmPeerAuthnMeshStrictMtls | Aplique o peering de mtls restrito na malha. Consulte https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Sim |
| AsmPeerAuthnStrictMtls | A aplicação de todos os PeerAuthentications não pode substituir mtls rígidos. Consulte https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | Não |
| AsmRequestAuthnProhibitedOutputHeaders | Em RequestAuthentication, aplique o campo `jwtRules.outPayloadToHeader` para não conter cabeçalhos de solicitação HTTP conhecidos ou cabeçalhos proibidos personalizados. Referência a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. | Não |
| AsmSidecarInjection | Aplique o arquivo secundário do proxy do Istio que sempre foi injetado nos pods de carga de trabalho. | Não |
| DestinationRuleTLSEnabled | Proíbe a desativação do TLS para todos os hosts e subconjuntos de hosts no Istio DestinationRules. | Não |
| DisallowedAuthzPrefix | Requer que os principais e os namespaces nas regras "AuthorizationPolicy" do Istio não tenham o prefixo de uma lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Não |
| GCPStorageLocationConstraintV1 | Restringe o "locations" permitido para recursos do Storagebucket Config Connector à lista de locais fornecidos na restrição. Os nomes de bucket na lista "exemptions" estão isentos. | Não |
| GkeSpotVMTerminationGrace | Exige que pods e modelos de pod com "nodeSelector" ou "nodeAfffinty" de "gke-spot" tenham um "terminationGracePeriodSeconds" de 15s ou menos. | Sim |
| K8sAllowedRepos | Requer imagens de contêiner para começar com uma string da lista especificada. | Não |
| K8sAvoidUseOfSystemMastersGroup | Bloqueia o uso do grupo "system:masters". Não tem efeito durante a auditoria. | Não |
| K8sBlockAllIngress | Não permite a criação de objetos Ingress (tipos "Ingress", "Gateway" e "Serviço" de "NodePort" e "LoadBalancer"). | Não |
| K8sBlockCreationWithDefaultServiceAccount | Não permite a criação de recursos usando uma conta de serviço padrão. Não tem efeito durante a auditoria. | Não |
| K8sBlockEndpointEditDefaultRole | Por padrão, muitas instalações do Kubernetes têm um ClusterRole system:aggregate-to-edit que não restringe corretamente o acesso à edição do Endpoints. Esse ConstraintTemplate impede que o ClusterRole system:aggregate-to-edit conceda permissão para criar/patch/atualizar endpoints. ClusterRole/system:aggregate-to-edit não deve permitir permissões de edição de endpoint devido à CVE-2021-25740, que as permissões de Endpoint e EndpointSlice permitem encaminhamento de namespace https://github.com/kubernetes/kubernetes/issues/103675 | Não |
| K8sBlockLoadBalancer | Não permite todos os serviços com o tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | Não |
| K8sBlockNodePort | Não permite todos os Serviços do tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | Não |
| K8sBlockObjectsOfType | Não permite o objeto de tipos proibidos. | Não |
| K8sBlockProcessNamespaceSharing | Proíbe as especificações do pod com "shareProcessNamespace" definido como "true". Isso evita cenários em que todos os contêineres em um pod compartilham um namespace de PID e podem acessar o sistema de arquivos e a memória uns dos outros. | Não |
| K8sBlockWildcardIngress | Os usuários não devem criar entradas com um nome do host em branco ou curinga (*), porque isso permitiria a interceptação do tráfego de outros serviços no cluster, mesmo que eles não tenham acesso a esses serviços. | Não |
| K8sContainerEphemeralStorageLimit | Exige que os contêineres tenham um limite de armazenamento temporário definido e que o limite esteja dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Não |
| K8sContainerLimits | Requer que os limites da memória e da CPU sejam definidos e que os limites fiquem dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Não |
| K8sContainerRatios | Define uma proporção máxima de limites de recursos do contêiner para solicitações. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Não |
| K8sContainerRequests | Requer que os limites da memória e da CPU sejam definidos e que os limites fiquem dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Não |
| K8sCronJobAllowedRepos | Requer imagens de contêiner de CronJobs para começar com uma string da lista especificada. | Não |
| K8sDisallowAnonymous | Não permite associar recursos ClusterRole e Role ao usuário system:anonymous e ao grupo system:unauthenticated. | Não |
| K8sDisallowInteractiveTTY | Exige que os objetos tenham os campos "spec.tty" e "spec.stdin" definidos como "false" ou não definidos. | Não |
| K8sDisallowedRepos | Repositórios de contêiner não permitidos que começam com uma string da lista especificada. | Não |
| K8sDisallowedRoleBindingSubjects | Proíbe RoleBindings ou ClusterRoleBindings com assuntos correspondentes a qualquer "disallowedSubjects" transmitido como parâmetros. | Não |
| K8sDisallowedTags | Requer que as imagens de contêiner tenham uma tag de imagem diferente daquelas na lista especificada. https://kubernetes.io/docs/concepts/containers/images/#image-names | Não |
| K8sEmptyDirHasSizeLimit | Requer que qualquer volume `emptyDir` especifique um `sizeLimit`. Opcionalmente, um parâmetro `maxSizeLimit` pode ser fornecido na restrição para especificar um limite de tamanho máximo permitido. | Não |
| K8sEnforceCloudArmorBackendConfig | Aplica a configuração do Cloud Armor aos recursos do BackendConfig | Não |
| K8sEnforceConfigManagement | Requer a presença e operação do gerenciamento de configuração. As restrições que usam esse "ConstraintTemplate" serão auditadas somente, independentemente do valor de "enforcementAction". | Sim |
| K8sExternalIPs | Restringe os IPIPs de serviço a uma lista de endereços IP permitidos. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | Não |
| K8sHorizontalPodAutoscaler | Não permita os cenários a seguir ao implantar `HorizontalPodAutoscalers` 1. Implantação de HorizontalPodAutoscalers com `.spec.minReplicas` ou `.spec.maxReplicas` fora dos intervalos definidos na restrição 2. Implantação de HorizontalPodAutoscalers em que a diferença entre ".spec.minReplicas" e ".spec.maxReplicas" é menor que o "minimumReplicaSpread" configurado 3. Implantação de HorizontalPodAutoscalers que não fazem referência a um `scaleTargetRef` válido (por exemplo, Deployment, ReplicationController, ReplicaSet, StatefulSet). | Sim |
| K8sHttpsOnly | Exige que os recursos do Ingress sejam somente HTTPS. Os recursos de entrada precisam incluir a anotação "kubernetes.io/ingress.allow-http", definida como "false". Por padrão, uma configuração válida de {} TLS é necessária. Para tornar isso opcional, defina o parâmetro "tlsOptional" como "true". https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | Não |
| K8sImageDigests | Requer imagens de contêiner para conter um resumo. https://kubernetes.io/docs/concepts/containers/images/ | Não |
| K8sLocalStorageRequireSafeToEvict | Requer que os pods que usam armazenamento local ("emptyDir" ou "hostPath") tenham a anotação "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". O escalonador automático de cluster não excluirá pods sem essa anotação. | Não |
| K8sMemoryRequestEqualsLimit | Promove a estabilidade do pod ao exigir que a memória solicitada de todos os contêineres seja exatamente igual ao limite de memória. Assim, os pods nunca ficam em um estado em que o uso da memória excede a quantidade solicitada. Caso contrário, o Kubernetes poderá encerrar pods que solicitam memória extra se a memória for necessária no nó. | Não |
| K8sNoEnvVarSecrets | Proíbe secrets como variáveis de ambiente nas definições de contêiner do pod. Em vez disso, use arquivos secretos montados em volumes de dados: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | Não |
| K8sNoExternalServices | Proíbe a criação de recursos conhecidos que expõem cargas de trabalho a IPs externos. Isso inclui os recursos de gateway do Istio e do Ingress do Kubernetes. Os serviços do Kubernetes também não são permitidos, a menos que atendam aos seguintes critérios: Qualquer serviço do tipo "LoadBalancer" no Google Cloud precisa ter uma anotação `"networking.gke.io/load-balancer-type": "Internal". Qualquer serviço do tipo "LoadBalancer" na AWS precisa ter uma anotação "service.beta.kubernetes.io/aws-load-balancer-internal: "true". Qualquer "IP externo" (externo ao cluster) vinculado ao Serviço precisa ser membro de um intervalo de CIDRs internos, conforme fornecido à restrição. | Não |
| K8sPSPAllowPrivilegeEscalationContainer | Controla a restrição do encaminhamento a privilégios de raiz. Corresponde ao campo "allowPrivilegeEscalation" em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged-escalation | Não |
| K8sPSPAllowedUsers | Controla os códigos do usuário e do grupo do contêiner e de alguns volumes. Corresponde aos campos `runAsUser`, `runAsGroup`, `supplementalGroups` e `fsGroup` em um PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups | Não |
| K8sPSPAppArmor | Configura uma lista de permissões de perfis do AppArmor para uso por contêineres. Isso corresponde a anotações específicas aplicadas a uma PodSecurityPolicy Para saber mais sobre o AppArmor, consulte https://kubernetes.io/docs/tutorials/clusters/apparmor/ | Não |
| K8sPSPAutomountServiceAccountTokenPod | Controla a capacidade de qualquer pod de ativar automountServiceAccountToken. | Não |
| K8sPSPCapabilities | Controla os recursos do Linux em contêineres. Corresponde aos campos "allowedCapabilities" e "requiredDropCapabilities" em um PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#features | Não |
| K8sPSPFSGroup | Controla a alocação de um FSGroup que é proprietário dos volumes do pod. Corresponde ao campo "fsGroup" em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês) | Não |
| K8sPSPFlexVolumes | Controla a lista de permissões de drivers FlexVolume. Corresponde ao campo "allowedFlexVolumes" em PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers | Não |
| K8sPSPForbiddenSysctls | Controla o perfil de sysctl usado pelos contêineres. Corresponde aos campos "allowedUnsafeSysctls" e "forbiddenSysctls" em um PodSecurityPolicy. Quando especificado, qualquer sysctl que não esteja no parâmetro "allowedSysctls" é considerado proibido. O parâmetro "forbiddenSysctls" tem precedência sobre o parâmetro "allowedSysctls". Para saber mais, consulte https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | Não |
| K8sPSPHostFilesystem | Controla o uso do sistema de arquivos do host. Corresponde ao campo "allowedHostPaths" em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês) | Não |
| K8sPSPHostNamespace | Não permite o compartilhamento de namespaces PID de host e IPC por contêineres de pod. Corresponde aos campos "hostPID" e "hostIPC" em um PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | Não |
| K8sPSPHostNetworkingPorts | Controla o uso de namespace da rede do host por contêineres de pod. As portas precisam ser especificadas. Corresponde aos campos "hostNetwork" e "hostPorts" em um PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | Não |
| K8sPSPPrivilegedContainer | Controla a capacidade de qualquer contêiner de ativar o modo privilegiado. Corresponde ao campo "privileged" em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged | Não |
| K8sPSPProcMount | Controla os tipos "procMount" permitidos para o contêiner. Corresponde ao campo "allowedProcMountTypes" em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes | Não |
| K8sPSPReadOnlyRootFilesystem | Exige o uso de um sistema de arquivos raiz somente leitura por contêineres de pod. Corresponde ao campo "readOnlyRootFilesystem" em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês) | Não |
| K8sPSPSELinuxV2 | Define uma lista de permissões de configurações seLinuxOptions para contêineres de pod. Corresponde a um PodSecurityPolicy que requer configurações do SELinux. Saiba mais em https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux | Não |
| K8sPSPSeccomp | Controla o perfil seccomp usado pelos contêineres. Corresponde à anotação "seccomp.security.alpha.kubernetes.io/allowedProfileNames" em um PodSecurityPolicy. Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | Não |
| K8sPSPVolumeTypes | Restringe os tipos de volume montáveis para aqueles especificados pelo usuário. Corresponde ao campo "volumes" em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês) | Não |
| K8sPSPWindowsHostProcess | Restringe a execução de contêineres / pods do HostProcess do Windows. Para mais informações, consulte https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/. | Não |
| K8sPSSRunAsNonRoot | Requer que contêineres sejam executados como usuários não raiz. Para mais informações, consulte https://kubernetes.io/docs/concepts/security/pod-security-standards/ | Não |
| K8sPodDisruptionBudget | Não permita os seguintes cenários ao implantar PodDisruptionBudgets ou recursos que implementam o sub-recurso de réplica (por exemplo, Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Implantação de PodDisruptionBudgets com .spec.maxUnavailable == 0 2. Implantação de PodDisruptionBudgets com .spec.minAvailable == .spec.replicas do recurso com sub-recurso de réplica. Isso impedirá que PodDisruptionBudgets bloqueie interrupções voluntárias, como a drenagem de nós. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | Sim |
| K8sPodResourcesBestPractices | Requer que os contêineres não estejam configurados para o melhor esforço (configurando solicitações de CPU e memória) e sigam as práticas recomendadas de burst (a solicitação de memória precisa ter o mesmo limite). Como opção, as chaves de anotação podem ser configuradas para permitir que várias validações sejam puladas. | Não |
| K8sPodsRequireSecurityContext | Requer que todos os pods definam securityContext. Requer que todos os contêineres definidos em pods tenham um SecurityContext definido no nível do pod ou do contêiner. | Não |
| K8sProhibitRoleWildcardAccess | Requer que Roles e ClusterRoles não definam o acesso a recursos com um caractere curinga ("*"), exceto os Roles e ClusterRoles isentos fornecidos como isenções. Não restringe o acesso do caractere curinga a sub-recursos, como "*/status". | Não |
| K8sReplicaLimits | Requer que objetos com o campo "spec.replicas" (implantações, ReplicaSets etc.) especifiquem várias réplicas dentro dos intervalos definidos. | Não |
| K8sRequireAdmissionController | Requer admissão de segurança de pods ou um sistema de controle de política externo | Sim |
| K8sRequireBinAuthZ | Requer a autorização binária que valida o webhook de admissão. As restrições que usam esse "ConstraintTemplate" serão auditadas somente, independentemente do valor de "enforcementAction". | Sim |
| K8sRequireCosNodeImage | Aplica o uso do SO Container-Optimized do Google em nós. | Não |
| K8sRequireDaemonsets | Exige a lista de daemonsets especificados como presente. | Sim |
| K8sRequireDefaultDenyEgressPolicy | Exige que cada namespace definido no cluster tenha uma NetworkPolicy de negação padrão para saída. | Sim |
| K8sRequireNamespaceNetworkPolicies | Requer que cada namespace definido no cluster tenha uma NetworkPolicy. | Sim |
| K8sRequireValidRangesForNetworks | Aplica quais blocos CIDR são permitidos para entrada e saída de rede. | Não |
| K8sRequiredAnnotations | Exige recursos para conter anotações especificadas, com valores correspondentes às expressões regulares fornecidas. | Não |
| K8sRequiredLabels | Exige recursos com rótulos especificados, com valores correspondentes às expressões regulares fornecidas. | Não |
| K8sRequiredProbes | Requer que os pods tenham sondagens de preparo e/ou atividade. | Não |
| K8sRequiredResources | Requer que os contêineres tenham recursos definidos. https://kubernetes.io/docs/Escolhas/configuration/manage-resources-containers/ | Não |
| K8sRestrictAdmissionController | Restringir os controladores de admissão dinâmica aos permitidos | Não |
| K8sRestrictAutomountServiceAccountTokens | Restringe o uso de tokens de contas de serviço. | Não |
| K8sRestrictLabels | Não permite que os recursos contenham rótulos especificados, a menos que haja uma exceção para o recurso específico. | Não |
| K8sRestrictNamespaces | Restringe o uso de namespaces listados no parâmetro restrictedNamespaces. | Não |
| K8sRestrictNfsUrls | Não permite que os recursos contenham URLs NFS, a menos que especificado de outra forma. | Não |
| K8sRestrictRbacSubjects | Restringe o uso de nomes nos assuntos do RBAC a valores permitidos. | Não |
| K8sRestrictRoleBindings | Restringe os assuntos especificados em ClusterRoleBindings e RoleBindings para uma lista de assuntos permitidos. | Não |
| K8sRestrictRoleRules | Restringe regras que podem ser definidas em objetos Role e ClusterRole. | Não |
| K8sStorageClass | Requer que as classes de armazenamento sejam especificadas quando usadas. Apenas contêineres não temporários e do Gatekeeper 3.9+ são compatíveis. | Sim |
| K8sUniqueIngressHost | Exige que todos os hosts de regra de entrada sejam exclusivos. Não lida com caracteres curinga de nome do host: https://kubernetes.io/docs/concepts/services-networking/ingress/ | Sim |
| K8sUniqueServiceSelector | Requer que os Serviços tenham seletores exclusivos em um namespace. Os seletores são considerados os mesmos se tiverem chaves e valores idênticos. Os seletores podem compartilhar um par de chave-valor, desde que haja pelo menos um par de chave-valor diferente entre eles. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a- serviço | Sim |
| NoUpdateServiceAccount | Bloqueia a atualização da conta de serviço em recursos que abstraem os pods. Esta política é ignorada no modo de auditoria. | Não |
| PolicyStrictOnly | Exige que o TLS mútuo "STRICT" do Istio seja sempre especificado ao usar [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). Essa restrição também garante que os recursos obsoletos [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) e MeshPolicy apliquem o TLS mútuo "STRICT". Consulte: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh | Não |
| RestrictNetworkExclusions | Controla quais portas de entrada, portas de saída e intervalos de IP de saída podem ser excluídos da captura de rede do Istio. As portas e os intervalos de IP que ignoram a captura de rede do Istio não são processados pelo proxy do Istio e não estão sujeitos à autenticação mTLS do Istio, política de autorização e outros recursos do Istio. Essa restrição pode ser usada para aplicar restrições ao uso destas anotações:
Consulte https://istio.io/latest/docs/reference/config/annotations/. Ao restringir os intervalos de IP de saída, a restrição calcula se os intervalos de IP excluídos correspondem ou são um subconjunto das exclusões de intervalos de IP permitidos. Ao usar essa restrição, todas as portas de entrada e intervalos de IP de saída sempre precisarão ser incluídos com a definição das anotações "include" correspondentes como "*" ou sem definição. Não é permitido definir qualquer uma das anotações abaixo como algo diferente de `"*"`:
Essa restrição sempre permite que a porta 15020 seja excluída porque o injetor do sidecar do Istio sempre a adiciona à anotação | Não |
| SourceNotAllAuthz | Requer que as regras de autorização de Istio tenham principais de origem definidas para algo diferente de "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | Não |
| Verificar API descontinuada | Verifica as APIs descontinuadas do Kubernetes para garantir que todas as versões da API estejam atualizadas. Esse modelo não se aplica à auditoria, porque a auditoria analisa os recursos que já estão presentes no cluster com versões não descontinuadas da API. | Não |
AllowedServicePortName
Nomes de porta de serviço permitidos na v1.0.1
Exige que os nomes das portas de serviço tenham um prefixo de uma lista especificada.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AllowedServicePortName metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # prefixes <array>: Prefixes of allowed service port names. prefixes: - <string> Exemplos
port-name-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AllowedServicePortName metadata: name: port-name-constraint spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Service parameters: prefixes: - http- - http2- - grpc- - mongo- - redis- - tcp-
Permitido
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-http spec: ports: - name: http-helloport port: 5000 selector: app: helloworld
Não permitido
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-tcp spec: ports: - name: foo-helloport port: 5000 selector: app: helloworld
apiVersion: v1 kind: Service metadata: labels: app: helloworld name: port-name-bad spec: ports: - name: helloport port: 5000 selector: app: helloworld
AsmAuthzPolicyDefaultDeny
Negação padrão de AuthorizationPolicy do ASM v1.0.4
Aplique a política de negação de autorização padrão na malha. Consulte https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # rootNamespace <string>: Anthos Service Mesh root namespace, default value # is "istio-system" if not specified. rootNamespace: <string> # strictnessLevel <string>: Level of AuthorizationPolicy strictness. # Allowed Values: Low, High strictnessLevel: <string> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "security.istio.io" version: "v1beta1" kind: "AuthorizationPolicy" Exemplos
asm-authz-policy-default-deny-with-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-no-action namespace: istio-system spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-with-action namespace: istio-system spec: action: ALLOW
Não permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: istio-system strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: not-default-deny namespace: istio-system spec: action: DENY rules: - to: - operation: notMethods: - GET - POST
asm-authz-policy-default-deny-no-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-no-action namespace: istio-system spec: null
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: default-deny-with-action namespace: istio-system spec: action: ALLOW
Não permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDefaultDeny metadata: name: asm-authz-policy-default-deny-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: not-default-deny namespace: istio-system spec: action: DENY rules: - to: - operation: notMethods: - GET - POST
AsmAuthzPolicyDisallowedPrefix
Prefixos não permitidos de AuthorizationPolicy do ASM v1.0.2
Requer que os principais e os namespaces nas regras AuthorizationPolicy do Istio não tenham o prefixo de uma lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDisallowedPrefix metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces. disallowedNamespacePrefixes: - <string> # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals. disallowedPrincipalPrefixes: - <string> Exemplos
asm-authz-policy-disallowed-prefix-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyDisallowedPrefix metadata: name: asm-authz-policy-disallowed-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedNamespacePrefixes: - bad-ns-prefix - worse-ns-prefix disallowedPrincipalPrefixes: - bad-principal-prefix - worse-principal-prefix
Permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: valid-authz-policy spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test selector: matchLabels: app: httpbin
Não permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-principal spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/worse-principal-prefix-sleep - source: namespaces: - test selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - bad-ns-prefix-test selector: matchLabels: app: httpbin
AsmAuthzPolicyEnforceSourcePrincipals
Principais de aplicação de AuthorizationPolicy do ASM v1.0.2
Requer que o campo "from" da AuthorizationPolicy do Istio, quando definido, tenha princípios de origem, que precisam ser definidos como algo diferente de "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyEnforceSourcePrincipals metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
asm-authz-policy-enforce-source-principals-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyEnforceSourcePrincipals metadata: name: asm-authz-policy-enforce-source-principals-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: valid-authz-policy spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
Não permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: no-source-principals spec: rules: - from: - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-wildcard spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-contains-wildcard spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin
AsmAuthzPolicyNormalization
Normalização de AuthorizationPolicy do ASM v1.0.2
Aplicar a normalização de AuthorizationPolicy. Consulte https://istio.io/latest/docs/reference/config/security/normalization/.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyNormalization metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
asm-authz-policy-normalization-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicyNormalization metadata: name: asm-authz-policy-normalization-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy spec: action: ALLOW rules: - to: - operation: methods: - GET paths: - /test/foo - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Agent] values: - Mozilla/* selector: matchLabels: app: httpbin
Não permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-method-lowercase spec: action: ALLOW rules: - to: - operation: methods: - get selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-request-header-whitespace spec: action: ALLOW rules: - to: - operation: methods: - GET - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Ag ent] values: - Mozilla/* selector: matchLabels: app: httpbin
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: path-unnormalized spec: action: ALLOW rules: - to: - operation: methods: - GET paths: - /test\/foo - when: - key: source.ip values: - 10.1.2.3 - 10.2.0.0/16 - key: request.headers[User-Agent] values: - Mozilla/* selector: matchLabels: app: httpbin
AsmAuthzPolicySafePattern
Padrões seguros de AuthorizationPolicy do ASM v1.0.4
Aplicar os padrões seguros do AuthorizationPolicy. Consulte https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicySafePattern metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # strictnessLevel <string>: Level of AuthorizationPolicy strictness. # Allowed Values: Low, High strictnessLevel: <string> Exemplos
asm-authz-policy-safe-pattern-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmAuthzPolicySafePattern metadata: name: asm-authz-policy-safe-pattern-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: strictnessLevel: High
Permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy-istio-ingress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good-authz-policy-asm-ingress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: asm: ingressgateway
Não permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: hosts-on-noningress spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: invalid-hosts spec: action: ALLOW rules: - to: - operation: hosts: - test.com methods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-negative-match spec: action: ALLOW rules: - to: - operation: hosts: - test.com - test.com:* notMethods: - GET selector: matchLabels: istio: ingressgateway
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-positive-match spec: action: DENY rules: - to: - operation: hosts: - test.com - test.com:* methods: - GET selector: matchLabels: istio: ingressgateway
AsmIngressgatewayLabel
Rótulo do gateway de entrada do ASM v1.0.3
Aplique o uso do rótulo ingressgateway do istio apenas nos pods do ingressgateway.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmIngressgatewayLabel metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
asm-ingressgateway-label-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmIngressgatewayLabel metadata: name: asm-ingressgateway-label-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: istio name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: labels: app: istio-ingressgateway istio: ingressgateway name: istio-ingressgateway spec: containers: - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: labels: app: asm-ingressgateway asm: ingressgateway name: asm-ingressgateway spec: containers: - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep
apiVersion: v1 kind: Pod metadata: labels: app: sleep asm: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep
apiVersion: v1 kind: Pod metadata: labels: app: sleep istio: ingressgateway name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
AsmPeerAuthnMeshStrictMtls
mTLS rigorosa da malha de autenticação de par do ASM v1.0.4
Aplique o peering de mtls restrito na malha. Consulte https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # rootNamespace <string>: Anthos Service Mesh root namespace, default value # is "istio-system" if not specified. rootNamespace: <string> # strictnessLevel <string>: Level of PeerAuthentication strictness. # Allowed Values: Low, High strictnessLevel: <string> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "security.istio.io" version: "v1beta1" kind: "PeerAuthentication" Exemplos
asm-peer-authn-mesh-strict-mtls-with-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-strict-mtls namespace: asm-root spec: mtls: mode: STRICT
Não permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-with-input-constraint spec: enforcementAction: dryrun parameters: rootNamespace: asm-root strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-permissive-mtls namespace: asm-root spec: mtls: mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High
Permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-strict-mtls namespace: istio-system spec: mtls: mode: STRICT
Não permitido
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnMeshStrictMtls metadata: name: asm-peer-authn-mesh-strict-mtls-no-input-constraint spec: enforcementAction: dryrun parameters: strictnessLevel: High --- # Referential Data apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mesh-permissive-mtls namespace: istio-system spec: mtls: mode: PERMISSIVE
AsmPeerAuthnStrictMtls
mTLS rigorosa de autenticação de par do ASM v1.0.3
A aplicação de todos os PeerAuthentications não pode substituir mtls rígidos. Consulte https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnStrictMtls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # strictnessLevel <string>: Level of PeerAuthentication strictness. # Allowed Values: Low, High strictnessLevel: <string> Exemplos
asm-peer-authn-strict-mtls-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmPeerAuthnStrictMtls metadata: name: asm-peer-authn-strict-mtls-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - PeerAuthentication parameters: strictnessLevel: High
Permitido
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: valid-strict-mtls-pa namespace: foo spec: mtls: mode: UNSET portLevelMtls: "80": mode: UNSET "443": mode: STRICT selector: matchLabels: app: bar
Não permitido
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: invalid-permissive-mtls-pa namespace: foo spec: mtls: mode: PERMISSIVE portLevelMtls: "80": mode: UNSET "443": mode: STRICT selector: matchLabels: app: bar
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: invalid-port-disable-mtls-pa namespace: foo spec: mtls: mode: UNSET portLevelMtls: "80": mode: DISABLE "443": mode: STRICT selector: matchLabels: app: bar
AsmRequestAuthnProhibitedOutputHeaders
Cabeçalhos de saída proibidos de RequestAuthentication do ASM v1.0.2
Em RequestAuthentication, aplique o campo jwtRules.outPayloadToHeader para não conter cabeçalhos de solicitação HTTP conhecidos ou cabeçalhos proibidos personalizados. Referência a https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmRequestAuthnProhibitedOutputHeaders metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # prohibitedHeaders <array>: User predefined prohibited headers. prohibitedHeaders: - <string> Exemplos
asm-request-authn-prohibited-output-headers-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmRequestAuthnProhibitedOutputHeaders metadata: name: asm-request-authn-prohibited-output-headers-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - RequestAuthentication parameters: prohibitedHeaders: - Bad-Header - X-Bad-Header
Permitido
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: valid-request-authn namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: Good-Header selector: matchLabels: app: istio-ingressgateway
Não permitido
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: deny-predefined-output-header namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: Host selector: matchLabels: app: istio-ingressgateway
apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: deny-predefined-output-header namespace: istio-system spec: jwtRules: - issuer: example.com outputPayloadToHeader: X-Bad-Header selector: matchLabels: app: istio-ingressgateway
AsmSidecarInjection
Injeção de arquivo secundário do ASM v1.0.2
Aplique o arquivo secundário do proxy do Istio que sempre foi injetado nos pods de carga de trabalho.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmSidecarInjection metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # strictnessLevel <string>: Level of sidecar injection strictness. # Allowed Values: Low, High strictnessLevel: <string> Exemplos
asm-sidecar-injection-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: AsmSidecarInjection metadata: name: asm-sidecar-injection-sample spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod parameters: strictnessLevel: High
Permitido
apiVersion: v1 kind: Pod metadata: annotations: sidecar.istio.io/inject: "true" name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
apiVersion: v1 kind: Pod metadata: annotations: "false": "false" name: sleep spec: containers: - image: curlimages/curl name: sleep - image: gcr.io/gke-release/asm/proxyv2:release name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP
Não permitido
apiVersion: v1 kind: Pod metadata: annotations: sidecar.istio.io/inject: "false" name: sleep spec: containers: - image: curlimages/curl name: sleep
DestinationRuleTLSEnabled
TLS de regra de destino ativado v1.0.1
Proíbe a desativação do TLS para todos os hosts e subconjuntos de hosts no Istio DestinationRules.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DestinationRuleTLSEnabled metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
dr-tls-enabled
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DestinationRuleTLSEnabled metadata: name: dr-tls-enabled spec: enforcementAction: dryrun match: kinds: - apiGroups: - networking.istio.io kinds: - DestinationRule
Não permitido
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-subset-tls-disable namespace: default spec: host: myservice subsets: - name: v1 trafficPolicy: tls: mode: DISABLE - name: v2 trafficPolicy: tls: mode: SIMPLE
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: dr-traffic-tls-disable namespace: default spec: host: myservice trafficPolicy: tls: mode: DISABLE
DisallowedAuthzPrefix
Não permitir os prefixos de AuthorizationPolicy do Istio v1.0.2
Requer que os principais e os namespaces nas regras AuthorizationPolicy do Istio não tenham o prefixo de uma lista especificada. https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DisallowedAuthzPrefix metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # disallowedprefixes <array>: Disallowed prefixes of principals and # namespaces. disallowedprefixes: - <string> Exemplos
disallowed-authz-prefix-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: DisallowedAuthzPrefix metadata: name: disallowed-authz-prefix-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy parameters: disallowedprefixes: - badprefix - reallybadprefix
Permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: good namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
Não permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-principal namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/badprefix-sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: bad-source-namespace namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - badprefix-test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
GCPStorageLocationConstraintV1
Restrição de local de armazenamento do GCP v1.0.3
Restringe o locations permitido para recursos do Storagebucket Config Connector à lista de locais fornecidos na restrição. Os nomes de bucket na lista exemptions estão isentos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GCPStorageLocationConstraintV1 metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptions <array>: A list of bucket names that are exempt from this # constraint. exemptions: - <string> # locations <array>: A list of locations that a bucket is permitted to # have. locations: - <string> Exemplos
singapore-and-jakarta-only
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GCPStorageLocationConstraintV1 metadata: name: singapore-and-jakarta-only spec: enforcementAction: deny match: kinds: - apiGroups: - storage.cnrm.cloud.google.com kinds: - StorageBucket parameters: exemptions: - my_project_id_cloudbuild locations: - asia-southeast1 - asia-southeast2
Permitido
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-permitted-location spec: location: asia-southeast1
Não permitido
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-in-disallowed-location spec: location: us-central1
apiVersion: storage.cnrm.cloud.google.com/v1beta1 kind: StorageBucket metadata: name: bucket-without-specific-location spec: null
GkeSpotVMTerminationGrace
Restringe terminationGracePeriodSeconds para VMs spot do GKE v1.1.3
Exige que pods e modelos de pod com nodeSelector ou nodeAfffinty de gke-spot tenham um terminationGracePeriodSeconds de 15 segundos ou menos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds` # of 15s or less for all `Pod` on a `gke-spot` Node. includePodOnSpotNodes: <boolean> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "" version: "v1" kind: "Node" Exemplos
spotvm-termination-grace
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata: name: spotvm-termination-grace spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod parameters: includePodOnSpotNodes: true
Permitido
apiVersion: v1 kind: Pod metadata: name: example-allowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata: name: example-allowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata: name: example-with-termGrace spec: Nodename: default containers: - image: nginx name: nginx terminationGracePeriodSeconds: 15 --- # Referential Data apiVersion: v1 kind: Node metadata: labels: cloud.google.com/gke-spot: "true" name: default
apiVersion: v1 kind: Pod metadata: name: example-with-termGrace spec: Nodename: default containers: - image: nginx name: nginx terminationGracePeriodSeconds: 15 --- # Referential Data apiVersion: v1 kind: Node metadata: name: default
apiVersion: v1 kind: Pod metadata: name: example-without-termGrace spec: Nodename: default containers: - image: nginx name: nginx --- # Referential Data apiVersion: v1 kind: Node metadata: name: default
Não permitido
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx terminationGracePeriodSeconds: 30
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: containers: - image: nginx name: nginx nodeSelector: cloud.google.com/gke-spot: "true" terminationGracePeriodSeconds: 30
apiVersion: v1 kind: Pod metadata: name: example-disallowed spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: cloud.google.com/gke-spot operator: In values: - "true" containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: name: example-without-termGrace spec: Nodename: default containers: - image: nginx name: nginx --- # Referential Data apiVersion: v1 kind: Node metadata: labels: cloud.google.com/gke-spot: "true" name: default
K8sAllowedRepos
Repositórios permitidos v1.0.1
Requer imagens de contêiner para começar com uma string da lista especificada.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAllowedRepos metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # repos <array>: The list of prefixes a container image is allowed to have. repos: - <string> Exemplos
repo-is-openpolicyagent
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAllowedRepos metadata: name: repo-is-openpolicyagent spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: repos: - openpolicyagent/
Permitido
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi
Não permitido
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginxinit resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginxinit resources: limits: cpu: 100m memory: 30Mi
apiVersion: v1 kind: Pod metadata: name: nginx-disallowed spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi ephemeralContainers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi initContainers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 30Mi
K8sAvoidUseOfSystemMastersGroup
Proibir o uso do grupo "system:masters" v1.0.0
Bloqueia o uso do grupo "system:masters". Não tem efeito durante a auditoria.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAvoidUseOfSystemMastersGroup metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowlistedUsernames <array>: allowlistedUsernames is the list of # usernames that are allowed to use system:masters group. allowlistedUsernames: - <string> Exemplos
avoid-use-of-system-masters-group
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sAvoidUseOfSystemMastersGroup metadata: name: avoid-use-of-system-masters-group
Permitido
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockAllIngress
Bloquear todo o Ingress v1.0.4
Não permite a criação de objetos do Ingress (tipos de Ingress, Gateway e Service de NodePort e LoadBalancer).
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockAllIngress metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowList <array>: A list of regular expressions for the Ingress object # names that are exempt from the constraint. allowList: - <string> Exemplos
block-all-ingress
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockAllIngress metadata: name: block-all-ingress spec: enforcementAction: dryrun parameters: allowList: - name1 - name2 - name3 - my-*
Permitido
apiVersion: v1 kind: Service metadata: name: my-service spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: v1 kind: Service metadata: name: allowed-clusterip-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: ClusterIP
Não permitido
apiVersion: v1 kind: Service metadata: name: disallowed-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: v1 kind: Service metadata: name: disallowed-service-example spec: ports: - port: 80 protocol: TCP targetPort: 9376 selector: app.kubernetes.io/name: MyApp type: LoadBalancer
apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: disallowed-gateway-example spec: gatewayClassName: istio listeners: - allowedRoutes: namespaces: from: All hostname: '*.example.com' name: default port: 80 protocol: HTTP
K8sBlockCreationWithDefaultServiceAccount
Bloquear a criação com a conta de serviço padrão v1.0.2
Não permite a criação de recursos usando uma conta de serviço padrão. Não tem efeito durante a auditoria.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
block-creation-with-default-serviceaccount
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockCreationWithDefaultServiceAccount metadata: name: block-creation-with-default-serviceaccount spec: enforcementAction: dryrun
Permitido
apiVersion: v1 kind: Namespace metadata: name: example-namespace
K8sBlockEndpointEditDefaultRole
Bloquear a função padrão de edição de endpoints v1.0.0
Por padrão, muitas instalações do Kubernetes têm um ClusterRole system:aggregate-to-edit que não restringe corretamente o acesso à edição do Endpoints. Esse ConstraintTemplate impede que o ClusterRole system:aggregate-to-edit conceda permissão para criar/patch/atualizar endpoints. ClusterRole/system:aggregate-to-edit não deve permitir permissões de edição de endpoint devido à CVE-2021-25740, que as permissões de Endpoint e EndpointSlice permitem encaminhamento de namespace https://github.com/kubernetes/kubernetes/issues/103675
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
block-endpoint-edit-default-role
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: block-endpoint-edit-default-role spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - autoscaling resources: - horizontalpodautoscalers verbs: - create - delete - deletecollection - patch - update - apiGroups: - batch resources: - cronjobs - jobs verbs: - create - delete - deletecollection - patch - update - apiGroups: - extensions resources: - daemonsets - deployments - deployments/rollback - deployments/scale - ingresses - networkpolicies - replicasets - replicasets/scale - replicationcontrollers/scale verbs: - create - delete - deletecollection - patch - update - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - delete - deletecollection - patch - update - apiGroups: - networking.k8s.io resources: - ingresses - networkpolicies verbs: - create - delete - deletecollection - patch - update
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - pods/portforward - pods/proxy - secrets - services/proxy verbs: - get - list - watch - apiGroups: - "" resources: - serviceaccounts verbs: - impersonate - apiGroups: - "" resources: - pods - pods/attach - pods/exec - pods/portforward - pods/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - replicationcontrollers - replicationcontrollers/scale - secrets - serviceaccounts - services - services/proxy verbs: - create - delete - deletecollection - patch - update - apiGroups: - apps resources: - daemonsets - deployments - deployments/rollback - deployments/scale - endpoints - replicasets - replicasets/scale - statefulsets - statefulsets/scale verbs: - create - delete - deletecollection - patch - update
K8sBlockLoadBalancer
Bloquear serviços com o tipo LoadBalancer v1.0.0
Não permite todos os serviços com o tipo LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockLoadBalancer metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
block-load-balancer
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockLoadBalancer metadata: name: block-load-balancer spec: match: kinds: - apiGroups: - "" kinds: - Service
Permitido
apiVersion: v1 kind: Service metadata: name: my-service-allowed spec: ports: - port: 80 targetPort: 80 type: ClusterIP
Não permitido
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: LoadBalancer
K8sBlockNodePort
Bloquear o NodePort v1.0.0
Não permite todos os Serviços do tipo NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
block-node-port
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockNodePort metadata: name: block-node-port spec: match: kinds: - apiGroups: - "" kinds: - Service
Não permitido
apiVersion: v1 kind: Service metadata: name: my-service-disallowed spec: ports: - nodePort: 30007 port: 80 targetPort: 80 type: NodePort
K8sBlockObjectsOfType
Bloquear objetos do tipo v1.0.1
Não permite o objeto de tipos proibidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockObjectsOfType metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: forbiddenTypes: - <string> Exemplos
block-secrets-of-type-basic-auth
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockObjectsOfType metadata: name: block-secrets-of-type-basic-auth spec: match: kinds: - apiGroups: - "" kinds: - Secret parameters: forbiddenTypes: - kubernetes.io/basic-auth
Permitido
apiVersion: v1 data: password: ZHVtbXlwYXNz username: ZHVtbXl1c2Vy kind: Secret metadata: name: credentials namespace: default type: Opaque
Não permitido
apiVersion: v1 data: password: YmFzaWMtcGFzc3dvcmQ= username: YmFzaWMtdXNlcm5hbWU= kind: Secret metadata: name: secret-basic-auth namespace: default type: kubernetes.io/basic-auth
K8sBlockProcessNamespaceSharing
Bloquear o compartilhamento de namespace do processo v1.0.1
Proíbe as especificações do pod com shareProcessNamespace definido como true. Isso evita cenários em que todos os contêineres em um pod compartilham o namespace PID e podem acessar o sistema de arquivos e a memória uns dos outros.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
block-process-namespace-sharing
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockProcessNamespaceSharing metadata: name: block-process-namespace-sharing
Permitido
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx shareProcessNamespace: true
K8sBlockWildcardIngress
Bloquear a entrada de caractere curinga v1.0.1
Os usuários não devem criar entradas com um nome do host em branco ou curinga (*), porque isso permitiria a interceptação do tráfego de outros serviços no cluster, mesmo que eles não tenham acesso a esses serviços.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockWildcardIngress metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
block-wildcard-ingress
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockWildcardIngress metadata: name: block-wildcard-ingress spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: non-wildcard-ingress spec: rules: - host: myservice.example.com http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
Não permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - host: "" http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: wildcard-ingress spec: rules: - host: '*.example.com' http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix - host: valid.example.com http: paths: - backend: service: name: example port: number: 80 path: / pathType: Prefix
K8sContainerEphemeralStorageLimit
Limite de armazenamento temporário do contêiner v1.0.2
Exige que os contêineres tenham um limite de armazenamento temporário definido e que o limite esteja dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerEphemeralStorageLimit metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # ephemeral-storage <string>: The maximum allowed ephemeral storage limit # on a Pod, exclusive. ephemeral-storage: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
container-ephemeral-storage-limit
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerEphemeralStorageLimit metadata: name: container-ephemeral-storage-limit spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ephemeral-storage: 500Mi
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: init-opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 1Pi memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m ephemeral-storage: 100Mi memory: 1Gi initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: init-opa resources: limits: cpu: 100m ephemeral-storage: 1Pi memory: 1Gi
K8sContainerLimits
Limites de contêiner v1.0.1
Requer que os limites da memória e da CPU sejam definidos e que os limites fiquem dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerLimits metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive. cpu: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # memory <string>: The maximum allowed memory limit on a Pod, exclusive. memory: <string> Exemplos
container-must-have-limits
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerLimits metadata: name: container-must-have-limits spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 2Gi
K8sContainerRatios
Proporções de contêiner v1.0.1
Define uma proporção máxima de limites de recursos do contêiner para solicitações. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to # `resources.requests.cpu` on a container. If not specified, equal to # `ratio`. cpuRatio: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # ratio <string>: The maximum allowed ratio of `resources.limits` to # `resources.requests` on a container. ratio: <string> Exemplos
container-must-meet-ratio
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ratio: "2"
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 200m memory: 200Mi requests: cpu: 100m memory: 100Mi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 800m memory: 2Gi requests: cpu: 100m memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRatios metadata: name: container-must-meet-memory-and-cpu-ratio spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpuRatio: "10" ratio: "1"
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: "4" memory: 2Gi requests: cpu: "1" memory: 2Gi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: "4" memory: 2Gi requests: cpu: 100m memory: 2Gi
K8sContainerRequests
Solicitações de contêiner v1.0.1
Requer que os limites da memória e da CPU sejam definidos e que os limites fiquem dentro dos valores máximos especificados. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRequests metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cpu <string>: The maximum allowed cpu request on a Pod, exclusive. cpu: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # memory <string>: The maximum allowed memory request on a Pod, exclusive. memory: <string> Exemplos
container-must-have-requests
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sContainerRequests metadata: name: container-must-have-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: cpu: 200m memory: 1Gi
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 1Gi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
K8sCronJobAllowedRepos
Repositórios permitidos do CronJob v1.0.1
Requer imagens de contêiner de CronJobs para começar com uma string da lista especificada.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sCronJobAllowedRepos metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # repos <array>: The list of prefixes a container image is allowed to have. repos: - <string> Exemplos
cronjob-restrict-repos
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sCronJobAllowedRepos metadata: name: cronjob-restrict-repos spec: match: kinds: - apiGroups: - batch kinds: - CronJob parameters: repos: - gke.gcr.io/
Permitido
apiVersion: batch/v1 kind: CronJob metadata: name: hello spec: jobTemplate: spec: template: spec: containers: - image: gke.gcr.io/busybox:1.28 name: hello schedule: '* * * * *'
Não permitido
apiVersion: batch/v1 kind: CronJob metadata: name: hello spec: jobTemplate: spec: template: spec: containers: - image: busybox:1.28 name: hello schedule: '* * * * *'
K8sDisallowAnonymous
Não permitir acesso anônimo v1.0.0
Não permite associar recursos ClusterRole e Role ao usuário system:anonymous e ao grupo system:unauthenticated.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowAnonymous metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedRoles <array>: The list of ClusterRoles and Roles that may be # associated with the `system:unauthenticated` group and `system:anonymous` # user. allowedRoles: - <string> Exemplos
no-anonymous
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowAnonymous metadata: name: no-anonymous spec: match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRoleBinding - apiGroups: - rbac.authorization.k8s.io kinds: - RoleBinding parameters: allowedRoles: - cluster-role-1
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-1 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-1 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-role-binding-2 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-role-2 subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowInteractiveTTY
Não permitir contêineres TTD interativos v1.0.0
Exige que os objetos tenham os campos spec.tty e spec.stdin definidos como falsos ou não definidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowInteractiveTTY metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
no-interactive-tty-containers
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowInteractiveTTY metadata: name: no-interactive-tty-containers spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-interactive-tty name: nginx-interactive-tty-allowed spec: containers: - image: nginx name: nginx stdin: false tty: false
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: containers: - image: nginx name: nginx stdin: true tty: true
K8sDisallowedRepos
Repositórios não permitidos v1.0.0
Repositórios de contêiner não permitidos que começam com uma string da lista especificada.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRepos metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # repos <array>: The list of prefixes a container image is not allowed to # have. repos: - <string> Exemplos
repo-must-not-be-k8s-gcr-io
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRepos metadata: name: repo-must-not-be-k8s-gcr-io spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: repos: - k8s.gcr.io/
Permitido
apiVersion: v1 kind: Pod metadata: name: kustomize-allowed spec: containers: - image: registry.k8s.io/kustomize/kustomize:v3.8.9 name: kustomize
Não permitido
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: registry.k8s.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomizeinit
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomizeinit
apiVersion: v1 kind: Pod metadata: name: kustomize-disallowed spec: containers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize ephemeralContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize initContainers: - image: k8s.gcr.io/kustomize/kustomize:v3.8.9 name: kustomize
K8sDisallowedRoleBindingSubjects
Assuntos de Rolebinding não permitidos v1.0.1
Proíbe RoleBindings ou ClusterRoleBindings com assuntos correspondentes a qualquer disallowedSubjects transmitido como parâmetros.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRoleBindingSubjects metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # disallowedSubjects <array>: A list of subjects that cannot appear in a # RoleBinding. disallowedSubjects: - # apiGroup <string>: The Kubernetes API group of the disallowed role # binding subject. Currently ignored. apiGroup: <string> # kind <string>: The kind of the disallowed role binding subject. kind: <string> # name <string>: The name of the disallowed role binding subject. name: <string> Exemplos
disallowed-rolebinding-subjects
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedRoleBindingSubjects metadata: name: disallowed-rolebinding-subjects spec: parameters: disallowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: my-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
K8sDisallowedTags
Não permitir tags v1.0.1
Requer que as imagens de contêiner tenham uma tag de imagem diferente daquelas na lista especificada. https://kubernetes.io/docs/concepts/containers/images/#image-names
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedTags metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # tags <array>: Disallowed container image tags. tags: - <string> Exemplos
container-image-must-not-have-latest-tag
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sDisallowedTags metadata: name: container-image-must-not-have-latest-tag spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: exemptImages: - openpolicyagent/opa-exp:latest - openpolicyagent/opa-exp2:latest tags: - latest
Permitido
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa
apiVersion: v1 kind: Pod metadata: name: opa-exempt-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp:latest name: opa-exp - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/init:v1 name: opa-init - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp2:latest name: opa-exp2
Não permitido
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-2 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-ephemeral spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:latest name: opa
apiVersion: v1 kind: Pod metadata: name: opa-disallowed-3 spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp:latest name: opa - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/init:latest name: opa-init - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa-exp2:latest name: opa-exp2 - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/monitor:latest name: opa-monitor
K8sEmptyDirHasSizeLimit
O diretório vazio tem limite de tamanho v1.0.5
Requer que qualquer volume emptyDir especifique um sizeLimit. Opcionalmente, um parâmetro maxSizeLimit pode ser fornecido na restrição para especificar um limite máximo de tamanho permitido.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEmptyDirHasSizeLimit metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptVolumesRegex <array>: Exempt Volume names as regex match. exemptVolumesRegex: - <string> # maxSizeLimit <string>: When set, the declared size limit for each volume # must be less than `maxSizeLimit`. maxSizeLimit: <string> Exemplos
empty-dir-has-size-limit
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEmptyDirHasSizeLimit metadata: name: empty-dir-has-size-limit spec: match: excludedNamespaces: - istio-system - kube-system - gatekeeper-system parameters: exemptVolumesRegex: - ^istio-[a-z]+$ maxSizeLimit: 4Gi
Permitido
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: sizeLimit: 2Gi name: good-pod-volume
apiVersion: v1 kind: Pod metadata: name: exempt-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: istio-envoy
Não permitido
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx volumes: - emptyDir: {} name: bad-pod-volume
K8sEnforceCloudArmorBackendConfig
Aplicar o Cloud Armor nos recursos de BackendConfig v1.0.2
Aplica a configuração do Cloud Armor aos recursos do BackendConfig
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
enforce-cloudarmor-backendconfig
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceCloudArmorBackendConfig metadata: name: enforce-cloudarmor-backendconfig spec: enforcementAction: dryrun
Permitido
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: example-security-policy
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: second-backendconfig spec: securityPolicy: name: my-security-policy
Não permitido
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: null
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig namespace: examplenamespace spec: securityPolicy: name: ""
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backendconfig spec: logging: enable: true sampleRate: 0.5
K8sEnforceConfigManagement
Impor o gerenciamento de configurações v1.1.6
Requer a presença e operação do gerenciamento de configuração. As restrições que usam esse ConstraintTemplate serão auditadas somente, independentemente do valor enforcementAction.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceConfigManagement metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # requireDriftPrevention <boolean>: Require Config Sync drift prevention to # prevent config drift. requireDriftPrevention: <boolean> # requireRootSync <boolean>: Require a Config Sync `RootSync` object for # cluster config management. requireRootSync: <boolean> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "configsync.gke.io" version: "v1beta1" kind: "RootSync" Exemplos
enforce-config-management
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sEnforceConfigManagement metadata: name: enforce-config-management spec: enforcementAction: dryrun match: kinds: - apiGroups: - configmanagement.gke.io kinds: - ConfigManagement
Permitido
apiVersion: configmanagement.gke.io/v1 kind: ConfigManagement metadata: annotations: configmanagement.gke.io/managed-by-hub: "true" configmanagement.gke.io/update-time: "1663586155" name: config-management spec: binauthz: enabled: true clusterName: tec6ea817b5b4bb2-cluster enableMultiRepo: true git: proxy: {} syncRepo: [email protected]:/git-server/repos/sot.git hierarchyController: {} policyController: auditIntervalSeconds: 60 enabled: true monitoring: backends: - prometheus - cloudmonitoring mutation: {} referentialRulesEnabled: true templateLibraryInstalled: true status: configManagementVersion: v1.12.2-rc.2 healthy: true
Não permitido
apiVersion: configmanagement.gke.io/v1 kind: ConfigManagement metadata: annotations: configmanagement.gke.io/managed-by-hub: "true" configmanagement.gke.io/update-time: "1663586155" name: config-management spec: binauthz: enabled: true clusterName: tec6ea817b5b4bb2-cluster enableMultiRepo: true git: syncRepo: [email protected]:/git-server/repos/sot.git hierarchyController: {} policyController: auditIntervalSeconds: 60 enabled: true monitoring: backends: - prometheus - cloudmonitoring mutation: {} referentialRulesEnabled: true templateLibraryInstalled: true status: configManagementVersion: v1.12.2-rc.2
K8sExternalIPs
IPs externos v1.0.0
Restringe os IPIPs de serviço a uma lista de endereços IP permitidos. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sExternalIPs metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedIPs <array>: An allow-list of external IP addresses. allowedIPs: - <string> Exemplos
external-ips
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sExternalIPs metadata: name: external-ips spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: allowedIPs: - 203.0.113.0
Permitido
apiVersion: v1 kind: Service metadata: name: allowed-external-ip spec: externalIPs: - 203.0.113.0 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
Não permitido
apiVersion: v1 kind: Service metadata: name: disallowed-external-ip spec: externalIPs: - 1.1.1.1 ports: - name: http port: 80 protocol: TCP targetPort: 8080 selector: app: MyApp
K8sHorizontalPodAutoscaler
Escalonador automático horizontal de pods v1.0.1
Não permita os cenários a seguir ao implantar o HorizontalPodAutoscalers 1. Implantação de HorizontalPodAutoscalers com .spec.minReplicas ou .spec.maxReplicas fora dos intervalos definidos na restrição 2. Implantação de HorizontalPodAutoscalers em que a diferença entre .spec.minReplicas e .spec.maxReplicas é menor que o minimumReplicaSpread 3 configurado. Implantação de HorizontalPodAutoscalers que não fazem referência a um scaleTargetRef válido (por exemplo, Deployment, ReplicationController, ReplicaSet, StatefulSet).
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHorizontalPodAutoscaler metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # enforceScaleTargetRef <boolean>: If set to true it validates the HPA # scaleTargetRef exists enforceScaleTargetRef: <boolean> # minimumReplicaSpread <integer>: If configured it enforces the minReplicas # and maxReplicas in an HPA must have a spread of at least this many # replicas minimumReplicaSpread: <integer> # ranges <array>: Allowed ranges for numbers of replicas. Values are # inclusive. ranges: # <list item: object>: A range of allowed replicas. Values are # inclusive. - # max_replicas <integer>: The maximum number of replicas allowed, # inclusive. max_replicas: <integer> # min_replicas <integer>: The minimum number of replicas allowed, # inclusive. min_replicas: <integer> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "apps" version: "v1" kind: "Deployment" OR - group: "apps" version: "v1" kind: "StatefulSet" Exemplos
horizontal-pod-autoscaler
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHorizontalPodAutoscaler metadata: name: horizontal-pod-autoscaler spec: enforcementAction: deny match: kinds: - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler parameters: enforceScaleTargetRef: true minimumReplicaSpread: 1 ranges: - max_replicas: 6 min_replicas: 3
Permitido
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-allowed namespace: default spec: maxReplicas: 6 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 3 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Não permitido
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-replicas namespace: default spec: maxReplicas: 7 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 2 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-replicaspread namespace: default spec: maxReplicas: 4 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 4 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: nginx-hpa-disallowed-scaletarget namespace: default spec: maxReplicas: 6 metrics: - resource: name: cpu target: averageUtilization: 900 type: Utilization type: Resource minReplicas: 3 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: nginx-deployment-missing --- # Referential Data apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment template: metadata: labels: app: nginx example: allowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sHttpsOnly
Somente HTTPS v1.0.2
Exige que os recursos do Ingress sejam somente HTTPS. Os recursos de entrada precisam incluir a anotação kubernetes.io/ingress.allow-http, definida como false. Por padrão, é necessário ter uma configuração de TLS válida no {}, isso pode ser opcional definindo o parâmetro tlsOptional como true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # tlsOptional <boolean>: When set to `true` the TLS {} is optional, # defaults to false. tlsOptional: <boolean> Exemplos
ingress-https-only
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.allow-http: "false" name: ingress-demo-allowed spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix tls: - {}
Não permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-demo-disallowed spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
ingress-https-only-tls-optional
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sHttpsOnly metadata: name: ingress-https-only-tls-optional spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress parameters: tlsOptional: true
Permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.allow-http: "false" name: ingress-demo-allowed-tls-optional spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
Não permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-demo-disallowed-tls-optional spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
K8sImageDigests
Imagem Digests v1.0.1
Requer imagens de contêiner para conter um resumo. https://kubernetes.io/docs/concepts/containers/images/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sImageDigests metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
container-image-must-have-digest
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sImageDigests metadata: name: container-image-must-have-digest spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default
Permitido
apiVersion: v1 kind: Pod metadata: name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a name: opa
Não permitido
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opainit
apiVersion: v1 kind: Pod metadata: name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa initContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opainit
K8sLocalStorageRequireSafeToEvict
O armazenamento local requer remoção segura da v1.0.1
Requer que os pods que usam o armazenamento local (emptyDir ou hostPath) tenham a anotação "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". O escalonador automático de cluster não excluirá pods sem essa anotação.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
local-storage-require-safe-to-evict
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sLocalStorageRequireSafeToEvict metadata: name: local-storage-require-safe-to-evict spec: match: excludedNamespaces: - kube-system - istio-system - gatekeeper-system
Permitido
apiVersion: v1 kind: Pod metadata: annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" name: good-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
Não permitido
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: redis name: redis volumeMounts: - mountPath: /data/redis name: redis-storage volumes: - emptyDir: {} name: redis-storage
K8sMemoryRequestEqualsLimit
Solicitação de memória é igual ao limite v1.0.4
Promove a estabilidade do pod ao exigir que a memória solicitada de todos os contêineres seja exatamente igual ao limite de memória. Assim, os pods nunca ficam em um estado em que o uso da memória excede a quantidade solicitada. Caso contrário, o Kubernetes poderá encerrar pods que solicitam memória extra se a memória for necessária no nó.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptContainersRegex <array>: Exempt Container names as regex match. exemptContainersRegex: - <string> Exemplos
container-must-request-limit
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sMemoryRequestEqualsLimit metadata: name: container-must-request-limit spec: match: excludedNamespaces: - kube-system - resource-group-system - asm-system - istio-system - config-management-system - config-management-monitoring parameters: exemptContainersRegex: - ^istio-[a-z]+$
Permitido
apiVersion: v1 kind: Pod metadata: name: good-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 4Gi
apiVersion: v1 kind: Pod metadata: name: exempt-pod namespace: default spec: containers: - image: auto name: istio-proxy resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
Não permitido
apiVersion: v1 kind: Pod metadata: name: bad-pod namespace: default spec: containers: - image: nginx name: nginx resources: limits: cpu: 100m memory: 4Gi requests: cpu: 50m memory: 2Gi
K8sNoEnvVarSecrets
Nenhum secret de variável de ambiente v1.0.1
Proíbe secrets como variáveis de ambiente nas definições de contêiner do pod. Em vez disso, use arquivos secretos montados em volumes de dados: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
no-secrets-as-env-vars-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoEnvVarSecrets metadata: name: no-secrets-as-env-vars-sample spec: enforcementAction: dryrun
Permitido
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: redis name: test volumeMounts: - mountPath: /etc/test name: test readOnly: true volumes: - name: test secret: secretName: mysecret
Não permitido
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - env: - name: MY_PASSWORD valueFrom: secretKeyRef: key: password name: mysecret image: redis name: test
K8sNoExternalServices
Nenhum serviço externo v1.0.3
Proíbe a criação de recursos conhecidos que expõem cargas de trabalho a IPs externos. Isso inclui os recursos de gateway do Istio e do Ingress do Kubernetes. Os serviços do Kubernetes também não são permitidos, a menos que atendam aos seguintes critérios: qualquer serviço do tipo LoadBalancer no Google Cloud precisa ter uma anotação "networking.gke.io/load-balancer-type": "Internal". Qualquer serviço do tipo LoadBalancer na AWS precisa ter uma anotação service.beta.kubernetes.io/aws-load-balancer-internal: "true. Qualquer "IP externo" (externo ao cluster) vinculado ao Serviço precisa ser membro de um intervalo de CIDRs internos, conforme fornecido à restrição.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS` # are supported currently. cloudPlatform: <string> # internalCIDRs <array>: A list of CIDRs that are only accessible # internally, for example: `10.3.27.0/24`. Which IP ranges are # internal-only is determined by the underlying network infrastructure. internalCIDRs: - <string> Exemplos
no-external
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external spec: parameters: internalCIDRs: - 10.0.0.1/32
Permitido
apiVersion: v1 kind: Service metadata: name: good-service namespace: default spec: externalIPs: - 10.0.0.1 ports: - port: 8888 protocol: TCP targetPort: 8888
apiVersion: v1 kind: Service metadata: annotations: networking.gke.io/load-balancer-type: Internal name: allowed-internal-load-balancer namespace: default spec: type: LoadBalancer
Não permitido
apiVersion: v1 kind: Service metadata: name: bad-service namespace: default spec: externalIPs: - 10.0.0.2 ports: - port: 8888 protocol: TCP targetPort: 8888
no-external-aws
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sNoExternalServices metadata: name: no-external-aws spec: parameters: cloudPlatform: AWS
Permitido
apiVersion: v1 kind: Service metadata: annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" name: good-aws-service namespace: default spec: type: LoadBalancer
Não permitido
apiVersion: v1 kind: Service metadata: annotations: cloud.google.com/load-balancer-type: Internal name: bad-aws-service namespace: default spec: type: LoadBalancer
K8sPSPAllowPrivilegeEscalationContainer
Permitir escalonamento de privilégios no contêiner v1.0.1
Controla a restrição do encaminhamento a privilégios de raiz. Corresponde ao campo allowPrivilegeEscalation em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged-escalation
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
psp-allow-privilege-escalation-container-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowPrivilegeEscalationContainer metadata: name: psp-allow-privilege-escalation-container-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-allowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: false
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: containers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privilege-escalation name: nginx-privilege-escalation-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: allowPrivilegeEscalation: true
K8sPSPAllowedUsers
Usuários permitidos v1.0.2
Controla os códigos do usuário e do grupo do contêiner e de alguns volumes. Corresponde aos campos runAsUser, runAsGroup, supplementalGroups e fsGroup em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod # or container-level SecurityContext. fsGroup: # ranges <array>: A list of group ID ranges affected by the rule. ranges: # <list item: object>: The range of group IDs affected by the rule. - # max <integer>: The maximum group ID in the range, inclusive. max: <integer> # min <integer>: The minimum group ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the fsGroup restriction. # Allowed Values: MustRunAs, MayRunAs, RunAsAny rule: <string> # runAsGroup <object>: Controls which group ID values are allowed in a Pod # or container-level SecurityContext. runAsGroup: # ranges <array>: A list of group ID ranges affected by the rule. ranges: # <list item: object>: The range of group IDs affected by the rule. - # max <integer>: The maximum group ID in the range, inclusive. max: <integer> # min <integer>: The minimum group ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the runAsGroup restriction. # Allowed Values: MustRunAs, MayRunAs, RunAsAny rule: <string> # runAsUser <object>: Controls which user ID values are allowed in a Pod or # container-level SecurityContext. runAsUser: # ranges <array>: A list of user ID ranges affected by the rule. ranges: # <list item: object>: The range of user IDs affected by the rule. - # max <integer>: The maximum user ID in the range, inclusive. max: <integer> # min <integer>: The minimum user ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the runAsUser restriction. # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny rule: <string> # supplementalGroups <object>: Controls the supplementalGroups values that # are allowed in a Pod or container-level SecurityContext. supplementalGroups: # ranges <array>: A list of group ID ranges affected by the rule. ranges: # <list item: object>: The range of group IDs affected by the rule. - # max <integer>: The maximum group ID in the range, inclusive. max: <integer> # min <integer>: The minimum group ID in the range, inclusive. min: <integer> # rule <string>: A strategy for applying the supplementalGroups # restriction. # Allowed Values: MustRunAs, MayRunAs, RunAsAny rule: <string> Exemplos
psp-pods-allowed-user-ranges
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: fsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsGroup: ranges: - max: 200 min: 100 rule: MustRunAs runAsUser: ranges: - max: 200 min: 100 rule: MustRunAs supplementalGroups: ranges: - max: 200 min: 100 rule: MustRunAs
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-allowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 199 runAsUser: 199 securityContext: fsGroup: 199 supplementalGroups: - 199
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: containers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
apiVersion: v1 kind: Pod metadata: labels: app: nginx-users name: nginx-users-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: runAsGroup: 250 runAsUser: 250 securityContext: fsGroup: 250 supplementalGroups: - 250
K8sPSPAppArmor
App Armor v1.0.0
Configura uma lista de permissões de perfis do AppArmor para uso por contêineres. Isso corresponde a anotações específicas aplicadas a uma PodSecurityPolicy Para saber mais sobre o AppArmor, consulte https://kubernetes.io/docs/tutorials/clusters/apparmor/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAppArmor metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedProfiles <array>: An array of AppArmor profiles. Examples: # `runtime/default`, `unconfined`. allowedProfiles: - <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
psp-apparmor
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAppArmor metadata: name: psp-apparmor spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default
Permitido
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: runtime/default labels: app: nginx-apparmor name: nginx-apparmor-allowed spec: containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.apparmor.security.beta.kubernetes.io/nginx: unconfined labels: app: nginx-apparmor name: nginx-apparmor-disallowed spec: ephemeralContainers: - image: nginx name: nginx
K8sPSPAutomountServiceAccountTokenPod
Token de conta de serviço do Automount para Pod v1.0.1
Controla a capacidade de qualquer pod de ativar automountServiceAccountToken.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAutomountServiceAccountTokenPod metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: <object> Exemplos
psp-automount-serviceaccount-token-pod
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAutomountServiceAccountTokenPod metadata: name: psp-automount-serviceaccount-token-pod spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-not-automountserviceaccounttoken name: nginx-automountserviceaccounttoken-allowed spec: automountServiceAccountToken: false containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-automountserviceaccounttoken name: nginx-automountserviceaccounttoken-disallowed spec: automountServiceAccountToken: true containers: - image: nginx name: nginx
K8sPSPCapabilities
Recursos v1.0.2
Controla os recursos do Linux em contêineres. Corresponde aos campos allowedCapabilities e requiredDropCapabilities em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#features
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedCapabilities <array>: A list of Linux capabilities that can be # added to a container. allowedCapabilities: - <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # requiredDropCapabilities <array>: A list of Linux capabilities that are # required to be dropped from a container. requiredDropCapabilities: - <string> Exemplos
capabilities-demo
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: capabilities-demo spec: match: kinds: - apiGroups: - "" kinds: - Pod namespaces: - default parameters: allowedCapabilities: - something requiredDropCapabilities: - must_drop
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - something drop: - must_drop - another_one
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: ephemeralContainers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 30Mi securityContext: capabilities: add: - disallowedcapability
K8sPSPFSGroup
Grupo FS v1.0.2
Controla a alocação de um FSGroup que é proprietário dos volumes do pod. Corresponde ao campo fsGroup em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # ranges <array>: GID ranges affected by the rule. ranges: - # max <integer>: The maximum GID in the range, inclusive. max: <integer> # min <integer>: The minimum GID in the range, inclusive. min: <integer> # rule <string>: An FSGroup rule name. # Allowed Values: MayRunAs, MustRunAs, RunAsAny rule: <string> Exemplos
psp-fsgroup
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: psp-fsgroup spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: ranges: - max: 1000 min: 1 rule: MayRunAs
Permitido
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 500 volumes: - emptyDir: {} name: fsgroup-demo-vol
Não permitido
apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: containers: - command: - sh - -c - sleep 1h image: busybox name: fsgroup-demo volumeMounts: - mountPath: /data/demo name: fsgroup-demo-vol securityContext: fsGroup: 2000 volumes: - emptyDir: {} name: fsgroup-demo-vol
K8sPSPFlexVolumes
FlexVolumes v1.0.1
Controla a lista de permissões de drivers FlexVolume. Corresponde ao campo allowedFlexVolumes em PodSecurityPolicy. Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects. allowedFlexVolumes: - # driver <string>: The name of the FlexVolume driver. driver: <string> Exemplos
psp-flexvolume-drivers
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedFlexVolumes: - driver: example/lvm - driver: example/cifs
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/lvm name: test-volume
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-flexvolume-driver name: nginx-flexvolume-driver-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - flexVolume: driver: example/testdriver name: test-volume
K8sPSPForbiddenSysctls
Sysctls proibidos v1.1.3
Controla o perfil sysctl usado pelos contêineres. Corresponde aos campos allowedUnsafeSysctls e forbiddenSysctls em um PodSecurityPolicy. Quando especificado, qualquer sysctl que não esteja no parâmetro allowedSysctls é considerado proibido. O parâmetro forbiddenSysctls tem prioridade sobre o allowedSysctls. Para saber mais, consulte https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls # not listed in the `forbiddenSysctls` parameter. allowedSysctls: - <string> # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all # sysctls. forbiddenSysctls: - <string> Exemplos
psp-forbidden-sysctls
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: psp-forbidden-sysctls spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSysctls: - '*' forbiddenSysctls: - kernel.*
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: net.core.somaxconn value: "1024"
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-forbidden-sysctls name: nginx-forbidden-sysctls-disallowed spec: containers: - image: nginx name: nginx securityContext: sysctls: - name: kernel.msgmax value: "65536" - name: net.core.somaxconn value: "1024"
K8sPSPHostFilesystem
Sistema de arquivos de host v1.0.2
Controla o uso do sistema de arquivos do host. Corresponde ao campo allowedHostPaths em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedHostPaths <array>: An array of hostpath objects, representing # paths and read/write configuration. allowedHostPaths: - # pathPrefix <string>: The path prefix that the host volume must # match. pathPrefix: <string> # readOnly <boolean>: when set to true, any container volumeMounts # matching the pathPrefix must include `readOnly: true`. readOnly: <boolean> Exemplos
psp-host-filesystem
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: psp-host-filesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedHostPaths: - pathPrefix: /foo readOnly: true
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /foo/bar name: cache-volume
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-filesystem-disallowed name: nginx-host-filesystem spec: ephemeralContainers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - hostPath: path: /tmp name: cache-volume
K8sPSPHostNamespace
Namespace do host v1.0.1
Não permite o compartilhamento de namespaces PID de host e IPC por contêineres de pod. Corresponde aos campos hostPID e hostIPC em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: <object> Exemplos
psp-host-namespace-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: psp-host-namespace-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-allowed spec: containers: - image: nginx name: nginx hostIPC: false hostPID: false
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-namespace name: nginx-host-namespace-disallowed spec: containers: - image: nginx name: nginx hostIPC: true hostPID: true
K8sPSPHostNetworkingPorts
Portas de rede do host v1.0.2
Controla o uso de namespace da rede do host por contêineres de pod. As portas precisam ser especificadas. Corresponde aos campos hostNetwork e hostPorts em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # hostNetwork <boolean>: Determines if the policy allows the use of # HostNetwork in the pod spec. hostNetwork: <boolean> # max <integer>: The end of the allowed port range, inclusive. max: <integer> # min <integer>: The start of the allowed port range, inclusive. min: <integer> Exemplos
psp-host-network-ports-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: psp-host-network-ports-sample spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: hostNetwork: true max: 9000 min: 80
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-allowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9000 hostPort: 80 hostNetwork: false
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: containers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-host-networking-ports name: nginx-host-networking-ports-disallowed spec: ephemeralContainers: - image: nginx name: nginx ports: - containerPort: 9001 hostPort: 9001 hostNetwork: true
K8sPSPPrivilegedContainer
Contêiner privilegiado v1.0.1
Controla a capacidade de qualquer contêiner de ativar o modo privilegiado. Corresponde ao campo privileged em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
psp-privileged-container-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: psp-privileged-container-sample spec: match: excludedNamespaces: - kube-system kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-allowed spec: containers: - image: nginx name: nginx securityContext: privileged: false
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: containers: - image: nginx name: nginx securityContext: privileged: true
apiVersion: v1 kind: Pod metadata: labels: app: nginx-privileged name: nginx-privileged-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: privileged: true
K8sPSPProcMount
Proc Mount v1.0.3
Controla os tipos procMount permitidos para o contêiner. Corresponde ao campo allowedProcMountTypes em um PodSecurityPolicy Para saber mais, acesse https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # procMount <string>: Defines the strategy for the security exposure of # certain paths in `/proc` by the container runtime. Setting to `Default` # uses the runtime defaults, where `Unmasked` bypasses the default # behavior. # Allowed Values: Default, Unmasked procMount: <string> Exemplos
psp-proc-mount
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: psp-proc-mount spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: procMount: Default
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Default
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: containers: - image: nginx name: nginx securityContext: procMount: Unmasked
apiVersion: v1 kind: Pod metadata: labels: app: nginx-proc-mount name: nginx-proc-mount-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: procMount: Unmasked
K8sPSPReadOnlyRootFilesystem
Sistema de arquivos raiz somente leitura v1.0.1
Exige o uso de um sistema de arquivos raiz somente leitura por contêineres de pod. Corresponde ao campo readOnlyRootFilesystem em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
psp-readonlyrootfilesystem
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-allowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: true
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: containers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
apiVersion: v1 kind: Pod metadata: labels: app: nginx-readonlyrootfilesystem name: nginx-readonlyrootfilesystem-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: readOnlyRootFilesystem: false
K8sPSPSELinuxV2
SELinux V2 v1.0.3
Define uma lista de permissões de configurações seLinuxOptions para contêineres de pod. Corresponde a um PodSecurityPolicy que requer configurações do SELinux. Saiba mais em https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSELinuxV2 metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSELinuxOptions <array>: An allow-list of SELinux options # configurations. allowedSELinuxOptions: # <list item: object>: An allowed configuration of SELinux options for a # pod container. - # level <string>: An SELinux level. level: <string> # role <string>: An SELinux role. role: <string> # type <string>: An SELinux type. type: <string> # user <string>: An SELinux user. user: <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
psp-selinux-v2
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSELinuxV2 metadata: name: psp-selinux-v2 spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedSELinuxOptions: - level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-allowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s0:c123,c456 role: object_r type: svirt_sandbox_file_t user: system_u
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: containers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
apiVersion: v1 kind: Pod metadata: labels: app: nginx-selinux name: nginx-selinux-disallowed spec: ephemeralContainers: - image: nginx name: nginx securityContext: seLinuxOptions: level: s1:c234,c567 role: sysadm_r type: svirt_lxc_net_t user: sysadm_u
K8sPSPSeccomp
Seccomp v1.0.1
Controla o perfil seccomp usado pelos contêineres. Corresponde à anotação seccomp.security.alpha.kubernetes.io/allowedProfileNames em um PodSecurityPolicy. Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedLocalhostFiles <array>: When using securityContext naming scheme # for seccomp and including `Localhost` this array holds the allowed # profile JSON files. Putting a `*` in this array will allows all JSON # files to be used. This field is required to allow `Localhost` in # securityContext as with an empty list it will block. allowedLocalhostFiles: - <string> # allowedProfiles <array>: An array of allowed profile values for seccomp # on Pods/Containers. Can use the annotation naming scheme: # `runtime/default`, `docker/default`, `unconfined` and/or # `localhost/some-profile.json`. The item `localhost/*` will allow any # localhost based profile. Can also use the securityContext naming scheme: # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the # allowed profile JSON files. The policy code will translate between the # two schemes so it is not necessary to use both. Putting a `*` in this # array allows all Profiles to be used. This field is required since with # an empty list this policy will block all workloads. allowedProfiles: - <string> # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> Exemplos
psp-seccomp
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: psp-seccomp spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedProfiles: - runtime/default - docker/default
Permitido
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default labels: app: nginx-seccomp name: nginx-seccomp-allowed2 spec: containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed2 spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp name: nginx-seccomp-disallowed spec: ephemeralContainers: - image: nginx name: nginx
K8sPSPVolumeTypes
Tipos de volume v1.0.2
Restringe os tipos de volume montáveis para aqueles especificados pelo usuário. Corresponde ao campo volumes em um PodSecurityPolicy Para saber mais, consulte https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems (em inglês)
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPVolumeTypes metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # volumes <array>: `volumes` is an array of volume types. All volume types # can be enabled using `*`. volumes: - <string> Exemplos
psp-volume-types
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPVolumeTypes metadata: name: psp-volume-types spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: volumes: - configMap - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim - flexVolume
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-allowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - emptyDir: {} name: cache-volume - emptyDir: {} name: demo-vol
Não permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx-volume-types name: nginx-volume-types-disallowed spec: containers: - image: nginx name: nginx volumeMounts: - mountPath: /cache name: cache-volume - image: nginx name: nginx2 volumeMounts: - mountPath: /cache2 name: demo-vol volumes: - hostPath: path: /tmp name: cache-volume - emptyDir: {} name: demo-vol
K8sPSPWindowsHostProcess
Restringe contêineres / pods do HostProcess do Windows. v1.0.0
Restringe a execução de contêineres / pods do HostProcess do Windows. Para mais informações, consulte https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPWindowsHostProcess metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
restrict-windows-hostprocess
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPWindowsHostProcess metadata: name: restrict-windows-hostprocess spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-loop nodeSelector: kubernetes.io/os: windows
Não permitido
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop-hostprocess-container spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-test securityContext: windowsOptions: hostProcess: true runAsUserName: NT AUTHORITY\SYSTEM hostNetwork: true nodeSelector: kubernetes.io/os: windows
apiVersion: v1 kind: Pod metadata: name: nanoserver-ping-loop-hostprocess-pod spec: containers: - command: - ping - -t - 127.0.0.1 image: mcr.microsoft.com/windows/nanoserver:1809 name: ping-test hostNetwork: true nodeSelector: kubernetes.io/os: windows securityContext: windowsOptions: hostProcess: true runAsUserName: NT AUTHORITY\SYSTEM
K8sPSSRunAsNonRoot
Requer que contêineres sejam executados como usuários não raiz. v1.0.0
Requer que contêineres sejam executados como usuários não raiz. Para mais informações, consulte https://kubernetes.io/docs/concepts/security/pod-security-standards/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSSRunAsNonRoot metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
restrict-runasnonroot
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSSRunAsNonRoot metadata: name: restrict-runasnonroot spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: name: nginx-pod-allowed spec: containers: - image: nginx name: nginx-container-allowed securityContext: runAsNonRoot: true securityContext: runAsNonRoot: true
apiVersion: v1 kind: Pod metadata: name: nginx-allowed spec: containers: - image: nginx name: nginx-allowed securityContext: runAsNonRoot: true
Não permitido
apiVersion: v1 kind: Pod metadata: name: nginx-pod-allowed spec: containers: - image: nginx name: nginx-container-disallowed securityContext: runAsNonRoot: false securityContext: runAsNonRoot: true
apiVersion: v1 kind: Pod metadata: name: nginx-pod-disallowed spec: containers: - image: nginx name: nginx-container-allowed securityContext: runAsNonRoot: true securityContext: runAsNonRoot: false
apiVersion: v1 kind: Pod metadata: name: nginx-pod-disallowed spec: containers: - image: nginx name: nginx-container-disallowed securityContext: runAsNonRoot: false
K8sPodDisruptionBudget
Orçamento de interrupção de pods v1.0.3
Não permita os seguintes cenários ao implantar PodDisruptionBudgets ou recursos que implementam o sub-recurso de réplica (por exemplo, Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Implantação de PodDisruptionBudgets com .spec.maxUnavailable == 0 2. Implantação de PodDisruptionBudgets com .spec.minAvailable == .spec.replicas do recurso com sub-recurso de réplica. Isso impedirá que PodDisruptionBudgets bloqueie interrupções voluntárias, como a drenagem de nós. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodDisruptionBudget metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "policy" version: "v1" kind: "PodDisruptionBudget" Exemplos
pod-distruption-budget
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodDisruptionBudget metadata: name: pod-distruption-budget spec: match: kinds: - apiGroups: - apps kinds: - Deployment - ReplicaSet - StatefulSet - apiGroups: - policy kinds: - PodDisruptionBudget - apiGroups: - "" kinds: - ReplicationController
Permitido
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: nginx-pdb-allowed namespace: default spec: maxUnavailable: 1 selector: matchLabels: foo: bar
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-1 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-1 template: metadata: labels: app: nginx example: allowed-deployment-1 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-1 namespace: default spec: minAvailable: 2 selector: matchLabels: app: nginx example: allowed-deployment-1
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-2 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-2 template: metadata: labels: app: nginx example: allowed-deployment-2 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-2 namespace: default spec: maxUnavailable: 1 selector: matchLabels: app: nginx example: allowed-deployment-2
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-allowed-3 namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: allowed-deployment-3 template: metadata: labels: app: nginx example: allowed-deployment-3 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-allowed-3 namespace: default spec: minAvailable: 2 selector: matchLabels: app: nginx
apiVersion: apps/v1 kind: Deployment metadata: labels: app: non-matching-nginx name: nginx-deployment-allowed-4 namespace: default spec: replicas: 1 selector: matchLabels: app: non-matching-nginx example: allowed-deployment-4 template: metadata: labels: app: non-matching-nginx example: allowed-deployment-4 spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-mongo-pdb-allowed-3 namespace: default spec: minAvailable: 2 selector: matchLabels: app: mongo example: non-matching-deployment-3
Não permitido
apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: nginx-pdb-disallowed namespace: default spec: maxUnavailable: 0 selector: matchLabels: foo: bar
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: nginx-deployment-disallowed namespace: default spec: replicas: 3 selector: matchLabels: app: nginx example: disallowed-deployment template: metadata: labels: app: nginx example: disallowed-deployment spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80 --- # Referential Data apiVersion: policy/v1 kind: PodDisruptionBudget metadata: name: inventory-nginx-pdb-disallowed namespace: default spec: minAvailable: 3 selector: matchLabels: app: nginx example: disallowed-deployment
K8sPodResourcesBestPractices
Requer que os contêineres não estejam configurados para o melhor esforço e sigam as práticas recomendadas de burst v1.0.5.
Requer que os contêineres não estejam configurados para o melhor esforço (configurando solicitações de CPU e memória) e sigam as práticas recomendadas de burst (a solicitação de memória precisa ter o mesmo limite). Como opção, as chaves de anotação podem ser configuradas para permitir que várias validações sejam puladas.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodResourcesBestPractices metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: A list of exempt Images. exemptImages: - <string> # skipBestEffortValidationAnnotationKey <string>: Optional annotation key # to skip best-effort container validation. skipBestEffortValidationAnnotationKey: <string> # skipBurstableValidationAnnotationKey <string>: Optional annotation key to # skip burstable container validation. skipBurstableValidationAnnotationKey: <string> # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional # annotation key to skip both best-effort and burstable validation. skipResourcesBestPracticesValidationAnnotationKey: <string> Exemplos
gke-pod-resources-best-practices
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodResourcesBestPractices metadata: name: gke-pod-resources-best-practices spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: skipBestEffortValidationAnnotationKey: skip_besteffort_validation skipBurstableValidationAnnotationKey: skip_burstable_validation skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation
Permitido
apiVersion: v1 kind: Pod metadata: name: pod-setting-cpu-requests-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-limits-only spec: containers: - image: nginx name: nginx resources: limits: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-requests-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 100Mi requests: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: annotations: skip_besteffort_validation: "true" skip_burstable_validation: "true" skip_resources_best_practices_validation: "false" name: pod-skip-validation spec: containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: name: pod-not-setting-cpu-burstable-on-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-not-setting-requests spec: containers: - image: nginx name: nginx restartPolicy: OnFailure
apiVersion: v1 kind: Pod metadata: name: pod-setting-cpu-not-burstable-on-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 500Mi requests: cpu: 250m memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-memory-requests-cpu-limits spec: containers: - image: nginx name: nginx resources: limits: cpu: 30m requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu-limits spec: containers: - image: nginx name: nginx resources: limits: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu-requests spec: containers: - image: nginx name: nginx resources: requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-cpu spec: containers: - image: nginx name: nginx resources: limits: cpu: 500m requests: cpu: 250m
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory-limits spec: containers: - image: nginx name: nginx resources: limits: memory: 250Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory-requests spec: containers: - image: nginx name: nginx resources: requests: memory: 100Mi
apiVersion: v1 kind: Pod metadata: name: pod-setting-only-memory spec: containers: - image: nginx name: nginx resources: limits: memory: 100Mi requests: memory: 100Mi
K8sPodsRequireSecurityContext
Os pods exigem o contexto de segurança v1.1.1
Requer que todos os pods definam securityContext. Requer que todos os contêineres definidos em pods tenham um SecurityContext definido no nível do pod ou do contêiner.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: A list of exempt Images. exemptImages: - <string> Exemplos
pods-require-security-context-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPodsRequireSecurityContext metadata: name: pods-require-security-context-sample spec: enforcementAction: dryrun parameters: exemptImages: - nginix-exempt - alpine*
Permitido
apiVersion: v1 kind: Pod metadata: name: allowed-example spec: containers: - image: nginx name: nginx securityContext: runAsUser: 2000
apiVersion: v1 kind: Pod metadata: name: allowed-example-exemptImage spec: containers: - image: nginix-exempt name: nginx
apiVersion: v1 kind: Pod metadata: name: allowed-example-exemptImage-wildcard spec: containers: - image: alpine17 name: alpine
Não permitido
apiVersion: v1 kind: Pod metadata: name: disallowed-example spec: containers: - image: nginx name: nginx
K8sProhibitRoleWildcardAccess
Proibir o acesso de caractere curinga de Roles v1.0.5
Requer que Roles e ClusterRoles não definam o acesso a recursos com um caractere curinga "", exceto os Roles e ClusterRoles isentos fornecidos como isenções. Não restringe o acesso de caractere curinga a sub-recursos, como "/status".
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptions <object>: The list of exempted Roles and/or ClusterRoles name # that are allowed to set resource access to a wildcard. exemptions: clusterRoles: - # name <string>: The name of the ClusterRole to be exempted. name: <string> # regexMatch <boolean>: The flag to allow a regular expression # based match on the name. regexMatch: <boolean> roles: - # name <string>: The name of the Role to be exempted. name: <string> # namespace <string>: The namespace of the Role to be exempted. namespace: <string> Exemplos
prohibit-role-wildcard-access-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-role-wildcard-access-sample spec: enforcementAction: dryrun
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-example rules: - apiGroups: - "" resources: - pods verbs: - get
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-bad-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
prohibit-wildcard-except-exempted-cluster-role
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sProhibitRoleWildcardAccess metadata: name: prohibit-wildcard-except-exempted-cluster-role spec: enforcementAction: dryrun parameters: exemptions: clusterRoles: - name: cluster-role-allowed-example roles: - name: role-allowed-example namespace: role-ns-allowed-example
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-allowed-example namespace: role-ns-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-role-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: role-not-allowed-example namespace: role-ns-not-allowed-example rules: - apiGroups: - "" resources: - pods verbs: - '*'
K8sReplicaLimits
Limites de réplica v1.0.2
Requer que objetos com o campo spec.replicas (Implantações, ReplicaSets etc.) especifiquem um número de réplicas em intervalos definidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sReplicaLimits metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # ranges <array>: Allowed ranges for numbers of replicas. Values are # inclusive. ranges: # <list item: object>: A range of allowed replicas. Values are # inclusive. - # max_replicas <integer>: The maximum number of replicas allowed, # inclusive. max_replicas: <integer> # min_replicas <integer>: The minimum number of replicas allowed, # inclusive. min_replicas: <integer> Exemplos
replica-limits
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sReplicaLimits metadata: name: replica-limits spec: match: kinds: - apiGroups: - apps kinds: - Deployment parameters: ranges: - max_replicas: 50 min_replicas: 3
Permitido
apiVersion: apps/v1 kind: Deployment metadata: name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Não permitido
apiVersion: apps/v1 kind: Deployment metadata: name: disallowed-deployment spec: replicas: 100 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
K8sRequireAdmissionController
Exige o controlador de admissão v1.0.0
Requer admissão de segurança de pods ou um sistema de controle de política externo
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireAdmissionController metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # permittedValidatingWebhooks <array>: List of permitted validating # webhooks which are valid external policy control systems permittedValidatingWebhooks: - <string> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "admissionregistration.k8s.io" version: "v1" OR "v1beta1" kind: "ValidatingWebhookConfiguration" Exemplos
require-admission-controller
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireAdmissionController metadata: name: require-admission-controller spec: match: kinds: - apiGroups: - "" kinds: - Namespace
Permitido
apiVersion: v1 kind: Namespace metadata: labels: pod-security.kubernetes.io/enforce: baseline pod-security.kubernetes.io/enforce-version: v1.28 name: allowed-namespace
Não permitido
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequireBinAuthZ
Exige autorização binária v1.0.2
Requer a autorização binária que valida o webhook de admissão. As restrições que usam esse ConstraintTemplate serão auditadas somente, independentemente do valor enforcementAction.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireBinAuthZ metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "admissionregistration.k8s.io" version: "v1" OR "v1beta1" kind: "ValidatingWebhookConfiguration" Exemplos
require-binauthz
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireBinAuthZ metadata: name: require-binauthz spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Namespace
Permitido
apiVersion: v1 kind: Namespace metadata: name: default --- # Referential Data apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: binauthz-admission-controller webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview name: imagepolicywebhook.image-policy.k8s.io rules: - operations: - CREATE - UPDATE - apiVersion: - v1 sideEffects: None
Não permitido
apiVersion: v1 kind: Namespace metadata: name: default
K8sRequireCosNodeImage
Exigir a imagem de nó do COS v1.1.1
Aplica o uso do SO Container-Optimized do Google em nós.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireCosNodeImage metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptOsImages <array>: A list of exempt OS Images. exemptOsImages: - <string> Exemplos
nodes-have-consistent-time
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireCosNodeImage metadata: name: nodes-have-consistent-time spec: enforcementAction: dryrun parameters: exemptOsImages: - Debian - Ubuntu*
Permitido
apiVersion: v1 kind: Node metadata: name: allowed-example status: nodeInfo: osImage: Container-Optimized OS from Google
apiVersion: v1 kind: Node metadata: name: example-exempt status: nodeInfo: osImage: Debian
apiVersion: v1 kind: Node metadata: name: example-exempt-wildcard status: nodeInfo: osImage: Ubuntu 18.04.5 LTS
Não permitido
apiVersion: v1 kind: Node metadata: name: disallowed-example status: nodeInfo: osImage: Debian GNUv1.0
K8sRequireDaemonsets
Daemonsets v1.1.2 obrigatórios
Exige a lista de daemonsets especificados como presente.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDaemonsets metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # requiredDaemonsets <array>: A list of names and namespaces of the # required daemonsets. requiredDaemonsets: - # name <string>: The name of the required daemonset. name: <string> # namespace <string>: The namespace for the required daemonset. namespace: <string> # restrictNodeSelector <boolean>: The daemonsets cannot include # `NodeSelector`. restrictNodeSelector: <boolean> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "DaemonSet" OR - group: "apps" version: "v1beta2" OR "v1" kind: "DaemonSet" Exemplos
require-daemonset
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDaemonsets metadata: name: require-daemonset spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Namespace parameters: requiredDaemonsets: - name: clamav namespace: pci-dss-av restrictNodeSelector: true
Permitido
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: other namespace: pci-dss-av spec: selector: matchLabels: name: other template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: other --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: labels: k8s-app: clamav-host-scanner name: clamav namespace: pci-dss-av spec: selector: matchLabels: name: clamav template: metadata: labels: name: clamav spec: containers: - image: us.gcr.io/{your-project-id}/clamav:latest livenessProbe: exec: command: - /health.sh initialDelaySeconds: 60 periodSeconds: 30 name: clamav-scanner resources: limits: memory: 3Gi requests: cpu: 500m memory: 2Gi volumeMounts: - mountPath: /data name: data-vol - mountPath: /host-fs name: host-fs readOnly: true - mountPath: /logs name: logs terminationGracePeriodSeconds: 30 tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master volumes: - emptyDir: {} name: data-vol - hostPath: path: / name: host-fs - hostPath: path: /var/log/clamav name: logs
Não permitido
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: other namespace: pci-dss-av spec: selector: matchLabels: name: other template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: other
apiVersion: v1 kind: Namespace metadata: name: pci-dss-av --- # Referential Data apiVersion: apps/v1 kind: DaemonSet metadata: name: clamav namespace: pci-dss-av spec: selector: matchLabels: name: clamav template: spec: containers: - image: us.gcr.io/{your-project-id}/other:latest name: clamav nodeSelector: cloud.google.com/gke-spot: "true"
K8sRequireDefaultDenyEgressPolicy
Exigir a política de saída de negação padrão v1.0.3
Exige que cada namespace definido no cluster tenha uma NetworkPolicy de negação padrão para saída.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "NetworkPolicy" OR - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy" Exemplos
require-default-deny-network-policies
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireDefaultDenyEgressPolicy metadata: name: require-default-deny-network-policies spec: enforcementAction: dryrun
Permitido
apiVersion: v1 kind: Namespace metadata: name: example-namespace --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress namespace: example-namespace spec: podSelector: {} policyTypes: - Egress
Não permitido
apiVersion: v1 kind: Namespace metadata: name: example-namespace
apiVersion: v1 kind: Namespace metadata: name: example-namespace2 --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-egress namespace: example-namespace spec: podSelector: {} policyTypes: - Egress
K8sRequireNamespaceNetworkPolicies
Exigir políticas de rede de namespace v1.0.6
Requer que cada namespace definido no cluster tenha uma NetworkPolicy.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "NetworkPolicy" OR - group: "networking.k8s.io" version: "v1" kind: "NetworkPolicy" Exemplos
require-namespace-network-policies-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireNamespaceNetworkPolicies metadata: name: require-namespace-network-policies-sample spec: enforcementAction: dryrun
Permitido
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example --- # Referential Data apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: require-namespace-network-policies-example
Não permitido
apiVersion: v1 kind: Namespace metadata: name: require-namespace-network-policies-example
K8sRequireValidRangesForNetworks
Exigir intervalos válidos para redes v1.0.2
Aplica quais blocos CIDR são permitidos para entrada e saída de rede.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireValidRangesForNetworks metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are # allowed for egress. allowedEgress: - <string> # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are # allowed for ingress. allowedIngress: - <string> Exemplos
require-valid-network-ranges
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequireValidRangesForNetworks metadata: name: require-valid-network-ranges spec: enforcementAction: dryrun parameters: allowedEgress: - 10.0.0.0/32 allowedIngress: - 10.0.0.0/24
Permitido
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy namespace: default spec: egress: - ports: - port: 5978 protocol: TCP to: - ipBlock: cidr: 10.0.0.0/32 ingress: - from: - ipBlock: cidr: 10.0.0.0/29 - ipBlock: cidr: 10.0.0.100/29 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - port: 6379 protocol: TCP podSelector: matchLabels: role: db policyTypes: - Ingress - Egress
Não permitido
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: test-network-policy-disallowed namespace: default spec: egress: - ports: - port: 5978 protocol: TCP to: - ipBlock: cidr: 1.1.2.0/31 ingress: - from: - ipBlock: cidr: 1.1.2.0/24 - ipBlock: cidr: 2.1.2.0/24 - namespaceSelector: matchLabels: project: myproject - podSelector: matchLabels: role: frontend ports: - port: 6379 protocol: TCP podSelector: matchLabels: role: db policyTypes: - Ingress - Egress
K8sRequiredAnnotations
Anotações necessárias v1.0.1
Exige recursos para conter anotações especificadas, com valores correspondentes às expressões regulares fornecidas.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # annotations <array>: A list of annotations and values the object must # specify. annotations: - # allowedRegex <string>: If specified, a regular expression the # annotation's value must match. The value must contain at least one # match for the regular expression. allowedRegex: <string> # key <string>: The required annotation. key: <string> message: <string> Exemplos
all-must-have-certain-set-of-annotations
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredAnnotations metadata: name: all-must-have-certain-set-of-annotations spec: match: kinds: - apiGroups: - "" kinds: - Service parameters: annotations: - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$ key: a8r.io/owner - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$ key: a8r.io/runbook message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.
Permitido
apiVersion: v1 kind: Service metadata: annotations: a8r.io/owner: [email protected] a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks name: allowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
Não permitido
apiVersion: v1 kind: Service metadata: name: disallowed-service spec: ports: - name: http port: 80 targetPort: 8080 selector: app: foo
K8sRequiredLabels
Rótulos necessários v1.0.1
Exige recursos com rótulos especificados, com valores correspondentes às expressões regulares fornecidas.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # labels <array>: A list of labels and values the object must specify. labels: - # allowedRegex <string>: If specified, a regular expression the # annotation's value must match. The value must contain at least one # match for the regular expression. allowedRegex: <string> # key <string>: The required label. key: <string> message: <string> Exemplos
all-must-have-owner
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredLabels metadata: name: all-must-have-owner spec: match: kinds: - apiGroups: - "" kinds: - Namespace parameters: labels: - allowedRegex: ^[a-zA-Z]+.agilebank.demo$ key: owner message: All namespaces must have an `owner` label that points to your company username
Permitido
apiVersion: v1 kind: Namespace metadata: labels: owner: user.agilebank.demo name: allowed-namespace
Não permitido
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sRequiredProbes
Sondagens necessárias v1.0.1
Requer que os pods tenham sondagens de preparo e/ou atividade.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredProbes metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # probeTypes <array>: The probe must define a field listed in `probeType` # in order to satisfy the constraint (ex. `tcpSocket` satisfies # `['tcpSocket', 'exec']`) probeTypes: - <string> # probes <array>: A list of probes that are required (ex: `readinessProbe`) probes: - <string> Exemplos
must-have-probes
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredProbes metadata: name: must-have-probes spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: probeTypes: - tcpSocket - httpGet - exec probes: - readinessProbe - livenessProbe
Permitido
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: tomcat livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 80 name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
Não permitido
apiVersion: v1 kind: Pod metadata: name: test-pod1 spec: containers: - image: nginx:1.7.9 name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
apiVersion: v1 kind: Pod metadata: name: test-pod2 spec: containers: - image: nginx:1.7.9 livenessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 80 name: nginx-1 ports: - containerPort: 80 volumeMounts: - mountPath: /tmp/cache name: cache-volume - image: tomcat name: tomcat ports: - containerPort: 8080 readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 tcpSocket: port: 8080 volumes: - emptyDir: {} name: cache-volume
K8sRequiredResources
Recursos necessários v1.0.1
Requer que os contêineres tenham recursos definidos. https://kubernetes.io/docs/Escolhas/configuration/manage-resources-containers/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exemptImages <array>: Any container that uses an image that matches an # entry in this list will be excluded from enforcement. Prefix-matching can # be signified with `*`. For example: `my-image-*`. It is recommended that # users use the fully-qualified Docker image name (e.g. start with a domain # name) in order to avoid unexpectedly exempting images from an untrusted # repository. exemptImages: - <string> # limits <array>: A list of limits that should be enforced (`cpu`, # `memory`, or both). limits: # Allowed Values: cpu, memory - <string> # requests <array>: A list of requests that should be enforced (`cpu`, # `memory`, or both). requests: # Allowed Values: cpu, memory - <string> Exemplos
container-must-have-limits-and-requests
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: container-must-have-limits-and-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: limits: - cpu - memory requests: - cpu - memory
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: container-must-have-cpu-requests-memory-limits-and-requests spec: match: kinds: - apiGroups: - "" kinds: - Pod parameters: limits: - memory requests: - cpu - memory
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m memory: 2Gi
Não permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
no-enforcements
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata: name: no-enforcements spec: match: kinds: - apiGroups: - "" kinds: - Pod
Permitido
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-allowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: cpu: 100m memory: 1Gi requests: cpu: 100m memory: 1Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: requests: cpu: 100m memory: 2Gi
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: limits: memory: 2Gi requests: cpu: 100m
apiVersion: v1 kind: Pod metadata: labels: owner: me.agilebank.demo name: opa-disallowed spec: containers: - args: - run - --server - --addr=localhost:8080 image: openpolicyagent/opa:0.9.2 name: opa resources: {}
K8sRestrictAdmissionController
Controlador de admissão restrita v1.0.0
Restringir os controladores de admissão dinâmica aos permitidos
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAdmissionController metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # permittedMutatingWebhooks <array>: List of permitted mutating webhooks # (mutating admission controllers) permittedMutatingWebhooks: - <string> # permittedValidatingWebhooks <array>: List of permitted validating # webhooks (validating admission controllers) permittedValidatingWebhooks: - <string> Exemplos
restrict-admission-controller
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAdmissionController metadata: name: restrict-admission-controller spec: match: kinds: - apiGroups: - admissionregistration.k8s.io kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration parameters: permittedMutatingWebhooks: - allowed-mutating-webhook permittedValidatingWebhooks: - allowed-validating-webhook
Permitido
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: allowed-validating-webhook
Não permitido
apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: disallowed-validating-webhook
K8sRestrictAutomountServiceAccountTokens
Restringir tokens de conta de serviço v1.0.1
Restringe o uso de tokens de contas de serviço.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAutomountServiceAccountTokens metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
restrict-serviceaccounttokens
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictAutomountServiceAccountTokens metadata: name: restrict-serviceaccounttokens spec: enforcementAction: dryrun match: kinds: - apiGroups: - "" kinds: - Pod - ServiceAccount
Permitido
apiVersion: v1 kind: Pod metadata: name: allowed-example-pod spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: ServiceAccount metadata: name: disallowed-example-serviceaccount
Não permitido
apiVersion: v1 kind: Pod metadata: name: disallowed-example-pod spec: automountServiceAccountToken: true containers: - image: nginx name: nginx
apiVersion: v1 automountServiceAccountToken: true kind: ServiceAccount metadata: name: allowed-example-serviceaccount
K8sRestrictLabels
Restringir rótulos v1.0.2
Não permite que os recursos contenham rótulos especificados, a menos que haja uma exceção para o recurso específico.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictLabels metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # exceptions <array>: Objects listed here are exempt from enforcement of # this constraint. All fields must be provided. exceptions: # <list item: object>: A single object's identification, based on group, # kind, namespace, and name. - # group <string>: The Kubernetes group of the exempt object. group: <string> # kind <string>: The Kubernetes kind of the exempt object. kind: <string> # name <string>: The name of the exempt object. name: <string> # namespace <string>: The namespace of the exempt object. For # cluster-scoped resources, use the empty string `""`. namespace: <string> # restrictedLabels <array>: A list of label keys strings. restrictedLabels: - <string> Exemplos
restrict-label-example
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictLabels metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: exceptions: - group: "" kind: Pod name: allowed-example namespace: default restrictedLabels: - label-example
Permitido
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNamespaces
Restringir namespaces v1.0.1
Restringe o uso de namespaces listados no parâmetro restrictedNamespaces.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNamespaces metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # restrictedNamespaces <array>: A list of Namespaces to restrict. restrictedNamespaces: - <string> Exemplos
restrict-default-namespace-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNamespaces metadata: name: restrict-default-namespace-sample spec: enforcementAction: dryrun parameters: restrictedNamespaces: - default
Permitido
apiVersion: v1 kind: Pod metadata: name: allowed-example namespace: test-namespace spec: containers: - image: nginx name: nginx
Não permitido
apiVersion: v1 kind: Pod metadata: name: disallowed-example namespace: default spec: containers: - image: nginx name: nginx
K8sRestrictNfsUrls
Restringir URLs de NFS v1.0.1
Não permite que os recursos contenham URLs NFS, a menos que especificado de outra forma.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNfsUrls metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedNfsUrls <array>: A list of allowed NFS URLs allowedNfsUrls: - <string> Exemplos
restrict-label-example
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictNfsUrls metadata: name: restrict-label-example spec: enforcementAction: dryrun parameters: allowedNfsUrls: - my-nfs-server.example.com/my-nfs-volume - my-nfs-server.example.com/my-wildcard-nfs-volume/*
Permitido
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example namespace: default spec: containers: - image: nginx name: nginx
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example-nfs namespace: default spec: containers: - image: nginx name: nginx - name: test-volume nfs: path: /my-nfs-volume server: my-nfs-server.example.com
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: allowed-example-nfs-wildcard namespace: default spec: containers: - image: nginx name: nginx - name: test-volume nfs: path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path server: my-nfs-server.example.com
Não permitido
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example-nfs namespace: default spec: containers: - image: nginx name: nginx volumes: - name: test-volume nfs: path: /my-nfs-volume server: disallowed-nfs-server.example.com
apiVersion: v1 kind: Pod metadata: labels: label-example: example name: disallowed-example-nfs-mixed namespace: default spec: containers: - image: nginx name: nginx volumes: - name: test-volume-allowed nfs: path: /my-nfs-volume server: my-nfs-server.example.com - name: test-volume-disallowed nfs: path: /my-nfs-volume server: disallowed-nfs-server.example.com
K8sRestrictRbacSubjects
Restringir assuntos do RBAC v1.0.3
Restringe o uso de nomes nos assuntos do RBAC a valores permitidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRbacSubjects metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSubjects <array>: The list of names permitted in RBAC subjects. allowedSubjects: - # name <string>: The exact-name or the pattern of the allowed subject name: <string> # regexMatch <boolean>: The flag to allow a regular expression based # match on the name. regexMatch: <boolean> Exemplos
restrict-rbac-subjects
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRbacSubjects metadata: name: restrict-rbac-subjects spec: enforcementAction: dryrun match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - RoleBinding - ClusterRoleBinding parameters: allowedSubjects: - name: system:masters - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$ regexMatch: true - name: ^[email protected]$ regexMatch: true - name: ^[email protected]$ regexMatch: true
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected] - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected]
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected] - apiGroup: rbac.authorization.k8s.io kind: User name: [email protected]
K8sRestrictRoleBindings
Restringir vinculações de papéis v1.0.3
Restringe os assuntos especificados em ClusterRoleBindings e RoleBindings para uma lista de assuntos permitidos.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedSubjects <array>: The list of subjects that are allowed to bind to # the restricted role. allowedSubjects: - # apiGroup <string>: The Kubernetes API group of the subject. apiGroup: <string> # kind <string>: The Kubernetes kind of the subject. kind: <string> # name <string>: The name of the subject which is matched exactly as # provided as well as based on a regular expression. name: <string> # regexMatch <boolean>: The flag to allow a regular expression based # match on the name. regexMatch: <boolean> # restrictedRole <object>: The role that cannot be bound to unless # expressly allowed. restrictedRole: # apiGroup <string>: The Kubernetes API group of the role. apiGroup: <string> # kind <string>: The Kubernetes kind of the role. kind: <string> # name <string>: The name of the role. name: <string> Exemplos
restrict-clusteradmin-rolebindings-sample
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings-sample spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:masters
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:unauthenticated
restrict-clusteradmin-rolebindings-regex
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: name: restrict-clusteradmin-rolebindings-regex spec: enforcementAction: dryrun parameters: allowedSubjects: - apiGroup: rbac.authorization.k8s.io kind: User name: ^service-[0-9][email protected]$ regexMatch: true restrictedRole: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: good-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: bad-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
K8sRestrictRoleRules
Restringir regras de Role e ClusterRole. v1.0.4
Restringe regras que podem ser definidas em objetos Role e ClusterRole.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleRules metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedRules <array>: AllowedRules is the list of rules that are allowed # on Role or ClusterRole objects. If set, any item off this list will be # rejected. allowedRules: - # apiGroups <array>: APIGroups is the name of the APIGroup that # contains the resources. If multiple API groups are specified, any # action requested against one of the enumerated resources in any API # group will be allowed. "" represents the core API group and "*" # represents all API groups. apiGroups: - <string> # resources <array>: Resources is a list of resources this rule # applies to. '*' represents all resources. resources: - <string> # verbs <array>: Verbs is a list of Verbs that apply to ALL the # ResourceKinds contained in this rule. '*' represents all verbs. verbs: - <string> # disallowedRules <array>: DisallowedRules is the list of rules that are # NOT allowed on Role or ClusterRole objects. If set, any item on this list # will be rejected. disallowedRules: - # apiGroups <array>: APIGroups is the name of the APIGroup that # contains the resources. If multiple API groups are specified, any # action requested against one of the enumerated resources in any API # group will be disallowed. "" represents the core API group and "*" # represents all API groups. apiGroups: - <string> # resources <array>: Resources is a list of resources this rule # applies to. '*' represents all resources. resources: - <string> # verbs <array>: Verbs is a list of Verbs that apply to ALL the # ResourceKinds contained in this rule. '*' represents all verbs. verbs: - <string> # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles # names that are allowed to violate this policy. exemptions: clusterRoles: - # name <string>: Name is the name or a pattern of the ClusterRole # to be exempted. name: <string> # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs # regex match of the ClusterRole name. regexMatch: <boolean> roles: - # name <string>: Name is the name of the Role to be exempted. name: <string> # namespace <string>: Namespace is the namespace of the Role to be # exempted. namespace: <string> Exemplos
restrict-pods-exec
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleRules metadata: name: restrict-pods-exec spec: enforcementAction: dryrun match: kinds: - apiGroups: - rbac.authorization.k8s.io kinds: - Role - ClusterRole parameters: disallowedRules: - apiGroups: - "" resources: - pods/exec verbs: - create
Permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: allowed-role-example rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
Não permitido
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: disallowed-cluster-role-example rules: - apiGroups: - "" resources: - pods/exec verbs: - '*'
K8sStorageClass
Classe de armazenamento v1.1.2
Requer que as classes de armazenamento sejam especificadas quando usadas. Apenas contêineres não temporários e do Gatekeeper 3.9+ são compatíveis.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedStorageClasses <array>: An optional allow-list of storage classes. # If specified, any storage class not in the `allowedStorageClasses` # parameter is disallowed. allowedStorageClasses: - <string> includeStorageClassesInMessage: <boolean> Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "storage.k8s.io" version: "v1" kind: "StorageClass" Exemplos
storageclass
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: storageclass spec: match: kinds: - apiGroups: - "" kinds: - PersistentVolumeClaim - apiGroups: - apps kinds: - StatefulSet parameters: includeStorageClassesInMessage: true
Permitido
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ok spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: somestorageclass volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: somestorageclass provisioner: foo
apiVersion: apps/v1 kind: StatefulSet metadata: name: volumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: volumeclaimstorageclass serviceName: volumeclaimstorageclass template: metadata: labels: app: volumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: somestorageclass --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: somestorageclass provisioner: foo
Não permitido
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: badstorageclass spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: badstorageclass volumeMode: Filesystem
apiVersion: apps/v1 kind: StatefulSet metadata: name: badvolumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: badvolumeclaimstorageclass serviceName: badvolumeclaimstorageclass template: metadata: labels: app: badvolumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: badstorageclass
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nostorageclass spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi volumeMode: Filesystem
apiVersion: apps/v1 kind: StatefulSet metadata: name: novolumeclaimstorageclass spec: replicas: 1 selector: matchLabels: app: novolumeclaimstorageclass serviceName: novolumeclaimstorageclass template: metadata: labels: app: novolumeclaimstorageclass spec: containers: - image: registry.k8s.io/nginx-slim:0.8 name: main volumeMounts: - mountPath: /usr/share/nginx/html name: data volumeClaimTemplates: - metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi
allowed-storageclass
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata: name: allowed-storageclass spec: match: kinds: - apiGroups: - "" kinds: - PersistentVolumeClaim - apiGroups: - apps kinds: - StatefulSet parameters: allowedStorageClasses: - allowed-storage-class includeStorageClassesInMessage: true
Permitido
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: allowed-storage-class-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: allowed-storage-class volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: allowed-storage-class provisioner: foo
Não permitido
apiVersion: v1 kind: PersistentVolumeClaim metadata: name: disallowed-storage-class-pvc spec: accessModes: - ReadWriteOnce resources: requests: storage: 8Gi storageClassName: disallowed-storage-class volumeMode: Filesystem --- # Referential Data allowVolumeExpansion: true apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: allowed-storage-class provisioner: foo
K8sUniqueIngressHost
Host de Ingress exclusivo v1.0.4
Exige que todos os hosts de regra de entrada sejam exclusivos. Não lida com caracteres curinga de nome do host: https://kubernetes.io/docs/concepts/services-networking/ingress/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "extensions" version: "v1beta1" kind: "Ingress" OR - group: "networking.k8s.io" version: "v1beta1" OR "v1" kind: "Ingress" Exemplos
unique-ingress-host
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata: name: unique-ingress-host spec: match: kinds: - apiGroups: - extensions - networking.k8s.io kinds: - Ingress
Permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-allowed namespace: default spec: rules: - host: example-allowed-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix - host: example-allowed-host1.example.com http: paths: - backend: service: name: nginx2 port: number: 80 path: / pathType: Prefix
Não permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-disallowed namespace: default spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix --- # Referential Data apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-example namespace: default spec: rules: - host: example-host.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-disallowed2 namespace: default spec: rules: - host: example-host2.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix - host: example-host3.example.com http: paths: - backend: service: name: nginx2 port: number: 80 path: / pathType: Prefix --- # Referential Data apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-host-example2 namespace: default spec: rules: - host: example-host2.example.com http: paths: - backend: service: name: nginx port: number: 80 path: / pathType: Prefix
K8sUniqueServiceSelector
Seletor de serviço exclusivo v1.0.2
Requer que os Serviços tenham seletores exclusivos em um namespace. Os seletores são considerados os mesmos se tiverem chaves e valores idênticos. Os seletores podem compartilhar um par de chave-valor, desde que haja pelo menos um par de chave-valor diferente entre eles. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a- serviço
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueServiceSelector metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Restrição referencial
Essa restrição é referencial. Antes de usar, você precisa ativar as restrições referenciais e criar uma configuração que informe ao Policy Controller quais tipos de objetos devem ser observados.
Seu controlador de política Config exigirá uma entrada syncOnly semelhante a:
spec: sync: syncOnly: - group: "" version: "v1" kind: "Service" Exemplos
unique-service-selector
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueServiceSelector metadata: labels: owner: admin.agilebank.demo name: unique-service-selector
Permitido
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-disallowed namespace: default spec: ports: - port: 443 selector: key: other-value
Não permitido
apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-disallowed namespace: default spec: ports: - port: 443 selector: key: value --- # Referential Data apiVersion: v1 kind: Service metadata: name: gatekeeper-test-service-example namespace: default spec: ports: - port: 443 selector: key: value
NoUpdateServiceAccount
Bloquear a atualização da conta de serviço v1.0.1
Bloqueia a atualização da conta de serviço em recursos que abstraem os pods. Esta política é ignorada no modo de auditoria.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: NoUpdateServiceAccount metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedGroups <array>: Groups that should be allowed to bypass the # policy. allowedGroups: - <string> # allowedUsers <array>: Users that should be allowed to bypass the policy. allowedUsers: - <string> Exemplos
no-update-kube-system-service-account
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: NoUpdateServiceAccount metadata: name: no-update-kube-system-service-account spec: match: kinds: - apiGroups: - "" kinds: - ReplicationController - apiGroups: - apps kinds: - ReplicaSet - Deployment - StatefulSet - DaemonSet - apiGroups: - batch kinds: - CronJob namespaces: - kube-system parameters: allowedGroups: [] allowedUsers: []
Permitido
apiVersion: apps/v1 kind: Deployment metadata: labels: app: policy-test name: policy-test namespace: kube-system spec: replicas: 1 selector: matchLabels: app: policy-test-deploy template: metadata: labels: app: policy-test-deploy spec: containers: - command: - /bin/bash - -c - sleep 99999 image: ubuntu name: policy-test serviceAccountName: policy-test-sa-1
PolicyStrictOnly
Exigir a política de mTLS RIGOROSA do Istio v1.0.4
Exige que o TLS mútuo do Istio STRICT seja sempre especificado ao usar o PeerAuthentication. Essa restrição também garante que os recursos obsoletos Policy e MeshPolicy apliquem o TLS mútuo STRICT. Consulte: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
peerauthentication-strict-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: peerauthentication-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - PeerAuthentication namespaces: - default
Permitido
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict namespace: default spec: mtls: mode: STRICT
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-level namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: STRICT
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-unset namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: UNSET
Não permitido
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: empty-mtls namespace: default spec: mtls: {}
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: unspecified-mtls namespace: default
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-null namespace: default spec: mtls: mode: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mtls-null namespace: default spec: mtls: null
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-permissive namespace: default spec: mtls: mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-permissive namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE
apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: mode-strict-port-permissive namespace: default spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE "8081": mode: STRICT
deprecated-policy-strict-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: PolicyStrictOnly metadata: name: deprecated-policy-strict-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - authentication.istio.io kinds: - Policy namespaces: - default
Permitido
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mode-strict namespace: default spec: peers: - mtls: mode: STRICT
Não permitido
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-empty namespace: default spec: peers: - mtls: {}
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: default-mtls-null namespace: default spec: peers: - mtls: null
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: peers-empty namespace: default spec: peers: []
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-no-peers namespace: default spec: targets: - name: httpbin
apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: policy-permissive namespace: default spec: peers: - mtls: mode: PERMISSIVE
RestrictNetworkExclusions
Restringir exclusões de rede v1.0.2
Controla quais portas de entrada, portas de saída e intervalos de IP de saída podem ser excluídos da captura de rede do Istio. As portas e os intervalos de IP que ignoram a captura de rede do Istio não são processados pelo proxy do Istio e não estão sujeitos à autenticação mTLS do Istio, política de autorização e outros recursos do Istio. Essa restrição pode ser usada para aplicar restrições ao uso destas anotações:
traffic.sidecar.istio.io/excludeInboundPortstraffic.sidecar.istio.io/excludeOutboundPortstraffic.sidecar.istio.io/excludeOutboundIPRanges
Consulte https://istio.io/latest/docs/reference/config/annotations/.
Ao restringir os intervalos de IP de saída, a restrição calcula se os intervalos de IP excluídos correspondem ou são um subconjunto das exclusões de intervalos de IP permitidos.
Ao usar essa restrição, todas as portas de entrada e intervalos de IP de saída sempre precisarão ser incluídos com a definição das anotações "include" correspondentes como "*" ou sem definição. Não é permitido definir nenhuma das anotações a seguir como algo diferente de "*":
traffic.sidecar.istio.io/includeInboundPortstraffic.sidecar.istio.io/includeOutboundPortstraffic.sidecar.istio.io/includeOutboundIPRanges
Essa restrição sempre permite que a porta 15020 seja excluída porque o injetor do sidecar do Istio sempre a adiciona à anotação traffic.sidecar.istio.io/excludeInboundPorts para que ela possa ser usada para verificação de integridade.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: RestrictNetworkExclusions metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # allowedInboundPortExclusions <array>: A list of ports that this # constraint will allow in the # `traffic.sidecar.istio.io/excludeInboundPorts` annotation. allowedInboundPortExclusions: - <string> # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this # constraint will allow in the # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The # constraint calculates whether excluded IP ranges match or are a subset of # the ranges in this list. allowedOutboundIPRangeExclusions: - <string> # allowedOutboundPortExclusions <array>: A list of ports that this # constraint will allow in the # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation. allowedOutboundPortExclusions: - <string> Exemplos
restrict-network-exclusions
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: RestrictNetworkExclusions metadata: name: restrict-network-exclusions spec: enforcementAction: deny match: kinds: - apiGroups: - "" kinds: - Pod parameters: allowedInboundPortExclusions: - "80" allowedOutboundIPRangeExclusions: - 169.254.169.254/32 allowedOutboundPortExclusions: - "8888"
Permitido
apiVersion: v1 kind: Pod metadata: labels: app: nginx name: nothing-excluded spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeInboundPorts: "80" traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/excludeOutboundPorts: "8888" labels: app: nginx name: allowed-port-and-ip-exclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/includeOutboundIPRanges: '*' labels: app: nginx name: all-ip-ranges-included-with-one-allowed-ip-excluded spec: containers: - image: nginx name: nginx ports: - containerPort: 80
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/includeInboundPorts: '*' traffic.sidecar.istio.io/includeOutboundIPRanges: '*' traffic.sidecar.istio.io/includeOutboundPorts: '*' labels: app: nginx name: everything-included-with-no-exclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
Não permitido
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24 labels: app: nginx name: disallowed-ip-range-exclusion spec: containers: - image: nginx name: nginx ports: - containerPort: 80 - containerPort: 443
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24 labels: app: nginx name: one-disallowed-ip-exclusion-and-one-allowed-exclusion spec: containers: - image: nginx name: nginx ports: - containerPort: 80 - containerPort: 443
apiVersion: v1 kind: Pod metadata: annotations: traffic.sidecar.istio.io/includeInboundPorts: 80,443 traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32 traffic.sidecar.istio.io/includeOutboundPorts: "8888" labels: app: nginx name: disallowed-specific-port-and-ip-inclusions spec: containers: - image: nginx name: nginx ports: - containerPort: 80
SourceNotAllAuthz
Exigir a origem de AuthorizationPolicy do Istio, não todas as origens v1.0.1
Requer que as regras de autorização de Istio tenham principais de origem definidas para algo diferente de "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: SourceNotAllAuthz metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] Exemplos
sourcenotall-authz-constraint
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: SourceNotAllAuthz metadata: name: sourcenotall-authz-constraint spec: enforcementAction: dryrun match: kinds: - apiGroups: - security.istio.io kinds: - AuthorizationPolicy
Permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-good namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
Não permitido
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-dne namespace: foo spec: rules: - from: - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-all namespace: foo spec: rules: - from: - source: principals: - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: source-principals-someall namespace: foo spec: rules: - from: - source: principals: - cluster.local/ns/default/sa/sleep - '*' - source: namespaces: - test to: - operation: methods: - GET paths: - /info* - operation: methods: - POST paths: - /data when: - key: request.auth.claims[iss] values: - https://accounts.google.com selector: matchLabels: app: httpbin version: v1
Verificar API descontinuada
Verificar APIs obsoletas v1.0.0
Verifica as APIs descontinuadas do Kubernetes para garantir que todas as versões da API estejam atualizadas. Esse modelo não se aplica à auditoria, porque a auditoria analisa os recursos que já estão presentes no cluster com versões não descontinuadas da API.
Esquema de restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: example spec: # match <object>: lets you configure which resources are in scope for this # constraint. For more information, see the Policy Controller Constraint # match documentation: # https://cloud.google.com/anthos-config-management/docs/reference/match match: [match schema] parameters: # k8sVersion <number>: kubernetes version k8sVersion: <number> # kvs <array>: Deprecated api versions and corresponding kinds kvs: - # deprecatedAPI <string>: deprecated api deprecatedAPI: <string> # kinds <array>: impacted list of kinds kinds: - <string> # targetAPI <string>: target api targetAPI: <string> Exemplos
verify-1.16
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.16 spec: match: kinds: - apiGroups: - apps kinds: - Deployment - ReplicaSet - StatefulSet - DaemonSet - apiGroups: - extensions kinds: - PodSecurityPolicy - ReplicaSet - Deployment - DaemonSet - NetworkPolicy parameters: k8sVersion: 1.16 kvs: - deprecatedAPI: apps/v1beta1 kinds: - Deployment - ReplicaSet - StatefulSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - ReplicaSet - Deployment - DaemonSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - PodSecurityPolicy targetAPI: policy/v1beta1 - deprecatedAPI: apps/v1beta2 kinds: - ReplicaSet - StatefulSet - Deployment - DaemonSet targetAPI: apps/v1 - deprecatedAPI: extensions/v1beta1 kinds: - NetworkPolicy targetAPI: networking.k8s.io/v1
Permitido
apiVersion: apps/v1 kind: Deployment metadata: labels: app: nginx name: allowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
Não permitido
apiVersion: apps/v1beta1 kind: Deployment metadata: labels: app: nginx name: disallowed-deployment spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - image: nginx:1.14.2 name: nginx ports: - containerPort: 80
verify-1.22
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.22 spec: match: kinds: - apiGroups: - admissionregistration.k8s.io kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration - apiGroups: - apiextensions.k8s.io kinds: - CustomResourceDefinition - apiGroups: - apiregistration.k8s.io kinds: - APIService - apiGroups: - authentication.k8s.io kinds: - TokenReview - apiGroups: - authorization.k8s.io kinds: - SubjectAccessReview - apiGroups: - certificates.k8s.io kinds: - CertificateSigningRequest - apiGroups: - coordination.k8s.io kinds: - Lease - apiGroups: - extensions - networking.k8s.io kinds: - Ingress - apiGroups: - networking.k8s.io kinds: - IngressClass - apiGroups: - rbac.authorization.k8s.io kinds: - ClusterRole - ClusterRoleBinding - Role - RoleBinding - apiGroups: - scheduling.k8s.io kinds: - PriorityClass - apiGroups: - storage.k8s.io kinds: - CSIDriver - CSINode - StorageClass - VolumeAttachment parameters: k8sVersion: 1.22 kvs: - deprecatedAPI: admissionregistration.k8s.io/v1beta1 kinds: - MutatingWebhookConfiguration - ValidatingWebhookConfiguration targetAPI: admissionregistration.k8s.io/v1 - deprecatedAPI: apiextensions.k8s.io/v1beta1 kinds: - CustomResourceDefinition targetAPI: apiextensions.k8s.io/v1 - deprecatedAPI: apiregistration.k8s.io/v1beta1 kinds: - APIService targetAPI: apiregistration.k8s.io/v1 - deprecatedAPI: authentication.k8s.io/v1beta1 kinds: - TokenReview targetAPI: authentication.k8s.io/v1 - deprecatedAPI: authorization.k8s.io/v1beta1 kinds: - SubjectAccessReview targetAPI: authorization.k8s.io/v1 - deprecatedAPI: certificates.k8s.io/v1beta1 kinds: - CertificateSigningRequest targetAPI: certificates.k8s.io/v1 - deprecatedAPI: coordination.k8s.io/v1beta1 kinds: - Lease targetAPI: coordination.k8s.io/v1 - deprecatedAPI: extensions/v1beta1 kinds: - Ingress targetAPI: networking.k8s.io/v1 - deprecatedAPI: networking.k8s.io/v1beta1 kinds: - Ingress - IngressClass targetAPI: networking.k8s.io/v1 - deprecatedAPI: rbac.authorization.k8s.io/v1beta1 kinds: - ClusterRole - ClusterRoleBinding - Role - RoleBinding targetAPI: rbac.authorization.k8s.io/v1 - deprecatedAPI: scheduling.k8s.io/v1beta1 kinds: - PriorityClass targetAPI: scheduling.k8s.io/v1 - deprecatedAPI: storage.k8s.io/v1beta1 kinds: - CSIDriver - CSINode - StorageClass - VolumeAttachment targetAPI: storage.k8s.io/v1
Permitido
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / name: allowed-ingress spec: ingressClassName: nginx-example rules: - http: paths: - backend: service: name: test port: number: 80 path: /testpath pathType: Prefix
Não permitido
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / name: disallowed-ingress spec: ingressClassName: nginx-example rules: - http: paths: - backend: service: name: test port: number: 80 path: /testpath pathType: Prefix
verify-1.25
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.25 spec: match: kinds: - apiGroups: - batch kinds: - CronJob - apiGroups: - discovery.k8s.io kinds: - EndpointSlice - apiGroups: - events.k8s.io kinds: - Event - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler - apiGroups: - policy kinds: - PodDisruptionBudget - PodSecurityPolicy - apiGroups: - node.k8s.io kinds: - RuntimeClass parameters: k8sVersion: 1.25 kvs: - deprecatedAPI: batch/v1beta1 kinds: - CronJob targetAPI: batch/v1 - deprecatedAPI: discovery.k8s.io/v1beta1 kinds: - EndpointSlice targetAPI: discovery.k8s.io/v1 - deprecatedAPI: events.k8s.io/v1beta1 kinds: - Event targetAPI: events.k8s.io/v1 - deprecatedAPI: autoscaling/v2beta1 kinds: - HorizontalPodAutoscaler targetAPI: autoscaling/v2 - deprecatedAPI: policy/v1beta1 kinds: - PodDisruptionBudget targetAPI: policy/v1 - deprecatedAPI: policy/v1beta1 kinds: - PodSecurityPolicy targetAPI: None - deprecatedAPI: node.k8s.io/v1beta1 kinds: - RuntimeClass targetAPI: node.k8s.io/v1
Permitido
apiVersion: batch/v1 kind: CronJob metadata: name: allowed-cronjob namespace: default spec: jobTemplate: spec: template: spec: containers: - command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster image: busybox:1.28 imagePullPolicy: IfNotPresent name: hello restartPolicy: OnFailure schedule: '* * * * *'
Não permitido
apiVersion: batch/v1beta1 kind: CronJob metadata: name: disallowed-cronjob namespace: default spec: jobTemplate: spec: template: spec: containers: - command: - /bin/sh - -c - date; echo Hello from the Kubernetes cluster image: busybox:1.28 imagePullPolicy: IfNotPresent name: hello restartPolicy: OnFailure schedule: '* * * * *'
verify-1.26
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.26 spec: match: kinds: - apiGroups: - flowcontrol.apiserver.k8s.io kinds: - FlowSchema - PriorityLevelConfiguration - apiGroups: - autoscaling kinds: - HorizontalPodAutoscaler parameters: k8sVersion: 1.26 kvs: - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1 kinds: - FlowSchema - PriorityLevelConfiguration targetAPI: flowcontrol.apiserver.k8s.io/v1beta3 - deprecatedAPI: autoscaling/v2beta2 kinds: - HorizontalPodAutoscaler targetAPI: autoscaling/v2
Permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 kind: FlowSchema metadata: name: allowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
Não permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1 kind: FlowSchema metadata: name: disallowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
verify-1.27
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.27 spec: match: kinds: - apiGroups: - storage.k8s.io kinds: - CSIStorageCapacity parameters: k8sVersion: 1.27 kvs: - deprecatedAPI: storage.k8s.io/v1beta1 kinds: - CSIStorageCapacity targetAPI: storage.k8s.io/v1
Permitido
apiVersion: storage.k8s.io/v1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity storageClassName: standard
Não permitido
apiVersion: storage.k8s.io/v1beta1 kind: CSIStorageCapacity metadata: name: allowed-csistoragecapacity namespace: default storageClassName: standard
verify-1.29
Restrição
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: VerifyDeprecatedAPI metadata: name: verify-1.29 spec: match: kinds: - apiGroups: - flowcontrol.apiserver.k8s.io kinds: - FlowSchema - PriorityLevelConfiguration parameters: k8sVersion: 1.29 kvs: - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2 kinds: - FlowSchema - PriorityLevelConfiguration targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3 kind: FlowSchema metadata: name: allowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
Não permitido
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2 kind: FlowSchema metadata: name: disallowed-flowcontrol namespace: default spec: matchingPrecedence: 1000 priorityLevelConfiguration: name: exempt rules: - nonResourceRules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - '*' subjects: - group: name: system:unauthenticated kind: Group
A seguir
- Saiba mais sobre o Policy Controller
- Instale o Policy Controller.
- Saiba mais sobre como usar restrições em vez de PodSecurityPolicies
- Visualize a biblioteca de código aberto de modelos de restrição no repositório gatekeeper-library