Updated on 2024-02-01 GMT+08:00

k8spspselinuxv2

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter

    allowedSELinuxOptions: Object array, including four string objects: level, role, type, and user.

    exemptImages: String array

Function

This policy restricts the SELinux configurations in a pod.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect. allowedSELinuxOptions in parameters defines the allowed parameters.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedSELinuxOptions:
      - level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Resource Definition That Complies with the Policy

In the example, the parameters of seLinuxOptions are displayed in the parameter list and complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
    name: nginx-selinux-allowed
    labels:
        app: nginx-selinux
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Resource Definition That Does Not Comply with the Policy

In the example, the parameters of seLinuxOptions are not displayed in the parameter list and does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
    name: nginx-selinux-disallowed
    labels:
        app: nginx-selinux
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        user: sysadm_u
        role: sysadm_r
        type: svirt_lxc_net_t