Container Cluster Protection Policy Templates
To protect container clusters, configure protection policies to ensure that cluster resources meet your security and compliance requirements.
HSS provides security, compliance, and image blocking policy templates. You simply need to select a policy template and configure its parameters.
This section describes the types, applicable resources, functions, and parameters of policy templates, and provides policy examples.
Policy Template Description
|
Policy Type |
Policy Name |
Applicable Resource Type |
Level of Recommendation |
Policy Description |
Policy Parameter |
|---|---|---|---|---|---|
|
Security |
Pod |
|
Restrict pods from starting privileged containers. |
exemptImages |
|
|
Security |
Pod |
|
Restrict the range of server host directories that can be mounted to a pod. |
allowedHostPaths |
|
|
Security |
Pod |
|
Restrict the range of Sysctls that are not allowed in a pod. |
|
|
|
Security |
Pod |
|
Restrict the Linux capabilities configured for a pod. |
|
|
|
Security |
Pod |
|
Restrict Pod fsGroup. |
|
|
|
Security |
Pod |
|
Make pods use specified ports on the server network. |
|
|
|
Security |
Pod |
|
Restrict the FlexVolume driver configuration of a pod. |
allowedFlexVolumes |
|
|
Security |
Pod |
|
Restrict the proc types that can be mounted to a pod. |
|
|
|
Security |
Pod |
|
Restrict the user, group, supplementalGroups, and fsGroup configurations during pod startup. |
|
|
|
Security |
Pod |
|
Make a pod use a specified Seccomp configuration file. |
|
|
|
Security |
Pod |
|
Only allow pods to use the read-only root file system. |
exemptImages |
|
|
Security |
Pod |
|
Specify whether pods can share the host namespace of servers. |
None |
|
|
Security |
Pod |
|
Make pods use the SELinux configuration specified in the AllowedSELinuxOptions parameter. |
|
|
|
Security |
Pod |
|
Restrict the volume mounting type used by a pod. |
volumes |
|
|
Security |
Pod |
|
Restrict AppArmor configuration for pods. |
|
|
|
Security |
Pod |
|
Restrict the configuration of the allowPrivilegeEscalation parameter in a pod. |
exemptImages |
|
|
Compliance |
Pod |
|
Require that the CPU and memory requests must be configured and be less than the configured maximum. |
|
|
|
Compliance |
Pod |
|
Require that the CPU and memory limits must be configured and be less than the configured maximum. |
|
|
|
Compliance |
Pod |
|
Require that a resource must contain the specified label whose value matches the provided regular expression. |
|
|
|
Compliance |
Deployment, ReplicaSet, and CronJob |
|
Restrict the objects with the replicas field within the defined range. |
ranges |
|
|
Compliance |
Service |
|
Do not allow services of the NodePort type. |
None |
|
|
Image blocking |
Deployment, pod |
|
Block malicious images. |
|
K8sPSPPrivilegedcontainer
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
exemptImages: It is an array of strings. It specifies a list of images that do not need to be managed. |
Policy Description
This policy restricts privileged container startup by preventing the privileged field from being set to true.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
name: psp-privileged-container
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
excludedNamespaces: ["kube-system"]
Resource definition that complies with the policy instance: In the following example, privileged is set to false, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-allowed
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: nginx
securityContext:
privileged: false
Resource definition that does not comply with the policy instance: In the following example, privileged is set to true, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-privileged-allowed
labels:
app: nginx-privileged
spec:
containers:
- name: nginx
image: nginx
securityContext:
privileged: true
K8sPSPHostFilesystem
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
allowedHostPaths: It is an object parameter. It specifies the whitelist of server paths that can be mounted. Options:
|
Policy Description
Restrict the range of server host directories that can be mounted to a pod.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. allowedHostPaths in parameters specifies the paths that can be accessed in read-only mode on the server with the prefix /foo.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
name: psp-host-filesystem
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedHostPaths:
- readOnly: true #Set the mounting mode to read-only to prevent writing to the host file system.
pathPrefix: "/foo" # Only the server path with the prefix /foo can be mounted.
Resource definition that complies with the policy instance: In the following example, pathPrefix in hostPath starts with /foo, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- name: cache-volume
hostPath:
path: /foo/bar
Resource definition that does not comply with the policy instance: In the following example, pathPrefix in hostPath is set to /tmp, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-filesystem
labels:
app: nginx-host-filesystem-disallowed
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
readOnly: true
volumes:
- name: cache-volume
hostPath:
path: /tmp # directory location on host
K8sPSPForbiddenSysctls
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Restrict the range of Sysctls that are not allowed in a pod.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. forbiddenSysctls in parameters defines that the parameters starting with kernel. cannot be used in sysctls.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
name: psp-forbidden-sysctls
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
forbiddenSysctls:
# - "*" # The asterisk (*) can be used to disable all sysctls.
- kernel.* # sysctls parameters starting with kernel. are not allowed.
Resource definition that complies with the policy instance: In the following example, the name of sysctls complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
labels:
app: nginx-forbidden-sysctls
spec:
containers:
- name: nginx
image: nginx
securityContext:
sysctls:
- name: net.core.somaxconn
value: "1024"
Resource definition that does not comply with the policy instance: In the following example, the name (kernel.msgmax) of sysctls does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-forbidden-sysctls-disallowed
labels:
app: nginx-forbidden-sysctls
spec:
containers:
- name: nginx
image: nginx
securityContext:
sysctls:
- name: kernel.msgmax
value: "65536"
- name: net.core.somaxconn
value: "1024"
K8sPSPCapabilities
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Restrict the Linux capabilities configured for a pod.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. parameters defines the lists of allowedCapabilities and requiredDropCapabilities.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
name: capabilities-demo
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- "default"
parameters:
allowedCapabilities: ["CHOWN"] # List of kernel capabilities that can be enabled by pods. The kernel capabilities that are not included are forbidden by default.
requiredDropCapabilities: ["NET_ADMIN"] # List of kernel capabilities that must be discarded by pods, regardless of whether they are declared.
Resource definition that complies with the policy instance: In the following example, the parameters of capabilities comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
securityContext:
capabilities:
add: ["CHOWN"]
drop: ["NET_ADMIN", "SYS_ADMIN"]
resources:
limits:
cpu: "100m"
memory: "30Mi"
Resource definition that does not comply with the policy instance: In the following example, the parameters of capabilities do not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
securityContext:
capabilities:
add: ["NET_RAW"]
resources:
limits:
cpu: "100m"
memory: "30Mi"
K8sPSPFSGroup
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Restrict Pod fsGroup.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. The allowed fsGroup range is 1 to 1000.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
name: psp-fsgroup
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
ranges:
- min: 1
max: 1000
Resource definition that complies with the policy instance: In the following example, fsGroup is set to 500, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
securityContext:
fsGroup: 500 # The directory will have the fsGroup whose ID is 500.
volumes:
- name: fsgroup-demo-vol
emptyDir: {}
containers:
- name: fsgroup-demo
image: busybox
command: ["sh", "-c", "sleep 1h"]
volumeMounts:
- name: fsgroup-demo-vol
mountPath: /data/demo
Resource definition that does not comply with the policy instance: In the following example, fsGroup is set to 2000, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: fsgroup-disallowed
spec:
securityContext:
fsGroup: 2000 # The directory will have the fsGroup whose ID is 2000.
volumes:
- name: fsgroup-demo-vol
emptyDir: {}
containers:
- name: fsgroup-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: fsgroup-demo-vol
mountPath: /data/demo
K8sPSPHostNetworkingPorts
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Make pods use specified ports on the server network.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. If hostNetwork in parameters is set to true, the used port must be within the specified port range (80 to 9000).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
name: psp-host-network-ports
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
hostNetwork: bool
min: 80
max: 9000
Resource definition that complies with the policy instance: In the following example, hostNetwork is set to false, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-networking-ports-allowed
labels:
app: nginx-host-networking-ports
spec:
hostNetwork: false
containers:
- name: nginx
image: nginx
ports:
- containerPort: 9000
hostPort: 80
Resource definition that does not comply with the policy instance: In the following example, hostNetwork is set to true, but port 9001 is not within the specified range, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-networking-ports-disallowed
labels:
app: nginx-host-networking-ports
spec:
hostNetwork: true
containers:
- name: nginx
image: nginx
ports:
- containerPort: 9001
hostPort: 9001
K8sPSPFlexVolumes
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
allowedFlexVolumes: It is an array. It specifies the list of FlexVolume drivers that can be configured. |
Policy Description
Restrict the FlexVolume driver configuration of a pod.
Example
Policy instance: The following policy instance shows the types of resources for which the policy definition takes effect. The allowedFlexVolumes field in parameters defines the allowed driver types.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
name: psp-flexvolume-drivers
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedFlexVolumes: #[]
- driver: "example/lvm" # Specify the FlexVolume driver type that can be used. LVM is used as an example.
- driver: "example/cifs" # Specify the FlexVolume driver type that can be used. CIFS is used as an example.
Resource definition that complies with the policy instance: In the following example, the type in flexVolume is within the allowed range defined above, and complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-flexvolume-driver-allowed
labels:
app: nginx-flexvolume-driver
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- name: test-volume
flexVolume:
driver: "example/lvm"
Resource definition that does not comply with the policy instance: In the following example, the type in flexVolume is not in the allowed range defined above, and does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-flexvolume-driver-disallowed
labels:
app: nginx-flexvolume-driver
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /test
name: test-volume
readOnly: true
volumes:
- name: test-volume
flexVolume:
driver: "example/testdriver" #"example/lvm"
K8sPSPProcMount
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Restrict the proc types that can be mounted to a pod.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. In parameters, the value of procMount is Default, and the /proc directory is masked by default.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
name: psp-proc-mount
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
procMount: Default
Resource definition that complies with the policy instance: In the following example, procMount in the securityContext field is set to Default, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-proc-mount-disallowed
labels:
app: nginx-proc-mount
spec:
containers:
- name: nginx
image: nginx
securityContext:
procMount: Default
Resource definition that does not comply with the policy instance: In the following example, procMount in the securityContext field is set to Unmasked, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-proc-mount-disallowed
labels:
app: nginx-proc-mount
spec:
containers:
- name: nginx
image: nginx
securityContext:
procMount: Unmasked
K8sPSPAllowedUsers
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Restrict the user, group, supplementalGroups, and fsGroup configurations during pod startup.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. parameters defines constraints on fields such as runAsUser, runAsGroup, supplementalGroups, and fsGroup.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
runAsUser: # A container can only be run with an UID in the range 100 to 200.
rule: MustRunAs # MustRunAsNonRoot # RunAsAny
ranges:
- min: 100
max: 200
runAsGroup: # A container can only be run with an GID in the range 100 to 200.
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
supplementalGroups: # A container can only be run with a supplementary group ID in the range 100 to 200.
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
fsGroup: # A container can only be run with an fsGroup ID in the range 100 to 200.
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
Resource definition that complies with the policy instance: In the following example, runAsUser and other parameters are within the range, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-allowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 199
fsGroup: 199
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 199
runAsGroup: 199
Resource definition that does not comply with the policy instance: In the following example, runAsUser and other parameters are not in the range, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-disallowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 250
fsGroup: 250
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 250
runAsGroup: 250
K8sPSPSeccomp
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Make a pod use a specified Seccomp configuration file.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. allowedProfiles in parameters specifies the scope of the Seccomp configuration file that can be used.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
name: psp-seccomp
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedProfiles:
- runtime/default # The default Seccomp configuration file of the runtime can be used. It is usually the default configuration provided by the container runtime (such as containerd or CRI-O).
- docker/default # The default Seccomp configuration file of Docker can be used. This file restricts certain system calls to enhance container security.
Resource definition that comply with the policy instance: In the following example, the value of the container.seccomp.security.alpha.kubernetes.io/nginx annotation is in the specified value list, which complies with the policy definition.
apiVersion: v1
kind: Pod
metadata:
name: nginx-seccomp-allowed
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
labels:
app: nginx-seccomp
spec:
containers:
- name: nginx
image: nginx
Resource definition that does not comply with the policy instance: In the following example, the value of the container.seccomp.security.alpha.kubernetes.io/nginx annotation is not in the specified value list, which does not comply with the policy definition.
apiVersion: v1
kind: Pod
metadata:
name: nginx-seccomp-disallowed
annotations:
container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
labels:
app: nginx-seccomp
spec:
containers:
- name: nginx
image: nginx
K8sPSPReadOnlyRootFilesystem
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
exemptImages: It is an array of strings. It specifies a list of images that do not need to be managed. |
Policy Description
Only allow pods to use the read-only root file system.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
name: psp-readonlyrootfilesystem
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
Resource definition that complies with the policy instance: In the following example, readOnlyRootFilesystem is set to true, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-readonlyrootfilesystem-allowed
labels:
app: nginx-readonlyrootfilesystem
spec:
containers:
- name: nginx
image: nginx
securityContext:
readOnlyRootFilesystem: true
Resource definition that does not comply with the policy instance: In the following example, readOnlyRootFilesystem is set to false, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-readonlyrootfilesystem-disallowed
labels:
app: nginx-readonlyrootfilesystem
spec:
containers:
- name: nginx
image: nginx
securityContext:
readOnlyRootFilesystem: false
K8sPSPHostNamespace
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
None |
Policy Description
Restrict pods from sharing the host namespace of servers.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
name: psp-host-namespace
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
Resource definition that complies with the policy instance: In the following example, hostPID and hostIPC are set to false, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-namespace-allowed
labels:
app: nginx-host-namespace
spec:
hostPID: false
hostIPC: false
containers:
- name: nginx
image: nginx
Resource definition that does not comply with the policy instance: In the following example, hostPID and hostIPC are set to true, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-host-namespace-disallowed
labels:
app: nginx-host-namespace
spec:
hostPID: true
hostIPC: true
containers:
- name: nginx
image: nginx
K8sPSPSELinuxV2
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Make pods use the SELinux configuration specified in the AllowedSELinuxOptions parameter.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. allowedSELinuxOptions in parameters defines the SELinux configuration whitelist.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
name: psp-selinux-v2
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedSELinuxOptions:
- level: s0:c123,c456 # Define the sensitivity level as s0:c123,c456.
role: object_r # Allow the use of the object_r role.
type: svirt_sandbox_file_t # Allow the type svirt_sandbox_file_t.
user: system_u # Allow the user system_u.
Resource definition that complies with the policy instance: In the following example, seLinuxoptions parameters are in the whitelist, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-selinux-allowed
labels:
app: nginx-selinux
spec:
containers:
- name: nginx
image: nginx
securityContext:
seLinuxOptions:
level: s0:c123,c456
role: object_r
type: svirt_sandbox_file_t
user: system_u
Resource definition that does not comply with the policy instance: In the following example, seLinuxOptions parameters are not in the whitelist, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-selinux-disallowed
labels:
app: nginx-selinux
spec:
containers:
- name: nginx
image: nginx
securityContext:
seLinuxOptions:
level: s1:c234,c567
user: sysadm_u
role: sysadm_r
type: svirt_lxc_net_t
K8sPSPVolumeTypes
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
volumes: It is an array. It specifies the list of allowed volume mounting types. |
Policy Description
Restrict the volume mounting type used by a pod.
Example
Policy instance: The following policy instance shows the types of resources for which the policy definition takes effect. The volumes field in parameters defines the allowed type list.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
name: psp-volume-types
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
volumes:
# - "*" # * may be used to allow all volume types
- configMap # Allow volumes of the ConfigMap type to be used.
- emptyDir # Allow volumes of the emptyDir type to be used.
- projected # Allow volumes of the projected type to be used.
- secret # Allow volumes of the Secret type to be used.
- downwardAPI # Allow volumes of the DownwardAPI type to be used.
- persistentVolumeClaim # Allow volumes of the PersistentVolumeClaim type to be used.
#- hostPath #required for allowedHostPaths
- flexVolume #required for allowedFlexVolumes # Allow flexVolume to be used.
Resource definition that complies with the policy instance: In the following example, the types in volumes are within the allowed range defined above and comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-volume-types-allowed
labels:
app: nginx-volume-types
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- name: nginx2
image: nginx
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- name: cache-volume
emptyDir: {}
- name: demo-vol
emptyDir: {}
Resource definition that does not comply with the policy instance: In the following example, the type (hostPath) in volumes is not in the allowed range defined above and does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-volume-types-disallowed
labels:
app: nginx-volume-types
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- mountPath: /cache
name: cache-volume
- name: nginx2
image: nginx
volumeMounts:
- mountPath: /cache2
name: demo-vol
volumes:
- name: cache-volume
hostPath:
path: /tmp # directory location on host
- name: demo-vol
emptyDir: {}
K8sPSPAppArmor
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Restrict AppArmor configuration for pods.
Example
Policy instance: The following policy instance shows the types of resources for which the policy definition takes effect. The allowedProfiles field in parameters defines the allowed value list.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
name: psp-apparmor
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
allowedProfiles:
- runtime/default # Allow the default configuration file of AppArmor to be used.
Resource definition that complies with the policy instance: In the following example, the value in apparmor is within the allowed range defined above, and complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-apparmor-allowed
annotations:
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
labels:
app: nginx-apparmor
spec:
containers:
- name: nginx
image: nginx
Resource definition that does not comply with the policy instance: In the following example, privileged is set to true, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-apparmor-disallowed
annotations:
# apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
container.apparmor.security.beta.kubernetes.io/nginx: unconfined
labels:
app: nginx-apparmor
spec:
containers:
- name: nginx
image: nginx
K8sPSPAllowPrivilegeEscalationContainer
|
Policy Type |
Security |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
exemptImages: It is an array of strings. It specifies a list of images that do not need to be managed. |
Policy Description
Restrict the configuration of the allowPrivilegeEscalation parameter in a pod.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
name: psp-allow-privilege-escalation-container
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
Resource definition that complies with the policy instance: In the following example, allowPrivilegeEscalation is set to false, which complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-privilege-escalation-allowed
labels:
app: nginx-privilege-escalation
spec:
containers:
- name: nginx
image: nginx
securityContext:
allowPrivilegeEscalation: false
Resource definition that does not comply with the policy instance: In the following example, allowPrivilegeEscalation is not true, which does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: nginx-privilege-escalation-disallowed
labels:
app: nginx-privilege-escalation
spec:
containers:
- name: nginx
image: nginx
securityContext:
allowPrivilegeEscalation: true
K8sContainerRequests
|
Policy Type |
Compliance |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
The CPU and memory requests must be configured and be less than the configured maximum.
Example
Policy instance: The following policy instance contains the maximum CPU and memory requests. The maximum CPU request is 200m, and the maximum memory request is 1Gi.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
name: container-must-have-requests
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
cpu: "200m"
memory: "1Gi"
Resource definition that complies with the policy instance: In the following example, the CPU and memory request values are less than the configured maximum values and comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
requests:
cpu: "100m"
memory: "1Gi"
Resource definition that does not comply with the policy instance: In the following example, the CPU and memory request values are greater than the configured maximum values and do not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
requests:
cpu: "100m"
memory: "2Gi"
K8sContainerLimits
|
Policy Type |
Compliance |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
The CPU and memory limits must be configured and be less than the configured maximum.
Example
Policy instance: In the following policy instance, the maximum CPU usage of the matched object is 200m and the maximum memory usage is 1G.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
cpu: "200m"
memory: "1Gi"
Resource definition that complies with the policy instance: In the following example, the Limit of CPU and memory complies with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
Resource definition that does not comply with the policy instance: In the following example, the Limit of memory is greater than the maximum value and does not comply with the policy instance.
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "300m"
memory: "1Gi"
K8sRequiredLabels
|
Policy Type |
Compliance |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Pod |
|
Policy Parameter |
|
Policy Description
Require that a resource must contain the specified label whose value matches the provided regular expression.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. parameters specifies the restrictions for message and labels.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner # Define the mandatory label key as the owner.
allowedRegex: "^[a-zA-Z]+.agilebank.demo$" # The label value must comply with the regular expression.
Resource definition that complies with the policy instance: The following example contains the label defined in the policy instance.
apiVersion: v1
kind: Namespace
metadata:
name: allowed-namespace
labels:
owner: user.agilebank.demo
Resource definition that does not comply with the policy instance: The following example does not contain the label defined in the policy instance.
apiVersion: v1 kind: Namespace metadata: name: disallowed-namespace
K8sReplicaLimits
|
Policy Type |
Compliance |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Deployment, ReplicaSet, and CronJob |
|
Policy Parameter |
ranges: It is an object parameter. It specifies the object range of the replicas field. Options:
|
Policy Description
Restrict the objects with the replicas field within the defined range.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to. The value of replicas should be in the range 3 to 50, as defined in parameters.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
name: replica-limits
spec:
match:
kinds:
- apiGroups: ["apps"]
kinds: ["Deployment"]
parameters:
ranges:
- min_replicas: 3 # Set the minimum number of replicas to 3.
max_replicas: 50 # Set the maximum number of replicas to 50.
Resource definition that complies with the policy instance: In the following example, Replicas is set to 3, which complies with the policy instance.
apiVersion: apps/v1
kind: Deployment
metadata:
name: allowed-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 3
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
Resource definition that does not comply with the policy instance: In the following example, Replicas is set to 100, which does not comply with the policy instance.
apiVersion: apps/v1
kind: Deployment
metadata:
name: disallowed-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 100
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
K8sBlockNodePort
|
Policy Type |
Compliance |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Service |
|
Policy Parameter |
None |
Policy Description
Do not allow services of the NodePort type.
Example
Policy instance: The following policy instance shows the resource types that the policy definition is applicable to.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
name: block-node-port
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Service"]
Resource definition that complies with the policy instance: In the following example, Service is set to Nodeport, which complies with the policy instance.
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
ports:
- port: 80
targetPort: 80
nodePort: 30007
Resource definition that does not comply with the policy instance: In the following example, privileged is set to true, which does not comply with the policy instance.
apiVersion: v1
kind: Service
metadata:
name: my-service-disallowed
spec:
type: NodePort
ports:
- port: 80
targetPort: 80
nodePort: 30007
K8sMaliciousImagePrevent
|
Policy Type |
Image blocking |
|---|---|
|
Level of Recommendation |
|
|
Applicable Resource Type |
Deployment, pod |
|
Policy Parameter |
|
Policy Description
Block malicious images.
Example
None. After an image blocking policy is configured, HSS will take the action (alarm, block, or allow) on the image corresponding to the specified cluster, image name, or label based on the container image security scan results.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
