Overview
UCS provides you with a preset policy definition library. With this library, you can create specific policy instances and delegate the task of defining policy instance details to individuals or teams with professional knowledge. This approach not only isolates concerns, but also separates the logic of policy instances from their definitions.
To help you better understand the working principle of a policy definition, each preset policy definition contains the following three parts: an example policy instance, which is used to show how to use the policy definition; a resource definition that violates the policy instance, which is used to describe the resource examples that do not meet the policy requirements; a resource definition that meets the policy instance, which is used to display resource examples that meet the policy requirements.
Each policy instance contains a match field, which defines the target object to which the policy instance is applied. The match field specifies the resource type, namespace, or other specific conditions to which the policy instance applies. This ensures that the policy instance takes effect only on the objects that meet these conditions.
Table 1 defines 16 security policies, which are used to ensure the security of clusters and resources. Table 2 defines 17 compliance policies, which are used to meet different compliance requirements.
Policy Definition |
Type |
Level of Recommendation |
Target Object |
Parameter |
|---|---|---|---|---|
Security |
L3 |
Pods |
volumes: Array |
|
Security |
L3 |
Pods |
exemptImages: String array runAsUser
runAsGroup
supplementalGroups
fsGroup
|
|
Security |
L3 |
Pods |
allowedSELinuxOptions: Object array, including four string objects: level, role, type, and user. exemptImages: String array |
|
Security |
L3 |
Pods |
allowedLocalhostFiles: Array allowedProfiles: Array exemptImages: String array |
|
Security |
L3 |
Pods |
exemptImages: String array |
|
Security |
L3 |
Pods |
exemptImages: String array procMount: String |
|
Security |
L3 |
Pods |
exemptImages: String array |
|
Security |
L3 |
Pods |
exemptImages: String array hostNetwork
|
|
Security |
L3 |
Pods |
None |
|
Security |
L3 |
Pods |
allowedHostPaths
|
|
Security |
L3 |
Pods |
rule: The value is a string. MayRunAs, MustRunAs, and RunAsAny are supported. ranges
|
|
Security |
L3 |
Pods |
allowedSysctls: Array forbiddenSysctls: Array |
|
Security |
L3 |
Pods |
allowedFlexVolumes: Array |
|
Security |
L3 |
Pods |
allowedCapabilities: Array exemptImages: String array requiredDropCapabilities: Array |
|
Security |
L3 |
Pods |
allowedProfiles: Array exemptImages: String array |
|
Security |
L3 |
Pods |
exemptImages: String array |
Policy Definition |
Type |
Level of Recommendation |
Target Object |
Parameter |
|---|---|---|---|---|
Compliance |
L1 |
Pods |
probes: Array probeTypes: Array |
|
Compliance |
L1 |
Deployment |
labels
message: String |
|
Compliance |
L1 |
Pods |
annotations
message: String |
|
Compliance |
L1 |
Deployment, ReplicaSet, and CronJob |
ranges
|
|
Compliance |
L1 |
Pods |
allowedGroups: Array allowedUsers: Array |
|
Compliance |
L1 |
Pods |
exemptImages: String array |
|
Compliance |
L1 |
Service |
allowedIPs: String array |
|
Compliance |
L1 |
Pods |
tags: String array exemptImages: String array |
|
Compliance |
L1 |
Pods |
exemptImages: String array limits
requests
|
|
Compliance |
L1 |
Pods |
ratio: String cpuRatio: String exemptImages: String array |
|
Compliance |
L1 |
Pods |
cpu: String memory: String exemptImages: String array |
|
Compliance |
L1 |
Pods |
cpu: String memory: String exemptImages: String array |
|
Compliance |
L1 |
Ingress |
None |
|
Compliance |
L1 |
Service |
None |
|
Compliance |
L1 |
Pods |
None |
|
Compliance |
L1 |
Pods |
None |
|
Compliance |
L1 |
Pods |
repos: String array |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
