Help Center> Ubiquitous Cloud Native Service> User Guide> Policy Center> Policy Definition Library> k8spspallowedusers
Updated on 2024-02-01 GMT+08:00
View PDF

k8spspallowedusers

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter
    exemptImages: String array
runAsUser:
  rule: String
  ranges:
    - min: Integer
      max: Integer
runAsGroup:
  rule: String
  ranges:
    - min: Integer
      max: Integer
supplementalGroups:
  rule: String
  ranges:
    - min: Integer
      max: Integer
fsGroup:
  rule: String
  ranges:
    - min: Integer
      max: Integer

Function

This policy restricts the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields in PodSecurityPolicy.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect. parameters defines constraints on fields such as runAsUser, runAsGroup, supplementalGroups, and fsGroup.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny 
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200

Resource Definition That Complies with the Policy

In the example, parameters such as runAsUser are within the range and comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-users-allowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 199
    fsGroup: 199
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 199
        runAsGroup: 199

Resource Definition That Does Not Comply with the Policy

In the example, parameters such as runAsUser are not within the range and do not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-users-disallowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 250
    fsGroup: 250
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 250
        runAsGroup: 250