Updated on 2024-02-01 GMT+08:00

k8spspfsgroup

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameters
    rule: String. MayRunAs, MustRunAs, or RunAsAny.
    ranges: List of allowed fsGroup ranges, each with:
      max: Integer
      min: Integer

Function

This policy ensures that the fsGroup value set in a pod's securityContext falls within a specified range, mirroring the fsGroup control of PodSecurityPolicy.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    rule: "MayRunAs" # or "MustRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000

Resource Definition That Complies with the Policy

In this example, fsGroup is set to 500, which lies within the 1 to 1000 range of the policy instance and therefore complies with it.

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  securityContext:
    fsGroup: 500 # directory will have group ID 500
  volumes:
    - name: fsgroup-demo-vol
      emptyDir: {}
  containers:
    - name: fsgroup-demo
      image: busybox
      command: ["sh", "-c", "sleep 1h"]
      volumeMounts:
        - name: fsgroup-demo-vol
          mountPath: /data/demo

Resource Definition That Does Not Comply with the Policy

In this example, fsGroup is set to 2000, which lies outside the 1 to 1000 range of the policy instance and therefore does not comply with it.

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  securityContext:
    fsGroup: 2000   # directory will have group ID 2000
  volumes:
  - name: fsgroup-demo-vol
    emptyDir: {}
  containers:
  - name: fsgroup-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: fsgroup-demo-vol
      mountPath: /data/demo
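The following is an added example, not code from this page or from the Gatekeeper project: a small Python re-implementation of the decision the k8spspfsgroup constraint makes, so the policy instance and the two pod manifests above can be checked offline without a cluster. The three rule values behave as described under Parameters (RunAsAny accepts anything, MayRunAs only checks fsGroup when it is set, MustRunAs requires it to be set and in range). The pod dictionaries are hand-transcribed from the manifests above, reduced to the fields the check reads; the pod without any fsGroup is a constructed extra case.

```python
"""Added example: offline check of the k8spspfsgroup rule semantics.

Not the Gatekeeper template itself; the decision logic below follows the
rule descriptions on the page. Inputs are transcribed from the page's
manifests plus one constructed pod with no fsGroup."""

from typing import Any, Dict, List, Optional

# Constraint parameters from the policy instance on the page.
POLICY_PARAMS: Dict[str, Any] = {"rule": "MayRunAs", "ranges": [{"min": 1, "max": 1000}]}

# Pod manifests from the page, reduced to the fields the check needs.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "fsgroup-disallowed"},
    "spec": {"securityContext": {"fsGroup": 500}},
}
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "fsgroup-disallowed"},
    "spec": {"securityContext": {"fsGroup": 2000}},
}
# Constructed extra case: a pod that sets no fsGroup at all.
POD_WITHOUT_FSGROUP = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "no-fsgroup"},
    "spec": {},
}


def in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    """True if value lies inside at least one [min, max] range (bounds included)."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def fsgroup_violation(pod: Dict[str, Any], params: Dict[str, Any]) -> Optional[str]:
    """Return a violation message, or None if the pod satisfies the constraint.

    Rule semantics, as described on the page:
      RunAsAny  - any fsGroup, set or unset, is accepted.
      MayRunAs  - fsGroup may be omitted; if set, it must fall in ranges.
      MustRunAs - fsGroup must be set and must fall in ranges.
    """
    rule = params["rule"]
    ranges = params.get("ranges", [])
    fs_group = pod.get("spec", {}).get("securityContext", {}).get("fsGroup")
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    if rule == "RunAsAny":
        return None
    if rule not in ("MayRunAs", "MustRunAs"):
        return f"pod {name}: unknown fsGroup rule {rule!r}"
    if fs_group is None:
        # MayRunAs tolerates an unset fsGroup; MustRunAs does not.
        if rule == "MustRunAs":
            return f"pod {name}: fsGroup must be set (rule MustRunAs)"
        return None
    if not in_ranges(fs_group, ranges):
        allowed = ", ".join(f"{r['min']}-{r['max']}" for r in ranges)
        return f"pod {name}: fsGroup {fs_group} is not in allowed ranges [{allowed}]"
    return None


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD, POD_WITHOUT_FSGROUP):
        msg = fsgroup_violation(pod, POLICY_PARAMS)
        print(pod["metadata"]["name"], "allowed" if msg is None else f"denied: {msg}")
```

With the page's policy instance, the first pod is admitted, the second is denied because 2000 is outside 1 to 1000, and the pod without an fsGroup is admitted only because the rule is MayRunAs; switching the rule to MustRunAs makes that third pod a violation as well.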