Updated on 2024-02-01 GMT+08:00

k8spspallowedusers

Basic Information

  • Policy type: security
  • Recommended level: L3
  • Effective resource type: Pod
  • Parameter
    exemptImages: String array
    runAsUser:
      rule: String
      ranges:
        - min: Integer
          max: Integer
    runAsGroup:
      rule: String
      ranges:
        - min: Integer
          max: Integer
    supplementalGroups:
      rule: String
      ranges:
        - min: Integer
          max: Integer
    fsGroup:
      rule: String
      ranges:
        - min: Integer
          max: Integer

Function

This policy controls the user and group IDs that containers run with and the group IDs applied to some volumes. It constrains the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields of the pod and container securityContext, corresponding to the fields of the same name in a PodSecurityPolicy.

Policy Example

The following policy instance declares the resource kinds the policy applies to (Pods in the core API group). parameters sets, for each of runAsUser, runAsGroup, supplementalGroups, and fsGroup, a rule and the allowed ID ranges; the comment on each rule line lists the other values that field accepts, and range bounds are inclusive. The exemptImages parameter is omitted here, so no container image is exempted from the check.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny 
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200

Resource Definition That Complies with the Policy

In this example, runAsUser and runAsGroup are set in the container securityContext and supplementalGroups and fsGroup in the pod securityContext (Kubernetes only accepts the latter two at pod level). All four values are 199, within the allowed range 100 to 200, so the Pod complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-users-allowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 199
    fsGroup: 199
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 199
        runAsGroup: 199

Resource Definition That Does Not Comply with the Policy

In this example, all four fields are set to 250, outside the allowed range 100 to 200, so each field produces a violation and the Pod does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-users-disallowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 250
    fsGroup: 250
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 250
        runAsGroup: 250
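To make the rule semantics concrete, the following is an added Python illustration that re-implements the checks a K8sPSPAllowedUsers constraint performs and runs them against the two Pods above. It is not Gatekeeper's own Rego and not part of this page; the semantics it encodes (a container-level securityContext takes precedence over the pod-level one, MustRunAs requires the field to be present, MayRunAs only checks the field when it is set, MustRunAsNonRoot accepts a non-zero runAsUser or runAsNonRoot: true, and exemptImages matches an image exactly or by a trailing `*` prefix) are assumptions about the upstream template. The third Pod, the MayRunAs parameter set, and the registry.example image are constructed for the example.

```python
# Added illustration of K8sPSPAllowedUsers rule semantics (assumed, not Gatekeeper's Rego).
from typing import Any

# Parameters block of the constraint shown on this page (ranges are inclusive).
PARAMS: dict[str, Any] = {
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "runAsGroup": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]},
}

def pod_from_page(name: str, uid: int) -> dict[str, Any]:
    """Builds the page's nginx Pod with every ID field set to uid."""
    return {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
        "spec": {
            "securityContext": {"supplementalGroups": [uid], "fsGroup": uid},
            "containers": [{"name": "nginx", "image": "nginx",
                            "securityContext": {"runAsUser": uid, "runAsGroup": uid}}],
        },
    }

COMPLIANT = pod_from_page("nginx-users-allowed", 199)
NONCOMPLIANT = pod_from_page("nginx-users-disallowed", 250)

# Constructed: runAsUser only at pod level, no group fields, no container securityContext.
POD_LEVEL_ONLY: dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "pod-level-uid"},
    "spec": {"securityContext": {"runAsUser": 150},
             "containers": [{"name": "app", "image": "registry.example/app:1"}]},
}
# Constructed: same ranges, but the group fields are optional (MayRunAs).
MAY_PARAMS: dict[str, Any] = {**PARAMS, **{
    f: {"rule": "MayRunAs", "ranges": [{"min": 100, "max": 200}]}
    for f in ("runAsGroup", "supplementalGroups", "fsGroup")}}

def in_ranges(value: int, ranges: list[dict[str, int]]) -> bool:
    return any(r["min"] <= value <= r["max"] for r in ranges)

def field_value(field: str, container: dict, spec: dict) -> Any:
    """Container securityContext wins; otherwise fall back to the pod's (assumed precedence)."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (spec.get("securityContext") or {}).get(field)

def image_exempt(image: str, patterns: list[str]) -> bool:
    """Exact match, or prefix match when the pattern ends in '*' (assumed matching rule)."""
    return any(image.startswith(p[:-1]) if p.endswith("*") else image == p for p in patterns)

def check_run_as_user(params: dict, c: dict, spec: dict) -> list[str]:
    rule, user = params["rule"], field_value("runAsUser", c, spec)
    if rule == "RunAsAny":
        return []
    if rule == "MustRunAsNonRoot":
        if user is None:
            ok = field_value("runAsNonRoot", c, spec) is True
            return [] if ok else [f"{c['name']}: needs runAsNonRoot: true or runAsUser != 0"]
        return [] if user != 0 else [f"{c['name']}: runAsUser 0 (root) is disallowed"]
    if user is None:  # MustRunAs: the field must be present
        return [f"{c['name']}: runAsUser is required"]
    if not in_ranges(user, params["ranges"]):
        return [f"{c['name']}: runAsUser {user} not in {params['ranges']}"]
    return []

def check_group_field(field: str, params: dict, c: dict, spec: dict) -> list[str]:
    rule, value = params["rule"], field_value(field, c, spec)
    if rule == "RunAsAny":
        return []
    if value is None:
        return [f"{c['name']}: {field} is required"] if rule == "MustRunAs" else []
    values = value if isinstance(value, list) else [value]  # supplementalGroups is a list
    return [f"{c['name']}: {field} {v} not in {params['ranges']}"
            for v in values if not in_ranges(v, params["ranges"])]

def evaluate(params: dict, pod: dict) -> list[str]:
    """Returns violation messages; an empty list means the Pod is admitted."""
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    exempt = params.get("exemptImages", [])
    violations: list[str] = []
    for c in containers:
        if image_exempt(c.get("image", ""), exempt):
            continue
        if "runAsUser" in params:
            violations += check_run_as_user(params["runAsUser"], c, spec)
        for field in ("runAsGroup", "supplementalGroups", "fsGroup"):
            if field in params:
                violations += check_group_field(field, params[field], c, spec)
    return violations

if __name__ == "__main__":
    for pod in (COMPLIANT, NONCOMPLIANT, POD_LEVEL_ONLY):
        print(pod["metadata"]["name"], evaluate(PARAMS, pod) or "admitted")
```

Running it admits nginx-users-allowed, rejects nginx-users-disallowed with one violation per field, and rejects the pod-level-only Pod under the page's MustRunAs parameters because the three group fields are missing; the same Pod is admitted once the group rules are MayRunAs, or when its image matches an exemptImages pattern.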