更新时间:2024-02-01 GMT+08:00
k8spspallowedusers
基本信息
- 策略类型:安全
- 推荐级别:L3
- 生效资源类型:Pod
- 参数:
exemptImages: 字符串数组 runAsUser: rule: 字符串 ranges: - min: 整型 max: 整型 runAsGroup: rule: 字符串 ranges: - min: 整型 max: 整型 supplementalGroups: rule: 字符串 ranges: - min: 整型 max: 整型 fsGroup: rule: 字符串 ranges: - min: 整型 max: 整型
作用
约束PodSecurityPolicy中的runAsUser、runAsGroup、supplementalGroups和fsGroup字段。
策略实例示例
以下策略实例展示了策略定义生效的资源类型,parameters中定义了对runAsUser、runAsGroup、supplementalGroups和fsGroup等字段的约束。
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: runAsUser: rule: MustRunAs # MustRunAsNonRoot # RunAsAny ranges: - min: 100 max: 200 runAsGroup: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200 supplementalGroups: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200 fsGroup: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200
符合策略实例的资源定义
示例中runAsUser等参数均在范围内,符合策略实例。
apiVersion: v1 kind: Pod metadata: name: nginx-users-allowed labels: app: nginx-users spec: securityContext: supplementalGroups: - 199 fsGroup: 199 containers: - name: nginx image: nginx securityContext: runAsUser: 199 runAsGroup: 199
不符合策略实例的资源定义
示例中runAsUser等参数不在范围内,不符合策略实例。
apiVersion: v1 kind: Pod metadata: name: nginx-users-disallowed labels: app: nginx-users spec: securityContext: supplementalGroups: - 250 fsGroup: 250 containers: - name: nginx image: nginx securityContext: runAsUser: 250 runAsGroup: 250
父主题: 使用策略定义库