Updated: 2024-02-01 GMT+08:00

k8spspallowedusers

Basic Information

  • Policy type: Security
  • Recommended level: L3
  • Applicable resource type: Pod
  • Parameters:
    exemptImages: array of strings
    runAsUser:
      rule: string
      ranges:
        - min: integer
          max: integer
    runAsGroup:
      rule: string
      ranges:
        - min: integer
          max: integer
    supplementalGroups:
      rule: string
      ranges:
        - min: integer
          max: integer
    fsGroup:
      rule: string
      ranges:
        - min: integer
          max: integer

Function

Constrains the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields from PodSecurityPolicy.

Policy Instance Example

The following policy instance shows the resource type the policy definition applies to. The parameters field defines the constraints on the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    runAsUser:
      rule: MustRunAs # MustRunAsNonRoot # RunAsAny 
      ranges:
        - min: 100
          max: 200
    runAsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200
    supplementalGroups:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200
    fsGroup:
      rule: MustRunAs # MayRunAs # RunAsAny 
      ranges:
        - min: 100
          max: 200

Resource Definition That Complies with the Policy Instance

In this example, runAsUser and the other parameters are all within the allowed ranges, so the resource complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-users-allowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 199
    fsGroup: 199
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 199
        runAsGroup: 199

Resource Definition That Does Not Comply with the Policy Instance

In this example, runAsUser and the other parameters are outside the allowed ranges, so the resource does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-users-disallowed
  labels:
    app: nginx-users
spec:
  securityContext:
    supplementalGroups:
      - 250
    fsGroup: 250
  containers:
    - name: nginx
      image: nginx
      securityContext:
        runAsUser: 250
        runAsGroup: 250
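The following Python checker is an added example, not Gatekeeper's own Rego template: it models the rule semantics this page lists (MustRunAs, MayRunAs, MustRunAsNonRoot, RunAsAny) and evaluates the constraint parameters above against the two example Pods. Container-level securityContext overriding pod-level values, and MustRunAsNonRoot accepting either a non-zero runAsUser or runAsNonRoot: true, are assumptions about the policy's behaviour.

```python
# Added illustrative checker for the k8spspallowedusers parameters (not Gatekeeper's Rego).
# Assumed semantics: MustRunAs = value required and inside a range; MayRunAs = optional,
# inside a range if set; MustRunAsNonRoot = set and non-zero, or runAsNonRoot: true;
# RunAsAny = no check.
from typing import Any, Dict, List

def in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    """True if value falls inside at least one inclusive [min, max] range."""
    return any(r["min"] <= value <= r["max"] for r in ranges)

def check_field(rule: str, values: List[int], ranges: List[Dict[str, int]],
                non_root: bool = False) -> bool:
    """Apply one rule to the resolved values of a field (empty list = field not set)."""
    if rule == "RunAsAny":
        return True
    if rule == "MustRunAsNonRoot":
        return (bool(values) and all(v != 0 for v in values)) or (not values and non_root)
    if rule == "MustRunAs" and not values:
        return False  # the field must be explicitly set
    # MustRunAs (with values) and MayRunAs: every value must lie inside some range
    return all(in_ranges(v, ranges) for v in values)

def violations(pod: Dict[str, Any], params: Dict[str, Any]) -> List[str]:
    """Return violation messages for the Pod; an empty list means it complies."""
    pod_sc = pod["spec"].get("securityContext", {})
    found = []
    for c in pod["spec"]["containers"]:
        sc = {**pod_sc, **c.get("securityContext", {})}  # container-level overrides pod-level
        for field in ("runAsUser", "runAsGroup"):
            p = params[field]
            vals = [sc[field]] if field in sc else []
            if not check_field(p["rule"], vals, p.get("ranges", []), sc.get("runAsNonRoot", False)):
                found.append(f"container {c['name']}: {field}={vals} violates {p['rule']}")
    for field in ("supplementalGroups", "fsGroup"):  # pod-level only
        p = params[field]
        raw = pod_sc.get(field)
        vals = [] if raw is None else (raw if isinstance(raw, list) else [raw])
        if not check_field(p["rule"], vals, p.get("ranges", [])):
            found.append(f"pod: {field}={vals} violates {p['rule']}")
    return found

# Constructed parameters mirroring the constraint above (all fields MustRunAs in 100-200)
RANGE = [{"min": 100, "max": 200}]
PARAMS = {f: {"rule": "MustRunAs", "ranges": RANGE}
          for f in ("runAsUser", "runAsGroup", "supplementalGroups", "fsGroup")}

def example_pod(uid: int) -> Dict[str, Any]:
    """Constructed Pod shaped like the two examples above, with every ID set to uid."""
    return {"spec": {"securityContext": {"supplementalGroups": [uid], "fsGroup": uid},
                     "containers": [{"name": "nginx", "image": "nginx",
                                     "securityContext": {"runAsUser": uid, "runAsGroup": uid}}]}}
```

Running violations(example_pod(199), PARAMS) returns no violations, while example_pod(250) reports all four fields, matching the compliant and non-compliant Pods above.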