更新时间:2024-02-01 GMT+08:00
k8spspallowedusers
基本信息
- 策略类型:安全
- 推荐级别:L3
- 生效资源类型:Pod
- 参数:
exemptImages: 字符串数组 runAsUser: rule: 字符串 ranges: - min: 整型 max: 整型 runAsGroup: rule: 字符串 ranges: - min: 整型 max: 整型 supplementalGroups: rule: 字符串 ranges: - min: 整型 max: 整型 fsGroup: rule: 字符串 ranges: - min: 整型 max: 整型
作用
约束PodSecurityPolicy中的runAsUser、runAsGroup、supplementalGroups和fsGroup字段。
策略实例示例
以下策略实例展示了策略定义生效的资源类型,parameters中定义了对runAsUser、runAsGroup、supplementalGroups和fsGroup等字段的约束。
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
name: psp-pods-allowed-user-ranges
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
runAsUser:
rule: MustRunAs # MustRunAsNonRoot # RunAsAny
ranges:
- min: 100
max: 200
runAsGroup:
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
supplementalGroups:
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
fsGroup:
rule: MustRunAs # MayRunAs # RunAsAny
ranges:
- min: 100
max: 200
符合策略实例的资源定义
示例中runAsUser等参数均在范围内,符合策略实例。
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-allowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 199
fsGroup: 199
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 199
runAsGroup: 199
不符合策略实例的资源定义
示例中runAsUser等参数不在范围内,不符合策略实例。
apiVersion: v1
kind: Pod
metadata:
name: nginx-users-disallowed
labels:
app: nginx-users
spec:
securityContext:
supplementalGroups:
- 250
fsGroup: 250
containers:
- name: nginx
image: nginx
securityContext:
runAsUser: 250
runAsGroup: 250
父主题: 使用策略定义库
