Updated: 2024-02-01 GMT+08:00

k8spspfsgroup

Basic information

  • Policy type: security
  • Recommended level: L3
  • Applicable resource type: Pod
  • Parameters:
    rule: string; one of MayRunAs, MustRunAs or RunAsAny
    ranges
      max: integer
      min: integer

Function

Restricts the "fsGroup" field (the group ID that owns a Pod's volumes, corresponding to the fsGroup field of a PodSecurityPolicy) to the allowed ranges.

Policy instance example

The following policy instance shows the resource type that the policy definition applies to.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    rule: "MayRunAs" # alternatives: "MustRunAs", "RunAsAny"
    ranges:
    - min: 1
      max: 1000

Resource definition that complies with the policy instance

In this example fsGroup is set to 500, which lies within the range 1 to 1000, so the Pod complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  securityContext:
    fsGroup: 500 # directory will have group ID 500
  volumes:
    - name: fsgroup-demo-vol
      emptyDir: {}
  containers:
    - name: fsgroup-demo
      image: busybox
      command: ["sh", "-c", "sleep 1h"]
      volumeMounts:
        - name: fsgroup-demo-vol
          mountPath: /data/demo

Resource definition that violates the policy instance

In this example fsGroup is set to 2000, which lies outside the range 1 to 1000, so the Pod violates the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  securityContext:
    fsGroup: 2000 # directory will have group ID 2000
  volumes:
    - name: fsgroup-demo-vol
      emptyDir: {}
  containers:
    - name: fsgroup-demo
      image: busybox
      command: ["sh", "-c", "sleep 1h"]
      volumeMounts:
        - name: fsgroup-demo-vol
          mountPath: /data/demo
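The following Python script is an added example, not code from this documentation page or from the Gatekeeper project (whose constraint template is written in Rego and evaluated by the admission webhook). It models the rule and ranges parameters described under "Basic information" and evaluates the two sample Pods above (expressed as Python dicts instead of YAML, so it runs without a YAML library). The semantics assumed for the three rule values mirror the PodSecurityPolicy fsGroup strategies: MustRunAs requires fsGroup to be set and inside a range, MayRunAs allows fsGroup to be omitted but constrains it when set, and RunAsAny accepts anything. The helper names (check_fsgroup, in_ranges, make_pod) are hypothetical.

```python
"""Added example: a plain-Python model of the k8spspfsgroup constraint.

Not Gatekeeper's own code; the rule semantics are assumed to follow the
PodSecurityPolicy fsGroup strategies (MustRunAs / MayRunAs / RunAsAny).
"""
from typing import Any, Dict, List, Optional

# Constraint parameters copied from the psp-fsgroup policy instance above.
POLICY: Dict[str, Any] = {
    "rule": "MayRunAs",
    "ranges": [{"min": 1, "max": 1000}],
}


def in_ranges(value: int, ranges: List[Dict[str, int]]) -> bool:
    """True if value falls inside at least one inclusive [min, max] range."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def check_fsgroup(pod: Dict[str, Any], params: Dict[str, Any]) -> Optional[str]:
    """Return None if the Pod satisfies the constraint, else a violation message.

    Assumed semantics (documented in the lead-in):
      MustRunAs - fsGroup must be set and inside one of the ranges
      MayRunAs  - fsGroup may be omitted; if set it must be inside one of the ranges
      RunAsAny  - any value, set or unset, is accepted
    """
    rule = params.get("rule", "RunAsAny")
    ranges = params.get("ranges", [])
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    fs_group = pod.get("spec", {}).get("securityContext", {}).get("fsGroup")

    if rule == "RunAsAny":
        return None
    if rule == "MustRunAs":
        if fs_group is None:
            return f"pod {name}: fsGroup must be set (rule MustRunAs)"
        if not in_ranges(fs_group, ranges):
            return f"pod {name}: fsGroup {fs_group} is not in the allowed ranges {ranges}"
        return None
    if rule == "MayRunAs":
        if fs_group is None or in_ranges(fs_group, ranges):
            return None
        return f"pod {name}: fsGroup {fs_group} is not in the allowed ranges {ranges}"
    raise ValueError(f"unknown rule {rule!r}")


def make_pod(name: str, fs_group: Optional[int] = None) -> Dict[str, Any]:
    """Build a minimal Pod manifest like the busybox examples on this page."""
    security_context: Dict[str, Any] = {}
    if fs_group is not None:
        security_context["fsGroup"] = fs_group
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "securityContext": security_context,
            "volumes": [{"name": "fsgroup-demo-vol", "emptyDir": {}}],
            "containers": [
                {
                    "name": "fsgroup-demo",
                    "image": "busybox",
                    "command": ["sh", "-c", "sleep 1h"],
                    "volumeMounts": [
                        {"name": "fsgroup-demo-vol", "mountPath": "/data/demo"}
                    ],
                }
            ],
        },
    }


# The two sample Pods from this page (both are named fsgroup-disallowed there).
ALLOWED_POD = make_pod("fsgroup-disallowed", 500)   # inside 1..1000
DENIED_POD = make_pod("fsgroup-disallowed", 2000)   # outside 1..1000

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DENIED_POD):
        violation = check_fsgroup(pod, POLICY)
        print("admitted" if violation is None else f"denied: {violation}")
```

Running the script admits the first Pod and denies the second; switching the rule to MustRunAs additionally denies Pods that omit fsGroup entirely, which is the difference between the two constrained strategies that the parameter list alone does not make obvious.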