更新时间:2024-02-01 GMT+08:00

k8sdisallowanonymous

基本信息

  • 策略类型:合规
  • 推荐级别:L1
  • 生效资源类型:RoleBinding、ClusterRoleBinding
  • 参数:

    allowedRoles:字符串数组

作用

不允许将白名单以外的ClusterRole和Role关联到system:anonymous User和system:unauthenticated Group。

策略实例示例

示例展示了ClusterRole和Role资源仅能关联到allowedRoles中定义的Role。

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    allowedRoles: 
      - cluster-role-1

符合策略实例的资源定义

ClusterRole关联到cluster-role-1 Role中,符合策略实例。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

不符合策略实例的资源定义

ClusterRole关联到cluster-role-2 Role中,不符合策略实例。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated