Updated on: 2024-02-01 GMT+08:00

k8sdisallowanonymous

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Applicable resource types: RoleBinding, ClusterRoleBinding
  • Parameters:

    allowedRoles: array of strings (names of the Roles and ClusterRoles that may be bound to anonymous subjects)

Function

Prevents any ClusterRole or Role that is not on the allow list from being bound to the system:anonymous User or the system:unauthenticated Group. A RoleBinding or ClusterRoleBinding is rejected when one of its subjects is either of these anonymous identities and its roleRef name is not listed in allowedRoles.

Example Constraint

In this example, the system:anonymous User and the system:unauthenticated Group may only be bound to the roles listed in allowedRoles, here only cluster-role-1. Bindings whose subjects contain neither anonymous identity are not affected.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    allowedRoles: 
      - cluster-role-1

Resource Definition That Complies with the Constraint

The ClusterRoleBinding grants ClusterRole cluster-role-1 to the system:unauthenticated Group. Because cluster-role-1 is in allowedRoles, the binding complies with the constraint.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

Resource Definition That Does Not Comply with the Constraint

The ClusterRoleBinding grants ClusterRole cluster-role-2 to the system:unauthenticated Group. Because cluster-role-2 is not in allowedRoles, the binding does not comply with the constraint and is rejected.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
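The check that the constraint above applies, written out in Python as an added example (this is not Gatekeeper's Rego template or CCE's own code). It evaluates bindings represented as Python dicts, the same structure `kubectl get -o json` returns; the three sample bindings are constructed here, two mirroring the manifests on this page and a third namespaced RoleBinding to system:anonymous that the page does not show. The script name check_anonymous.py in the usage note is an assumption.

```python
"""Local evaluation of the K8sDisallowAnonymous rule.

Added example, not Gatekeeper's own template: a RoleBinding or
ClusterRoleBinding is reported when one of its subjects is the
system:anonymous User or the system:unauthenticated Group and its
roleRef.name is not listed in allowedRoles.
"""
from __future__ import annotations

import json
import sys

# Subjects the constraint treats as anonymous, as (kind, name) pairs.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}


def violations(binding: dict, allowed_roles: list[str]) -> list[str]:
    """Return one message per anonymous subject bound to a non-allowed role."""
    role_ref = binding.get("roleRef") or {}
    role_name = role_ref.get("name", "")
    if role_name in allowed_roles:
        return []  # allow-listed role: nothing to report, whatever the subjects
    found = []
    for subject in binding.get("subjects") or []:
        if (subject.get("kind"), subject.get("name")) in ANONYMOUS_SUBJECTS:
            found.append(
                f"{binding.get('kind')} {binding.get('metadata', {}).get('name')}: "
                f"{subject['kind']} {subject['name']} is bound to "
                f"{role_ref.get('kind')} {role_name}, which is not in allowedRoles"
            )
    return found


def audit(bindings: list[dict], allowed_roles: list[str]) -> dict[str, list[str]]:
    """Evaluate many bindings; maps each offending binding's name to its messages."""
    report: dict[str, list[str]] = {}
    for binding in bindings:
        msgs = violations(binding, allowed_roles)
        if msgs:
            report[binding.get("metadata", {}).get("name", "<unnamed>")] = msgs
    return report


# Constructed inputs mirroring the constraint and manifests on this page.
ALLOWED_ROLES = ["cluster-role-1"]

RBAC = "rbac.authorization.k8s.io"

BINDING_1 = {  # complies: cluster-role-1 is allow-listed
    "apiVersion": f"{RBAC}/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-role-binding-1"},
    "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-role-1"},
    "subjects": [
        {"apiGroup": RBAC, "kind": "Group", "name": "system:authenticated"},
        {"apiGroup": RBAC, "kind": "Group", "name": "system:unauthenticated"},
    ],
}

BINDING_2 = {  # violates: cluster-role-2 is not allow-listed
    "apiVersion": f"{RBAC}/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-role-binding-2"},
    "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "cluster-role-2"},
    "subjects": [
        {"apiGroup": RBAC, "kind": "Group", "name": "system:authenticated"},
        {"apiGroup": RBAC, "kind": "Group", "name": "system:unauthenticated"},
    ],
}

BINDING_3 = {  # constructed, not on the page: namespaced RoleBinding to system:anonymous
    "apiVersion": f"{RBAC}/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "anon-reader", "namespace": "default"},
    "roleRef": {"apiGroup": RBAC, "kind": "Role", "name": "reader"},
    "subjects": [{"apiGroup": RBAC, "kind": "User", "name": "system:anonymous"}],
}


if __name__ == "__main__":
    # With JSON from `kubectl get ... -o json` on stdin, audit the live cluster;
    # otherwise evaluate the constructed samples.
    if not sys.stdin.isatty():
        items = json.load(sys.stdin).get("items", [])
    else:
        items = [BINDING_1, BINDING_2, BINDING_3]
    for name, msgs in audit(items, ALLOWED_ROLES).items():
        for msg in msgs:
            print(msg)
```

Run stand-alone it reports cluster-role-binding-2 and anon-reader and stays silent for cluster-role-binding-1. To check bindings that already exist in a cluster (Gatekeeper admission only sees new and updated objects unless audit is enabled), pipe them in: `kubectl get clusterrolebindings -o json | python3 check_anonymous.py`, and the same for `kubectl get rolebindings --all-namespaces -o json`. Note that a default cluster ships the ClusterRoleBinding system:public-info-viewer, which binds that ClusterRole to system:unauthenticated so that unauthenticated clients can reach endpoints such as /healthz and /version; if you audit existing objects with this constraint, either add system:public-info-viewer to allowedRoles or expect it to be reported.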