Updated: 2024-02-01 GMT+08:00
k8sblockendpointeditdefaultrole
Basic Information
- Policy type: compliance
- Recommended level: L1
- Affected resource type: ClusterRole
- Parameters: none
Function
By default, many Kubernetes clusters predefine a ClusterRole named system:aggregate-to-edit. The k8sblockendpointeditdefaultrole policy forbids that ClusterRole from performing create, patch and update operations on Endpoints.
Policy Instance Example
The following policy instance shows the resource type on which the policy definition takes effect.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRole"]
Resource Definition That Complies with the Policy Instance
In this example, the rules of the ClusterRole do not cover endpoints, so it complies with the policy instance.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
Resource Definition That Does Not Comply with the Policy Instance
In this example, the rules of the ClusterRole cover endpoints with create, patch and update verbs, so it does not comply with the policy instance.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
  - apiGroups:
      - apps
    resources:
      - endpoints
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
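The check described under Function, re-implemented in Python as an added example (not the constraint template's own Rego) and run against the two ClusterRoles shown above. The sample objects are constructed from those examples; treating the wildcard verb "*" as covering create/patch/update is an assumption of this example.

```python
# Added example: a Python re-implementation of what the
# K8sBlockEndpointEditDefaultRole constraint checks. Not the template's Rego.
BLOCKED_VERBS = {"create", "patch", "update"}
TARGET_ROLE = "system:aggregate-to-edit"


def endpoint_edit_violations(cluster_role: dict) -> list[str]:
    """Return one message per rule that lets system:aggregate-to-edit
    create/patch/update endpoints. An empty list means the object complies."""
    if cluster_role.get("kind") != "ClusterRole":
        return []
    if cluster_role.get("metadata", {}).get("name") != TARGET_ROLE:
        return []  # only the default aggregated role is in scope
    violations = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "endpoints" not in resources and "*" not in resources:
            continue
        # Assumption: a wildcard verb is treated as granting the blocked verbs.
        granted = sorted(verbs & BLOCKED_VERBS) if "*" not in verbs else ["*"]
        if granted:
            violations.append(f"rule[{i}] grants {granted} on endpoints")
    return violations


# Constructed from the compliant example on this page.
COMPLIANT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": TARGET_ROLE},
    "rules": [{"apiGroups": [""],
               "resources": ["pods/attach", "pods/exec", "secrets", "services/proxy"],
               "verbs": ["get", "list", "watch"]}],
}

# Constructed from the non-compliant example on this page.
NON_COMPLIANT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": TARGET_ROLE},
    "rules": [{"apiGroups": ["apps"],
               "resources": ["endpoints"],
               "verbs": ["create", "delete", "deletecollection", "patch", "update"]}],
}

if __name__ == "__main__":
    for label, role in (("compliant", COMPLIANT_ROLE), ("non-compliant", NON_COMPLIANT_ROLE)):
        print(label, endpoint_edit_violations(role) or "OK")
```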
Parent topic: Using the Policy Definition Library