k8spspvolumetypes
Purpose
Constrains which volume types may appear in the "volumes" field governed by a PodSecurityPolicy.
Example constraint
The following constraint shows the resource kinds the policy applies to; the volumes field under parameters defines the list of allowed volume types.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    volumes:
      # - "*" # * may be used to allow all volume types
      - configMap
      - emptyDir
      - projected
      - secret
      - downwardAPI
      - persistentVolumeClaim
      #- hostPath #required for allowedHostPaths
      - flexVolume #required for allowedFlexVolumes
Resource definition that complies with the constraint
Every volume type used under volumes in this example is within the allowed list defined above, so the Pod complies with the constraint.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-volume-types-allowed
  labels:
    app: nginx-volume-types
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
    - name: nginx2
      image: nginx
      volumeMounts:
        - mountPath: /cache2
          name: demo-vol
  volumes:
    - name: cache-volume
      emptyDir: {}
    - name: demo-vol
      emptyDir: {}
Resource definition that violates the constraint
One of the volume types used under volumes in this example (hostPath) is not in the allowed list defined above, so the Pod violates the constraint.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-volume-types-disallowed
  labels:
    app: nginx-volume-types
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
    - name: nginx2
      image: nginx
      volumeMounts:
        - mountPath: /cache2
          name: demo-vol
  volumes:
    - name: cache-volume
      hostPath:
        path: /tmp # directory location on host
    - name: demo-vol
      emptyDir: {}
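To make the decision behind both examples above reproducible offline, here is an added Python re-implementation of the check (not code from this page or from the Gatekeeper project). It takes the volume type from the keys of each spec.volumes entry, honours the "*" wildcard from the constraint parameters, and evaluates the compliant and non-compliant Pods shown above; the Pod dicts are constructed from those examples with the container sections omitted.

```python
from typing import Dict, List, Optional

# Allowed types, copied from the constraint's parameters.volumes above.
ALLOWED_VOLUMES = [
    "configMap", "emptyDir", "projected", "secret",
    "downwardAPI", "persistentVolumeClaim", "flexVolume",
]


def volume_type(volume: Dict) -> Optional[str]:
    """Return the volume source key of a spec.volumes entry (any key other than 'name')."""
    sources = [k for k in volume if k != "name"]
    return sources[0] if sources else None


def violations(pod: Dict, allowed: List[str]) -> List[str]:
    """Return one message per volume whose type is not in `allowed`.

    A literal "*" in `allowed` permits every volume type, mirroring the
    commented-out option in the constraint parameters.
    """
    if "*" in allowed:
        return []
    msgs = []
    for vol in pod.get("spec", {}).get("volumes", []):
        vtype = volume_type(vol)
        if vtype is not None and vtype not in allowed:
            msgs.append(f"volume {vol['name']!r} has type {vtype!r}, "
                        f"which is not in the allowed types {allowed}")
    return msgs


# Constructed from the two example Pods on this page (only spec.volumes matters here).
POD_ALLOWED = {
    "metadata": {"name": "nginx-volume-types-allowed"},
    "spec": {"volumes": [{"name": "cache-volume", "emptyDir": {}},
                         {"name": "demo-vol", "emptyDir": {}}]},
}
POD_DISALLOWED = {
    "metadata": {"name": "nginx-volume-types-disallowed"},
    "spec": {"volumes": [{"name": "cache-volume", "hostPath": {"path": "/tmp"}},
                         {"name": "demo-vol", "emptyDir": {}}]},
}

if __name__ == "__main__":
    for pod in (POD_ALLOWED, POD_DISALLOWED):
        print(pod["metadata"]["name"], violations(pod, ALLOWED_VOLUMES) or "OK")
```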