Updated: 2024-01-05 GMT+08:00

k8spspvolumetypes

Basic Information

  • Policy type: Security
  • Recommended level: L3
  • Resource type in effect: Pod
  • Parameters:

    volumes: array

Purpose

Restricts the volume types a Pod may mount to those listed in the constraint's parameters. This corresponds to the "volumes" field of a PodSecurityPolicy: each entry in the Pod's spec.volumes is identified by its type key (emptyDir, hostPath, secret, and so on), and that key must appear in the allowed list, or the list must contain "*", for the Pod to be admitted.

Policy Instance Example

The following policy instance shows the resource type the policy definition applies to; the volumes field under parameters defines the list of allowed volume types. Note that hostPath is commented out, so Pods that mount host directories are rejected, and that a "*" entry would allow every type and effectively disable the control.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    volumes:
    # - "*" # * may be used to allow all volume types
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    #- hostPath #required for allowedHostPaths
    - flexVolume #required for allowedFlexVolumes

Resource Definition That Complies with the Policy Instance

All volume types used in the volumes field of this example (both volumes are emptyDir) are within the allowed range defined above, so the resource complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-volume-types-allowed
  labels:
    app: nginx-volume-types
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - name: nginx2
    image: nginx
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - name: cache-volume
    emptyDir: {}
  - name: demo-vol
    emptyDir: {}

Resource Definition That Violates the Policy Instance

One of the volume types in this example (hostPath) is not in the allowed range defined above, so the resource violates the policy instance. The remaining emptyDir volume being allowed does not help: a single disallowed volume type is enough for the whole Pod to be rejected.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-volume-types-disallowed
  labels:
    app: nginx-volume-types
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - name: nginx2
    image: nginx
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - name: cache-volume
    hostPath:
      path: /tmp # directory location on host
  - name: demo-vol
    emptyDir: {}
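The check the constraint performs can be followed end to end offline. The Python below is an added illustration written for this page, not Gatekeeper's own Rego template or any CCE code: it extracts each volume's type key from spec.volumes, compares it against the allowed list (honouring the "*" wildcard), and returns one message per disallowed type. The two Pods are the manifests shown above, transcribed into Python dictionaries as constructed input; the message wording is assumed for illustration. It also shows two practical caveats: the comparison is exact and case-sensitive (PSP-style camelCase names such as emptyDir, not emptydir), and a Pod with no volumes at all produces no violations.

```python
"""Plain-Python re-implementation of the K8sPSPVolumeTypes admission check.

Added example, not Gatekeeper's Rego: every entry in spec.volumes carries its
type as the single key other than "name", and that key must be listed in
parameters.volumes unless the list contains "*".
"""

# Allowed list copied from the constraint instance shown on this page.
ALLOWED_VOLUME_TYPES = [
    "configMap", "emptyDir", "projected", "secret",
    "downwardAPI", "persistentVolumeClaim", "flexVolume",
]

# The two Pods from this page, transcribed as dicts (constructed input).
POD_ALLOWED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx-volume-types-allowed"},
    "spec": {
        "containers": [{"name": "nginx", "image": "nginx"},
                       {"name": "nginx2", "image": "nginx"}],
        "volumes": [
            {"name": "cache-volume", "emptyDir": {}},
            {"name": "demo-vol", "emptyDir": {}},
        ],
    },
}

POD_DISALLOWED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "nginx-volume-types-disallowed"},
    "spec": {
        "containers": [{"name": "nginx", "image": "nginx"},
                       {"name": "nginx2", "image": "nginx"}],
        "volumes": [
            {"name": "cache-volume", "hostPath": {"path": "/tmp"}},
            {"name": "demo-vol", "emptyDir": {}},
        ],
    },
}


def volume_types(pod):
    """Return the set of volume type names a Pod uses.

    Kubernetes encodes the type as the one non-"name" key of each entry in
    spec.volumes (e.g. {"name": "x", "hostPath": {...}}), and that spelling
    is exactly what the constraint compares against. A missing or null
    spec.volumes yields an empty set.
    """
    types = set()
    for volume in pod.get("spec", {}).get("volumes") or []:
        types.update(key for key in volume if key != "name")
    return types


def volume_type_violations(pod, allowed):
    """Return one message per disallowed volume type; [] means admitted.

    A literal "*" in the allowed list admits every type (the control is
    effectively off). Otherwise the match is exact and case-sensitive, so
    "emptydir" in the allowed list does NOT admit an emptyDir volume.
    """
    if "*" in allowed:
        return []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    allowed_set = set(allowed)
    return [
        f"The volume type {vtype} is not allowed, pod: {pod_name}. "
        f"Allowed volume types: {sorted(allowed_set)}"
        for vtype in sorted(volume_types(pod) - allowed_set)
    ]


if __name__ == "__main__":
    for pod in (POD_ALLOWED, POD_DISALLOWED):
        messages = volume_type_violations(pod, ALLOWED_VOLUME_TYPES)
        print(pod["metadata"]["name"], "->", "admitted" if not messages else messages)
```

Running the module prints "admitted" for the first Pod and a single hostPath message for the second. If you re-enable hostPath in the constraint to satisfy a separate allowedHostPaths policy, remember that this check only looks at the volume type; restricting which host paths may be mounted is the job of that other policy.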

Related Documents