华为云UCS
华为云UCS
- 最新动态
- 服务公告
- 产品介绍
- 计费说明
- 快速入门
-
用户指南
- UCS集群
- 容器舰队
- 集群联邦
- 镜像仓库
- 权限管理
-
策略中心
- 策略中心概述
- 策略定义与策略实例的基本概念
- 启用策略中心
- 创建和管理策略实例
- 示例:使用策略中心实现Kubernetes资源合规性治理
-
使用策略定义库
- 策略定义库概述
- k8spspvolumetypes
- k8spspallowedusers
- k8spspselinuxv2
- k8spspseccomp
- k8spspreadonlyrootfilesystem
- k8spspprocmount
- k8spspprivilegedcontainer
- k8spsphostnetworkingports
- k8spsphostnamespace
- k8spsphostfilesystem
- k8spspfsgroup
- k8spspforbiddensysctls
- k8spspflexvolumes
- k8spspcapabilities
- k8spspapparmor
- k8spspallowprivilegeescalationcontainer
- k8srequiredprobes
- k8srequiredlabels
- k8srequiredannotations
- k8sreplicalimits
- noupdateserviceaccount
- k8simagedigests
- k8sexternalips
- k8sdisallowedtags
- k8sdisallowanonymous
- k8srequiredresources
- k8scontainerratios
- k8scontainerrequests
- k8scontainerlimits
- k8sblockwildcardingress
- k8sblocknodeport
- k8sblockloadbalancer
- k8sblockendpointeditdefaultrole
- k8spspautomountserviceaccounttokenpod
- k8sallowedrepos
- 配置管理
- 服务网格
- 流量分发
- 可观测性
- 云原生服务中心
- 容器迁移
- 流水线
- 错误码
- 最佳实践
- API参考
- 常见问题
- 文档下载
- 通用参考
本文导读
链接复制成功!
k8spspallowedusers
基本信息
- 策略类型:安全
- 推荐级别:L3
- 生效资源类型:Pod
- 参数:
exemptImages: 字符串数组 runAsUser: rule: 字符串 ranges: - min: 整型 max: 整型 runAsGroup: rule: 字符串 ranges: - min: 整型 max: 整型 supplementalGroups: rule: 字符串 ranges: - min: 整型 max: 整型 fsGroup: rule: 字符串 ranges: - min: 整型 max: 整型
作用
约束PodSecurityPolicy中的runAsUser、runAsGroup、supplementalGroups和fsGroup字段。
策略实例示例
以下策略实例展示了策略定义生效的资源类型,parameters中定义了对runAsUser、runAsGroup、supplementalGroups和fsGroup等字段的约束。
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPAllowedUsers metadata: name: psp-pods-allowed-user-ranges spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: runAsUser: rule: MustRunAs # MustRunAsNonRoot # RunAsAny ranges: - min: 100 max: 200 runAsGroup: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200 supplementalGroups: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200 fsGroup: rule: MustRunAs # MayRunAs # RunAsAny ranges: - min: 100 max: 200
符合策略实例的资源定义
示例中runAsUser等参数均在范围内,符合策略实例。
apiVersion: v1 kind: Pod metadata: name: nginx-users-allowed labels: app: nginx-users spec: securityContext: supplementalGroups: - 199 fsGroup: 199 containers: - name: nginx image: nginx securityContext: runAsUser: 199 runAsGroup: 199
不符合策略实例的资源定义
示例中runAsUser等参数不在范围内,不符合策略实例。
apiVersion: v1 kind: Pod metadata: name: nginx-users-disallowed labels: app: nginx-users spec: securityContext: supplementalGroups: - 250 fsGroup: 250 containers: - name: nginx image: nginx securityContext: runAsUser: 250 runAsGroup: 250
父主题: 使用策略定义库