k8spsphostfilesystem
Basic information
- Policy type: security
- Recommended level: L3
- Resource type it applies to: Pod
- Parameters:
  - allowedHostPaths: a list of entries, each with
    - readOnly: boolean
    - pathPrefix: string
Purpose
Restricts which host paths a Pod may mount through hostPath volumes; it is the Gatekeeper equivalent of the allowedHostPaths field of PodSecurityPolicy. Each hostPath volume in the Pod must lie under one of the configured pathPrefix values, and if the matching entry is marked readOnly: true, every volumeMount that references that volume must also set readOnly: true. Matching is done on whole path components, so a prefix of /foo covers /foo and /foo/bar but not /foobar. An empty allowedHostPaths list denies all hostPath volumes.
Example policy instance
The following constraint shows the resource type the policy applies to; allowedHostPaths under parameters lists the host path prefixes a Pod is allowed to mount.
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedHostPaths:
      - readOnly: true
        pathPrefix: "/foo"
```
Resource definition that complies with the policy instance
In this example the hostPath path /foo/bar lies under the allowed prefix /foo, and the only volumeMount that references the volume is readOnly: true, as the allowed entry requires, so the Pod is admitted.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-host-filesystem
  labels:
    app: nginx-host-filesystem-disallowed
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
          readOnly: true
  volumes:
    - name: cache-volume
      hostPath:
        path: /foo/bar
```
Resource definition that violates the policy instance
In this example the hostPath path /tmp is not under the allowed prefix /foo, so the Pod is rejected even though its volumeMount is read-only.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-host-filesystem
  labels:
    app: nginx-host-filesystem-disallowed
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
          readOnly: true
  volumes:
    - name: cache-volume
      hostPath:
        path: /tmp # directory location on host
```
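To see exactly why the first Pod is admitted and the second rejected, the decision rules can be replayed offline. The following Python is an added example written for this page; it is not the Gatekeeper template's own Rego, but it mirrors the rules that template applies (component-wise prefix matching, the readOnly requirement on every mount of the volume, and denial of all hostPath volumes when allowedHostPaths is empty). The `make_pod` helper and the `ALLOWED` parameters are constructed copies of the page's two manifests and constraint, so the script runs without a cluster and also checks the edge cases the page does not show: a path such as /foobar that merely shares a string prefix, and a writable mount of an otherwise allowed path.

```python
"""Offline replay of the K8sPSPHostFilesystem decision logic.

Added example for this page, not the Gatekeeper template's Rego. The rules are
assumed to follow the gatekeeper-library template: prefixes match on whole path
components, a readOnly prefix requires every mount of the volume to be readOnly,
and an empty allowedHostPaths list denies every hostPath volume.
"""


def path_components(path: str) -> list:
    """Split a path into components, dropping empty parts ('/' and trailing '/')."""
    return [p for p in path.split("/") if p != ""]


def path_matches(prefix: str, path: str) -> bool:
    """True if `path` equals `prefix` or lies below it at a component boundary.

    '/foo' matches '/foo', '/foo/' and '/foo/bar' but not '/foobar' or '/etc/foo'.
    A plain str.startswith() would wrongly accept '/foobar'.
    """
    a, b = path_components(prefix), path_components(path)
    return len(a) <= len(b) and b[: len(a)] == a


def writable_mounts(pod: dict, volume_name: str) -> list:
    """Names of containers (including initContainers) that mount `volume_name` writably."""
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    hits = []
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m.get("name") == volume_name and not m.get("readOnly", False):
                hits.append(c["name"])
    return hits


def hostpath_violations(pod: dict, allowed_host_paths: list) -> list:
    """Return one message per hostPath volume the constraint would reject (empty = admitted)."""
    msgs = []
    for vol in pod["spec"].get("volumes", []):
        if "hostPath" not in vol:
            continue  # only hostPath volumes are governed by this policy
        path = vol["hostPath"]["path"]
        if not allowed_host_paths:
            msgs.append(f"hostPath {path!r}: allowedHostPaths is empty, all hostPath volumes are denied")
            continue
        matched = [e for e in allowed_host_paths if path_matches(e["pathPrefix"], path)]
        if not matched:
            msgs.append(f"hostPath {path!r}: not under any allowed pathPrefix")
            continue
        # A matching entry without readOnly allows the volume outright.
        if any(not e.get("readOnly", False) for e in matched):
            continue
        # All matching entries are readOnly: no container may mount the volume writably.
        writers = writable_mounts(pod, vol["name"])
        if writers:
            msgs.append(f"hostPath {path!r}: prefix is readOnly but mounted writable by {writers}")
    return msgs


def make_pod(host_path: str, mount_read_only: bool) -> dict:
    """Constructed Pod shaped like the page's nginx examples (hypothetical helper)."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "nginx-host-filesystem"},
        "spec": {
            "containers": [{
                "name": "nginx",
                "image": "nginx",
                "volumeMounts": [{"mountPath": "/cache", "name": "cache-volume", "readOnly": mount_read_only}],
            }],
            "volumes": [{"name": "cache-volume", "hostPath": {"path": host_path}}],
        },
    }


# The page's constraint parameters: only /foo, and only read-only.
ALLOWED = [{"readOnly": True, "pathPrefix": "/foo"}]

if __name__ == "__main__":
    cases = [("/foo/bar", True), ("/tmp", True), ("/foobar", True), ("/foo/bar", False)]
    for path, ro in cases:
        verdict = hostpath_violations(make_pod(path, ro), ALLOWED) or ["admitted"]
        print(f"{path:10} mount readOnly={ro!s:5} -> {verdict}")
```

Running the script prints the page's two outcomes (/foo/bar admitted, /tmp rejected) and the two cases worth remembering when writing the constraint: /foobar is rejected because matching stops at component boundaries, and /foo/bar with a writable mount is rejected because the matching entry is readOnly.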