Updated: 2024-01-05 GMT+08:00

k8spsphostfilesystem

Basic Information

  • Policy type: Security
  • Recommended level: L3
  • Applicable resource type: Pod
  • Parameters:
    allowedHostPaths:
      readOnly: boolean
      pathPrefix: string

Function

Constrains the parameters of hostPath volumes, corresponding to the hostPath controls of PodSecurityPolicy: only the path prefixes listed in allowedHostPaths may be used, and prefixes marked readOnly may only be mounted read-only.

Policy Instance Example

The following policy instance shows the resource type the policy definition applies to; allowedHostPaths under parameters specifies the permitted values of the hostPath field.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedHostPaths:
    - readOnly: true
      pathPrefix: "/foo"

Resource Definition That Complies with the Policy Instance

In this example, the hostPath path /foo/bar starts with the allowed prefix /foo and is mounted with readOnly: true, so the Pod complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-host-filesystem
  labels:
    app: nginx-host-filesystem-disallowed
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: /cache
          name: cache-volume
          readOnly: true
  volumes:
    - name: cache-volume
      hostPath:
        path: /foo/bar

Resource Definition That Does Not Comply with the Policy Instance

In this example, the hostPath path starts with /tmp, which matches none of the allowed prefixes, so the Pod does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-host-filesystem
  labels:
    app: nginx-host-filesystem-disallowed
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - name: cache-volume
    hostPath:
      path: /tmp # directory location on host

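The check that the constraint above performs, as an added example that is not part of this documentation page or of the Gatekeeper library itself: it reimplements the allowedHostPaths semantics (component-wise pathPrefix matching, and readOnly entries requiring a read-only mount) in Python so a Pod manifest can be evaluated offline. The Pods and the ALLOWED_HOST_PATHS list are constructed here to mirror the page's examples.

```python
from typing import Dict, List

# Constructed to mirror the page's constraint: only /foo, read-only.
ALLOWED_HOST_PATHS = [{"readOnly": True, "pathPrefix": "/foo"}]


def path_matches(prefix: str, path: str) -> bool:
    """Component-wise prefix match: "/foo" covers "/foo" and "/foo/bar" but
    not "/foobar" (a plain startswith would wrongly allow it); "/" covers all."""
    pre = [p for p in prefix.split("/") if p]
    cur = [p for p in path.split("/") if p]
    return cur[: len(pre)] == pre


def host_path_violations(pod: Dict, allowed: List[Dict]) -> List[str]:
    """One message per volumeMount of a hostPath volume that no allowedHostPaths
    entry permits. An entry permits a mount if its pathPrefix matches and either
    the entry is not readOnly or the mount itself is readOnly."""
    spec = pod["spec"]
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    out = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            path = host_vols.get(m["name"])
            if path is None:
                continue  # not a hostPath volume, out of scope for this policy
            permitted = any(
                path_matches(a["pathPrefix"], path)
                and (not a.get("readOnly", False) or m.get("readOnly", False))
                for a in allowed)
            if not permitted:
                out.append(f"container {c['name']}: hostPath {path} mounted at "
                           f"{m['mountPath']} (readOnly={m.get('readOnly', False)}) "
                           "is not permitted by allowedHostPaths")
    return out


def make_pod(host_path: str, read_only: bool) -> Dict:
    """Constructed Pod in the shape of the page's nginx examples."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "nginx-host-filesystem"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx",
                                     "volumeMounts": [{"mountPath": "/cache",
                                                       "name": "cache-volume",
                                                       "readOnly": read_only}]}],
                     "volumes": [{"name": "cache-volume",
                                  "hostPath": {"path": host_path}}]}}


if __name__ == "__main__":
    for p in (make_pod("/foo/bar", True), make_pod("/tmp", True), make_pod("/foo/bar", False)):
        print(host_path_violations(p, ALLOWED_HOST_PATHS) or "compliant")
```

The third Pod shows the case the page's examples do not: a path under the allowed prefix still violates the constraint when the mount is writable.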
Related Documents