noupdateserviceaccount
Purpose
Denies updates that change a resource's ServiceAccount unless the requester is on the allow-list.
Constraint example
The following constraint shows the resource kinds the policy applies to; its parameters define the list of allowed groups (allowedGroups) and the list of allowed users (allowedUsers).
# IMPORTANT: Before deploying this policy, make sure you allow-list any groups
# or users that need to deploy workloads to kube-system, such as cluster-
# lifecycle controllers, addon managers, etc. Such controllers may need to
# update service account names during automated rollouts (e.g. of refactored
# configurations). You can allow-list them with the allowedGroups and
# allowedUsers properties of the NoUpdateServiceAccount Constraint.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    namespaces: ["kube-system"]
    kinds:
      - apiGroups: [""]
        kinds:
          # You can optionally add "Pod" here, but it is unnecessary because
          # Pod service account immutability is enforced by the Kubernetes API.
          - "ReplicationController"
      - apiGroups: ["apps"]
        kinds:
          - "ReplicaSet"
          - "Deployment"
          - "StatefulSet"
          - "DaemonSet"
      - apiGroups: ["batch"]
        kinds:
          # You can optionally add "Job" here, but it is unnecessary because
          # Job service account immutability is enforced by the Kubernetes API.
          - "CronJob"
  parameters:
    allowedGroups: []
    allowedUsers: []
Resource definition that complies with the constraint
The ServiceAccount is not updated, so the resource complies with the constraint.
# Note: The gator tests currently require exactly one object per example file.
# Since this is an update-triggered policy, at least two objects are technically
# required to demonstrate it. Due to the gator requirement, we only have one
# object below. The policy should allow changing everything but the
# serviceAccountName field.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: policy-test
  namespace: kube-system
  labels:
    app: policy-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      # Changing anything except this field should be allowed by the policy.
      serviceAccountName: policy-test-sa-1
      containers:
        - name: policy-test
          image: ubuntu
          command:
            - /bin/bash
            - -c
            - sleep 99999
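Because gator can only hold one object per file, the update the policy actually judges is not shown above. As an added illustration (not part of this page or of the gatekeeper-library, whose policy is written in Rego), the following Python models the decision the constraint makes on an UPDATE of the Deployment shown: the requester names, groups and the per-kind pod-spec paths are assumptions of the model.

```python
"""Model of the NoUpdateServiceAccount decision (added example, not the library's Rego)."""
import copy

# Pod-spec location for each kind the constraint above matches (standard
# Kubernetes API shapes; this lookup is part of the model, not the policy).
_POD_SPEC_PATH = {
    "ReplicationController": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def service_account_name(obj):
    """Return the pod template's serviceAccountName, or '' if it is unset."""
    node = obj
    for key in _POD_SPEC_PATH[obj["kind"]]:
        node = node.get(key, {})
    return node.get("serviceAccountName", "")

def review(old_obj, new_obj, user, groups, allowed_users=(), allowed_groups=()):
    """Return a violation message for an UPDATE request, or None if allowed.

    Only a change to the pod template's serviceAccountName is denied, and only
    when the requester is neither in allowedUsers nor in any of allowedGroups.
    """
    if user in allowed_users or any(g in allowed_groups for g in groups):
        return None
    old_sa, new_sa = service_account_name(old_obj), service_account_name(new_obj)
    if old_sa == new_sa:
        return None
    return (f"{new_obj['kind']} {new_obj['metadata']['name']}: changing "
            f"serviceAccountName {old_sa!r} -> {new_sa!r} is denied for {user!r}")

# Constructed sample: the page's Deployment, then two edited copies.
OLD = {"kind": "Deployment",
       "metadata": {"name": "policy-test", "namespace": "kube-system"},
       "spec": {"template": {"spec": {"serviceAccountName": "policy-test-sa-1",
                                      "containers": [{"name": "policy-test", "image": "ubuntu"}]}}}}
IMAGE_ONLY = copy.deepcopy(OLD)                 # allowed: only the image changes
IMAGE_ONLY["spec"]["template"]["spec"]["containers"][0]["image"] = "ubuntu:22.04"
SA_CHANGE = copy.deepcopy(OLD)                  # denied unless the requester is allow-listed
SA_CHANGE["spec"]["template"]["spec"]["serviceAccountName"] = "policy-test-sa-2"

if __name__ == "__main__":
    print(review(OLD, IMAGE_ONLY, "alice", ["devs"]))
    print(review(OLD, SA_CHANGE, "alice", ["devs"]))
    print(review(OLD, SA_CHANGE, "addon-manager", [], allowed_users=["addon-manager"]))
```

The third call shows why the IMPORTANT comment in the constraint matters: an automated controller that legitimately rotates service accounts in kube-system is blocked unless its user or group is listed.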