k8sdisallowanonymous

基本信息

• 策略类型：合规
• 推荐级别：L1
• 生效资源类型：RoleBinding、ClusterRoleBinding
• 参数：

  allowedRoles：字符串数组

作用

不允许将白名单以外的ClusterRole和Role关联到system:anonymous User和system:unauthenticated Group。

策略实例示例

示例展示了ClusterRole和Role资源仅能关联到allowedRoles中定义的Role。

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    allowedRoles: 
      - cluster-role-1

符合策略实例的资源定义

ClusterRole关联到cluster-role-1 Role中，符合策略实例。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

不符合策略实例的资源定义

ClusterRole关联到cluster-role-2 Role中，不符合策略实例。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated