k8sblockendpointeditdefaultrole
基本信息
- 策略类型:合规
- 推荐级别:L1
- 生效资源类型:ClusterRole
- 参数:无
作用
默认情况下,许多Kubernetes都预定义了一个名为system:aggregate-to-edit的ClusterRole,k8sblockendpointeditdefaultrole策略定义禁止该ClusterRole对Endpoints进行create、patch和update操作。
策略实例示例
以下策略实例展示了策略定义生效的资源类型。
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sBlockEndpointEditDefaultRole metadata: name: block-endpoint-edit-default-role spec: match: kinds: - apiGroups: ["rbac.authorization.k8s.io"] kinds: ["ClusterRole"]
符合策略实例的资源定义
示例中ClusterRole的生效对象中没有endpoints,符合策略实例。
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - "" resources: - pods/attach - pods/exec - secrets - services/proxy verbs: - get - list - watch
不符合策略实例的资源定义
示例中ClusterRole的生效对象中有endpoints,不符合策略实例。
kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit: "true" name: system:aggregate-to-edit rules: - apiGroups: - apps resources: - endpoints verbs: - create - delete - deletecollection - patch - update