Huawei Cloud User Manual

  • Resource definition that complies with the policy instance: replicas is set to 3, which is within the allowed range.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: allowed-deployment
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 3
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:1.14.2
            ports:
            - containerPort: 80
  • Resource definition that violates the policy instance: replicas is set to 100, which is outside the allowed range.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: disallowed-deployment
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 100
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:1.14.2
            ports:
            - containerPort: 80
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; parameters restricts the replica count to the range 3 to 50.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sReplicaLimits
    metadata:
      name: replica-limits
    spec:
      match:
        kinds:
        - apiGroups: ["apps"]
          kinds: ["Deployment"]
      parameters:
        ranges:
        - min_replicas: 3
          max_replicas: 50
  • Basic information
    Policy type: compliance
    Recommended level: L1
    Applicable resource types: *
    Parameters: annotations, an array of key/allowedRegex pairs, for example:

    key: a8r.io/owner
    # Matches email address or github user
    allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; parameters specifies the violation message and the annotation constraints.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredAnnotations
    metadata:
      name: all-must-have-certain-set-of-annotations
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Service"]
      parameters:
        message: "All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations."
        annotations:
        - key: a8r.io/owner
          # Matches email address or github user
          allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
        - key: a8r.io/runbook
          # Matches urls including or not http/https
          allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
  • Resource definition that complies with the policy instance: both required annotations are present and match their allowed regular expressions.

    apiVersion: v1
    kind: Service
    metadata:
      name: allowed-service
      annotations:
        a8r.io/owner: "dev-team-alfa@contoso.com"
        a8r.io/runbook: "https://confluence.contoso.com/dev-team-alfa/runbooks"
    spec:
      ports:
      - name: http
        port: 80
        targetPort: 8080
      selector:
        app: foo
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; parameters specifies the violation message and the label constraints.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredLabels
    metadata:
      name: all-must-have-owner
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Namespace"]
      parameters:
        message: "All namespaces must have an `owner` label that points to your company username"
        labels:
        - key: owner
          allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
  • Basic information
    Policy type: compliance
    Recommended level: L1
    Applicable resource types: *
    Parameters: labels, an array of key/allowedRegex pairs, for example:

    key: a8r.io/owner
    # Matches email address or github user
    allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
  • Resource definition that complies with the policy instance: the Pod defines both a livenessProbe and a readinessProbe, each with probe type tcpSocket.

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod1
    spec:
      containers:
      - name: tomcat
        image: tomcat
        ports:
        - containerPort: 8080
        livenessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 10
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
      volumes:
      - name: cache-volume
        emptyDir: {}
  • Resource definition that violates the policy instance: the Pod declares a livenessProbe but does not define a probe type for it.

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod1
    spec:
      containers:
      - name: nginx-1
        image: nginx:1.7.9
        ports:
        - containerPort: 80
        livenessProbe:
          # tcpSocket:
          #   port: 80
          # initialDelaySeconds: 5
          # periodSeconds: 10
        volumeMounts:
        - mountPath: /tmp/cache
          name: cache-volume
      - name: tomcat
        image: tomcat
        ports:
        - containerPort: 8080
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
      volumes:
      - name: cache-volume
        emptyDir: {}
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; parameters lists the required probes and the accepted probeTypes.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sRequiredProbes
    metadata:
      name: must-have-probes
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      parameters:
        probes: ["readinessProbe", "livenessProbe"]
        probeTypes: ["tcpSocket", "httpGet", "exec"]
  • Resource definition that violates the policy instance: allowPrivilegeEscalation is not set to false.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-privilege-escalation-disallowed
      labels:
        app: nginx-privilege-escalation
    spec:
      containers:
      - name: nginx
        image: nginx
        securityContext:
          allowPrivilegeEscalation: true
  • Resource definition that complies with the policy instance: allowPrivilegeEscalation is set to false.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-privilege-escalation-allowed
      labels:
        app: nginx-privilege-escalation
    spec:
      containers:
      - name: nginx
        image: nginx
        securityContext:
          allowPrivilegeEscalation: false
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPAllowPrivilegeEscalationContainer
    metadata:
      name: psp-allow-privilege-escalation-container
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
  • Resource definition that complies with the policy instance: the AppArmor profile is in the allowed list defined above.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-apparmor-allowed
      annotations:
        # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
        container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
      labels:
        app: nginx-apparmor
    spec:
      containers:
      - name: nginx
        image: nginx
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; the allowedProfiles field in parameters lists the permitted AppArmor profiles.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPAppArmor
    metadata:
      name: psp-apparmor
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      parameters:
        allowedProfiles:
        - runtime/default
  • Resource definition that violates the policy instance: the AppArmor profile (unconfined) is not in the allowed list defined above.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-apparmor-disallowed
      annotations:
        # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
        container.apparmor.security.beta.kubernetes.io/nginx: unconfined
      labels:
        app: nginx-apparmor
    spec:
      containers:
      - name: nginx
        image: nginx
  • Resource definition that violates the policy instance: the capabilities settings do not satisfy the policy (a capability outside the allowed list is added, and the required drop is missing).

    apiVersion: v1
    kind: Pod
    metadata:
      name: opa-disallowed
      labels:
        owner: me.agilebank.demo
    spec:
      containers:
      - name: opa
        image: openpolicyagent/opa:0.9.2
        args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
        securityContext:
          capabilities:
            add: ["disallowedcapability"]
        resources:
          limits:
            cpu: "100m"
            memory: "30Mi"
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; parameters defines the allowedCapabilities and requiredDropCapabilities lists.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPCapabilities
    metadata:
      name: capabilities-demo
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
        namespaces:
        - "default"
      parameters:
        allowedCapabilities: ["something"]
        requiredDropCapabilities: ["must_drop"]
  • Resource definition that complies with the policy instance: every capabilities setting satisfies the policy.

    apiVersion: v1
    kind: Pod
    metadata:
      name: opa-allowed
      labels:
        owner: me.agilebank.demo
    spec:
      containers:
      - name: opa
        image: openpolicyagent/opa:0.9.2
        args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
        securityContext:
          capabilities:
            add: ["something"]
            drop: ["must_drop", "another_one"]
        resources:
          limits:
            cpu: "100m"
            memory: "30Mi"
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; the allowedFlexVolumes field in parameters lists the permitted driver types.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPFlexVolumes
    metadata:
      name: psp-flexvolume-drivers
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      parameters:
        allowedFlexVolumes: #[]
        - driver: "example/lvm"
        - driver: "example/cifs"
  • Resource definition that complies with the policy instance: every flexVolume driver is in the allowed list defined above.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-flexvolume-driver-allowed
      labels:
        app: nginx-flexvolume-driver
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - mountPath: /test
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        flexVolume:
          driver: "example/lvm"
  • Resource definition that violates the policy instance: the flexVolume driver is not in the allowed list defined above.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-flexvolume-driver-disallowed
      labels:
        app: nginx-flexvolume-driver
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - mountPath: /test
          name: test-volume
          readOnly: true
      volumes:
      - name: test-volume
        flexVolume:
          driver: "example/testdriver" #"example/lvm"
  • Resource definition that complies with the policy instance: the sysctl name is not in the forbidden list.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-forbidden-sysctls-disallowed
      labels:
        app: nginx-forbidden-sysctls
    spec:
      containers:
      - name: nginx
        image: nginx
      securityContext:
        sysctls:
        - name: net.core.somaxconn
          value: "1024"
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; the forbiddenSysctls field in parameters lists the sysctl names that must not be set.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPForbiddenSysctls
    metadata:
      name: psp-forbidden-sysctls
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      parameters:
        forbiddenSysctls:
        # - "*" # * may be used to forbid all sysctls
        - kernel.*
  • Resource definition that violates the policy instance: the sysctl name kernel.msgmax matches the forbidden pattern kernel.*.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-forbidden-sysctls-disallowed
      labels:
        app: nginx-forbidden-sysctls
    spec:
      containers:
      - name: nginx
        image: nginx
      securityContext:
        sysctls:
        - name: kernel.msgmax
          value: "65536"
        - name: net.core.somaxconn
          value: "1024"
  • Resource definition that complies with the policy instance: fsGroup is set to 500, which is within the allowed range.

    apiVersion: v1
    kind: Pod
    metadata:
      name: fsgroup-disallowed
    spec:
      securityContext:
        fsGroup: 500 # directory will have group ID 500
      volumes:
      - name: fsgroup-demo-vol
        emptyDir: {}
      containers:
      - name: fsgroup-demo
        image: busybox
        command: ["sh", "-c", "sleep 1h"]
        volumeMounts:
        - name: fsgroup-demo-vol
          mountPath: /data/demo
  • Resource definition that violates the policy instance: fsGroup is set to 2000, which is outside the allowed range.

    apiVersion: v1
    kind: Pod
    metadata:
      name: fsgroup-disallowed
    spec:
      securityContext:
        fsGroup: 2000 # directory will have group ID 2000
      volumes:
      - name: fsgroup-demo-vol
        emptyDir: {}
      containers:
      - name: fsgroup-demo
        image: busybox
        command: ["sh", "-c", "sleep 1h"]
        volumeMounts:
        - name: fsgroup-demo-vol
          mountPath: /data/demo
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; parameters sets the fsGroup rule and the allowed ID range.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPFSGroup
    metadata:
      name: psp-fsgroup
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      parameters:
        rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny"
        ranges:
        - min: 1
          max: 1000
  • Policy instance example: the following policy instance shows the resource types the policy definition applies to; the allowedHostPaths field in parameters specifies the permitted host path prefixes and whether they must be mounted read-only.

    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPHostFilesystem
    metadata:
      name: psp-host-filesystem
    spec:
      match:
        kinds:
        - apiGroups: [""]
          kinds: ["Pod"]
      parameters:
        allowedHostPaths:
        - readOnly: true
          pathPrefix: "/foo"