华为云用户手册

  • 符合策略实例的资源定义 示例capabilities中的各项参数符合策略实例。 apiVersion: v1 kind: Pod metadata: name: opa-allowed labels: owner: me.agilebank.demo spec: containers: - name: opa image: openpolicyagent/opa:0.9.2 args: - "run" - "--server" - "--addr=localhost:8080" securityContext: capabilities: add: ["something"] drop: ["must_drop", "another_one"] resources: limits: cpu: "100m" memory: "30Mi"
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型,parameters中的allowedFlexVolumes字段定义了允许的driver类型列表。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFlexVolumes metadata: name: psp-flexvolume-drivers spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: allowedFlexVolumes: #[] - driver: "example/lvm" - driver: "example/cifs"
  • 符合策略实例的资源定义 示例中flexVolume中的类型均在上述定义的允许范围内,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-flexvolume-driver-allowed labels: app: nginx-flexvolume-driver spec: containers: - name: nginx image: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - name: test-volume flexVolume: driver: "example/lvm"
  • 不符合策略实例的资源定义 示例中flexVolume中的类型不在上述定义的允许范围内,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-flexvolume-driver-disallowed labels: app: nginx-flexvolume-driver spec: containers: - name: nginx image: nginx volumeMounts: - mountPath: /test name: test-volume readOnly: true volumes: - name: test-volume flexVolume: driver: "example/testdriver" #"example/lvm"
  • 符合策略实例的资源定义 示例中sysctls的name符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-forbidden-sysctls-disallowed labels: app: nginx-forbidden-sysctls spec: containers: - name: nginx image: nginx securityContext: sysctls: - name: net.core.somaxconn value: "1024"
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型,parameters中的forbiddenSysctls定义了sysctls中不能允许的名称。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPForbiddenSysctls metadata: name: psp-forbidden-sysctls spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: forbiddenSysctls: # - "*" # * may be used to forbid all sysctls - kernel.*
  • 不符合策略实例的资源定义 示例中sysctls的name(kernel.msgmax)不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-forbidden-sysctls-disallowed labels: app: nginx-forbidden-sysctls spec: containers: - name: nginx image: nginx securityContext: sysctls: - name: kernel.msgmax value: "65536" - name: net.core.somaxconn value: "1024"
  • 符合策略实例的资源定义 示例中fsGroup设为了500,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: securityContext: fsGroup: 500 # directory will have group ID 500 volumes: - name: fsgroup-demo-vol emptyDir: {} containers: - name: fsgroup-demo image: busybox command: ["sh", "-c", "sleep 1h"] volumeMounts: - name: fsgroup-demo-vol mountPath: /data/demo
  • 不符合策略实例的资源定义 示例中fsGroup设为了2000,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: fsgroup-disallowed spec: securityContext: fsGroup: 2000 # directory will have group ID 2000 volumes: - name: fsgroup-demo-vol emptyDir: {} containers: - name: fsgroup-demo image: busybox command: [ "sh", "-c", "sleep 1h" ] volumeMounts: - name: fsgroup-demo-vol mountPath: /data/demo
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPFSGroup metadata: name: psp-fsgroup spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: rule: "MayRunAs" #"MustRunAs" #"MayRunAs", "RunAsAny" ranges: - min: 1 max: 1000
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型,parameters中的allowedHostPaths指定了字段的值。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostFilesystem metadata: name: psp-host-filesystem spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: allowedHostPaths: - readOnly: true pathPrefix: "/foo"
  • 符合策略实例的资源定义 示例中hostPath中pathPrefix以/foo开头,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-filesystem labels: app: nginx-host-filesystem-disallowed spec: containers: - name: nginx image: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - name: cache-volume hostPath: path: /foo/bar
  • 不符合策略实例的资源定义 示例中hostPath中pathPrefix以/tmp开头,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-filesystem labels: app: nginx-host-filesystem-disallowed spec: containers: - name: nginx image: nginx volumeMounts: - mountPath: /cache name: cache-volume readOnly: true volumes: - name: cache-volume hostPath: path: /tmp # directory location on host
  • 符合策略实例的资源定义 示例中hostPID和hostIPC均为false,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-namespace-allowed labels: app: nginx-host-namespace spec: hostPID: false hostIPC: false containers: - name: nginx image: nginx
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNamespace metadata: name: psp-host-namespace spec: match: kinds: - apiGroups: [""] kinds: ["Pod"]
  • 不符合策略实例的资源定义 示例中hostPID和hostIPC均为true,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-namespace-disallowed labels: app: nginx-host-namespace spec: hostPID: true hostIPC: true containers: - name: nginx image: nginx
  • 不符合策略实例的资源定义 示例中hostNetwork设置成了true,但是端口未在指定范围内,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-networking-ports-disallowed labels: app: nginx-host-networking-ports spec: hostNetwork: true containers: - name: nginx image: nginx ports: - containerPort: 9001 hostPort: 9001
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型,parameters中hostNetwork为true时,使用的端口必须在指定的端口范围内。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPHostNetworkingPorts metadata: name: psp-host-network-ports spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: hostNetwork: bool min: 80 max: 9000
  • 符合策略实例的资源定义 示例中hostNetwork设置成了false,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-host-networking-ports-allowed labels: app: nginx-host-networking-ports spec: hostNetwork: false containers: - name: nginx image: nginx ports: - containerPort: 9000 hostPort: 80
  • 符合策略实例的资源定义 示例中privileged设置为false,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-privileged-allowed labels: app: nginx-privileged spec: containers: - name: nginx image: nginx securityContext: privileged: false
  • 不符合策略实例的资源定义 示例中privileged设置为true,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-privileged-disallowed labels: app: nginx-privileged spec: containers: - name: nginx image: nginx securityContext: privileged: true
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPPrivilegedContainer metadata: name: psp-privileged-container spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] excludedNamespaces: ["kube-system"]
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型,parameters中指定了procMount的值为Default。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPProcMount metadata: name: psp-proc-mount spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: procMount: Default
  • 不符合策略实例的资源定义 示例中securityContext字段中的procMount为Unmasked,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-proc-mount-disallowed labels: app: nginx-proc-mount spec: containers: - name: nginx image: nginx securityContext: procMount: Unmasked
  • 符合策略实例的资源定义 示例中securityContext字段中的procMount为Default,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-proc-mount-disallowed labels: app: nginx-proc-mount spec: containers: - name: nginx image: nginx securityContext: procMount: Default
  • 符合策略实例的资源定义 示例中readOnlyRootFilesystem字段为true,符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-readonlyrootfilesystem-allowed labels: app: nginx-readonlyrootfilesystem spec: containers: - name: nginx image: nginx securityContext: readOnlyRootFilesystem: true
  • 不符合策略实例的资源定义 示例中readOnlyRootFilesystem字段为false,不符合策略实例。 apiVersion: v1 kind: Pod metadata: name: nginx-readonlyrootfilesystem-disallowed labels: app: nginx-readonlyrootfilesystem spec: containers: - name: nginx image: nginx securityContext: readOnlyRootFilesystem: false
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPReadOnlyRootFilesystem metadata: name: psp-readonlyrootfilesystem spec: match: kinds: - apiGroups: [""] kinds: ["Pod"]
  • 策略实例示例 以下策略实例展示了策略定义生效的资源类型,parameters中allowedProfiles定义了允许的注解。 apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPSeccomp metadata: name: psp-seccomp spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] parameters: allowedProfiles: - runtime/default - docker/default
  • 不符合策略实例的资源定义 示例中的container.seccomp.security.alpha.kubernetes.io/nginx注解的value没在设定的值列表中,不符合策略定义。 apiVersion: v1 kind: Pod metadata: name: nginx-seccomp-disallowed annotations: container.seccomp.security.alpha.kubernetes.io/nginx: unconfined labels: app: nginx-seccomp spec: containers: - name: nginx image: nginx
共100000条