Constraint template library

Constraint templates let you define how a constraint works and delegate the definition of its details to a person or group with subject-matter expertise. Besides separating concerns, this also separates the logic of a constraint from its definition.

Every constraint contains a match section, which defines the objects that a constraint applies to. For details on how to configure that section, see Constraint match section.

Not all constraint templates are available for every version of Policy Controller, and templates can change between versions. Use the following links to compare constraints across supported versions:

To make sure you receive full support, we recommend that you use constraint templates from a supported version of Policy Controller.

To help you see how constraint templates work, each template includes a sample constraint and a resource that violates the constraint.

Available constraint templates

| Constraint template | Description | Referential |
|---|---|---|
| AllowedServicePortName | Requires service port names to have a prefix from a specified list. | No |
| AsmAuthzPolicyDefaultDeny | Enforces mesh-level AuthorizationPolicy default deny. Refer to https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns. | |
| AsmAuthzPolicyDisallowedPrefix | Requires that principals and namespaces in Istio `AuthorizationPolicy` rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyEnforceSourcePrincipals | Requires that the "from" field of an Istio AuthorizationPolicy, when defined, has source principals, which must be set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| AsmAuthzPolicyNormalization | Enforces AuthorizationPolicy normalization. Refer to https://istio.io/latest/docs/reference/config/security/normalization/. | No |
| AsmAuthzPolicySafePattern | Enforces AuthorizationPolicy safe patterns. Refer to https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns. | No |
| AsmIngressgatewayLabel | Enforces that Istio Ingressgateway labels are used only on Ingressgateway Pods. | No |
| AsmPeerAuthnMeshStrictMtls | Enforces mesh-level strict mTLS PeerAuthentication. Refer to https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | |
| AsmPeerAuthnStrictMtls | Enforces that no PeerAuthentication can override strict mTLS. Refer to https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls. | No |
| AsmRequestAuthnProhibitedOutputHeaders | Enforces that the RequestAuthentication field "jwtRules.outputPayloadToHeader" does not contain well-known HTTP request headers or custom prohibited headers. Refer to https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule. | No |
| AsmSidecarInjection | Enforces that the Istio proxy sidecar is always injected into workload Pods. | No |
| DestinationRuleTLSEnabled | Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules. | No |
| DisallowedAuthzPrefix | Requires that principals and namespaces in Istio `AuthorizationPolicy` rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| GCPStorageLocationConstraintV1 | Restricts the permitted "locations" for StorageBucket Config Connector resources to the list of locations provided in the constraint. Bucket names in the `exemptions` list are exempt. | No |
| GkeSpotVMTerminationGrace | Requires Pods and Pod templates with a `gke-spot` `nodeSelector` or `nodeAffinity` to have a `terminationGracePeriodSeconds` of 15 s or less. | |
| K8sAllowedRepos | Requires container images to begin with a string from the specified list. | No |
| K8sAvoidUseOfSystemMastersGroup | Disallows use of the "system:masters" group. Has no effect during audit. | No |
| K8sBlockAllIngress | Disallows the creation of Ingress objects (the `Ingress` and `Gateway` kinds, and `Service` objects of type `NodePort` or `LoadBalancer`). | No |
| K8sBlockCreationWithDefaultServiceAccount | Disallows creating resources with the default service account. Has no effect during audit. | No |
| K8sBlockEndpointEditDefaultRole | Many Kubernetes installations have a default system:aggregate-to-edit ClusterRole that, by default, does not properly restrict edit access to Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice permissions allow cross-namespace forwarding, see https://github.com/kubernetes/kubernetes/issues/103675. | No |
| K8sBlockLoadBalancer | Disallows all Services of type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | No |
| K8sBlockNodePort | Disallows all Services of type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport | No |
| K8sBlockObjectsOfType | Disallows objects of prohibited kinds. | No |
| K8sBlockProcessNamespaceSharing | Forbids Pod specs with "shareProcessNamespace" set to "true". This prevents situations where all containers in a Pod share a PID namespace and can access each other's filesystem and memory. | No |
| K8sBlockWildcardIngress | Users should not be able to create an Ingress with a blank or wildcard (*) hostname, since that would let them intercept traffic for other services in the cluster even if they have no access to those services. | No |
| K8sContainerEphemeralStorageLimit | Requires containers to have an ephemeral storage limit set and constrains the limit to within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerLimits | Requires containers to have memory and CPU limits set and constrains the limits to within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRatios | Sets a maximum ratio of container resource limits to requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sContainerRequests | Requires containers to have memory and CPU requests set and constrains the requests to within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sCronJobAllowedRepos | Requires CronJob container images to begin with a string from the specified list. | No |
| K8sDisallowAnonymous | Disallows binding ClusterRole and Role resources to the system:anonymous user and the system:unauthenticated group. | No |
| K8sDisallowInteractiveTTY | Requires objects to have the "spec.tty" and "spec.stdin" fields set to false or left unset. | No |
| K8sDisallowedRepos | Disallows container repositories that begin with a string from the specified list. | No |
| K8sDisallowedRoleBindingSubjects | Forbids RoleBindings or ClusterRoleBindings with subjects that match any `disallowedSubjects` passed as a parameter. | No |
| K8sDisallowedTags | Requires container images to have an image tag different from those in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names | No |
| K8sEmptyDirHasSizeLimit | Requires any `emptyDir` volume to specify a `sizeLimit`. Optionally, you can provide a `maxSizeLimit` parameter in the constraint to specify a maximum allowed size limit. | No |
| K8sEnforceCloudArmorBackendConfig | Enforces Cloud Armor configuration on BackendConfig resources. | No |
| K8sEnforceConfigManagement | Requires Config Management to be present and operational. Constraints that use this `ConstraintTemplate` are audit-only, regardless of the `enforcementAction` value. | |
| K8sExternalIPs | Restricts Service external IPs to an allowed list of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | No |
| K8sHorizontalPodAutoscaler | Disallows the following scenarios when deploying `HorizontalPodAutoscalers`: 1. Deploying HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint. 2. Deploying HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread`. 3. Deploying HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g., Deployment, ReplicationController, ReplicaSet, StatefulSet). | |
| K8sHttpsOnly | Requires Ingress resources to be HTTPS only. Ingress resources must include the "kubernetes.io/ingress.allow-http" annotation, set to "false". By default a valid TLS {} configuration is required; this can be made optional by setting the "tlsOptional" parameter to "true". https://kubernetes.io/es/docs/concepts/services-networking/ingress/#tls | No |
| K8sImageDigests | Requires container images to contain a digest. https://kubernetes.io/docs/concepts/containers/images/ | No |
| K8sLocalStorageRequireSafeToEvict | Requires Pods that use local storage (`emptyDir` or `hostPath`) to have the `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"` annotation. The cluster autoscaler will not delete Pods without this annotation. | No |
| K8sMemoryRequestEqualsLimit | Promotes Pod stability by requiring that the memory request of every container equal its memory limit, so that Pods are never in a state where memory usage exceeds the requested amount. Otherwise, Kubernetes may terminate Pods that request additional memory when memory is needed on the node. | No |
| K8sNoEnvVarSecrets | Prohibits secrets as environment variables in Pod container definitions. Instead, use secret files mounted in data volumes: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod | No |
| K8sNoExternalServices | Prohibits creating known resources that expose workloads to external IPs. This includes Istio Gateway and Kubernetes Ingress resources. Kubernetes Services are also disallowed unless they meet the following criteria: any Service of type "LoadBalancer" on Google Cloud must have the annotation `networking.gke.io/load-balancer-type: "Internal"`; any Service of type "LoadBalancer" on AWS must have the annotation `service.beta.kubernetes.io/aws-load-balancer-internal: "true"`; any "external IP" (external to the cluster) bound to the Service must be a member of an internal CIDR range as provided in the constraint. | No |
| K8sPSPAllowPrivilegeEscalationContainer | Controls escalation to root privileges. Corresponds to the "allowPrivilegeEscalation" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation | No |
| K8sPSPAllowedUsers | Controls the user and group IDs of the container and of some volumes. Corresponds to the "runAsUser", "runAsGroup", "supplementalGroups", and "fsGroup" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups | No |
| K8sPSPAppArmor | Configures an allowlist of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For more information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/ | No |
| K8sPSPAutomountServiceAccountTokenPod | Controls the ability of any Pod to enable automountServiceAccountToken. | No |
| K8sPSPCapabilities | Controls Linux capabilities on containers. Corresponds to the "allowedCapabilities" and "requiredDropCapabilities" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities. | No |
| K8sPSPFSGroup | Controls the allocation of an FSGroup that owns the Pod's volumes. Corresponds to the "fsGroup" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPFlexVolumes | Controls the allowlist of FlexVolume drivers. Corresponds to the "allowedFlexVolumes" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers | No |
| K8sPSPForbiddenSysctls | Controls the `sysctl` profile used by containers. Corresponds to the "allowedUnsafeSysctls" and "forbiddenSysctls" fields in a PodSecurityPolicy. When specified, any sysctl not in the "allowedSysctls" parameter is considered forbidden. The `forbiddenSysctls` parameter takes precedence over the `allowedSysctls` parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | No |
| K8sPSPHostFilesystem | Controls usage of the host filesystem. Corresponds to the "allowedHostPaths" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPHostNamespace | Disallows sharing of the host PID and IPC namespaces by Pod containers. Corresponds to the "hostPID" and "hostIPC" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPHostNetworkingPorts | Controls usage of the host network namespace by Pod containers. Specific ports must be specified. Corresponds to the "hostNetwork" and "hostPorts" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces | No |
| K8sPSPPrivilegedContainer | Controls the ability of any container to enable privileged mode. Corresponds to the "privileged" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged. | No |
| K8sPSPProcMount | Controls the allowed "procMount" types for the container. Corresponds to the "allowedProcMountTypes" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes | No |
| K8sPSPReadOnlyRootFilesystem | Requires the use of a read-only root filesystem by Pod containers. Corresponds to the "readOnlyRootFilesystem" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPSELinuxV2 | Defines an allowlist of seLinuxOptions configurations for Pod containers. Corresponds to a PodSecurityPolicy that requires SELinux configuration. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux | No |
| K8sPSPSeccomp | Controls the seccomp profile used by containers. Corresponds to the `seccomp.security.alpha.kubernetes.io/allowedProfileNames` annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp | No |
| K8sPSPVolumeTypes | Restricts the volume types that can be mounted to those specified by the user. Corresponds to the "volumes" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | No |
| K8sPSPWindowsHostProcess | Restricts the execution of Windows HostProcess containers or Pods. See https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ for more information. | No |
| K8sPSSRunAsNonRoot | Requires containers to run as non-root users. For more information, see https://kubernetes.io/es/docs/concepts/security/pod-security-standards/. | No |
| K8sPodDisruptionBudget | Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g., Deployment, ReplicationController, ReplicaSet, and StatefulSet): 1. Deploying PodDisruptionBudgets with .spec.maxUnavailable == 0. 2. Deploying PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with the replica subresource. This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node drains. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | |
| K8sPodResourcesBestPractices | Requires containers not to be best-effort (by setting CPU and memory requests) and to follow burstable-capacity best practices (the memory request must exactly equal the limit). Optionally, annotation keys can be configured to allow skipping the individual validations. | No |
| K8sPodsRequireSecurityContext | Requires all Pods to define a securityContext. Requires all containers defined in Pods to have a SecurityContext defined at the Pod or container level. | No |
| K8sProhibitRoleWildcardAccess | Requires that Roles and ClusterRoles do not set resource access to the wildcard value "*", except for exempt Roles and ClusterRoles provided as exemptions. Does not restrict wildcard access to subresources such as "*/status". | No |
| K8sReplicaLimits | Requires objects with the "spec.replicas" field (Deployments, ReplicaSets, etc.) to specify a number of replicas within the defined ranges. | No |
| K8sRequireAdmissionController | Requires Pod Security Admission or an external policy control system. | |
| K8sRequireBinAuthZ | Requires the Binary Authorization validating admission webhook. Constraints that use this `ConstraintTemplate` are audit-only, regardless of the `enforcementAction` value. | |
| K8sRequireCosNodeImage | Enforces the use of Google's Container-Optimized OS on nodes. | No |
| K8sRequireDaemonsets | Requires the specified list of DaemonSets to be present. | |
| K8sRequireDefaultDenyEgressPolicy | Requires every namespace defined in the cluster to have a default-deny egress NetworkPolicy. | |
| K8sRequireNamespaceNetworkPolicies | Requires every namespace defined in the cluster to have a NetworkPolicy. | |
| K8sRequireValidRangesForNetworks | Enforces allowed CIDR blocks for network ingress and egress. | No |
| K8sRequiredAnnotations | Requires resources to contain specified annotations, with values matching the provided regular expressions. | No |
| K8sRequiredLabels | Requires resources to contain specified labels, with values matching the provided regular expressions. | No |
| K8sRequiredProbes | Requires Pods to have readiness or liveness probes. | No |
| K8sRequiredResources | Requires containers to have resources defined. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | No |
| K8sRestrictAdmissionController | Restricts dynamic admission controllers to those allowed. | No |
| K8sRestrictAutomountServiceAccountTokens | Restricts the use of service account tokens. | No |
| K8sRestrictLabels | Disallows resources from containing specified labels, unless there is an exception for the specific resource. | No |
| K8sRestrictNamespaces | Restricts resources from using the namespaces listed in the restrictNamespaces parameter. | No |
| K8sRestrictNfsUrls | Disallows resources from containing NFS URLs, unless otherwise specified. | No |
| K8sRestrictRbacSubjects | Restricts the names used in RBAC subjects to allowed values. | No |
| K8sRestrictRoleBindings | Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects. | No |
| K8sRestrictRoleRules | Restricts the rules that can be set on Role and ClusterRole objects. | No |
| K8sStorageClass | Requires storage classes to be specified when used. Only Gatekeeper 3.9 and later, and non-ephemeral containers, are supported. | |
| K8sUniqueIngressHost | Requires all Ingress rule hosts to be unique. Does not handle hostname wildcards: https://kubernetes.io/docs/concepts/services-networking/ingress/ | |
| K8sUniqueServiceSelector | Requires Services to have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key/value pair as long as at least one key/value pair differs between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | |
| NoUpdateServiceAccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | No |
| PolicyStrictOnly | Requires that Istio `STRICT` mutual TLS is always specified when using [PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/). This constraint also ensures that the deprecated [Policy](https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) and MeshPolicy resources enforce `STRICT` mutual TLS. See https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh | No |
| RestrictNetworkExclusions | Controls which inbound ports, outbound ports, and outbound IP ranges can be excluded from Istio network capture. Ports and IP ranges that bypass Istio network capture are not handled by the Istio proxy and are not subject to Istio mTLS authentication, authorization policy, or other Istio features. This constraint can be used to enforce restrictions on the use of the following annotations: `traffic.sidecar.istio.io/excludeInboundPorts`, `traffic.sidecar.istio.io/excludeOutboundPorts`, `traffic.sidecar.istio.io/excludeOutboundIPRanges`. See https://istio.io/latest/docs/reference/config/annotations/. When restricting outbound IP ranges, the constraint computes whether the excluded IP ranges are a subset of, or match, the allowed IP range exclusions. When using this constraint, all inbound ports, outbound ports, and outbound IP ranges must always be included, by setting the corresponding "include" annotations to "*" or leaving them unset. Setting any of the following annotations to anything other than "*" is not allowed: `traffic.sidecar.istio.io/includeInboundPorts`, `traffic.sidecar.istio.io/includeOutboundPorts`, `traffic.sidecar.istio.io/includeOutboundIPRanges`. This constraint allows port 15020 to be excluded, because the Istio sidecar injector always adds it to the traffic.sidecar.istio.io/excludeInboundPorts annotation so that it can be used for health checking. | No |
| SourceNotAllAuthz | Requires Istio AuthorizationPolicy rules to have source principals set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/ | No |
| VerifyDeprecatedAPI | Checks for deprecated Kubernetes APIs to ensure that all API versions are up to date. This template does not apply to audit, since audit reviews resources that are already present in the cluster with non-deprecated API versions. | No |
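The RestrictNetworkExclusions description above bundles three checks: the "include" annotations must be "*" or unset, excluded ports must come from an allowed set (with inbound port 15020 always permitted), and each excluded outbound CIDR must match or fall inside an allowed exclusion. The following Python is an added example that reimplements those checks over Pod annotations so you can see how the subset computation behaves; it is not the template's Rego or any code from this page. The annotation keys are the real Istio ones named in the table, but the way the allowed exclusions are passed (three plain lists) and the sample Pods are assumptions constructed for the example.

```python
import ipaddress

# Istio traffic-capture annotation keys named in the RestrictNetworkExclusions
# description (these are the real annotation names from the Istio reference).
EXCLUDE_INBOUND_PORTS = "traffic.sidecar.istio.io/excludeInboundPorts"
EXCLUDE_OUTBOUND_PORTS = "traffic.sidecar.istio.io/excludeOutboundPorts"
EXCLUDE_OUTBOUND_IP_RANGES = "traffic.sidecar.istio.io/excludeOutboundIPRanges"
INCLUDE_ANNOTATIONS = (
    "traffic.sidecar.istio.io/includeInboundPorts",
    "traffic.sidecar.istio.io/includeOutboundPorts",
    "traffic.sidecar.istio.io/includeOutboundIPRanges",
)
# The sidecar injector always appends this port to excludeInboundPorts for
# health checking, so the template permits it unconditionally.
HEALTH_CHECK_PORT = "15020"


def _split(value):
    """Split a comma-separated annotation value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_network_exclusions(pod, allowed_inbound, allowed_outbound, allowed_ip_ranges):
    """Return the list of violations for one Pod; an empty list means compliant.

    allowed_inbound / allowed_outbound are port strings and allowed_ip_ranges
    are CIDR strings. This parameter shape is an assumption made for the
    example, not the template's schema.
    """
    metadata = pod.get("metadata", {})
    annotations = metadata.get("annotations") or {}
    name = metadata.get("name", "<unnamed>")
    violations = []

    # 1. Include annotations must be "*" or unset: a narrower include list would
    #    leave everything outside it uncaptured, bypassing mTLS and authz policy.
    for key in INCLUDE_ANNOTATIONS:
        value = annotations.get(key)
        if value is not None and value.strip() != "*":
            violations.append(f"{name}: {key} must be '*' or unset, got {value!r}")

    # 2. Excluded ports must come from the allowed lists (inbound 15020 excepted).
    for key, allowed in ((EXCLUDE_INBOUND_PORTS, set(allowed_inbound)),
                         (EXCLUDE_OUTBOUND_PORTS, set(allowed_outbound))):
        for port in _split(annotations.get(key, "")):
            if key == EXCLUDE_INBOUND_PORTS and port == HEALTH_CHECK_PORT:
                continue
            if port not in allowed:
                violations.append(f"{name}: port {port} may not be excluded via {key}")

    # 3. Each excluded outbound CIDR must equal or lie inside an allowed CIDR
    #    (the subset computation the description mentions).
    allowed_nets = [ipaddress.ip_network(c, strict=False) for c in allowed_ip_ranges]
    for cidr in _split(annotations.get(EXCLUDE_OUTBOUND_IP_RANGES, "")):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            violations.append(f"{name}: unparseable CIDR {cidr!r} in {EXCLUDE_OUTBOUND_IP_RANGES}")
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed_nets):
            violations.append(f"{name}: IP range {cidr} is not within an allowed exclusion")
    return violations


# Constructed inputs for the example (not from the page).
ALLOWED_INBOUND = ["9090"]
ALLOWED_OUTBOUND = ["3306"]
ALLOWED_IP_RANGES = ["10.0.0.0/8"]

COMPLIANT_POD = {"metadata": {"name": "metrics-exporter", "annotations": {
    EXCLUDE_INBOUND_PORTS: "15020,9090",
    EXCLUDE_OUTBOUND_IP_RANGES: "10.20.0.0/16",
    "traffic.sidecar.istio.io/includeOutboundIPRanges": "*",
}}}
NONCOMPLIANT_POD = {"metadata": {"name": "legacy-app", "annotations": {
    EXCLUDE_INBOUND_PORTS: "8080",
    EXCLUDE_OUTBOUND_IP_RANGES: "10.20.0.0/16,192.168.0.0/16",
    "traffic.sidecar.istio.io/includeInboundPorts": "8080",
}}}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        for v in check_network_exclusions(pod, ALLOWED_INBOUND, ALLOWED_OUTBOUND, ALLOWED_IP_RANGES):
            print(v)
```

The second Pod produces three findings: a narrowed includeInboundPorts annotation, an inbound port that is not on the allowed list, and an outbound range that is not contained in 10.0.0.0/8. The subset test uses `ipaddress.ip_network(...).subnet_of`, which is exactly the containment question the template has to answer for each excluded range.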

AllowedServicePortName

Allowed Service Port Names v1.0.1

Requires service port names to have a prefix from a specified list.

Constraint schema

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>
```

Examples

port-name-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
```
Allowed
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
  - name: http-helloport
    port: 5000
  selector:
    app: helloworld
```
Disallowed
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
  - name: foo-helloport
    port: 5000
  selector:
    app: helloworld
```
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld
```

AsmAuthzPolicyDefaultDeny

ASM AuthorizationPolicy Default Deny v1.0.4

Enforces mesh-level AuthorizationPolicy default deny. Refer to https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.

Constraint schema

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>
```

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which object kinds to watch.

Your Policy Controller Config will need a syncOnly entry similar to the following:

```yaml
spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "AuthorizationPolicy"
```

Examples

asm-authz-policy-default-deny-with-input-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
```
Allowed
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
```
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
```
Disallowed
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
```
asm-authz-policy-default-deny-no-input-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
```
Allowed
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null
```
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
```
Disallowed
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
```
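The examples above show why this constraint is referential: it cannot be decided from the constraint object alone, only from the AuthorizationPolicy objects that the syncOnly entry makes visible. The following Python is an added example, not the template's Rego or any code from this page, that applies the Istio default-deny pattern from the linked best-practices page to the three referential-data objects shown above: a policy in the root namespace with no selector and no rules, whose action is unset or ALLOW, denies every request, whereas a DENY policy with rules only blocks the traffic those rules match. The example does not model the `strictnessLevel` parameter, and the interpretation of the pattern is an assumption made here rather than a statement about the template's implementation.

```python
def is_mesh_default_deny(policy, root_namespace="istio-system"):
    """Return True if `policy` is a mesh-wide default-deny AuthorizationPolicy.

    Reading of the Istio default-deny pattern used by this example (an
    assumption about the template, not its Rego): the policy sits in the
    root namespace, has no selector (so it covers the whole mesh), has no
    rules, and its action is unset or ALLOW. An ALLOW policy that matches no
    request denies everything; a DENY policy with rules only blocks what
    those rules match and leaves everything else allowed.
    """
    metadata = policy.get("metadata", {})
    if metadata.get("namespace") != root_namespace:
        return False
    spec = policy.get("spec") or {}  # `spec: null` on the page parses to None
    if spec.get("selector") or spec.get("rules"):
        return False
    return spec.get("action", "ALLOW") == "ALLOW"


def has_mesh_default_deny(policies, root_namespace="istio-system"):
    """Referential check over the synced inventory: at least one policy qualifies."""
    return any(is_mesh_default_deny(p, root_namespace) for p in policies)


def _policy(name, namespace, spec):
    """Build an AuthorizationPolicy object as a plain dict."""
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# The three referential-data objects from the page's examples, as dicts.
DEFAULT_DENY_NO_ACTION = _policy("default-deny-no-action", "istio-system", None)
DEFAULT_DENY_WITH_ACTION = _policy("default-deny-with-action", "istio-system", {"action": "ALLOW"})
NOT_DEFAULT_DENY = _policy("not-default-deny", "istio-system", {
    "action": "DENY",
    "rules": [{"to": [{"operation": {"notMethods": ["GET", "POST"]}}]}],
})
# Constructed extra case (not from the page): an empty policy outside the root
# namespace only covers that namespace, so it is not a mesh-wide default deny.
NAMESPACE_SCOPED_EMPTY = _policy("allow-nothing", "payments", {})

if __name__ == "__main__":
    inventory = [DEFAULT_DENY_NO_ACTION, DEFAULT_DENY_WITH_ACTION,
                 NOT_DEFAULT_DENY, NAMESPACE_SCOPED_EMPTY]
    for p in inventory:
        print(p["metadata"]["name"], is_mesh_default_deny(p))
    print("mesh has default deny:", has_mesh_default_deny(inventory))
```

Because the check is referential, an inventory that contains only the `not-default-deny` policy fails, while adding either of the two allowed objects makes it pass; the same empty policy placed in a non-root namespace does not count, which is the reason the `rootNamespace` parameter exists.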

AsmAuthzPolicyDisallowedPrefix

ASM AuthorizationPolicy Disallowed Prefix v1.0.2

Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
    disallowedNamespacePrefixes:
      - <string>
    # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
    disallowedPrincipalPrefixes:
      - <string>
```

Examples

asm-authz-policy-disallowed-prefix-constraint
Constraint
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
    - bad-ns-prefix
    - worse-ns-prefix
    disallowedPrincipalPrefixes:
    - bad-principal-prefix
    - worse-principal-prefix
```
Allowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
```
Disallowed
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/worse-principal-prefix-sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin
```

AsmAuthzPolicyEnforceSourcePrincipals

ASM AuthorizationPolicy Enforce Source Principals v1.0.2

Requires that the `from` field of an Istio AuthorizationPolicy, when defined, has source principals, and that they are set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-authz-policy-enforce-source-principals-constraint

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy

Allowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

Disallowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
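The two rules above, AsmAuthzPolicyDisallowedPrefix and AsmAuthzPolicyEnforceSourcePrincipals, re-implemented as a pre-admission lint in Python; this is an added example, not the templates' own Rego. The sample policies are constructed to mirror the page's examples, and comparing a principal prefix against the service-account segment of the SPIFFE-style identity is an assumption drawn from those samples (DisallowedAuthzPrefix, later on this page, applies the same prefix check with a single list).

```python
"""Added example: lint Istio AuthorizationPolicy objects against the two rules
this page describes, before they reach the cluster. Not Policy Controller's
own Rego; behaviour is inferred from the page's allowed/disallowed samples."""

# Parameters taken from the page's sample constraint
# (asm-authz-policy-disallowed-prefix-constraint).
DISALLOWED_NS_PREFIXES = ("bad-ns-prefix", "worse-ns-prefix")
DISALLOWED_PRINCIPAL_PREFIXES = ("bad-principal-prefix", "worse-principal-prefix")


def _rules(policy):
    return (policy.get("spec") or {}).get("rules") or []


def _sources(rule):
    """Every rules[].from[].source mapping of one rule."""
    return [entry.get("source") or {} for entry in (rule.get("from") or [])]


def check_disallowed_prefix(policy, ns_prefixes, principal_prefixes):
    """AsmAuthzPolicyDisallowedPrefix: one violation per namespace or
    principal whose name starts with a configured prefix."""
    violations = []
    for rule in _rules(policy):
        for source in _sources(rule):
            for ns in source.get("namespaces") or []:
                if ns.startswith(ns_prefixes):
                    violations.append(f"namespace {ns!r} has a disallowed prefix")
            for principal in source.get("principals") or []:
                # Principals look like cluster.local/ns/<ns>/sa/<sa>. The page's
                # sample flags the <sa> segment, so that is what is compared here
                # (assumption; the template's exact matching is not shown).
                if principal.rsplit("/", 1)[-1].startswith(principal_prefixes):
                    violations.append(f"principal {principal!r} has a disallowed prefix")
    return violations


def check_source_principals(policy):
    """AsmAuthzPolicyEnforceSourcePrincipals: every rule that has a `from`
    clause must name at least one principal, and "*" is not acceptable.
    Istio matches a rule when ANY `from` entry matches, so a namespaces-only
    source next to a principals source still widens the rule; the template as
    illustrated on the page accepts that shape, and so does this check."""
    violations = []
    for i, rule in enumerate(_rules(policy)):
        if "from" not in rule:
            continue  # no source clause: out of this template's scope
        principals = [p for s in _sources(rule) for p in (s.get("principals") or [])]
        if not principals:
            violations.append(f"rule {i}: `from` is set but names no source principals")
        elif "*" in principals:
            violations.append(f"rule {i}: source principals contain the wildcard '*'")
    return violations


def lint(policy):
    """All violations for one policy; an empty list means it would be admitted."""
    return check_disallowed_prefix(
        policy, DISALLOWED_NS_PREFIXES, DISALLOWED_PRINCIPAL_PREFIXES
    ) + check_source_principals(policy)


def authz_policy(name, sources):
    """Constructed sample: a one-rule AuthorizationPolicy selecting app=httpbin."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name},
        "spec": {
            "selector": {"matchLabels": {"app": "httpbin"}},
            "rules": [{"from": [{"source": s} for s in sources]}],
        },
    }


SLEEP = "cluster.local/ns/default/sa/sleep"
# Constructed to mirror the page's allowed/disallowed samples for both templates.
SAMPLES = {
    "valid-authz-policy": authz_policy(
        "valid-authz-policy", [{"principals": [SLEEP]}, {"namespaces": ["test"]}]),
    "bad-source-principal": authz_policy(
        "bad-source-principal",
        [{"principals": ["cluster.local/ns/default/sa/worse-principal-prefix-sleep"]},
         {"namespaces": ["test"]}]),
    "bad-source-namespace": authz_policy(
        "bad-source-namespace",
        [{"principals": [SLEEP]}, {"namespaces": ["bad-ns-prefix-test"]}]),
    "no-source-principals": authz_policy(
        "no-source-principals", [{"namespaces": ["test"]}]),
    "source-principals-wildcard": authz_policy(
        "source-principals-wildcard", [{"principals": ["*"]}, {"namespaces": ["test"]}]),
    "source-principals-contains-wildcard": authz_policy(
        "source-principals-contains-wildcard",
        [{"principals": [SLEEP, "*"]}, {"namespaces": ["test"]}]),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        problems = lint(policy)
        print(f"{name}: {'allowed' if not problems else 'disallowed: ' + '; '.join(problems)}")
```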

AsmAuthzPolicyNormalization

ASM AuthorizationPolicy Normalization v1.0.2

Enforces AuthorizationPolicy normalization. Reference: https://istio.io/latest/docs/reference/config/security/normalization/.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-authz-policy-normalization-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy

Allowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

Disallowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - get
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Ag ent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test\/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicySafePattern

ASM AuthorizationPolicy Safe Patterns v1.0.4

Enforces safe AuthorizationPolicy patterns. Reference: https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-authz-policy-safe-pattern-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High

Allowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway

Disallowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway
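The safe patterns illustrated by the samples above (hosts only on ingress gateway policies, both host forms listed, ALLOW with positive matching, DENY with negative matching), as an added Python check that is not the template's own Rego. The rule set and the strictnessLevel: High behaviour are inferred from the page's samples; the sample policies are constructed to mirror them.

```python
"""Added example: check Istio AuthorizationPolicy objects against the safe
patterns this template enforces, as inferred from the page's samples. Not the
template's own Rego; it models the strictnessLevel: High behaviour shown."""

# Selector labels the page's allowed samples use for ingress gateways.
INGRESS_GATEWAY_LABELS = (("istio", "ingressgateway"), ("asm", "ingressgateway"))
NEGATIVE_OPERATION_KEYS = {"notHosts", "notPorts", "notMethods", "notPaths"}
POSITIVE_OPERATION_KEYS = {"hosts", "ports", "methods", "paths"}


def _is_ingress_gateway_policy(spec):
    labels = (spec.get("selector") or {}).get("matchLabels") or {}
    return any(labels.get(k) == v for k, v in INGRESS_GATEWAY_LABELS)


def check_safe_patterns(policy):
    """Return violations (empty list = admitted)."""
    spec = policy.get("spec") or {}
    action = spec.get("action", "ALLOW")  # Istio's default action
    on_gateway = _is_ingress_gateway_policy(spec)
    violations = []
    for rule in spec.get("rules") or []:
        for to in rule.get("to") or []:
            op = to.get("operation") or {}
            hosts = op.get("hosts") or []
            if hosts and not on_gateway:
                # Behind a sidecar the Host header is whatever the client sent,
                # so matching on it only makes sense at the ingress gateway.
                violations.append("hosts matched outside an ingress gateway policy")
            for host in hosts:
                # List both "h" and "h:*" so a Host header that carries an
                # explicit port still matches the intended entry.
                if ":" not in host and f"{host}:*" not in hosts:
                    violations.append(f"host {host!r} listed without {host}:*")
            # A mismatch in an ALLOW-with-negative or DENY-with-positive policy
            # fails open (bypass); the safe patterns fail closed (unexpected 403).
            if action == "ALLOW" and NEGATIVE_OPERATION_KEYS & op.keys():
                violations.append("ALLOW policy uses negative matching")
            if action == "DENY" and POSITIVE_OPERATION_KEYS & op.keys():
                violations.append("DENY policy uses positive matching")
    return violations


def authz_policy(name, action, operation, selector=None):
    """Constructed sample: one rule with a single `to.operation`."""
    spec = {"action": action, "rules": [{"to": [{"operation": operation}]}]}
    if selector:
        spec["selector"] = {"matchLabels": selector}
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
            "metadata": {"name": name}, "spec": spec}


BOTH_HOST_FORMS = ["test.com", "test.com:*"]
# Constructed to mirror the page's allowed/disallowed samples.
SAMPLES = {
    "good-authz-policy-istio-ingress": authz_policy(
        "good-authz-policy-istio-ingress", "ALLOW",
        {"hosts": BOTH_HOST_FORMS, "methods": ["GET"]}, {"istio": "ingressgateway"}),
    "good-authz-policy-asm-ingress": authz_policy(
        "good-authz-policy-asm-ingress", "ALLOW",
        {"hosts": BOTH_HOST_FORMS, "methods": ["GET"]}, {"asm": "ingressgateway"}),
    "hosts-on-noningress": authz_policy(
        "hosts-on-noningress", "ALLOW", {"hosts": BOTH_HOST_FORMS, "methods": ["GET"]}),
    "invalid-hosts": authz_policy(
        "invalid-hosts", "ALLOW", {"hosts": ["test.com"], "methods": ["GET"]},
        {"istio": "ingressgateway"}),
    "allow-negative-match": authz_policy(
        "allow-negative-match", "ALLOW",
        {"hosts": BOTH_HOST_FORMS, "notMethods": ["GET"]}, {"istio": "ingressgateway"}),
    "deny-positive-match": authz_policy(
        "deny-positive-match", "DENY",
        {"hosts": BOTH_HOST_FORMS, "methods": ["GET"]}, {"istio": "ingressgateway"}),
}

if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        problems = check_safe_patterns(policy)
        print(f"{name}: {'allowed' if not problems else 'disallowed: ' + '; '.join(problems)}")
```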

AsmIngressgatewayLabel

ASM Ingressgateway Label v1.0.3

Enforces that the Istio Ingressgateway labels are used only on Ingressgateway Pods.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-ingressgateway-label-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

AsmPeerAuthnMeshStrictMtls

ASM Peer Authentication Mesh Strict mTLS v1.0.4

Enforces a mesh-level strict mTLS PeerAuthentication. Reference: https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "PeerAuthentication"

Examples

asm-peer-authn-mesh-strict-mtls-with-input-constraint

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High

Allowed

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT

Disallowed

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE

asm-peer-authn-mesh-strict-mtls-no-input-constraint

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High

Allowed

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT

Disallowed

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

AsmPeerAuthnStrictMtls

ASM Peer Authentication Strict mTLS v1.0.3

Enforces that no PeerAuthentication can override strict mTLS. Reference: https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-peer-authn-strict-mtls-constraint

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High

Allowed

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

Disallowed

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
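The two mTLS templates above, AsmPeerAuthnMeshStrictMtls (a referential check over every synced PeerAuthentication) and AsmPeerAuthnStrictMtls (a per-object check), as an added Python example that is not the templates' own Rego. The samples are constructed to mirror the page's; treating the selector-less PeerAuthentication in the root namespace as the mesh-wide policy follows Istio's own semantics, and the strictnessLevel parameter is not modelled.

```python
"""Added example: check PeerAuthentication objects against the two mTLS
templates on this page. Not the templates' own Rego; behaviour follows the
page's samples. The selector-less PeerAuthentication in the root namespace is
the mesh-wide policy (Istio semantics)."""

# Modes that do not weaken a mesh-wide STRICT setting: UNSET inherits it.
NON_WEAKENING_MODES = {"STRICT", "UNSET"}


def peer_authn(name, namespace, mode=None, port_modes=None, selector=None):
    """Constructed sample PeerAuthentication."""
    spec = {}
    if mode is not None:
        spec["mtls"] = {"mode": mode}
    if port_modes:
        spec["portLevelMtls"] = {port: {"mode": m} for port, m in port_modes.items()}
    if selector:
        spec["selector"] = {"matchLabels": selector}
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def _mtls_mode(pa):
    return (((pa.get("spec") or {}).get("mtls")) or {}).get("mode", "UNSET")


def check_strict_mtls(pa):
    """AsmPeerAuthnStrictMtls: a single PeerAuthentication (namespace- or
    workload-scoped) must not set PERMISSIVE or DISABLE at the workload level
    or at any port level."""
    name = pa["metadata"]["name"]
    violations = []
    mode = _mtls_mode(pa)
    if mode not in NON_WEAKENING_MODES:
        violations.append(f"{name}: mtls.mode {mode} overrides strict mTLS")
    for port, cfg in ((pa.get("spec") or {}).get("portLevelMtls") or {}).items():
        port_mode = (cfg or {}).get("mode", "UNSET")
        if port_mode not in NON_WEAKENING_MODES:
            violations.append(f"{name}: port {port} mode {port_mode} overrides strict mTLS")
    return violations


def check_mesh_strict_mtls(peer_authns, root_namespace="istio-system"):
    """AsmPeerAuthnMeshStrictMtls over the referential data: the mesh-wide
    policy in the root namespace must exist and be STRICT. rootNamespace
    defaults to istio-system, as the schema states."""
    mesh_wide = [pa for pa in peer_authns
                 if pa["metadata"].get("namespace") == root_namespace
                 and "selector" not in (pa.get("spec") or {})]
    if not mesh_wide:
        # Without a mesh-wide policy Istio's default is PERMISSIVE.
        return [f"no mesh-wide PeerAuthentication in {root_namespace}"]
    return [f"{pa['metadata']['name']}: mesh-wide mtls.mode is {_mtls_mode(pa)}, expected STRICT"
            for pa in mesh_wide if _mtls_mode(pa) != "STRICT"]


# Constructed to mirror the page's samples.
MESH_STRICT = peer_authn("mesh-strict-mtls", "asm-root", "STRICT")
MESH_PERMISSIVE = peer_authn("mesh-permissive-mtls", "asm-root", "PERMISSIVE")
PORTS = {"80": "UNSET", "443": "STRICT"}
VALID_PA = peer_authn("valid-strict-mtls-pa", "foo", "UNSET", PORTS, {"app": "bar"})
INVALID_PERMISSIVE_PA = peer_authn(
    "invalid-permissive-mtls-pa", "foo", "PERMISSIVE", PORTS, {"app": "bar"})
INVALID_PORT_DISABLE_PA = peer_authn(
    "invalid-port-disable-mtls-pa", "foo", "UNSET",
    {"80": "DISABLE", "443": "STRICT"}, {"app": "bar"})

if __name__ == "__main__":
    print("mesh (asm-root, STRICT):", check_mesh_strict_mtls([MESH_STRICT], "asm-root"))
    print("mesh (asm-root, PERMISSIVE):", check_mesh_strict_mtls([MESH_PERMISSIVE], "asm-root"))
    for pa in (VALID_PA, INVALID_PERMISSIVE_PA, INVALID_PORT_DISABLE_PA):
        print(pa["metadata"]["name"], check_strict_mtls(pa) or "allowed")
```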

AsmRequestAuthnProhibitedOutputHeaders

ASM RequestAuthentication Prohibited Output Headers v1.0.2

Enforces that the RequestAuthentication jwtRules.outputPayloadToHeader field does not contain well-known HTTP request headers or custom prohibited headers. Reference: https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>

Examples

asm-request-authn-prohibited-output-headers-constraint

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header

Allowed

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

Disallowed

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

AsmSidecarInjection

ASM Sidecar Injection v1.0.2

Enforces that the Istio proxy sidecar is always injected into workload Pods.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-sidecar-injection-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High

Allowed

apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

Disallowed

apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

DestinationRuleTLSEnabled

Destination Rule TLS Enabled v1.0.1

Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

dr-tls-enabled

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule

Disallowed

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE

DisallowedAuthzPrefix

Disallowed Istio AuthorizationPolicy Prefixes v1.0.2

Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

Examples

disallowed-authz-prefix-constraint

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix

Allowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

Disallowed

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

GCPStorageLocationConstraintV1

GCP Storage Location Constraint v1.0.3

Restricts the permitted locations for StorageBucket Config Connector resources to the list of locations provided in the constraint. Bucket names in the exemptions list are exempt.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

Examples

singapore-and-jakarta-only

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2

Allowed

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1

Disallowed

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

GkeSpotVMTerminationGrace

Restringe terminationGracePeriodSeconds para las VMs Spot de GKE v1.1.3

Requiere que los Pods y las plantillas de Pods con nodeSelector o nodeAfffinty de gke-spot tengan un terminationGracePeriodSeconds de 15 s o menos.

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata:   name: example spec:   # match <object>: lets you configure which resources are in scope for this   # constraint. For more information, see the Policy Controller Constraint   # match documentation:   # https://cloud.google.com/anthos-config-management/docs/reference/match   match:     [match schema]   parameters:     # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`     # of 15s or less for all `Pod` on a `gke-spot` Node.     includePodOnSpotNodes: <boolean> 

Restricción referencial

Esta restricción es referencial. Antes de usar las restricciones referenciales, debes habilitarlas y crear una configuración que le indique a Policy Controller qué tipos de objetos debe observar.

Tu Config de Policy Controller requerirá una entrada syncOnly similar a la siguiente:

spec:   sync:     syncOnly:       - group: ""         version: "v1"         kind: "Node" 

Ejemplos

spotvm-termination-grace
Restricción
apiVersion: constraints.gatekeeper.sh/v1beta1 kind: GkeSpotVMTerminationGrace metadata:   name: spotvm-termination-grace spec:   enforcementAction: dryrun   match:     kinds:     - apiGroups:       - ""       kinds:       - Pod   parameters:     includePodOnSpotNodes: true
Permitido
apiVersion: v1 kind: Pod metadata:   name: example-allowed spec:   containers:   - image: nginx     name: nginx   nodeSelector:     cloud.google.com/gke-spot: "true"   terminationGracePeriodSeconds: 15
apiVersion: v1 kind: Pod metadata:   name: example-allowed spec:   containers:   - image: nginx     name: nginx   nodeSelector:     cloud.google.com/gke-spot: "true"   terminationGracePeriodSeconds: 15
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  nodeName: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  nodeName: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  nodeName: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30
apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  nodeName: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

K8sAllowedRepos

Allowed Repos v1.0.1

Requires container images to begin with a string from the specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Examples

repo-is-openpolicyagent
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

K8sAvoidUseOfSystemMastersGroup

Disallow use of the "system:masters" group v1.0.0

Disallows use of the "system:masters" group. Has no effect during audit.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>

Examples

avoid-use-of-system-masters-group
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockAllIngress

Block all Ingress v1.0.4

Disallows the creation of Ingress objects (Ingress and Gateway kinds, and Services of type NodePort and LoadBalancer).

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>

Examples

block-all-ingress
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*
Allowed
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: disallowed-gateway-example
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.example.com'
    name: default
    port: 80
    protocol: HTTP

K8sBlockCreationWithDefaultServiceAccount

Block Creation with Default Service Account v1.0.2

Disallows the creation of resources that use the default service account. Has no effect during audit.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-creation-with-default-serviceaccount
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockEndpointEditDefaultRole

Block Endpoint Edit Default Role v1.0.0

Many Kubernetes installations ship with a default system:aggregate-to-edit ClusterRole that, by default, does not properly restrict edit access to Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice permissions allow cross-namespace forwarding, see https://github.com/kubernetes/kubernetes/issues/103675.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-endpoint-edit-default-role
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
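As an added illustration (not code from this page or from Gatekeeper), the Python below re-states the check so it can be run over a ClusterRole exported from a cluster. Two assumptions, labelled in the code: it looks only at the verbs the description names (create, patch, update) on a resource literally named `endpoints`, regardless of API group (the disallowed example above lists `endpoints` inside an `apps` rule), and it also treats the RBAC wildcard `*` as granting those verbs, which is stricter than a literal comparison.

```python
# Added example: stand-alone re-statement of the K8sBlockEndpointEditDefaultRole
# check, for running over an exported ClusterRole. Not Gatekeeper's own code.
EDIT_VERBS = {"create", "patch", "update"}  # the verbs the template's description names
GUARDED_ROLE = "system:aggregate-to-edit"


def endpoint_edit_verbs(cluster_role):
    """Return the subset of EDIT_VERBS that `cluster_role` grants on `endpoints`.

    The resource name is matched regardless of apiGroups, like the page's
    disallowed example, which lists `endpoints` inside an `apps` rule.
    Assumption (stricter than a literal comparison): a '*' wildcard in
    resources or verbs counts as granting endpoints / every edit verb.
    """
    granted = set()
    for rule in cluster_role.get("rules", []):
        resources = rule.get("resources", [])
        if "endpoints" not in resources and "*" not in resources:
            continue
        verbs = set(rule.get("verbs", []))
        granted |= EDIT_VERBS if "*" in verbs else verbs & EDIT_VERBS
    return granted


def violates(cluster_role):
    """The constraint's decision: the guarded default role grants an Endpoints edit verb."""
    name = cluster_role.get("metadata", {}).get("name")
    return name == GUARDED_ROLE and bool(endpoint_edit_verbs(cluster_role))


def make_role(name, rules):
    """Constructed minimal ClusterRole, shaped like the examples above."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}


# Constructed samples mirroring the page: the allowed role edits workload
# resources only; the disallowed one adds `endpoints` to its apps rule.
ALLOWED = make_role(GUARDED_ROLE, [
    {"apiGroups": [""], "resources": ["pods/attach", "pods/exec"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
])
DISALLOWED = make_role(GUARDED_ROLE, [
    {"apiGroups": ["apps"], "resources": ["deployments", "endpoints", "replicasets"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
])

if __name__ == "__main__":
    for role in (ALLOWED, DISALLOWED):
        print(role["metadata"]["name"], "violates:", violates(role),
              "edit verbs on endpoints:", sorted(endpoint_edit_verbs(role)))
```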

K8sBlockLoadBalancer

Block Services with type LoadBalancer v1.0.0

Disallows all Services with type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-load-balancer
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Allowed
apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer

K8sBlockNodePort

Block NodePort v1.0.0

Disallows all Services with type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-node-port
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockObjectsOfType

Block Objects of Type v1.0.1

Disallows objects of the forbidden types.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
      - <string>

Examples

block-secrets-of-type-basic-auth
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth
Allowed
apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque
Disallowed
apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth

K8sBlockProcessNamespaceSharing

Block Process Namespace Sharing v1.0.1

Disallows Pod specs with shareProcessNamespace set to true. This prevents a situation where all containers in a Pod share a PID namespace and can access each other's file systems and memory.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-process-namespace-sharing
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sBlockWildcardIngress

Block Wildcard Ingress v1.0.1

Users should not be able to create Ingresses with a blank or wildcard (*) hostname, since that would allow them to intercept traffic for other services in the cluster, even if they do not have access to those services.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-wildcard-ingress
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

K8sContainerEphemeralStorageLimit

Container Ephemeral Storage Limit v1.0.2

Requires containers to have an ephemeral storage limit set, and constrains that limit to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

container-ephemeral-storage-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

K8sContainerLimits

Container Limits v1.0.1

Requires containers to have memory and CPU limits set, and constrains those limits to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

Examples

container-must-have-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

Container Ratios v1.0.1

Sets a maximum ratio of container resource limits to requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

Examples

container-must-meet-ratio
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

K8sContainerRequests

Container Requests v1.0.1

Requires containers to have memory and CPU requests set, and constrains those requests to be within the specified maximum values. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>

Examples

container-must-have-requests
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
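K8sContainerLimits, K8sContainerRatios and K8sContainerRequests all compare Kubernetes resource quantities, so one added example serves the three: the Python below (not code from this page or from Gatekeeper) parses quantities such as `100m`, `1Gi` and `"4"` exactly and applies the three checks to Pods shaped like the examples above. Assumptions, labelled in the comments: a value equal to the maximum or ratio passes (the examples above allow `memory: 1Gi` against a `1Gi` maximum and a 2:1 ratio against `ratio: "2"`), and a container that lacks the limit or request being checked is a violation.

```python
# Added example: re-statement of the K8sContainerLimits / K8sContainerRequests /
# K8sContainerRatios checks over Pod manifests. Not Gatekeeper's own code.
import re
from fractions import Fraction

# Kubernetes quantity suffixes: decimal SI (k, M, G, ...) and binary (Ki, Mi, Gi, ...).
_SUFFIX = {
    "m": Fraction(1, 1000), "": Fraction(1),
    "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9),
    "T": Fraction(10**12), "P": Fraction(10**15), "E": Fraction(10**18),
    "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30),
    "Ti": Fraction(2**40), "Pi": Fraction(2**50), "Ei": Fraction(2**60),
}
_QUANTITY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)(m|k|Ki|[MGTPE]i?|)$")


def parse_quantity(q):
    """Exact value of a quantity like '100m', '1Gi' or 4 (CPU in cores, memory in bytes)."""
    match = _QUANTITY.match(str(q).strip())
    if not match:
        raise ValueError(f"unsupported quantity {q!r}")
    return Fraction(match.group(1)) * _SUFFIX[match.group(2)]


def _containers(pod):
    """Every container a Pod can run: regular, init and ephemeral."""
    spec = pod.get("spec", {})
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def _is_exempt(container, exempt_images):
    """exemptImages entries match the image exactly, or by prefix when they end in '*'."""
    image = container.get("image", "")
    return any(image.startswith(e[:-1]) if e.endswith("*") else image == e
               for e in exempt_images)


def check_maximums(pod, section, maximums, exempt_images=()):
    """K8sContainerLimits (section='limits') / K8sContainerRequests (section='requests').
    Each resource named in `maximums` must be set and must not exceed its maximum.
    Assumption: equal to the maximum passes; a missing value is a violation.
    Returns a list of violation messages (empty means allowed)."""
    violations = []
    for c in _containers(pod):
        if _is_exempt(c, exempt_images):
            continue
        values = c.get("resources", {}).get(section, {})
        for res, maximum in maximums.items():
            if res not in values:
                violations.append(f"container {c['name']} has no {res} {section}")
            elif parse_quantity(values[res]) > parse_quantity(maximum):
                violations.append(f"container {c['name']} {res} {section} {values[res]} "
                                  f"exceeds the maximum {maximum}")
    return violations


def check_ratios(pod, ratio, cpu_ratio=None, exempt_images=()):
    """K8sContainerRatios: limits/requests must not exceed `ratio`; CPU uses `cpu_ratio`
    when given (the schema says it defaults to `ratio`). Equal to the ratio passes."""
    bounds = {"memory": Fraction(str(ratio)),
              "cpu": Fraction(str(ratio if cpu_ratio is None else cpu_ratio))}
    violations = []
    for c in _containers(pod):
        if _is_exempt(c, exempt_images):
            continue
        resources = c.get("resources", {})
        for name, bound in bounds.items():
            limit = resources.get("limits", {}).get(name)
            request = resources.get("requests", {}).get(name)
            if limit is None or request is None:  # assumption: both must be present
                violations.append(f"container {c['name']} must set a {name} limit and request")
                continue
            actual = parse_quantity(limit) / parse_quantity(request)
            if actual > bound:
                violations.append(f"container {c['name']} {name} limit/request ratio "
                                  f"{float(actual):g} exceeds {float(bound):g}")
    return violations


def sample_pod(name, limits=None, requests=None):
    """Constructed minimal Pod shaped like the opa-* examples above."""
    resources = {k: v for k, v in (("limits", limits), ("requests", requests)) if v}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "opa", "image": "openpolicyagent/opa:0.9.2",
                                     "resources": resources}]}}


if __name__ == "__main__":
    # container-must-have-limits (cpu 200m, memory 1Gi) against the page's disallowed Pod
    print(check_maximums(sample_pod("opa-disallowed", limits={"cpu": "100m", "memory": "2Gi"}),
                         "limits", {"cpu": "200m", "memory": "1Gi"}))
    # container-must-meet-memory-and-cpu-ratio (cpuRatio "10", ratio "1"): 4 / 100m = 40
    print(check_ratios(sample_pod("opa-disallowed", limits={"cpu": "4", "memory": "2Gi"},
                                  requests={"cpu": "100m", "memory": "2Gi"}), "1", "10"))
```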

K8sCronJobAllowedRepos

CronJob Allowed Repositories v1.0.1

Requires container images in CronJobs to begin with a string from the specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Examples

cronjob-restrict-repos
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: cronjob-restrict-repos
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
  parameters:
    repos:
    - gke.gcr.io/
Allowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: gke.gcr.io/busybox:1.28
            name: hello
  schedule: '* * * * *'
Disallowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: busybox:1.28
            name: hello
  schedule: '* * * * *'

K8sDisallowAnonymous

Disallow Anonymous Access v1.0.0

Disallows associating ClusterRole and Role resources with the system:anonymous user and the system:unauthenticated group.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
      - <string>

Examples

no-anonymous
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowInteractiveTTY

Disallow Interactive TTY Containers v1.0.0

Requires objects to have the spec.tty and spec.stdin fields set to false or left unset.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

no-interactive-tty-containers
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: no-interactive-tty-containers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-interactive-tty
  name: nginx-interactive-tty-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: false
    tty: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: true
    tty: true

K8sDisallowedRepos

Disallowed Repositories v1.0.0

Disallows container repositories that begin with a string from the specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
      - <string>

Examples

repo-must-not-be-k8s-gcr-io
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

K8sDisallowedRoleBindingSubjects

Disallowed Rolebinding Subjects v1.0.1

Forbids RoleBindings or ClusterRoleBindings whose subjects match any of the disallowedSubjects passed as parameters.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

Examples

disallowed-rolebinding-subjects
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
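The following is an added example, not code from the template library: a Python stand-in for the Rego of K8sDisallowAnonymous (above, under "no-anonymous") and K8sDisallowedRoleBindingSubjects, run offline over ClusterRoleBindings constructed to mirror the examples on this page. It shows the difference between the two checks: the first exempts whole roles through allowedRoles, the second rejects a subject regardless of the role bound, and both key on (kind, name) only, since apiGroup is ignored.

```python
# Added example: Python stand-in for the templates' Rego, not the library's own
# code. Sample bindings below are constructed to mirror the ones on this page.

# Subjects that K8sDisallowAnonymous refuses to bind a role to.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}


def _subject_keys(binding):
    """(kind, name) of every subject; apiGroup is dropped because both
    templates ignore it."""
    return [(s.get("kind"), s.get("name")) for s in binding.get("subjects", [])]


def disallow_anonymous_violations(binding, allowed_roles=()):
    """K8sDisallowAnonymous: unless the bound role is listed in allowedRoles,
    the binding must not grant it to system:anonymous or system:unauthenticated."""
    role = binding["roleRef"]["name"]
    if role in set(allowed_roles):
        return []  # role explicitly permitted for anonymous principals
    return [
        f"{binding['kind']} {binding['metadata']['name']} binds {role} to {kind} {name}"
        for kind, name in _subject_keys(binding)
        if (kind, name) in ANONYMOUS_SUBJECTS
    ]


def disallowed_subject_violations(binding, disallowed_subjects):
    """K8sDisallowedRoleBindingSubjects: any subject whose kind and name match
    a disallowedSubjects entry is a violation, whatever role is bound."""
    banned = {(d["kind"], d["name"]) for d in disallowed_subjects}
    return [
        f"{binding['kind']} {binding['metadata']['name']} has disallowed subject {kind} {name}"
        for kind, name in _subject_keys(binding)
        if (kind, name) in banned
    ]


def cluster_role_binding(name, role, groups):
    """Constructed sample: a ClusterRoleBinding dict in the shape the API server
    returns, holding only the fields the checks read."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": g}
                     for g in groups],
    }


# The bindings from the K8sDisallowAnonymous examples above.
BINDING_1 = cluster_role_binding("cluster-role-binding-1", "cluster-role-1",
                                 ["system:authenticated", "system:unauthenticated"])
BINDING_2 = cluster_role_binding("cluster-role-binding-2", "cluster-role-2",
                                 ["system:authenticated", "system:unauthenticated"])
# The bindings from the K8sDisallowedRoleBindingSubjects examples above.
GOOD_CRB = cluster_role_binding("good-clusterrolebinding", "my-role", ["system:authenticated"])
BAD_CRB = cluster_role_binding("bad-clusterrolebinding", "my-role", ["system:unauthenticated"])

# Parameters of the no-anonymous and disallowed-rolebinding-subjects constraints.
ALLOWED_ROLES = ["cluster-role-1"]
DISALLOWED_SUBJECTS = [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                        "name": "system:unauthenticated"}]

if __name__ == "__main__":
    for b in (BINDING_1, BINDING_2):
        print(b["metadata"]["name"], disallow_anonymous_violations(b, ALLOWED_ROLES) or "OK")
    for b in (GOOD_CRB, BAD_CRB):
        print(b["metadata"]["name"], disallowed_subject_violations(b, DISALLOWED_SUBJECTS) or "OK")
```

Note that cluster-role-binding-1 passes K8sDisallowAnonymous only because cluster-role-1 is in allowedRoles; under the disallowed-rolebinding-subjects constraint the same binding would be rejected, because that template has no per-role exemption.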

K8sDisallowedTags

Disallowed Tags v1.0.1

Requires container images to have an image tag different from the ones in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

Examples

container-image-must-not-have-latest-tag
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor

K8sEmptyDirHasSizeLimit

Empty Directory Has Size Limit v1.0.5

Requires any emptyDir volume to specify a sizeLimit. Optionally, you can provide a maxSizeLimit parameter in the constraint to specify the maximum allowed size limit.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
      - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

Examples

empty-dir-has-size-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume

apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume
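Both K8sEmptyDirHasSizeLimit (above) and K8sContainerRequests (earlier on this page) compare Kubernetes resource quantities, which mix decimal suffixes (200m, 1G) with binary ones (1Gi, 1024Mi). The following is an added example, not the library's own code: a Python stand-in for the two templates' Rego that parses quantities exactly and applies both checks to Pods constructed to mirror the page's examples. Two points are assumptions: the page's allowed example (a 1Gi request under memory: 1Gi) shows a request equal to the maximum passing, so the request check uses request > maximum; and a container with no request for a constrained resource is reported too, following the constraint's name container-must-have-requests.

```python
# Added example: Python stand-in for the templates' Rego, not the library's own
# code. Sample Pods are constructed to mirror the ones on this page.
import re
from fractions import Fraction

_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")
# Decimal (SI) and binary suffixes Kubernetes accepts, as exact multipliers.
_SUFFIX = {"": 1, "m": Fraction(1, 1000),
           "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4}


def parse_quantity(q):
    """'200m' -> 1/5 (cores), '1Gi' -> 1073741824 (bytes). Exact arithmetic, so
    '1Gi' and '1024Mi' compare equal instead of drifting in floating point."""
    m = _QUANTITY.match(str(q).strip())
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unrecognised quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


def _containers(pod):
    spec = pod.get("spec", {})
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def _exempt(image, patterns):
    """exemptImages semantics from the schema: a trailing '*' is a prefix match."""
    return any(image.startswith(p[:-1]) if p.endswith("*") else image == p for p in patterns)


def container_request_violations(pod, cpu=None, memory=None, exempt_images=()):
    """K8sContainerRequests: a request above the cpu/memory parameter is a
    violation (request == maximum passes, as the page's allowed example shows);
    a missing request is reported too (assumption, see lead-in)."""
    maxima = {k: v for k, v in (("cpu", cpu), ("memory", memory)) if v is not None}
    out = []
    for c in _containers(pod):
        if _exempt(c.get("image", ""), exempt_images):
            continue
        requests = c.get("resources", {}).get("requests", {})
        for res, max_q in maxima.items():
            if res not in requests:
                out.append(f"container {c['name']} has no {res} request")
            elif parse_quantity(requests[res]) > parse_quantity(max_q):
                out.append(f"container {c['name']} {res} request {requests[res]} exceeds {max_q}")
    return out


def empty_dir_violations(pod, exempt_volumes_regex=(), max_size_limit=None):
    """K8sEmptyDirHasSizeLimit: every emptyDir needs a sizeLimit; when
    maxSizeLimit is set the declared limit must be less than it (schema wording).
    Volumes whose name matches an exemptVolumesRegex entry are skipped."""
    out = []
    for v in pod.get("spec", {}).get("volumes", []):
        if "emptyDir" not in v:
            continue
        name = v.get("name", "")
        if any(re.search(p, name) for p in exempt_volumes_regex):
            continue
        limit = (v["emptyDir"] or {}).get("sizeLimit")  # emptyDir: {} has no limit
        if limit is None:
            out.append(f"emptyDir volume {name} has no sizeLimit")
        elif max_size_limit is not None and parse_quantity(limit) >= parse_quantity(max_size_limit):
            out.append(f"emptyDir volume {name} sizeLimit {limit} is not below {max_size_limit}")
    return out


def pod(name, containers=(), volumes=()):
    """Constructed sample Pod carrying only the fields the checks read."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": list(containers), "volumes": list(volumes)}}


def opa_container(memory):
    """The opa container from the K8sContainerRequests examples, memory request varied."""
    return {"name": "opa", "image": "openpolicyagent/opa:0.9.2",
            "resources": {"requests": {"cpu": "100m", "memory": memory}}}


OPA_ALLOWED = pod("opa-allowed", [opa_container("1Gi")])
OPA_DISALLOWED = pod("opa-disallowed", [opa_container("2Gi")])
GOOD_POD = pod("good-pod", volumes=[{"name": "good-pod-volume", "emptyDir": {"sizeLimit": "2Gi"}}])
EXEMPT_POD = pod("exempt-pod", volumes=[{"name": "istio-envoy", "emptyDir": {}}])
BAD_POD = pod("bad-pod", volumes=[{"name": "bad-pod-volume", "emptyDir": {}}])
```

Running container_request_violations(OPA_ALLOWED, cpu="200m", memory="1Gi") returns an empty list while the same call on OPA_DISALLOWED reports the 2Gi memory request; empty_dir_violations with the empty-dir-has-size-limit parameters passes good-pod and exempt-pod and reports bad-pod-volume.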

K8sEnforceCloudArmorBackendConfig

Enforce Cloud Armor on BackendConfig resources v1.0.2

Enforces a Cloud Armor configuration on BackendConfig resources.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

enforce-cloudarmor-backendconfig
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun
Allowed
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy
Disallowed
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5

K8sEnforceConfigManagement

Enforce Config Management v1.1.6

Requires Config Management to be present and functioning. Constraints that use this ConstraintTemplate are audit-only, regardless of the value of enforcementAction.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>

Referential constraint

This constraint is referential. Before you use referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"

Examples

enforce-config-management
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement
Allowed
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: [email protected]:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true
Disallowed
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: [email protected]:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2

K8sExternalIPs

External IPs v1.0.0

Restricts Service externalIPs to an allowlist of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

Examples

external-ips
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
Allowed
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHorizontalPodAutoscaler

Horizontal Pod Autoscaler v1.0.1

Disallows the following scenarios when deploying HorizontalPodAutoscalers:
1. Deploying HorizontalPodAutoscalers with .spec.minReplicas or .spec.maxReplicas outside the ranges defined in the constraint.
2. Deploying HorizontalPodAutoscalers where the difference between .spec.minReplicas and .spec.maxReplicas is less than the configured minimumReplicaSpread.
3. Deploying HorizontalPodAutoscalers that do not reference a valid scaleTargetRef (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet).

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Referential constraint

This constraint is referential. Before you use referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "Deployment"
      OR
      - group: "apps"
        version: "v1"
        kind: "StatefulSet"

Examples

horizontal-pod-autoscaler
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3
Allowed
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Disallowed
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
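The three K8sHorizontalPodAutoscaler rules listed above, as an added example rather than the template's own Rego: a Python check that applies the inclusive range test, the replica-spread test and the referential scaleTargetRef lookup to HPAs constructed to mirror the four examples on this page. The referential data is the nginx-deployment object shown under "Referential Data"; the lookup keys on (kind, namespace, name), with the HPA's own namespace as the target's namespace, which is an assumption of this example.

```python
# Added example: Python stand-in for the template's Rego, not the library's own
# code. HPAs and referential data are constructed to mirror this page's examples.


def hpa_violations(hpa, ranges, minimum_replica_spread=None,
                   enforce_scale_target_ref=False, referential_data=()):
    """Return the violation messages for one HorizontalPodAutoscaler.

    ranges: list of {"min_replicas": int, "max_replicas": int}, inclusive.
    referential_data: the watched objects (what syncOnly makes visible to the
    policy) that a scaleTargetRef may point at.
    """
    spec, meta = hpa["spec"], hpa["metadata"]
    name, namespace = meta["name"], meta.get("namespace", "default")
    lo, hi = spec["minReplicas"], spec["maxReplicas"]
    out = []

    # Rule 1: minReplicas and maxReplicas must each fall inside an allowed range.
    for field, value in (("minReplicas", lo), ("maxReplicas", hi)):
        if not any(r["min_replicas"] <= value <= r["max_replicas"] for r in ranges):
            out.append(f"{name}: {field}={value} is outside the allowed ranges")

    # Rule 2: max - min must be at least minimumReplicaSpread.
    if minimum_replica_spread is not None and hi - lo < minimum_replica_spread:
        out.append(f"{name}: maxReplicas-minReplicas={hi - lo} is below the "
                   f"minimum spread of {minimum_replica_spread}")

    # Rule 3: with enforceScaleTargetRef the target must exist in the HPA's own
    # namespace among the referential data (assumption: key is kind/namespace/name).
    if enforce_scale_target_ref:
        ref = spec["scaleTargetRef"]
        known = {(o["kind"], o["metadata"].get("namespace", "default"), o["metadata"]["name"])
                 for o in referential_data}
        if (ref["kind"], namespace, ref["name"]) not in known:
            out.append(f"{name}: scaleTargetRef {ref['kind']}/{ref['name']} "
                       f"does not exist in namespace {namespace}")
    return out


def hpa(name, min_replicas, max_replicas, target="nginx-deployment"):
    """Constructed sample autoscaling/v2 HPA with only the fields the check reads."""
    return {"apiVersion": "autoscaling/v2", "kind": "HorizontalPodAutoscaler",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"minReplicas": min_replicas, "maxReplicas": max_replicas,
                     "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment",
                                        "name": target}}}


# The Deployment shown as "Referential Data" above, reduced to what the lookup needs.
REFERENTIAL = [{"apiVersion": "apps/v1", "kind": "Deployment",
                "metadata": {"name": "nginx-deployment", "namespace": "default"}}]

# Parameters of the horizontal-pod-autoscaler constraint above.
PARAMS = dict(ranges=[{"min_replicas": 3, "max_replicas": 6}], minimum_replica_spread=1,
              enforce_scale_target_ref=True, referential_data=REFERENTIAL)

ALLOWED = hpa("nginx-hpa-allowed", 3, 6)
BAD_RANGE = hpa("nginx-hpa-disallowed-replicas", 2, 7)
BAD_SPREAD = hpa("nginx-hpa-disallowed-replicaspread", 4, 4)
BAD_TARGET = hpa("nginx-hpa-disallowed-scaletarget", 3, 6, target="nginx-deployment-missing")

if __name__ == "__main__":
    for h in (ALLOWED, BAD_RANGE, BAD_SPREAD, BAD_TARGET):
        print(h["metadata"]["name"], hpa_violations(h, **PARAMS) or "OK")
```

nginx-hpa-disallowed-replicas produces two messages (both minReplicas=2 and maxReplicas=7 lie outside 3..6), while the spread and target examples each produce one; removing nginx-deployment from REFERENTIAL makes every HPA fail rule 3, which is why the syncOnly entry above is required for this constraint to work.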

K8sHttpsOnly

HTTPS Only v1.0.2

Requires Ingress resources to be HTTPS only. Ingress resources must include the kubernetes.io/ingress.allow-http annotation set to false. By default a valid TLS {} configuration is required; this can be made optional by setting the tlsOptional parameter to true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>

Examples

ingress-https-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
ingress-https-only-tls-optional
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sImageDigests

Image Digests v1.0.1

Requires container images to contain a digest. https://kubernetes.io/docs/concepts/containers/images/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

container-image-must-have-digest
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit
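Four templates on this page reason about the image reference string: K8sCronJobAllowedRepos and K8sDisallowedRepos match a prefix, K8sDisallowedTags looks at the tag, and K8sImageDigests (above) looks for a digest. The following is an added example, not the library's own Rego: one image-reference parser shared by Python stand-ins for all four checks, run over Pods and a CronJob constructed to mirror the page's examples and covering containers, initContainers and ephemeralContainers as the disallowed examples do. Two assumptions are made: an image with neither tag nor digest is treated as the implicit latest tag, which is what the opa-disallowed example (image openpolicyagent/opa) implies, and a digest-only reference has no tag for K8sDisallowedTags to check.

```python
# Added example: Python stand-in for the templates' Rego, not the library's own
# code. Workloads are constructed to mirror this page's examples.


def parse_image(ref):
    """Split 'registry/repo:tag@sha256:...' into (name, tag, digest). The tag is
    the text after the last ':' that follows the last '/', so a registry port
    (host:5000/app) is not mistaken for a tag; missing parts are None."""
    name, _, digest = ref.partition("@")
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, _, tag = name.rpartition(":")
    return name, tag, digest or None


def pod_spec(obj):
    """The PodSpec of a Pod, or of the Pod template nested inside a CronJob."""
    if obj.get("kind") == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]


def images(obj):
    """(container name, image) for every container in all three container lists."""
    spec = pod_spec(obj)
    return [(c["name"], c["image"])
            for field in ("containers", "initContainers", "ephemeralContainers")
            for c in spec.get(field, [])]


def exempt(image, patterns):
    """exemptImages: a trailing '*' is a prefix match, otherwise an exact match."""
    return any(image.startswith(p[:-1]) if p.endswith("*") else image == p for p in patterns)


def allowed_repos_violations(obj, repos):
    """K8sCronJobAllowedRepos: every image must start with one of the prefixes."""
    return [f"{n}: {img} is not from an allowed repo" for n, img in images(obj)
            if not any(img.startswith(r) for r in repos)]


def disallowed_repos_violations(obj, repos):
    """K8sDisallowedRepos: no image may start with one of the prefixes."""
    return [f"{n}: {img} is from a disallowed repo" for n, img in images(obj)
            if any(img.startswith(r) for r in repos)]


def disallowed_tags_violations(obj, tags, exempt_images=()):
    """K8sDisallowedTags: untagged and undigested means ':latest' (see lead-in)."""
    out = []
    for n, img in images(obj):
        if exempt(img, exempt_images):
            continue
        _, tag, digest = parse_image(img)
        if tag is None and digest is None:
            tag = "latest"  # assumption grounded in the opa-disallowed example
        if tag in tags:
            out.append(f"{n}: {img} uses disallowed tag {tag}")
    return out


def image_digests_violations(obj, exempt_images=()):
    """K8sImageDigests: every non-exempt image must be pinned by digest."""
    return [f"{n}: {img} has no digest" for n, img in images(obj)
            if not exempt(img, exempt_images) and parse_image(img)[2] is None]


def workload(kind, name, containers, init=(), ephemeral=()):
    """Constructed sample Pod or CronJob with only the fields the checks read."""
    spec = {"containers": [{"name": c, "image": i} for c, i in containers],
            "initContainers": [{"name": c, "image": i} for c, i in init],
            "ephemeralContainers": [{"name": c, "image": i} for c, i in ephemeral]}
    if kind == "CronJob":
        return {"kind": "CronJob", "metadata": {"name": name},
                "spec": {"schedule": "* * * * *",
                         "jobTemplate": {"spec": {"template": {"spec": spec}}}}}
    return {"kind": "Pod", "metadata": {"name": name}, "spec": spec}


CRON_OK = workload("CronJob", "hello", [("hello", "gke.gcr.io/busybox:1.28")])
CRON_BAD = workload("CronJob", "hello", [("hello", "busybox:1.28")])
KUSTOMIZE_OK = workload("Pod", "kustomize-allowed",
                        [("kustomize", "registry.k8s.io/kustomize/kustomize:v3.8.9")])
KUSTOMIZE_BAD = workload("Pod", "kustomize-disallowed",
                         [("kustomize", "registry.k8s.io/kustomize/kustomize:v3.8.9")],
                         init=[("kustomizeinit", "k8s.gcr.io/kustomize/kustomize:v3.8.9")])
TAG_EXEMPT = workload("Pod", "opa-exempt-allowed",
                      [("opa-exp", "openpolicyagent/opa-exp:latest"),
                       ("opa-init", "openpolicyagent/init:v1")])
TAG_BAD = workload("Pod", "opa-disallowed-ephemeral", [("opa", "openpolicyagent/opa:0.9.2")],
                   ephemeral=[("opa", "openpolicyagent/opa:latest")])
TAG_UNTAGGED = workload("Pod", "opa-disallowed", [("opa", "openpolicyagent/opa")])
DIGEST_OK = workload("Pod", "opa-allowed", [("opa", "openpolicyagent/opa:0.9.2@sha256:"
                     "04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a")])
DIGEST_BAD = workload("Pod", "opa-disallowed", [("opa", "openpolicyagent/opa:0.9.2")],
                      init=[("opainit", "openpolicyagent/opa:0.9.2")])
```

The parser is the part worth getting right: a naive split on ':' would read a registry port as a tag and a digest's "sha256:" as a second tag, so the checks above separate the digest first and only then look for a ':' past the last '/'.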

K8sLocalStorageRequireSafeToEvict

Local Storage Requires Safe to Evict v1.0.1

Requires Pods that use local storage (emptyDir or hostPath) to have the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. The cluster autoscaler will not delete Pods that lack this annotation.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

local-storage-require-safe-to-evict
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

Memory Request Equals Limit v1.0.4

Promotes Pod stability by requiring every container's memory request to equal its memory limit, so that a Pod can never be in a state where its memory use exceeds what it requested. Otherwise, when a node runs short of memory, Kubernetes may evict Pods whose usage is above their request.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
      - <string>

Examples

container-must-request-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi
apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

No Environment Variable Secrets v1.0.1

Prohibits exposing Secrets as environment variables in Pod container definitions. Use Secret files mounted from data volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod. Environment variables are inherited by every child process and are routinely captured in crash dumps and diagnostic logs, whereas a mounted file is read only by the code that needs it and can be updated without restarting the container.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

no-secrets-as-env-vars-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

No External Services v1.0.3

Prohibits the creation of known resource types that expose workloads to external IPs. This includes Istio Gateway and Kubernetes Ingress resources. Kubernetes Services are also disallowed unless they meet the following criteria: any Service of type LoadBalancer on Google Cloud must carry the annotation "networking.gke.io/load-balancer-type": "Internal"; any Service of type LoadBalancer on AWS must carry the annotation "service.beta.kubernetes.io/aws-load-balancer-internal": "true"; and any "external IP" (external to the cluster) bound to the Service must fall within one of the internal CIDR ranges supplied to the constraint.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

Examples

no-external
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
Allowed
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-type: Internal
  name: allowed-internal-load-balancer
  namespace: default
spec:
  type: LoadBalancer
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
no-external-aws
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS
Allowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer
Disallowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer
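The script below is an added example, not the template's Rego or any Policy Controller code. It applies the three K8sNoExternalServices criteria to objects held as plain dicts: Ingress and Istio Gateway kinds are denied outright, a LoadBalancer Service must carry the platform's internal-load-balancer annotation, and every externalIP must fall inside internalCIDRs. Two assumptions are labelled in the code: cloudPlatform defaults to GCP when omitted (consistent with the no-external sample, which omits it and accepts the GKE annotation), and the apiGroups used to recognise Ingress and Gateway are the standard networking.k8s.io and networking.istio.io groups. All objects are constructed from the samples above.

```python
"""Offline check mirroring K8sNoExternalServices (added example, not library code)."""
import ipaddress
from typing import Iterable

# Annotation each platform uses to request an internal-only load balancer.
INTERNAL_LB_ANNOTATION = {
    "GCP": ("networking.gke.io/load-balancer-type", "Internal"),
    "AWS": ("service.beta.kubernetes.io/aws-load-balancer-internal", "true"),
}
# Assumption: kinds denied outright, keyed by (apiGroup, kind).
DENIED_KINDS = {("networking.k8s.io", "Ingress"), ("networking.istio.io", "Gateway")}


def _group(obj: dict) -> str:
    api_version = obj.get("apiVersion", "")
    return api_version.split("/")[0] if "/" in api_version else ""


def violations(obj: dict, cloud_platform: str = "GCP", internal_cidrs: Iterable[str] = ()) -> list:
    """Messages for one object. cloud_platform defaults to GCP (assumption, see lead-in)."""
    name = obj.get("metadata", {}).get("name", "?")
    kind = obj.get("kind")
    if (_group(obj), kind) in DENIED_KINDS:
        return [f"{kind} {name}: this resource kind exposes workloads externally"]
    if kind != "Service":
        return []
    spec = obj.get("spec", {})
    annotations = obj.get("metadata", {}).get("annotations") or {}
    cidrs = list(internal_cidrs)
    msgs = []
    if spec.get("type") == "LoadBalancer":
        if cloud_platform not in INTERNAL_LB_ANNOTATION:
            msgs.append(f"Service {name}: unsupported cloudPlatform {cloud_platform!r}")
        else:
            key, want = INTERNAL_LB_ANNOTATION[cloud_platform]
            if annotations.get(key) != want:
                msgs.append(f"Service {name}: LoadBalancer on {cloud_platform} requires {key}: {want}")
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for ip in spec.get("externalIPs", []):
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            msgs.append(f"Service {name}: externalIP {ip} is outside internalCIDRs {cidrs}")
    return msgs


def _svc(name: str, annotations: dict = None, **spec) -> dict:
    """Service builder for the constructed samples below."""
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name, "namespace": "default", "annotations": annotations or {}},
            "spec": spec}


PORTS = [{"port": 8888, "protocol": "TCP", "targetPort": 8888}]
GOOD_SERVICE = _svc("good-service", externalIPs=["10.0.0.1"], ports=PORTS)
BAD_SERVICE = _svc("bad-service", externalIPs=["10.0.0.2"], ports=PORTS)
GKE_INTERNAL_LB = _svc("allowed-internal-load-balancer",
                       {"networking.gke.io/load-balancer-type": "Internal"}, type="LoadBalancer")
AWS_GOOD = _svc("good-aws-service",
                {"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}, type="LoadBalancer")
AWS_BAD = _svc("bad-aws-service",
               {"cloud.google.com/load-balancer-type": "Internal"}, type="LoadBalancer")
INGRESS = {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
           "metadata": {"name": "web"}, "spec": {}}

if __name__ == "__main__":
    for obj in (GOOD_SERVICE, BAD_SERVICE, GKE_INTERNAL_LB):
        print(obj["metadata"]["name"], violations(obj, internal_cidrs=["10.0.0.1/32"]) or "OK")
    for obj in (AWS_GOOD, AWS_BAD, GKE_INTERNAL_LB):
        print(obj["metadata"]["name"], violations(obj, cloud_platform="AWS") or "OK")
    print("ingress", violations(INGRESS))
```

Running it shows why the annotation check is platform-specific: the GKE-annotated Service that passes under the no-external constraint fails under no-external-aws, and the bad-aws-service sample fails because a Google annotation means nothing to the AWS cloud controller, which would provision an internet-facing load balancer.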

K8sPSPAllowPrivilegeEscalationContainer

Allow Privilege Escalation Container v1.0.1

Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation. PodSecurityPolicy itself was removed in Kubernetes v1.25; the K8sPSP* templates enforce the same controls through the Policy Controller admission webhook and do not depend on the PSP API being present.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-allow-privilege-escalation-container-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

Allowed Users v1.0.2

Controls the user and group IDs of the container and of some volumes. Corresponds to the runAsUser, runAsGroup, supplementalGroups and fsGroup fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

Examples

psp-pods-allowed-user-ranges
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

App Armor v1.0.0

Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. For information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/. The examples below select the profile through the container.apparmor.security.beta.kubernetes.io/<container-name> annotation; `unconfined` disables AppArmor for that container, which is why it is the disallowed case.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-apparmor
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPAutomountServiceAccountTokenPod

Automount Service Account Token for Pod v1.0.1

Controls the ability of any Pod to enable automountServiceAccountToken. A mounted token is a bearer credential for the Kubernetes API server with the Pod's service account permissions, so Pods that never call the API should not carry one; a compromised container then has no API credential to steal.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Examples

psp-automount-serviceaccount-token-pod
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

Capabilities v1.0.2

Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

Examples

capabilities-demo
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

FS Group v1.0.2

Controls the assignment of an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

Examples

psp-fsgroup
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol
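K8sPSPAllowedUsers and K8sPSPFSGroup share one evaluation model: a rule (MustRunAs, MayRunAs, RunAsAny, and for runAsUser also MustRunAsNonRoot) applied to an ID or list of IDs against inclusive ranges. The script below is an added example that implements that model offline; it is not the templates' Rego. Semantics the page does not spell out are labelled as assumptions in the code: a container-level securityContext value overrides the Pod-level one (this is how Kubernetes itself resolves runAsUser and runAsGroup), MustRunAs rejects a field that is not set while MayRunAs tolerates it, and MustRunAsNonRoot is satisfied by either runAsNonRoot: true or an explicit non-zero runAsUser. The sample Pods are constructed from the nginx-users and fsgroup samples above.

```python
"""Range-rule evaluation shared by K8sPSPAllowedUsers and K8sPSPFSGroup (added example)."""
from typing import Iterable, Optional

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def in_ranges(value: int, ranges: Iterable[dict]) -> bool:
    """Inclusive check against [{"min": m, "max": M}, ...]."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def rule_violation(field: str, value, rule: str, ranges: list,
                   run_as_non_root: bool = False) -> Optional[str]:
    """Apply one rule to one value (an int, a list of ints for supplementalGroups, or None)."""
    values = value if isinstance(value, list) else ([] if value is None else [value])
    if rule == "RunAsAny":
        return None
    if rule == "MustRunAsNonRoot":
        # Assumption: satisfied by runAsNonRoot: true or an explicit non-zero runAsUser.
        if run_as_non_root or (values and all(v != 0 for v in values)):
            return None
        return f"{field}: MustRunAsNonRoot needs runAsNonRoot: true or a non-zero runAsUser"
    if rule == "MustRunAs" and not values:
        # Assumption: MustRunAs requires the field to be set; MayRunAs tolerates its absence.
        return f"{field}: rule MustRunAs requires an explicit value"
    bad = [v for v in values if not in_ranges(v, ranges)]
    if bad:
        return f"{field}: {bad} outside allowed ranges {ranges}"
    return None


def allowed_users_violations(pod: dict, params: dict) -> list:
    """params mirrors K8sPSPAllowedUsers: {<field>: {"rule": ..., "ranges": [...]}}."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    msgs = []
    # fsGroup and supplementalGroups exist only on the Pod-level securityContext.
    for field in ("fsGroup", "supplementalGroups"):
        if field in params:
            m = rule_violation(field, pod_sc.get(field),
                               params[field]["rule"], params[field].get("ranges", []))
            if m:
                msgs.append(f"pod: {m}")
    # runAsUser/runAsGroup: a container-level value overrides the Pod-level one.
    for list_name in CONTAINER_FIELDS:
        for c in spec.get(list_name, []):
            csc = c.get("securityContext") or {}
            non_root = csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
            for field in ("runAsUser", "runAsGroup"):
                if field in params:
                    m = rule_violation(field, csc.get(field, pod_sc.get(field)),
                                       params[field]["rule"], params[field].get("ranges", []),
                                       non_root)
                    if m:
                        msgs.append(f"{list_name}/{c['name']}: {m}")
    return msgs


def fsgroup_violations(pod: dict, params: dict) -> list:
    """K8sPSPFSGroup takes {rule, ranges} at the top level; same evaluation as fsGroup above."""
    return allowed_users_violations(pod, {"fsGroup": params})


def _nginx_pod(name: str, uid: int) -> dict:
    """Constructed from the nginx-users samples: one ID used for every field."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "nginx", "image": "nginx",
                                     "securityContext": {"runAsUser": uid, "runAsGroup": uid}}],
                     "securityContext": {"fsGroup": uid, "supplementalGroups": [uid]}}}


RANGE_100_200 = {"rule": "MustRunAs", "ranges": [{"min": 100, "max": 200}]}
ALLOWED_USERS_PARAMS = {k: RANGE_100_200
                        for k in ("fsGroup", "runAsGroup", "runAsUser", "supplementalGroups")}
FSGROUP_PARAMS = {"rule": "MayRunAs", "ranges": [{"min": 1, "max": 1000}]}   # psp-fsgroup sample
NGINX_199 = _nginx_pod("nginx-users-allowed", 199)
NGINX_250 = _nginx_pod("nginx-users-disallowed", 250)

if __name__ == "__main__":
    for pod in (NGINX_199, NGINX_250):
        print(pod["metadata"]["name"], allowed_users_violations(pod, ALLOWED_USERS_PARAMS) or "OK")
    print("fsGroup 2000 under MayRunAs 1-1000:", fsgroup_violations(_nginx_pod("x", 2000), FSGROUP_PARAMS))
    print("fsGroup unset under MayRunAs:", fsgroup_violations({"spec": {}}, FSGROUP_PARAMS) or "OK")
```

The difference between MayRunAs and MustRunAs is the one that bites in practice: under the psp-fsgroup sample (MayRunAs) a Pod that sets no fsGroup at all is accepted, so the constraint only bounds values that are present; switching the rule to MustRunAs turns an absent fsGroup into a violation.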

K8sPSPFlexVolumes

FlexVolumes v1.0.1

Controls the allow-list of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers. FlexVolume is deprecated in Kubernetes in favor of CSI drivers, so an empty allow-list is a reasonable default for new clusters.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

Examples

psp-flexvolume-drivers
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

Forbidden Sysctls v1.1.3

Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When allowedSysctls is specified, any sysctl not in it is considered forbidden. The forbiddenSysctls parameter takes precedence over the allowedSysctls parameter, so a sysctl that matches both lists is rejected. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
      - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

Examples

psp-forbidden-sysctls
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"
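The psp-forbidden-sysctls sample combines a wildcard allow-list with a prefix deny-list, and the outcome depends entirely on the precedence rule stated above. The script below is an added example (not the template's Rego) that makes the matching and precedence explicit: `*` matches every sysctl, a trailing `*` is a prefix match, anything else is an exact name, and a forbidden match wins over an allowed one. One assumption is labelled in the code: when allowedSysctls is omitted entirely, only the forbidden list is applied. The Pods are constructed from the two samples above.

```python
"""Matching and precedence of K8sPSPForbiddenSysctls (added example, not library code)."""
from typing import Iterable, Optional


def sysctl_matches(name: str, pattern: str) -> bool:
    """'*' matches everything; a trailing '*' is a prefix match; anything else is exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def sysctl_violations(pod: dict, allowed: Optional[Iterable[str]] = None,
                      forbidden: Iterable[str] = ()) -> list:
    """forbiddenSysctls always wins over allowedSysctls.
    Assumption: allowed=None (parameter omitted) means no allow-list check at all."""
    allowed_list = None if allowed is None else list(allowed)
    forbidden_list = list(forbidden)
    msgs = []
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    for entry in pod_sc.get("sysctls", []):
        name = entry["name"]
        if any(sysctl_matches(name, p) for p in forbidden_list):
            msgs.append(f"sysctl {name} matches forbiddenSysctls")
        elif allowed_list is not None and not any(sysctl_matches(name, p) for p in allowed_list):
            msgs.append(f"sysctl {name} is not in allowedSysctls")
    return msgs


def _sysctl_pod(name: str, *sysctls) -> dict:
    """Constructed from the nginx-forbidden-sysctls samples."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}],
                     "securityContext": {"sysctls": [{"name": n, "value": v} for n, v in sysctls]}}}


SAFE_POD = _sysctl_pod("somaxconn-only", ("net.core.somaxconn", "1024"))
UNSAFE_POD = _sysctl_pod("kernel-msgmax", ("kernel.msgmax", "65536"), ("net.core.somaxconn", "1024"))

if __name__ == "__main__":
    # The page's constraint: allow everything, then carve out kernel.*.
    for pod in (SAFE_POD, UNSAFE_POD):
        print(pod["metadata"]["name"], sysctl_violations(pod, allowed=["*"], forbidden=["kernel.*"]) or "OK")
    # Same Pod, allow-list only: kernel.* passes because nothing forbids it.
    print("allow '*' without forbid:", sysctl_violations(UNSAFE_POD, allowed=["*"]) or "OK")
    # Explicit allow-list without a wildcard rejects anything outside net.*.
    print("allow net.* only:", sysctl_violations(UNSAFE_POD, allowed=["net.*"]))
```

This constraint is evaluated at admission and is independent of the kubelet: net.core.somaxconn is one of the sysctls Kubernetes classifies as safe, whereas kernel.msgmax is unsafe and additionally needs to be enabled on the node through the kubelet's allowed-unsafe-sysctls setting before the Pod could start even if the policy admitted it.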

K8sPSPHostFilesystem

Host Filesystem v1.0.2

Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

Examples

psp-host-filesystem
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
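The following script is an added example, not the template's Rego, showing the two checks allowedHostPaths implies and the edge cases a prefix match has to get right. The prefix is compared segment by segment after path normalisation, as the PodSecurityPolicy documentation describes for allowedHostPaths (`/foo` admits `/foo`, `/foo/` and `/foo/bar` but not `/foobar`, and `/foo/../etc` normalises to `/etc` before comparison). When the matching entries all set readOnly: true, every volumeMount of that volume in any container list must be readOnly. One assumption is labelled in the code: if several entries match and at least one permits writes, the volume may be mounted read-write (the PSP rule). Sample Pods are constructed from the psp-host-filesystem examples above.

```python
"""Offline check of K8sPSPHostFilesystem prefix and readOnly rules (added example, not library code)."""
import posixpath

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def path_matches(prefix: str, path: str) -> bool:
    """Segment-wise prefix match on normalised paths: /foo matches /foo, /foo/ and
    /foo/bar but not /foobar; /foo/../etc becomes /etc and is rejected."""
    a = [s for s in posixpath.normpath(prefix).split("/") if s]
    b = [s for s in posixpath.normpath(path).split("/") if s]
    return b[:len(a)] == a


def host_path_violations(pod: dict, allowed_host_paths: list) -> list:
    """One message per hostPath volume outside every prefix, plus one per mount that
    should be readOnly but is not."""
    spec = pod.get("spec", {})
    msgs = []
    for vol in spec.get("volumes", []):
        if "hostPath" not in vol:
            continue
        path = vol["hostPath"].get("path", "")
        matching = [e for e in allowed_host_paths if path_matches(e["pathPrefix"], path)]
        if not matching:
            msgs.append(f"volume {vol['name']}: hostPath {path} is not under any allowed pathPrefix")
            continue
        # Assumption (PSP semantics): writable if any matching entry permits writes.
        if not all(e.get("readOnly", False) for e in matching):
            continue
        for field in CONTAINER_FIELDS:
            for c in spec.get(field, []):
                for m in c.get("volumeMounts", []):
                    if m.get("name") == vol["name"] and not m.get("readOnly", False):
                        msgs.append(f"{field}/{c['name']}: mount of {vol['name']} at "
                                    f"{m.get('mountPath')} must be readOnly")
    return msgs


def _pod(name: str, host_path: str, read_only: bool = True, field: str = "containers") -> dict:
    """Constructed from the nginx-host-filesystem samples."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {field: [{"name": "nginx", "image": "nginx",
                              "volumeMounts": [{"name": "cache-volume", "mountPath": "/cache",
                                                "readOnly": read_only}]}],
                     "volumes": [{"name": "cache-volume", "hostPath": {"path": host_path}}]}}


ALLOWED_PATHS = [{"pathPrefix": "/foo", "readOnly": True}]   # psp-host-filesystem sample

if __name__ == "__main__":
    cases = [_pod("allowed", "/foo/bar"), _pod("tmp", "/tmp"),
             _pod("tmp-ephemeral", "/tmp", field="ephemeralContainers"),
             _pod("rw-mount", "/foo/bar", read_only=False),
             _pod("sibling", "/foobar"), _pod("traversal", "/foo/../etc")]
    for pod in cases:
        print(pod["metadata"]["name"], host_path_violations(pod, ALLOWED_PATHS) or "OK")
```

The check operates on the declared path only: symlinks on the node that point from under `/foo` to somewhere else are invisible to admission control, which is one reason the PSP documentation warns that hostPath should be restricted to what is strictly needed and mounted read-only.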

K8sPSPHostNamespace

Host Namespace v1.0.1

Disallows sharing of the host PID and IPC namespaces by Pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Examples

psp-host-namespace-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Host Networking Ports v1.0.2

Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

Examples

psp-host-network-ports-sample
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true
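To dry-run a pod manifest against the parameters above before it reaches the admission webhook, the following added Python example (not Policy Controller's own Rego and not part of the original page) re-implements the decision the schema comments describe: hostNetwork is admitted only when the parameter allows it, every hostPort of a regular, init or ephemeral container must fall within [min, max], and exemptImages uses the `*` prefix matching. The defaults used when min or max is unset (0 and 65535) are an assumption, and the sample pods are constructed from the page's examples.

```python
"""Dry-run evaluator for the K8sPSPHostNetworkingPorts decision (added example,
not the project's Rego). Pods are plain dicts, i.e. parsed YAML."""


def image_exempt(image: str, exempt_images) -> bool:
    """exemptImages semantics from the schema comment: an entry ending in `*`
    is a prefix match, any other entry must equal the image string exactly."""
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False


def all_containers(pod: dict) -> list:
    """Regular, init and ephemeral containers are all in scope; the page's
    last disallowed example shows ephemeralContainers being checked."""
    spec = pod.get("spec", {})
    return (spec.get("containers", [])
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def host_networking_violations(pod: dict, params: dict) -> list:
    """Return one message per violation; an empty list means the pod is
    admitted. `params` mirrors the constraint's spec.parameters."""
    msgs = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # The pod may share the host network namespace only when the constraint
    # explicitly allows it.
    if spec.get("hostNetwork", False) and not params.get("hostNetwork", False):
        msgs.append(f"{name}: hostNetwork is not allowed by the constraint")
    lo = params.get("min", 0)        # assumption: defaults when the parameter is unset
    hi = params.get("max", 65535)
    for c in all_containers(pod):
        if image_exempt(c.get("image", ""), params.get("exemptImages", [])):
            continue
        for port in c.get("ports", []):
            host_port = port.get("hostPort")
            if host_port is not None and not lo <= host_port <= hi:
                msgs.append(f"{name}/{c['name']}: hostPort {host_port} "
                            f"outside allowed range [{lo}, {hi}]")
    return msgs


# Constructed inputs mirroring the page's constraint and example pods.
PARAMS = {"hostNetwork": True, "min": 80, "max": 9000}


def _pod(name, key, host_port, host_network):
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {key: [{"image": "nginx", "name": "nginx",
                            "ports": [{"containerPort": host_port, "hostPort": host_port}]}],
                     "hostNetwork": host_network}}


ALLOWED_POD = _pod("nginx-host-networking-ports-allowed", "containers", 80, False)
DISALLOWED_POD = _pod("nginx-host-networking-ports-disallowed", "containers", 9001, True)
DISALLOWED_EPHEMERAL_POD = _pod("nginx-host-networking-ports-disallowed",
                                "ephemeralContainers", 9001, True)

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DISALLOWED_POD, DISALLOWED_EPHEMERAL_POD):
        print(pod["metadata"]["name"], host_networking_violations(pod, PARAMS) or "admitted")
```

Running the script prints "admitted" for the first pod and one range violation for each of the other two; with `hostNetwork: false` in the parameters the disallowed pods would additionally be flagged for sharing the host network namespace, even if their image were exempted.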

K8sPSPPrivilegedContainer

Privileged Container v1.0.1

Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-privileged-container-sample
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

Proc Mount v1.0.3

Controls the procMount types allowed for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

Examples

psp-proc-mount
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

Read Only Root Filesystem v1.0.1

Requires the use of a read-only root filesystem by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-readonlyrootfilesystem
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

SELinux V2 v1.0.3

Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy requiring SELinux configurations. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-selinux-v2
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Seccomp v1.0.1

Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allow all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
      - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-seccomp
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default

Allowed

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
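The schema comments above say the policy translates between the annotation naming scheme (`runtime/default`) and the securityContext naming scheme (`RuntimeDefault`), so a constraint written in one scheme admits pods written in the other. The following added Python example (not Policy Controller's own Rego and not part of the original page) shows that resolution end to end: it locates the effective profile of each container, normalises it to the annotation scheme and checks it against allowedProfiles and allowedLocalhostFiles. Two points are assumptions: a container with no profile set anywhere is treated as a violation unless `*` is in allowedProfiles, and precedence follows Kubernetes (container securityContext, then pod securityContext, then the container annotation, then the pod annotation). The sample pods are constructed from the page's examples plus securityContext-style variants.

```python
"""Seccomp profile resolution in the style of K8sPSPSeccomp (added example,
not the project's Rego)."""

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"
# securityContext scheme -> annotation scheme
SC_TO_ANNOTATION = {"RuntimeDefault": "runtime/default", "Unconfined": "unconfined"}


def canonical(profile):
    """Annotation-style name for a profile given in either scheme, or None."""
    if profile is None:
        return None
    if isinstance(profile, dict):  # securityContext.seccompProfile object
        kind = profile.get("type")
        if kind == "Localhost":
            return "localhost/" + profile.get("localhostProfile", "")
        return SC_TO_ANNOTATION.get(kind, f"unknown/{kind}")
    return profile  # already an annotation-style string


def profile_for_container(pod: dict, container: dict):
    """Effective profile, first match wins (assumed Kubernetes precedence)."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    candidates = [
        (container.get("securityContext") or {}).get("seccompProfile"),
        (pod.get("spec", {}).get("securityContext") or {}).get("seccompProfile"),
        annotations.get(CONTAINER_ANNOTATION_PREFIX + container["name"]),
        annotations.get(POD_ANNOTATION),
    ]
    for candidate in candidates:
        if candidate is not None:
            return canonical(candidate)
    return None


def profile_allowed(profile, params: dict) -> bool:
    allowed = params.get("allowedProfiles", [])
    if "*" in allowed:
        return True
    if profile is None:
        return False  # assumption: an unset profile is not admitted
    # Translate allow-list entries so both schemes compare equal.
    names = {SC_TO_ANNOTATION.get(entry, entry) for entry in allowed}
    if profile in names:
        return True
    if profile.startswith("localhost/"):
        if "localhost/*" in allowed:
            return True
        if "Localhost" in allowed:  # securityContext scheme: files are listed separately
            files = params.get("allowedLocalhostFiles", [])
            return "*" in files or profile[len("localhost/"):] in files
    return False


def seccomp_violations(pod: dict, params: dict) -> list:
    spec = pod.get("spec", {})
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    msgs = []
    for c in containers:
        profile = profile_for_container(pod, c)
        if not profile_allowed(profile, params):
            msgs.append(f"{pod['metadata']['name']}/{c['name']}: "
                        f"seccomp profile {profile!r} is not allowed")
    return msgs


# Constructed inputs: the page's constraint plus pods in both naming schemes.
PARAMS = {"allowedProfiles": ["runtime/default", "docker/default"]}
LOCALHOST_PARAMS = {"allowedProfiles": ["Localhost"],
                    "allowedLocalhostFiles": ["profiles/audit.json"]}


def _pod(name, containers, annotations=None, pod_security_context=None):
    spec = {"containers": containers}
    if pod_security_context:
        spec["securityContext"] = pod_security_context
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "annotations": annotations or {}}, "spec": spec}


NGINX = {"image": "nginx", "name": "nginx"}
ANNOTATION_ALLOWED = _pod("nginx-seccomp-allowed", [NGINX],
                          {CONTAINER_ANNOTATION_PREFIX + "nginx": "runtime/default"})
ANNOTATION_DISALLOWED = _pod("nginx-seccomp-disallowed2", [NGINX], {POD_ANNOTATION: "unconfined"})
SC_POD = _pod("nginx-seccomp-sc", [NGINX],
              pod_security_context={"seccompProfile": {"type": "RuntimeDefault"}})
LOCALHOST_POD = _pod("nginx-seccomp-localhost", [dict(NGINX, securityContext={
    "seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/audit.json"}})])
UNSET_POD = _pod("nginx-seccomp-unset", [NGINX])

if __name__ == "__main__":
    for pod in (ANNOTATION_ALLOWED, ANNOTATION_DISALLOWED, SC_POD, LOCALHOST_POD, UNSET_POD):
        print(pod["metadata"]["name"], seccomp_violations(pod, PARAMS) or "admitted")
```

The securityContext-style pod is admitted by the annotation-style constraint because both sides are normalised before comparison; the Localhost pod is only admitted when its JSON file is listed in allowedLocalhostFiles, which is why the schema calls that field required for `Localhost`.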

K8sPSPVolumeTypes

Volume Types v1.0.2

Restricts mountable volume types to those specified by the user. Corresponds to the volumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

Examples

psp-volume-types
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPSPWindowsHostProcess

Restricts Windows HostProcess containers or pods. v1.0.0

Restricts the execution of Windows HostProcess containers or pods. See https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/ for more information.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-windows-hostprocess
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM

K8sPSSRunAsNonRoot

Requires containers to run as non-root users. v1.0.0

Requires containers to run as non-root users. For more information, see https://kubernetes.io/es/docs/concepts/security/pod-security-standards/.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-runasnonroot
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: restrict-runasnonroot
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
  - image: nginx
    name: nginx-allowed
  securityContext:
    runAsNonRoot: true

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: false

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
  securityContext:
    runAsNonRoot: false

K8sPodDisruptionBudget

Pod Disruption Budget v1.0.3

Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet):
1. Deployment of PodDisruptionBudgets with .spec.maxUnavailable == 0.
2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with the replica subresource.
This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node drains. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "policy"
        version: "v1"
        kind: "PodDisruptionBudget"

Examples

pod-distruption-budget
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController

Allowed

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3

Disallowed

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
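The two rules of this template depend on referential data: to judge a Deployment the policy must see the PodDisruptionBudgets synced by the syncOnly entry above and match their selectors against the Deployment's pod template labels. The following added Python example (not Policy Controller's own Rego and not part of the original page) implements both rules against an in-memory inventory so the allowed and disallowed cases above can be reproduced offline. Assumptions: only `matchLabels` selectors are evaluated (the page's examples use nothing else), a missing `replicas` defaults to 1 as Kubernetes does, and only an integer `minAvailable` is compared (a percentage value is left to the real policy). The sample objects are constructed from the page's examples.

```python
"""Referential PodDisruptionBudget checks in the style of K8sPodDisruptionBudget
(added example, not the project's Rego). Objects are plain dicts, i.e. parsed YAML."""


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every selector label must be present with the
    same value. matchExpressions is not handled (assumption, see lead-in)."""
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())


def pdb_violations(obj: dict, inventory: list) -> list:
    """Evaluate one object. `inventory` plays the role of the synced
    PodDisruptionBudgets that the syncOnly entry makes available."""
    kind, meta, spec = obj["kind"], obj["metadata"], obj["spec"]
    namespace = meta.get("namespace", "default")
    msgs = []
    if kind == "PodDisruptionBudget":
        # Rule 1: maxUnavailable == 0 can never be satisfied during a drain.
        if spec.get("maxUnavailable") == 0:
            msgs.append(f"PodDisruptionBudget {namespace}/{meta['name']}: "
                        "maxUnavailable must not be 0")
        return msgs
    # Rule 2: a workload whose replica count equals the minAvailable of a PDB
    # selecting its pods cannot lose a single pod voluntarily.
    replicas = spec.get("replicas", 1)
    pod_labels = spec["template"]["metadata"].get("labels", {})
    for pdb in inventory:
        if pdb.get("kind") != "PodDisruptionBudget":
            continue
        if pdb["metadata"].get("namespace", "default") != namespace:
            continue
        if not selector_matches(pdb["spec"].get("selector", {}), pod_labels):
            continue
        min_available = pdb["spec"].get("minAvailable")
        if isinstance(min_available, int) and min_available == replicas:
            msgs.append(f"{kind} {namespace}/{meta['name']}: replicas ({replicas}) equals "
                        f"minAvailable of PodDisruptionBudget {pdb['metadata']['name']}")
    return msgs


# Constructed inputs mirroring the page's examples.
def _deployment(name, replicas, labels):
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"replicas": replicas, "selector": {"matchLabels": labels},
                     "template": {"metadata": {"labels": labels},
                                  "spec": {"containers": [{"image": "nginx:1.14.2", "name": "nginx"}]}}}}


def _pdb(name, selector, **budget):
    return {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
            "metadata": {"name": name, "namespace": "default"},
            "spec": dict(budget, selector={"matchLabels": selector})}


DEPLOYMENT_ALLOWED_1 = _deployment("nginx-deployment-allowed-1", 3,
                                   {"app": "nginx", "example": "allowed-deployment-1"})
DEPLOYMENT_ALLOWED_4 = _deployment("nginx-deployment-allowed-4", 1,
                                   {"app": "non-matching-nginx", "example": "allowed-deployment-4"})
DEPLOYMENT_DISALLOWED = _deployment("nginx-deployment-disallowed", 3,
                                    {"app": "nginx", "example": "disallowed-deployment"})
PDB_ALLOWED = _pdb("nginx-pdb-allowed", {"foo": "bar"}, maxUnavailable=1)
PDB_DISALLOWED = _pdb("nginx-pdb-disallowed", {"foo": "bar"}, maxUnavailable=0)
INVENTORY = [  # referential data
    _pdb("inventory-nginx-pdb-allowed-1", {"app": "nginx", "example": "allowed-deployment-1"}, minAvailable=2),
    _pdb("inventory-nginx-pdb-disallowed", {"app": "nginx", "example": "disallowed-deployment"}, minAvailable=3),
    _pdb("inventory-mongo-pdb-allowed-3", {"app": "mongo", "example": "non-matching-deployment-3"}, minAvailable=2),
]

if __name__ == "__main__":
    for obj in (PDB_ALLOWED, PDB_DISALLOWED, DEPLOYMENT_ALLOWED_1, DEPLOYMENT_ALLOWED_4, DEPLOYMENT_DISALLOWED):
        print(obj["metadata"]["name"], pdb_violations(obj, INVENTORY) or "admitted")
```

Note that the inventory PDB `inventory-nginx-pdb-disallowed` does not affect `nginx-deployment-allowed-1`: its selector requires `example: disallowed-deployment`, which that Deployment's pods do not carry, so the replica comparison is never reached.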

K8sPodResourcesBestPractices

Requires containers to not be best-effort and to follow burstable best practices v1.0.5

Requires containers to not be best-effort (by setting CPU and memory requests) and to follow burstable best practices (the memory request must be exactly equal to the limit). Optionally, annotation keys can be configured to allow skipping the individual validations.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>

Examples

gke-pod-resources-best-practices
Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi

K8sPodsRequireSecurityContext

Pods Require Security Context v1.1.1

Requires all Pods to define a securityContext. Requires all containers defined in Pods to have a SecurityContext defined either at the Pod level or at the container level.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>

Examples

pods-require-security-context-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Prohibit Role Wildcard Access v1.0.5

Requires Roles and ClusterRoles not to set resource access to a wildcard "*", except for the exempt Roles and ClusterRoles provided as exemptions. Does not restrict wildcard access to subresources such as "*/status".

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set resource access to a wildcard.
    exemptions:
      clusterRoles:
        - # name <string>: The name of the ClusterRole to be exempted.
          name: <string>
          # regexMatch <boolean>: The flag to allow a regular expression
          # based match on the name.
          regexMatch: <boolean>
      roles:
        - # name <string>: The name of the Role to be exempted.
          name: <string>
          # namespace <string>: The namespace of the Role to be exempted.
          namespace: <string>

Examples

prohibit-role-wildcard-access-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

prohibit-wildcard-except-exempted-cluster-role

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

K8sReplicaLimits

Replica Limits v1.0.2

Requires objects with the spec.replicas field (Deployments, ReplicaSets, etc.) to specify a number of replicas within the defined ranges.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas. Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas. Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Examples

replica-limits

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3

Allowed

apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Disallowed

apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireAdmissionController

Require Admission Controller v1.0.0

Requires Pod Security Admission or an external policy control system.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks which are valid external policy control systems
    permittedValidatingWebhooks:
      - <string>

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Examples

require-admission-controller

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: require-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Allowed

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.28
  name: allowed-namespace

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequireBinAuthZ

Require Binary Authorization v1.0.2

Requires the Binary Authorization validating admission webhook. Constraints that use this ConstraintTemplate are audit-only, regardless of the value of enforcementAction.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Examples

require-binauthz

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: default

K8sRequireCosNodeImage

Require COS Node Image v1.1.1

Enforces the use of Google's Container-Optimized OS on nodes.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
      - <string>

Examples

nodes-have-consistent-time

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*

Allowed

apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google

apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian

apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS

Disallowed

apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0

K8sRequireDaemonsets

Require Daemonsets v1.1.2

Requires the specified list of DaemonSets to be present.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
      - # name <string>: The name of the required daemonset.
        name: <string>
        # namespace <string>: The namespace for the required daemonset.
        namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "DaemonSet"
      OR
      - group: "apps"
        version: "v1beta2" OR "v1"
        kind: "DaemonSet"

Examples

require-daemonset

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"

K8sRequireDefaultDenyEgressPolicy

Require Default Deny Egress Policy v1.0.3

Requires every namespace defined in the cluster to have a default-deny NetworkPolicy for egress.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Examples

require-default-deny-network-policies

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
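
The referential check the examples above illustrate, written out as an added Python example (this is not the template's own Rego): it takes the watched Namespaces and NetworkPolicies as an inventory and reports namespaces lacking a default-deny egress policy. The qualifying criteria (empty podSelector, Egress in policyTypes, no egress rules) are an assumption consistent with the page's Allowed manifest; the inventory dicts are constructed from the manifests above, plus a constructed allow-dns policy to show why a policy that permits some egress does not count.

```python
"""Default-deny egress coverage check (added example, not Policy Controller code)."""


def selects_all_pods(pod_selector):
    """An empty podSelector ({} or absent) selects every pod in the namespace."""
    if not pod_selector:
        return True
    return not pod_selector.get("matchLabels") and not pod_selector.get("matchExpressions")


def is_default_deny_egress(policy):
    """Assumed criteria for 'default deny for egress' (mirrors the page's example):
    the policy selects all pods, declares Egress in policyTypes, and carries no
    egress rules, so nothing leaving the namespace's pods is allowed."""
    spec = policy.get("spec") or {}
    return (
        selects_all_pods(spec.get("podSelector"))
        and "Egress" in (spec.get("policyTypes") or [])
        and not spec.get("egress")
    )


def namespaces_without_default_deny_egress(namespaces, network_policies):
    """Return, sorted, the names of namespaces with no qualifying NetworkPolicy.
    A policy only covers the namespace it lives in, which is why the page's
    example-namespace2 is disallowed even though a default-deny policy exists."""
    covered = {
        p["metadata"]["namespace"]
        for p in network_policies
        if is_default_deny_egress(p)
    }
    return sorted(
        ns["metadata"]["name"]
        for ns in namespaces
        if ns["metadata"]["name"] not in covered
    )


# Constructed inventory mirroring the Allowed/Disallowed manifests on this page.
NAMESPACES = [
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "example-namespace"}},
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "example-namespace2"}},
]

DEFAULT_DENY_EGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-egress", "namespace": "example-namespace"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
}

# Constructed, not on the page: selects all pods and has Egress in policyTypes,
# but its egress rule allows DNS, so it is not a default deny and must not count.
ALLOW_DNS_EGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-dns", "namespace": "example-namespace2"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{"ports": [{"port": 53, "protocol": "UDP"}]}],
    },
}

NETWORK_POLICIES = [DEFAULT_DENY_EGRESS, ALLOW_DNS_EGRESS]


if __name__ == "__main__":
    for name in namespaces_without_default_deny_egress(NAMESPACES, NETWORK_POLICIES):
        print(f"violation: namespace {name} has no default-deny egress NetworkPolicy")
```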

K8sRequireNamespaceNetworkPolicies

Require Namespace Network Policies v1.0.6

Requires every namespace defined in the cluster to have a NetworkPolicy.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Examples

require-namespace-network-policies-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example

K8sRequireValidRangesForNetworks

Require Valid Ranges for Networks v1.0.2

Enforces the allowed CIDR blocks for network ingress and egress.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
      - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
      - <string>

Examples

require-valid-network-ranges

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24

Allowed

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

Disallowed

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
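
To see why the first NetworkPolicy above passes and the second fails, here is the CIDR containment check as an added Python example (not the template's own Rego), run over dicts constructed from the two manifests. It assumes, consistent with the examples, that every ipBlock under egress "to" must lie within allowedEgress and every ipBlock under ingress "from" within allowedIngress, while selector-based peers are not checked; the parameters are those of require-valid-network-ranges.

```python
"""CIDR range check for NetworkPolicy ipBlocks (added example, not Policy Controller code)."""
import ipaddress

# Constraint parameters copied from the require-valid-network-ranges constraint above.
PARAMETERS = {"allowedEgress": ["10.0.0.0/32"], "allowedIngress": ["10.0.0.0/24"]}


def ip_blocks(rules, peer_key):
    """Yield each ipBlock CIDR under spec.egress[].to or spec.ingress[].from."""
    for rule in rules or []:
        for peer in rule.get(peer_key) or []:
            block = peer.get("ipBlock")
            if block and "cidr" in block:
                yield block["cidr"]


def within_allowed(cidr, allowed):
    """True when cidr lies entirely inside at least one allowed range.
    strict=False accepts host-style CIDRs such as 10.0.0.100/29 (seen in the
    Allowed manifest) by normalizing them to their network address."""
    net = ipaddress.ip_network(cidr, strict=False)
    for entry in allowed:
        allowed_net = ipaddress.ip_network(entry, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def check_network_policy(policy, params=PARAMETERS):
    """Return violation messages; an empty list means the policy is allowed."""
    spec = policy.get("spec") or {}
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    violations = []
    for rule_key, peer_key, param in (("egress", "to", "allowedEgress"),
                                      ("ingress", "from", "allowedIngress")):
        allowed = params.get(param, [])
        for cidr in ip_blocks(spec.get(rule_key), peer_key):
            if not within_allowed(cidr, allowed):
                violations.append(f"{name}: {rule_key} ipBlock {cidr} is outside {param} {allowed}")
    return violations


# Constructed dicts mirroring the Allowed and Disallowed manifests above
# (selector-based peers kept to show that they are skipped).
ALLOWED_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "test-network-policy", "namespace": "default"},
    "spec": {
        "egress": [{"ports": [{"port": 5978, "protocol": "TCP"}],
                    "to": [{"ipBlock": {"cidr": "10.0.0.0/32"}}]}],
        "ingress": [{"from": [{"ipBlock": {"cidr": "10.0.0.0/29"}},
                              {"ipBlock": {"cidr": "10.0.0.100/29"}},
                              {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                              {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                     "ports": [{"port": 6379, "protocol": "TCP"}]}],
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
    },
}

DISALLOWED_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "test-network-policy-disallowed", "namespace": "default"},
    "spec": {
        "egress": [{"ports": [{"port": 5978, "protocol": "TCP"}],
                    "to": [{"ipBlock": {"cidr": "1.1.2.0/31"}}]}],
        "ingress": [{"from": [{"ipBlock": {"cidr": "1.1.2.0/24"}},
                              {"ipBlock": {"cidr": "2.1.2.0/24"}},
                              {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                              {"podSelector": {"matchLabels": {"role": "frontend"}}}],
                     "ports": [{"port": 6379, "protocol": "TCP"}]}],
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
    },
}


if __name__ == "__main__":
    for policy in (ALLOWED_POLICY, DISALLOWED_POLICY):
        for message in check_network_policy(policy) or [f"{policy['metadata']['name']}: allowed"]:
            print(message)
```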

K8sRequiredAnnotations

Required Annotations v1.0.1

Requires resources to contain the specified annotations, with values matching the provided regular expressions.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required annotation.
        key: <string>
    message: <string>

Examples

all-must-have-certain-set-of-annotations

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.

Allowed

apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: [email protected]
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

Disallowed

apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

Required Labels v1.0.1

Requires resources to contain the specified labels, with values matching the provided regular expressions.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required label.
        key: <string>
    message: <string>

Examples

all-must-have-owner

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username

Allowed

apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Required Probes v1.0.1

Requires Pods to have readiness or liveness probes.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
      - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
      - <string>

Examples

must-have-probes

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

Recursos requeridos de K8s

Required Resources v1.0.1

Requiere que los contenedores tengan recursos definidos. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredResources metadata:   name: example spec:   # match <object>: lets you configure which resources are in scope for this   # constraint. For more information, see the Policy Controller Constraint   # match documentation:   # https://cloud.google.com/anthos-config-management/docs/reference/match   match:     [match schema]   parameters:     # exemptImages <array>: Any container that uses an image that matches an     # entry in this list will be excluded from enforcement. Prefix-matching can     # be signified with `*`. For example: `my-image-*`. It is recommended that     # users use the fully-qualified Docker image name (e.g. start with a domain     # name) in order to avoid unexpectedly exempting images from an untrusted     # repository.     exemptImages:       - <string>     # limits <array>: A list of limits that should be enforced (`cpu`,     # `memory`, or both).     limits:       # Allowed Values: cpu, memory       - <string>     # requests <array>: A list of requests that should be enforced (`cpu`,     # `memory`, or both).     requests:       # Allowed Values: cpu, memory       - <string> 

Ejemplos

container-must-have-limits-and-requests

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
container-must-have-cpu-requests-memory-limits-and-requests

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}
no-enforcements

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: no-enforcements
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}
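The three constraints above differ only in their `limits` and `requests` lists. The following Python is an added illustration, not the template's Rego: it re-implements the check over Pod manifests held as dicts, including the `*` prefix matching of `exemptImages` described in the schema, and runs it against constructed Pods shaped like the opa-allowed/opa-disallowed examples. It assumes only spec.containers is inspected.

```python
"""Local pre-check that mirrors the K8sRequiredResources constraint (added
illustration, not the template's own Rego). Assumed semantics, taken from the
schema comments: every container must set each name listed under `limits` and
`requests`; a container is skipped when its image equals an `exemptImages`
entry or matches an entry ending in `*` by prefix. Only spec.containers is
inspected here (init containers are left out of this illustration)."""


def image_exempt(image, exempt_images):
    """True if `image` matches one exemptImages entry (exact, or `prefix*`)."""
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False


def required_resources_violations(pod, parameters):
    """Return one message per missing setting; an empty list means compliant."""
    exempt = parameters.get("exemptImages", [])
    wanted = (("limits", parameters.get("limits", [])),
              ("requests", parameters.get("requests", [])))
    violations = []
    for container in pod.get("spec", {}).get("containers", []):
        if image_exempt(container.get("image", ""), exempt):
            continue
        resources = container.get("resources") or {}
        for field, names in wanted:
            present = resources.get(field) or {}
            for name in names:
                if name not in present:
                    violations.append(
                        f"container <{container.get('name')}> has no {field}.{name}")
    return violations


def opa_pod(name, resources):
    """Constructed sample Pod in the shape of the page's opa-* examples."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "labels": {"owner": "me.agilebank.demo"}},
        "spec": {"containers": [{
            "name": "opa",
            "image": "openpolicyagent/opa:0.9.2",
            "args": ["run", "--server", "--addr=localhost:8080"],
            "resources": resources,
        }]},
    }


# Constructed Pods mirroring the Allowed/Disallowed manifests above.
POD_FULL = opa_pod("opa-allowed", {"limits": {"cpu": "100m", "memory": "1Gi"},
                                   "requests": {"cpu": "100m", "memory": "1Gi"}})
POD_REQUESTS_ONLY = opa_pod("opa-disallowed",
                            {"requests": {"cpu": "100m", "memory": "2Gi"}})
POD_MEM_LIMIT_CPU_REQUEST = opa_pod("opa-disallowed",
                                    {"limits": {"memory": "2Gi"},
                                     "requests": {"cpu": "100m"}})
POD_EMPTY = opa_pod("opa-disallowed", {})

# The parameters blocks of the three sample constraints.
LIMITS_AND_REQUESTS = {"limits": ["cpu", "memory"], "requests": ["cpu", "memory"]}
CPU_REQUESTS_MEMORY_BOTH = {"limits": ["memory"], "requests": ["cpu", "memory"]}
NO_ENFORCEMENTS = {}

if __name__ == "__main__":
    for params in (LIMITS_AND_REQUESTS, CPU_REQUESTS_MEMORY_BOTH, NO_ENFORCEMENTS):
        for pod in (POD_FULL, POD_REQUESTS_ONLY, POD_MEM_LIMIT_CPU_REQUEST, POD_EMPTY):
            print(params, pod["metadata"]["name"],
                  required_resources_violations(pod, params) or "ok")
```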

K8sRestrictAdmissionController

Restrict Admission Controller v1.0.0

Restricts dynamic admission controllers to the permitted ones.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedMutatingWebhooks <array>: List of permitted mutating webhooks
    # (mutating admission controllers)
    permittedMutatingWebhooks:
      - <string>
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks (validating admission controllers)
    permittedValidatingWebhooks:
      - <string>

Examples

restrict-admission-controller

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: restrict-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
  parameters:
    permittedMutatingWebhooks:
    - allowed-mutating-webhook
    permittedValidatingWebhooks:
    - allowed-validating-webhook

Allowed

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: allowed-validating-webhook

Disallowed

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: disallowed-validating-webhook

K8sRestrictAutomountServiceAccountTokens

Restrict Service Account Tokens v1.0.1

Restricts the use of service account tokens.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-serviceaccounttokens

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount

K8sRestrictLabels

Restrict Labels v1.0.2

Disallows resources from carrying the specified labels, unless an exception exists for that specific resource.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

Examples

restrict-label-example

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

Restrict Namespaces v1.0.1

Restricts resources from using the namespaces listed in the restrictedNamespaces parameter.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

Examples

restrict-default-namespace-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNfsUrls

Restrict NFS URLs v1.0.1

Disallows resources from containing NFS URLs, unless otherwise specified.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
      - <string>

Examples

restrict-label-example

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

K8sRestrictRbacSubjects

Restrict RBAC Subjects v1.0.3

Restricts the names used in RBAC subjects to the permitted values.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
      - # name <string>: The exact-name or the pattern of the allowed subject
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>

Examples

restrict-rbac-subjects

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^[email protected]$
      regexMatch: true
    - name: ^[email protected]$
      regexMatch: true

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

K8sRestrictRoleBindings

Restrict Role Bindings v1.0.3

Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject which is matched exactly as
        # provided as well as based on a regular expression.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

Examples

restrict-clusteradmin-rolebindings-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

restrict-clusteradmin-rolebindings-regex

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
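K8sRestrictRbacSubjects (above) and K8sRestrictRoleBindings share the same exact-or-regex name matching; the following Python, an added illustration rather than either template's Rego, implements both checks over bindings held as dicts and runs them against constructed bindings shaped like the examples. It assumes the semantics described in the schema comments, an unanchored regex search as in Rego (the patterns carry their own `^`/`$`), and reuses the regex form from the restrict-clusteradmin-rolebindings-regex sample.

```python
"""Local pre-check mirroring K8sRestrictRbacSubjects and K8sRestrictRoleBindings
(added illustration, not the templates' own Rego). Assumed semantics, taken from
the schema comments: an allowedSubjects entry matches a subject by exact name,
or by regular expression when regexMatch is true (unanchored search, so the
page's patterns carry their own ^ and $). K8sRestrictRoleBindings only looks at
bindings whose roleRef equals restrictedRole and then also requires the
subject's apiGroup and kind to match the entry."""
import re


def name_allowed(name, entry):
    """Exact or regex match of a subject name against one allowedSubjects entry."""
    if entry.get("regexMatch"):
        return re.search(entry["name"], name) is not None
    return name == entry["name"]


def rbac_subject_violations(binding, parameters):
    """K8sRestrictRbacSubjects: every subject name must match an allowed entry."""
    allowed = parameters.get("allowedSubjects", [])
    return [f"subject {s.get('kind')} <{s.get('name')}> is not an allowed name"
            for s in binding.get("subjects", [])
            if not any(name_allowed(s.get("name", ""), e) for e in allowed)]


def role_binding_violations(binding, parameters):
    """K8sRestrictRoleBindings: subjects bound to restrictedRole must be allowed."""
    restricted = parameters["restrictedRole"]
    ref = binding.get("roleRef", {})
    if any(ref.get(k) != restricted.get(k) for k in ("apiGroup", "kind", "name")):
        return []  # binds some other role: out of scope for this constraint
    allowed = parameters.get("allowedSubjects", [])
    violations = []
    for s in binding.get("subjects", []):
        ok = any(s.get("apiGroup", "") == e.get("apiGroup", "")
                 and s.get("kind") == e.get("kind")
                 and name_allowed(s.get("name", ""), e)
                 for e in allowed)
        if not ok:
            violations.append(f"subject {s.get('kind')} <{s.get('name')}> "
                              f"may not bind {restricted['kind']} {restricted['name']}")
    return violations


def cluster_role_binding(name, role, *subjects):
    """Constructed ClusterRoleBinding; subjects are (kind, name) pairs."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": kind, "name": subject} for kind, subject in subjects],
    }


CLUSTER_ADMIN = {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"}

# Parameters of the two sample K8sRestrictRoleBindings constraints above.
MASTERS_ONLY = {
    "restrictedRole": CLUSTER_ADMIN,
    "allowedSubjects": [{"apiGroup": "rbac.authorization.k8s.io",
                         "kind": "Group", "name": "system:masters"}],
}
# Assumed regex form, anchored on the allowed name shown in the regex sample.
SERVICE_ACCOUNT_REGEX = {
    "restrictedRole": CLUSTER_ADMIN,
    "allowedSubjects": [{
        "apiGroup": "rbac.authorization.k8s.io", "kind": "User",
        "name": r"^service-[0-9]+@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com$",
        "regexMatch": True}],
}
# Parameters in the shape of the K8sRestrictRbacSubjects sample (names only).
SUBJECT_NAMES = {"allowedSubjects": [
    {"name": "system:masters"},
    {"name": r"^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$", "regexMatch": True}]}

# Constructed bindings mirroring the Allowed/Disallowed manifests above.
GOOD_MASTERS = cluster_role_binding("good-clusterrolebinding", "cluster-admin",
                                    ("Group", "system:masters"))
BAD_UNAUTHENTICATED = cluster_role_binding("bad-clusterrolebinding", "cluster-admin",
                                           ("Group", "system:unauthenticated"))
GOOD_SERVICE = cluster_role_binding(
    "good-clusterrolebinding", "cluster-admin",
    ("User", "service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"))
BAD_SERVICE = cluster_role_binding(
    "bad-clusterrolebinding", "cluster-admin",
    ("User", "someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"))
```

Note that BAD_SERVICE passes the name-only K8sRestrictRbacSubjects check (its domain matches the broad pattern) but fails the cluster-admin binding check, which is why the two templates are complementary.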

K8sRestrictRoleRules

Restrict Role and ClusterRole Rules v1.0.4

Restricts the rules that can be set on Role and ClusterRole objects.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be allowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be disallowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
        - # name <string>: Name is the name or a pattern of the ClusterRole
          # to be exempted.
          name: <string>
          # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
          # regex match of the ClusterRole name.
          regexMatch: <boolean>
      roles:
        - # name <string>: Name is the name of the Role to be exempted.
          name: <string>
          # namespace <string>: Namespace is the namespace of the Role to be
          # exempted.
          namespace: <string>

Examples

restrict-pods-exec

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'
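The disallowed ClusterRole above is caught even though it never spells out `create`, because `'*'` grants every verb. The following Python, an added illustration rather than the template's Rego, implements the wildcard semantics the schema comments describe for disallowedRules, allowedRules and exemptions, and runs them over constructed Role/ClusterRole objects shaped like the examples.

```python
"""Local pre-check mirroring K8sRestrictRoleRules (added illustration, not the
template's own Rego). Assumed semantics, taken from the schema comments: a Role
rule violates a disallowedRules entry when, in each of apiGroups, resources and
verbs, it grants at least one of the entry's values ("*" in the rule grants
everything, "*" in the entry means any value); when allowedRules is set, every
rule must be fully covered by some entry in all three dimensions; exempt
ClusterRoles are matched by name or regex, exempt Roles by name and namespace."""
import re

DIMENSIONS = ("apiGroups", "resources", "verbs")


def grants_any(rule_values, wanted_values):
    """Does a rule list (possibly containing "*") grant any of wanted_values?"""
    if not rule_values or not wanted_values:
        return False
    if "*" in wanted_values or "*" in rule_values:
        return True
    return any(v in rule_values for v in wanted_values)


def covered_by(rule_values, allowed_values):
    """Is every value of a rule list inside allowed_values ("*" allows all)?"""
    return "*" in allowed_values or all(v in allowed_values for v in rule_values)


def is_exempt(role, exemptions):
    """exemptions.clusterRoles match by name/regex; exemptions.roles by name+namespace."""
    name = role["metadata"]["name"]
    if role["kind"] == "ClusterRole":
        return any(re.search(e["name"], name) if e.get("regexMatch") else e["name"] == name
                   for e in exemptions.get("clusterRoles", []))
    namespace = role["metadata"].get("namespace", "")
    return any(e["name"] == name and e.get("namespace") == namespace
               for e in exemptions.get("roles", []))


def role_rule_violations(role, parameters):
    """Return one message per offending rule; an empty list means compliant."""
    if is_exempt(role, parameters.get("exemptions", {})):
        return []
    allowed = parameters.get("allowedRules")
    disallowed = parameters.get("disallowedRules", [])
    violations = []
    for index, rule in enumerate(role.get("rules", [])):
        for entry in disallowed:
            if all(grants_any(rule.get(d, []), entry.get(d, [])) for d in DIMENSIONS):
                violations.append(f"rule {index} grants disallowed {entry}")
                break
        if allowed is not None and not any(
                all(covered_by(rule.get(d, []), entry.get(d, [])) for d in DIMENSIONS)
                for entry in allowed):
            violations.append(f"rule {index} is not covered by allowedRules")
    return violations


def role(kind, name, rules, namespace=None):
    """Constructed Role/ClusterRole; rules are (apiGroups, resources, verbs) tuples."""
    metadata = {"name": name}
    if namespace is not None:
        metadata["namespace"] = namespace
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": metadata,
            "rules": [{"apiGroups": g, "resources": r, "verbs": v} for g, r, v in rules]}


# Parameters of the restrict-pods-exec constraint above.
RESTRICT_PODS_EXEC = {"disallowedRules": [
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}

# Constructed objects mirroring the Allowed/Disallowed manifests above.
ALLOWED_ROLE = role("Role", "allowed-role-example",
                    [([""], ["pods"], ["get", "list", "watch"])])
DISALLOWED_CLUSTER_ROLE = role("ClusterRole", "disallowed-cluster-role-example",
                               [([""], ["pods/exec"], ["*"])])

if __name__ == "__main__":
    for obj in (ALLOWED_ROLE, DISALLOWED_CLUSTER_ROLE):
        print(obj["metadata"]["name"],
              role_rule_violations(obj, RESTRICT_PODS_EXEC) or "ok")
```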

K8sStorageClass

Storage Class v1.1.2

Requires storage classes to be specified when used. Only Gatekeeper 3.9 and later, and non-ephemeral containers, are supported.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedStorageClasses <array>: An optional allow-list of storage classes.
    # If specified, any storage class not in the `allowedStorageClasses`
    # parameter is disallowed.
    allowedStorageClasses:
      - <string>
    includeStorageClassesInMessage: <boolean>

Referential constraint

This constraint is referential. Before using referential constraints, you must enable them and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "storage.k8s.io"
        version: "v1"
        kind: "StorageClass"

Examples

storageclass

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true

Allowed

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

Disallowed

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi

allowed-storageclass

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true

Allowed

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

Disallowed

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo
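Because K8sStorageClass is referential, the verdict depends on which StorageClass objects Policy Controller has synced, not only on the object under review. The following Python is an added illustration, not the template's Rego: it evaluates a PersistentVolumeClaim or StatefulSet against a constructed set of synced StorageClass objects, with and without `allowedStorageClasses`, mirroring the storageclass and allowed-storageclass examples. Its semantics are assumptions drawn from the schema comments and the examples.

```python
"""Referential pre-check mirroring K8sStorageClass (added illustration, not the
template's own Rego). Assumed semantics: the StorageClass objects synced through
the syncOnly entry above are the classes that exist; a PersistentVolumeClaim,
and every volumeClaimTemplate of a StatefulSet, must name one of them; when
allowedStorageClasses is set the class must also be on that list; with
includeStorageClassesInMessage the known classes are appended to each message."""


def claims(obj):
    """Yield (label, storageClassName) for each claim the object carries."""
    if obj["kind"] == "PersistentVolumeClaim":
        yield obj["metadata"]["name"], obj.get("spec", {}).get("storageClassName")
    elif obj["kind"] == "StatefulSet":
        for template in obj.get("spec", {}).get("volumeClaimTemplates", []):
            yield (f"{obj['metadata']['name']}/{template['metadata']['name']}",
                   template.get("spec", {}).get("storageClassName"))


def storage_class_violations(obj, parameters, referential):
    """referential: the StorageClass objects Policy Controller has synced."""
    known = {sc["metadata"]["name"] for sc in referential
             if sc.get("kind") == "StorageClass"}
    allowed = parameters.get("allowedStorageClasses")
    suffix = (f" (known storage classes: {sorted(known)})"
              if parameters.get("includeStorageClassesInMessage") else "")
    violations = []
    for label, name in claims(obj):
        if not name:
            violations.append(f"{label}: storageClassName is not set{suffix}")
        elif name not in known:
            violations.append(f"{label}: storage class <{name}> does not exist{suffix}")
        elif allowed is not None and name not in allowed:
            violations.append(
                f"{label}: storage class <{name}> is not in allowedStorageClasses{suffix}")
    return violations


def storage_class(name):
    """Constructed StorageClass, in the shape of the page's `# Referential Data`."""
    return {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
            "metadata": {"name": name}, "provisioner": "foo",
            "allowVolumeExpansion": True}


def pvc(name, storage_class_name=None):
    """Constructed PersistentVolumeClaim; omit the class to model `nostorageclass`."""
    spec = {"accessModes": ["ReadWriteOnce"], "volumeMode": "Filesystem",
            "resources": {"requests": {"storage": "8Gi"}}}
    if storage_class_name is not None:
        spec["storageClassName"] = storage_class_name
    return {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
            "metadata": {"name": name}, "spec": spec}


def stateful_set(name, storage_class_name=None):
    """Constructed StatefulSet with one volumeClaimTemplate named `data`."""
    template_spec = {"accessModes": ["ReadWriteOnce"],
                     "resources": {"requests": {"storage": "1Gi"}}}
    if storage_class_name is not None:
        template_spec["storageClassName"] = storage_class_name
    return {"apiVersion": "apps/v1", "kind": "StatefulSet",
            "metadata": {"name": name},
            "spec": {"replicas": 1, "serviceName": name,
                     "volumeClaimTemplates": [{"metadata": {"name": "data"},
                                               "spec": template_spec}]}}


# Parameters of the two sample constraints and constructed referential data.
MUST_EXIST = {"includeStorageClassesInMessage": True}
ALLOW_LIST = {"allowedStorageClasses": ["allowed-storage-class"],
              "includeStorageClassesInMessage": True}
CLUSTER = [storage_class("somestorageclass"), storage_class("allowed-storage-class")]

if __name__ == "__main__":
    for obj in (pvc("ok", "somestorageclass"), pvc("badstorageclass", "badstorageclass"),
                pvc("nostorageclass"), stateful_set("novolumeclaimstorageclass")):
        print(obj["metadata"]["name"],
              storage_class_violations(obj, MUST_EXIST, CLUSTER) or "ok")
```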

K8sUniqueIngressHost

Unique Ingress Host v1.0.4

Requiere que todos los hosts de reglas de entrada sean únicos. No admite comodines de nombres de host: https://kubernetes.io/docs/concepts/services-networking/ingress/

Esquema de restricciones

apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sUniqueIngressHost metadata:   name: example spec:   # match <object>: lets you configure which resources are in scope for this   # constraint. For more information, see the Policy Controller Constraint   # match documentation:   # https://cloud.google.com/anthos-config-management/docs/reference/match   match:     [match schema] 

Restricción referencial

This constraint is referential. Before you use referential constraints, you must enable them and create a config that tells Policy Controller which object types to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "Ingress"
      OR
      - group: "networking.k8s.io"
        version: "v1beta1" OR "v1"
        kind: "Ingress"

Examples

unique-ingress-host
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
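To make the referential check concrete, here is an added Python re-implementation of the K8sUniqueIngressHost logic (not the template's own Rego and not part of the original page). The `existing` list stands in for the Ingresses Policy Controller caches through the syncOnly entry above, and skipping the object under review itself is this example's assumption.

```python
"""Offline re-implementation of the K8sUniqueIngressHost referential check."""


def ingress_hosts(ingress):
    """Hosts declared in spec.rules (rules without a host are skipped)."""
    rules = (ingress.get("spec") or {}).get("rules") or []
    return {r["host"] for r in rules if r.get("host")}


def check_unique_ingress_host(candidate, existing):
    """Violations for `candidate` against the Ingresses already in the cluster.

    `existing` stands in for the referential data Policy Controller caches via
    syncOnly. The same namespace/name is skipped so that updating an Ingress
    does not conflict with its own stored copy (assumption of this example).
    """
    me = (candidate["metadata"].get("namespace"), candidate["metadata"]["name"])
    violations = []
    for other in existing:
        them = (other["metadata"].get("namespace"), other["metadata"]["name"])
        if them == me:
            continue
        for host in sorted(ingress_hosts(candidate) & ingress_hosts(other)):
            violations.append(f"host {host} already used by ingress {them[0]}/{them[1]}")
    return violations


def ingress(name, hosts, namespace="default"):
    """Constructed Ingress manifest with one root path rule per host."""
    rules = [
        {"host": h, "http": {"paths": [{"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "nginx", "port": {"number": 80}}}}]}}
        for h in hosts
    ]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"rules": rules}}


# Referential data from the examples above: Ingresses already present in the cluster.
EXISTING = [
    ingress("ingress-host-example", ["example-host.example.com"]),
    ingress("ingress-host-example2", ["example-host2.example.com"]),
]


def evaluate_examples(existing=EXISTING):
    """Run the Allowed and Disallowed Ingresses from the examples above."""
    candidates = [
        ingress("ingress-host-allowed",
                ["example-allowed-host.example.com", "example-allowed-host1.example.com"]),
        ingress("ingress-host-disallowed", ["example-host.example.com"]),
        ingress("ingress-host-disallowed2",
                ["example-host2.example.com", "example-host3.example.com"]),
    ]
    return {c["metadata"]["name"]: check_unique_ingress_host(c, existing) for c in candidates}
```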

K8sUniqueServiceSelector

Unique service selector v1.0.2

Requires that Services have unique selectors within a namespace. Selectors are considered the same if they have identical keys and values. Selectors may share a key-value pair as long as at least one key-value pair differs between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is referential. Before you use referential constraints, you must enable them and create a config that tells Policy Controller which object types to watch.

Your Policy Controller Config requires a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Service"

Examples

unique-service-selector
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector
Allowed
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value

NoUpdateServiceAccount

Block service account update v1.0.1

Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
      - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
      - <string>

Examples

no-update-kube-system-service-account
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []
Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1

PolicyStrictOnly

Require Istio mTLS STRICT policy v1.0.4

Requires that Istio STRICT mutual TLS is always specified when PeerAuthentication is used. This constraint also ensures that the deprecated Policy and MeshPolicy resources enforce STRICT mutual TLS. See https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

peerauthentication-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default
Allowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET
Disallowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT
deprecated-policy-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default
Allowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT
Disallowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
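The PolicyStrictOnly decision for every PeerAuthentication and deprecated Policy resource listed above, re-implemented in Python as an added example (not the template's Rego and not part of the original page). The only rule not spelled out on the page, and therefore this example's assumption, is that port-level modes other than STRICT or UNSET count as violations.

```python
"""Offline re-implementation of the PolicyStrictOnly checks for Istio
PeerAuthentication and the deprecated authentication.istio.io Policy."""


def check_peer_authentication(obj):
    """Violations for a security.istio.io PeerAuthentication (empty list == allowed)."""
    spec = obj.get("spec") or {}
    mtls = spec.get("mtls")
    violations = []
    # spec.mtls.mode must be literally STRICT: a missing spec, `mtls: {}`,
    # `mtls: null`, `mode: null` and PERMISSIVE all fail this test.
    if not isinstance(mtls, dict) or mtls.get("mode") != "STRICT":
        violations.append("spec.mtls.mode must be STRICT")
    # Port-level overrides may not weaken the workload-wide setting. The page
    # shows UNSET as allowed and PERMISSIVE as disallowed; flagging every other
    # mode as well is this example's assumption.
    for port, cfg in (spec.get("portLevelMtls") or {}).items():
        mode = (cfg or {}).get("mode")
        if mode not in ("STRICT", "UNSET"):
            violations.append(f"spec.portLevelMtls[{port}].mode must be STRICT, got {mode}")
    return violations


def check_deprecated_policy(obj):
    """Violations for a deprecated authentication.istio.io/v1alpha1 Policy."""
    spec = obj.get("spec") or {}
    peers = spec.get("peers")
    if not peers:  # `peers: []` or no peers block at all
        return ["spec.peers must contain an mtls peer with mode STRICT"]
    violations = []
    for i, peer in enumerate(peers):
        mtls = (peer or {}).get("mtls")
        if not isinstance(mtls, dict) or mtls.get("mode") != "STRICT":
            violations.append(f"spec.peers[{i}].mtls.mode must be STRICT")
    return violations


CHECKS = {
    "PeerAuthentication": check_peer_authentication,
    "Policy": check_deprecated_policy,
}


def evaluate(objects):
    """Map each object's name to its violations, dispatching on kind."""
    return {o["metadata"]["name"]: CHECKS[o["kind"]](o) for o in objects}


def pa(name, spec=None):
    """Constructed PeerAuthentication manifest; spec may be omitted entirely."""
    obj = {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
           "metadata": {"name": name, "namespace": "default"}}
    if spec is not None:
        obj["spec"] = spec
    return obj


def policy(name, spec):
    """Constructed deprecated Policy manifest."""
    return {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


# The Allowed / Disallowed resources from the examples above, as dicts.
SAMPLES = [
    pa("mode-strict", {"mtls": {"mode": "STRICT"}}),
    pa("mode-strict-port-level",
       {"mtls": {"mode": "STRICT"}, "portLevelMtls": {"8080": {"mode": "STRICT"}}}),
    pa("mode-strict-port-unset",
       {"mtls": {"mode": "STRICT"}, "portLevelMtls": {"8080": {"mode": "UNSET"}}}),
    pa("empty-mtls", {"mtls": {}}),
    pa("unspecified-mtls"),
    pa("mode-null", {"mtls": {"mode": None}}),
    pa("mtls-null", {"mtls": None}),
    pa("mode-permissive", {"mtls": {"mode": "PERMISSIVE"}}),
    pa("mode-strict-port-permissive",
       {"mtls": {"mode": "STRICT"},
        "portLevelMtls": {"8080": {"mode": "PERMISSIVE"}, "8081": {"mode": "STRICT"}}}),
    policy("default-mode-strict", {"peers": [{"mtls": {"mode": "STRICT"}}]}),
    policy("default-mtls-empty", {"peers": [{"mtls": {}}]}),
    policy("default-mtls-null", {"peers": [{"mtls": None}]}),
    policy("peers-empty", {"peers": []}),
    policy("policy-no-peers", {"targets": [{"name": "httpbin"}]}),
    policy("policy-permissive", {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}),
]
```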

RestrictNetworkExclusions

Restrict Network Exclusions v1.0.2

Controls which inbound ports, outbound ports and outbound IP ranges may be excluded from Istio network capture. Ports and IP ranges that bypass Istio network capture are not controlled by the Istio proxy and are not subject to Istio mTLS authentication, authorization policy or other Istio features. This constraint can be used to restrict the use of the following annotations:

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

See https://istio.io/latest/docs/reference/config/annotations/.

When restricting outbound IP ranges, the constraint calculates whether the excluded IP ranges match or are a subset of the allowed IP range exclusions.

When this constraint is used, all inbound ports, outbound ports and outbound IP ranges must always be included, by setting the corresponding "include" annotations to "*" or leaving them unset. Setting any of the following annotations to anything other than "*" is not permitted:

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

This constraint allows port 15020 to be excluded because the Istio sidecar injector always adds it to the traffic.sidecar.istio.io/excludeInboundPorts annotation so that it can be used for health checking.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedInboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
    allowedInboundPortExclusions:
      - <string>
    # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
    # constraint calculates whether excluded IP ranges match or are a subset of
    # the ranges in this list.
    allowedOutboundIPRangeExclusions:
      - <string>
    # allowedOutboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
    allowedOutboundPortExclusions:
      - <string>

Examples

restrict-network-exclusions
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
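The three RestrictNetworkExclusions rules described above (include annotations unset or "*", port exclusions from the allow lists plus the injector's 15020, and the subset test for excluded IP ranges) re-implemented in Python as an added example, run over the Pods and parameters from restrict-network-exclusions. This is not the template's Rego and not part of the original page; the subset test generalizes to any CIDR via the standard `ipaddress` module.

```python
"""Re-implements the RestrictNetworkExclusions checks for a Pod, offline."""
import ipaddress

PREFIX = "traffic.sidecar.istio.io/"
# The sidecar injector always adds 15020 to excludeInboundPorts (health checks),
# so the constraint tolerates it even when it is not in the allow list.
ALWAYS_ALLOWED_INBOUND = {"15020"}

# Parameters copied from the restrict-network-exclusions constraint above.
PARAMS = {
    "allowedInboundPortExclusions": ["80"],
    "allowedOutboundIPRangeExclusions": ["169.254.169.254/32"],
    "allowedOutboundPortExclusions": ["8888"],
}


def split_csv(value):
    """Istio traffic annotations are comma-separated; return the non-empty items."""
    return [item.strip() for item in str(value).split(",") if item.strip()]


def range_allowed(excluded, allowed_ranges):
    """True when `excluded` equals or is a subset of at least one allowed range."""
    try:
        net = ipaddress.ip_network(excluded, strict=False)
    except ValueError:
        return False  # an unparseable range is never allowed
    for allowed in allowed_ranges:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def check_pod(pod, params=PARAMS):
    """Return the violations for one Pod; an empty list means it is allowed."""
    ann = (pod.get("metadata") or {}).get("annotations") or {}
    violations = []

    # 1. include* annotations must be unset or exactly "*" (capture everything).
    for suffix in ("includeInboundPorts", "includeOutboundPorts", "includeOutboundIPRanges"):
        key = PREFIX + suffix
        if key in ann and str(ann[key]) != "*":
            violations.append(f"{key} must be unset or '*', got {ann[key]!r}")

    # 2. Excluded ports must be in the allow lists (15020 is always tolerated inbound).
    inbound_ok = set(params["allowedInboundPortExclusions"]) | ALWAYS_ALLOWED_INBOUND
    outbound_ok = set(params["allowedOutboundPortExclusions"])
    for suffix, allowed in (("excludeInboundPorts", inbound_ok), ("excludeOutboundPorts", outbound_ok)):
        key = PREFIX + suffix
        for port in split_csv(ann.get(key, "")):
            if port not in allowed:
                violations.append(f"{key}: port {port} is not an allowed exclusion")

    # 3. Excluded outbound IP ranges must match or be a subset of an allowed range.
    key = PREFIX + "excludeOutboundIPRanges"
    for cidr in split_csv(ann.get(key, "")):
        if not range_allowed(cidr, params["allowedOutboundIPRangeExclusions"]):
            violations.append(f"{key}: {cidr} is not within an allowed exclusion")
    return violations


def make_pod(name, annotations=None):
    """Constructed minimal Pod manifest as a dict."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "annotations": annotations or {}},
        "spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
    }


# The Allowed / Disallowed Pods from the examples above, as dicts.
SAMPLE_PODS = [
    make_pod("nothing-excluded"),
    make_pod("allowed-port-and-ip-exclusions", {
        PREFIX + "excludeInboundPorts": "80",
        PREFIX + "excludeOutboundIPRanges": "169.254.169.254/32",
        PREFIX + "excludeOutboundPorts": "8888",
    }),
    make_pod("all-ip-ranges-included-with-one-allowed-ip-excluded", {
        PREFIX + "excludeOutboundIPRanges": "169.254.169.254/32",
        PREFIX + "includeOutboundIPRanges": "*",
    }),
    make_pod("disallowed-ip-range-exclusion", {PREFIX + "excludeOutboundIPRanges": "1.1.2.0/24"}),
    make_pod("one-disallowed-ip-exclusion-and-one-allowed-exclusion", {
        PREFIX + "excludeOutboundIPRanges": "169.254.169.254/32,1.1.2.0/24",
    }),
    make_pod("disallowed-specific-port-and-ip-inclusions", {
        PREFIX + "includeInboundPorts": "80,443",
        PREFIX + "includeOutboundIPRanges": "169.254.169.254/32",
        PREFIX + "includeOutboundPorts": "8888",
    }),
]


def evaluate(pods=SAMPLE_PODS, params=PARAMS):
    """Map each Pod name to its violations."""
    return {p["metadata"]["name"]: check_pod(p, params) for p in pods}
```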

SourceNotAllAuthz

Require Istio AuthorizationPolicy source not all v1.0.1

Requires that Istio AuthorizationPolicy rules have source principals set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

sourcenotall-authz-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
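The SourceNotAllAuthz decision over the four AuthorizationPolicy resources above, re-implemented in Python as an added example (not the template's Rego and not part of the original page). The exact rule is inferred from those examples and is this example's assumption: every rule with a `from` block needs at least one source that sets principals, and no principal may be "*".

```python
"""Offline re-implementation of the SourceNotAllAuthz check for Istio AuthorizationPolicy."""


def check_authorization_policy(obj):
    """Return violations for an AuthorizationPolicy; an empty list means allowed.

    Inferred from the page's examples: a rule whose `from` sources set no
    principals at all (source-principals-dne) is rejected, and so is any
    principal equal to "*" (source-principals-all, source-principals-someall).
    """
    violations = []
    rules = (obj.get("spec") or {}).get("rules") or []
    for i, rule in enumerate(rules):
        sources = [(f.get("source") or {}) for f in (rule.get("from") or [])]
        if not sources:
            continue  # no `from` block: nothing about source identity to check
        principals = [p for s in sources for p in (s.get("principals") or [])]
        if not principals:
            violations.append(f"rules[{i}]: no source sets principals")
        if "*" in principals:
            violations.append(f"rules[{i}]: source principal '*' matches every workload")
    return violations


def authz(name, sources):
    """Constructed AuthorizationPolicy with one rule built from the given sources."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name, "namespace": "foo"},
        "spec": {
            "selector": {"matchLabels": {"app": "httpbin", "version": "v1"}},
            "rules": [{
                "from": [{"source": s} for s in sources],
                "to": [{"operation": {"methods": ["GET"], "paths": ["/info*"]}}],
            }],
        },
    }


SLEEP_SA = "cluster.local/ns/default/sa/sleep"

# The Allowed / Disallowed policies from the examples above.
SAMPLES = [
    authz("source-principals-good", [{"principals": [SLEEP_SA]}, {"namespaces": ["test"]}]),
    authz("source-principals-dne", [{"namespaces": ["test"]}]),
    authz("source-principals-all", [{"principals": ["*"]}, {"namespaces": ["test"]}]),
    authz("source-principals-someall", [{"principals": [SLEEP_SA, "*"]}, {"namespaces": ["test"]}]),
]


def evaluate(policies=SAMPLES):
    """Map each policy name to its violations."""
    return {p["metadata"]["name"]: check_authorization_policy(p) for p in policies}
```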

VerifyDeprecatedAPI

Verify deprecated APIs v1.0.0

Checks Kubernetes APIs that are deprecated, to ensure that all API versions are up to date. This template does not apply to audit, because audit reviews resources that are already present in the cluster with non-deprecated API versions.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # k8sVersion <number>: kubernetes version
    k8sVersion: <number>
    # kvs <array>: Deprecated api versions and corresponding kinds
    kvs:
      - # deprecatedAPI <string>: deprecated api
        deprecatedAPI: <string>
        # kinds <array>: impacted list of kinds
        kinds:
          - <string>
        # targetAPI <string>: target api
        targetAPI: <string>

Examples

verify-1.16
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1
Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Disallowed
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
verify-1.22
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
verify-1.25
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1
Allowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
Disallowed
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
verify-1.26
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
Allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
Disallowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
verify-1.27
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1
Allowed
apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard
Disallowed
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
  namespace: default
storageClassName: standard
verify-1.29
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
Allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
Disallowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

What's next?