Constraint template library

Constraint templates let you define how a constraint works while delegating the details of defining the constraint to individuals or groups with subject-matter expertise. Besides separating concerns, this separates the logic of a constraint from its definition.

Every constraint contains a match section that defines which objects the constraint applies to. For details on how to configure this section, see the constraint match section.

Not every constraint template is available in every version of Policy Controller, and templates can differ between versions. Use the following links to compare the constraints available in each supported version:

Links to the supported versions of this page

To make sure you are fully supported, we recommend using constraint templates from a supported version of Policy Controller.

To help you understand how constraint templates work, each template includes an example constraint and a resource that violates that constraint.

Available constraint templates

Constraint template: description (with a reference link where one is given)

AllowedServicePortName: Requires service port names to have a prefix from a specified list.
AsmAuthzPolicyDefaultDeny: Enforces a mesh-level default-deny AuthorizationPolicy. See https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.
AsmAuthzPolicyDisallowedPrefix: Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list. Reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
AsmAuthzPolicyEnforceSourcePrincipals: Requires that the "from" field of an Istio AuthorizationPolicy, if defined, contains source principals set to something other than "*". Reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
AsmAuthzPolicyNormalization: Enforces AuthorizationPolicy normalization. See https://istio.io/latest/docs/reference/config/security/normalization/.
AsmAuthzPolicySafePattern: Enforces AuthorizationPolicy safe patterns. See https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.
AsmIngressgatewayLabel: Enforces that the istio ingressgateway label is used only on ingressgateway pods.
AsmPeerAuthnMeshStrictMtls: Enforces a mesh-level STRICT mTLS PeerAuthentication. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
AsmPeerAuthnStrictMtls: Enforces that no PeerAuthentication overrides STRICT mTLS. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.
AsmRequestAuthnProhibitedOutputHeaders: Enforces that the "jwtRules.outputPayloadToHeader" field of a RequestAuthentication does not name common HTTP request headers or custom prohibited headers. See https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.
AsmSidecarInjection: Enforces that the istio proxy sidecar is always injected into workload pods.
DestinationRuleTLSEnabled: Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules.
DisallowedAuthzPrefix: Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list. Reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
GCPStorageLocationConstraintV1: Restricts the permitted "location" of StorageBucket Config Connector resources to the list of locations supplied in the constraint. Bucket names in the "exemptions" list are exempt.
GkeSpotVMTerminationGrace: Requires that Pods and Pod templates with a "nodeSelector" or "nodeAffinity" for "gke-spot" have a "terminationGracePeriodSeconds" of no more than 15 seconds.
K8sAllowedRepos: Requires container images to begin with a string from the specified list.
K8sAvoidUseOfSystemMastersGroup: Disallows use of the "system:masters" group. Has no effect during audit.
K8sBlockAllIngress: Disallows the creation of ingress objects (Ingress, Gateway, and Services of type "NodePort" and "LoadBalancer").
K8sBlockCreationWithDefaultServiceAccount: Disallows creating resources with the default service account. Has no effect during audit.
K8sBlockEndpointEditDefaultRole: Many Kubernetes installations have a system:aggregate-to-edit ClusterRole by default that does not properly restrict permission to edit Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. ClusterRole/system:aggregate-to-edit should not grant Endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice write permissions allow cross-namespace forwarding. See https://github.com/kubernetes/kubernetes/issues/103675
K8sBlockLoadBalancer: Disallows all Services of type LoadBalancer. Reference: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
K8sBlockNodePort: Disallows all Services of type NodePort. Reference: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
K8sBlockObjectsOfType: Disallows objects of the prohibited kinds.
K8sBlockProcessNamespaceSharing: Disallows Pod specs with "shareProcessNamespace" set to "true". This avoids the situation where all containers in a Pod share one PID namespace and can access each other's filesystems and memory.
K8sBlockWildcardIngress: Users must not be able to create Ingresses with a blank or wildcard (*) hostname, because that would let a user with no access to other services in the cluster intercept traffic for those services.
K8sContainerEphemeralStorageLimit: Requires containers to set ephemeral storage limits and constrains those limits to the specified maximum values. Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
K8sContainerLimits: Requires containers to set memory and CPU limits and constrains those limits to the specified maximum values. Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
K8sContainerRatios: Sets a maximum ratio of container resource limits to requests. Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
K8sContainerRequests: Requires containers to set memory and CPU requests and constrains those requests to the specified maximum values. Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
K8sCronJobAllowedRepos: Requires CronJob container images to begin with a string from the specified list.
K8sDisallowAnonymous: Disallows binding ClusterRole and Role resources to the system:anonymous user and the system:unauthenticated group.
K8sDisallowInteractiveTTY: Requires objects to have the "spec.tty" and "spec.stdin" fields set to false or left unset.
K8sDisallowedRepos: Disallows container repositories that begin with a string from the specified list.
K8sDisallowedRoleBindingSubjects: Disallows RoleBindings or ClusterRoleBindings whose subjects match any of the "disallowedSubjects" passed as parameters.
K8sDisallowedTags: Requires container images to have an image tag different from those in the specified list. Reference: https://kubernetes.io/docs/concepts/containers/images/#image-names
K8sEmptyDirHasSizeLimit: Requires every "emptyDir" volume to specify a "sizeLimit". Optionally, a "maxSizeLimit" parameter can be supplied in the constraint to cap the allowed size.
K8sEnforceCloudArmorBackendConfig: Enforces Cloud Armor configuration on BackendConfig resources.
K8sEnforceConfigManagement: Requires Config Management to be present and running. Constraints that use this "ConstraintTemplate" are only audited, regardless of the "enforcementAction" value.
K8sExternalIPs: Restricts Service externalIPs to an allowed list of IP addresses. Reference: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
K8sHorizontalPodAutoscaler: Disallows the following scenarios when deploying "HorizontalPodAutoscalers": 1. HorizontalPodAutoscalers whose ".spec.minReplicas" or ".spec.maxReplicas" falls outside the ranges defined in the constraint. 2. HorizontalPodAutoscalers where the difference between ".spec.minReplicas" and ".spec.maxReplicas" is less than the configured "minimumReplicaSpread". 3. HorizontalPodAutoscalers that do not reference a valid "scaleTargetRef" (for example Deployment, ReplicationController, ReplicaSet, StatefulSet).
K8sHttpsOnly: Requires Ingress resources to be HTTPS only. Ingress resources must carry the "kubernetes.io/ingress.allow-http" annotation set to "false". By default a valid TLS {} configuration is required; it can be made optional by setting the "tlsOptional" parameter to "true". Reference: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
K8sImageDigests: Requires container images to include a digest. Reference: https://kubernetes.io/docs/concepts/containers/images/
K8sLocalStorageRequireSafeToEvict: Requires Pods that use local storage ("emptyDir" or "hostPath") to carry the annotation "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". The cluster autoscaler will not evict Pods that lack this annotation, so it cannot scale down the nodes they run on.
K8sMemoryRequestEqualsLimit: Improves Pod stability by requiring every container to request exactly as much memory as its memory limit, so a Pod is never in a state where it uses more memory than it requested. Otherwise, when memory is needed on the node, Kubernetes may terminate Pods that are using more than they requested.
K8sNoEnvVarSecrets: Prohibits Secrets from being used as environment variables in Pod container definitions; mount Secrets as files in volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
K8sNoExternalServices: Disallows the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes Services may also not be created unless the following conditions are met: any Service of type "LoadBalancer" on Google Cloud must carry the annotation "networking.gke.io/load-balancer-type": "Internal"; any Service of type "LoadBalancer" on AWS must carry the annotation service.beta.kubernetes.io/aws-load-balancer-internal: true; and any "external IP" bound to a Service (that is, an IP outside the cluster) must fall within the internal CIDR ranges supplied to the constraint.
K8sPSPAllowPrivilegeEscalationContainer: Controls restricting escalation to root privileges. Corresponds to the "allowPrivilegeEscalation" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
K8sPSPAllowedUsers: Controls the user and group IDs of containers and some volumes. Corresponds to the "runAsUser", "runAsGroup", "supplementalGroups" and "fsGroup" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
K8sPSPAppArmor: Configures an allow-list of AppArmor profiles for use by containers. Corresponds to specific annotations applied to a PodSecurityPolicy. For more information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/
K8sPSPAutomountServiceAccountTokenPod: Controls the ability of any pod to enable automountServiceAccountToken.
K8sPSPCapabilities: Controls Linux capabilities on containers. Corresponds to the "allowedCapabilities" and "requiredDropCapabilities" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
K8sPSPFSGroup: Controls allocating the FSGroup that owns a Pod's volumes. Corresponds to the "fsGroup" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
K8sPSPFlexVolumes: Controls the allow-list of FlexVolume drivers. Corresponds to the "allowedFlexVolumes" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers
K8sPSPForbiddenSysctls: Controls the "sysctl" profile used by containers. Corresponds to the "allowedUnsafeSysctls" and "forbiddenSysctls" fields in a PodSecurityPolicy. When specified, any sysctl not in the "allowedSysctls" parameter is considered forbidden. The "forbiddenSysctls" parameter takes precedence over the "allowedSysctls" parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
K8sPSPHostFilesystem: Controls usage of the host filesystem. Corresponds to the "allowedHostPaths" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
K8sPSPHostNamespace: Disallows sharing of the host PID and IPC namespaces by pod containers. Corresponds to the "hostPID" and "hostIPC" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
K8sPSPHostNetworkingPorts: Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the "hostNetwork" and "hostPorts" fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
K8sPSPPrivilegedContainer: Controls the ability of any container to enable privileged mode. Corresponds to the "privileged" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
K8sPSPProcMount: Controls the allowed "procMount" types for containers. Corresponds to the "allowedProcMountTypes" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes
K8sPSPReadOnlyRootFilesystem: Requires pod containers to use a read-only root filesystem. Corresponds to the "readOnlyRootFilesystem" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
K8sPSPSELinuxV2: Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy that requires SELinux configuration. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
K8sPSPSeccomp: Controls the seccomp profile used by containers. Corresponds to the "seccomp.security.alpha.kubernetes.io/allowedProfileNames" annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
K8sPSPVolumeTypes: Restricts the mountable volume types to those specified by the user. Corresponds to the "volumes" field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
K8sPSPWindowsHostProcess: Restricts running Windows HostProcess containers / pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/.
K8sPSSRunAsNonRoot: Requires containers to run as a non-root user. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-standards/
K8sPodDisruptionBudget: Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (for example Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. PodDisruptionBudgets with .spec.maxUnavailable == 0. 2. PodDisruptionBudgets whose .spec.minAvailable equals the .spec.replicas of the resource that has the replica subresource. This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node drains. Reference: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
K8sPodResourcesBestPractices: Requires that containers are not best-effort (by setting CPU and memory requests) and follow burstable best practices (the memory request must exactly equal the limit). You can optionally configure annotation keys that allow each validation to be skipped.
K8sPodsRequireSecurityContext: Requires that all Pods define a securityContext. Requires that all containers defined in a Pod have a SecurityContext defined at the Pod or container level.
K8sProhibitRoleWildcardAccess: Requires that Roles and ClusterRoles do not grant resource access with the wildcard "*" value, except for the exempt Roles and ClusterRoles supplied as exemptions. Does not restrict wildcard access to subresources such as "*/status".
K8sReplicaLimits: Requires that objects with a "spec.replicas" field (Deployments, ReplicaSets, and so on) specify a number of replicas within the defined ranges.
K8sRequireAdmissionController: Requires Pod Security Admission or an external policy control system.
K8sRequireBinAuthZ: Requires the Binary Authorization validating admission webhook. Constraints that use this "ConstraintTemplate" are only audited, regardless of the "enforcementAction" value.
K8sRequireCosNodeImage: Enforces the use of Google's Container-Optimized OS on nodes.
K8sRequireDaemonsets: Requires that a specified list of daemonsets exist.
K8sRequireDefaultDenyEgressPolicy: Requires that every namespace defined in the cluster has a default-deny NetworkPolicy for egress.
K8sRequireNamespaceNetworkPolicies: Requires that every namespace defined in the cluster has a NetworkPolicy.
K8sRequireValidRangesForNetworks: Enforces the allowed CIDR blocks for network ingress and egress.
K8sRequiredAnnotations: Requires resources to contain specified annotations, with values matching the provided regular expressions.
K8sRequiredLabels: Requires resources to contain specified labels, with values matching the provided regular expressions.
K8sRequiredProbes: Requires Pods to have readiness and/or liveness probes.
K8sRequiredResources: Requires containers to set the defined resources. Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
K8sRestrictAdmissionController: Restricts dynamic admission controllers to those allowed.
K8sRestrictAutomountServiceAccountTokens: Restricts the use of service account tokens.
K8sRestrictLabels: Disallows resources from containing specified labels, unless an exemption exists for the specific resource.
K8sRestrictNamespaces: Restricts resources from using the namespaces listed under the restrictedNamespaces parameter.
K8sRestrictNfsUrls: Disallows resources from containing NFS URLs unless otherwise specified.
K8sRestrictRbacSubjects: Restricts the names in RBAC subjects to the specified values.
K8sRestrictRoleBindings: Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects.
K8sRestrictRoleRules: Restricts the rules that can be set on Role and ClusterRole objects.
K8sStorageClass: Requires a storage class to be specified wherever one is used. Only Gatekeeper 3.9+ is supported; ephemeral containers are not supported.
K8sUniqueIngressHost: Requires all Ingress rule hosts to be unique. Hostname wildcards are not handled: https://kubernetes.io/docs/concepts/services-networking/ingress/
K8sUniqueServiceSelector: Requires Services to have unique selectors within a namespace. Selectors are considered identical if they have the same keys and values. Selectors may share key/value pairs as long as at least one key/value pair differs between them. Reference: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
NoUpdateServiceAccount: Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode.
PolicyStrictOnly: Requires that "STRICT" Istio mutual TLS is always specified when using PeerAuthentication (https://istio.io/latest/docs/reference/config/security/peer_authentication/). This constraint also ensures that the deprecated Policy (https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) and MeshPolicy resources enforce "STRICT" mutual TLS. See: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh
RestrictNetworkExclusions:

Controls which inbound ports, outbound ports, and outbound IP ranges may be excluded from Istio network capture. Ports and IP ranges that bypass Istio network capture are not handled by the Istio proxy, so they are not subject to Istio mTLS authentication, authorization policies, or any other Istio feature. This constraint can restrict the use of the following annotations:

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

See https://istio.io/latest/docs/reference/config/annotations/.

When restricting outbound IP ranges, the constraint checks whether each excluded IP range matches, or is a subset of, an allowed IP range exclusion.

When this constraint is in use, all inbound ports, outbound ports, and outbound IP ranges must always be included, by setting the corresponding "include" annotation to "*" or leaving it unset. None of the following annotations may be set to a value other than "*":

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

This constraint always allows excluding port 15020, because the Istio sidecar injector always adds it to the traffic.sidecar.istio.io/excludeInboundPorts annotation for health checks.

SourceNotAllAuthz: Requires that Istio AuthorizationPolicy rules set source principals to something other than "*". Reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
VerifyDeprecatedAPI: Verifies deprecated Kubernetes APIs to ensure all API versions are current. This template does not apply to audit, because audit checks resources that already exist in the cluster, and those are stored with non-deprecated API versions.
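The following Python is an added example, not the RestrictNetworkExclusions template's Rego and not code from this page. It applies the rules described under RestrictNetworkExclusions above to a Pod's annotations: the include annotations must be "*" or unset, each excluded port must be on an allow-list (15020 inbound is always permitted), and each excluded CIDR must equal, or be a subnet of, an allowed exclusion. The parameter names (allowed_inbound_ports, allowed_outbound_ports, allowed_outbound_ip_ranges) and the sample allow-lists are constructed for this example, since the page does not show the template's schema.

```python
"""Offline check of the annotation rules that RestrictNetworkExclusions
enforces on Istio sidecar traffic capture.

Added example, not the template's Rego. The parameter names
allowed_inbound_ports, allowed_outbound_ports and allowed_outbound_ip_ranges
are this example's own: the page does not show the template's schema.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

PREFIX = "traffic.sidecar.istio.io/"
EXCLUDE_INBOUND_PORTS = PREFIX + "excludeInboundPorts"
EXCLUDE_OUTBOUND_PORTS = PREFIX + "excludeOutboundPorts"
EXCLUDE_OUTBOUND_IP_RANGES = PREFIX + "excludeOutboundIPRanges"
INCLUDE_ANNOTATIONS = (
    PREFIX + "includeInboundPorts",
    PREFIX + "includeOutboundPorts",
    PREFIX + "includeOutboundIPRanges",
)
# The sidecar injector always appends the health-check port to
# excludeInboundPorts, so the constraint always permits it there.
HEALTH_CHECK_PORT = 15020


def _items(value: str | None) -> list[str]:
    """Split a comma-separated annotation value, dropping blanks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def _port_violations(value: str | None, allowed: Iterable[int],
                     direction: str, always_ok: int | None = None) -> list[str]:
    """Every excluded port must be on the allow-list (15020 inbound excepted)."""
    allowed = set(allowed)
    msgs = []
    for item in _items(value):
        if not item.isdigit() or not 0 < int(item) <= 65535:
            msgs.append(f"{direction} port exclusion {item!r} is not a valid port")
        elif int(item) != always_ok and int(item) not in allowed:
            msgs.append(f"{direction} port {item} may not bypass the sidecar")
    return msgs


def _range_violations(value: str | None, allowed_ranges: Iterable[str]) -> list[str]:
    """Every excluded CIDR must equal, or lie inside, an allowed exclusion."""
    allowed = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
    msgs = []
    for item in _items(value):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            msgs.append(f"outbound IP range exclusion {item!r} is not a CIDR")
            continue
        # subnet_of() is true for an exact match as well as a proper subnet;
        # it raises on mixed IP versions, hence the version guard.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            msgs.append(f"outbound IP range {net} is not within an allowed exclusion")
    return msgs


def check_annotations(annotations: dict[str, str],
                      allowed_inbound_ports: Iterable[int] = (),
                      allowed_outbound_ports: Iterable[int] = (),
                      allowed_outbound_ip_ranges: Iterable[str] = ()) -> list[str]:
    """Return the violations for one Pod's traffic.sidecar.istio.io annotations."""
    msgs = []
    # Narrowing the include* annotations is never allowed: only "*" or unset.
    for key in INCLUDE_ANNOTATIONS:
        value = annotations.get(key)
        if value is not None and value.strip() != "*":
            msgs.append(f"{key} must be '*' or unset, got {value!r}")
    msgs += _port_violations(annotations.get(EXCLUDE_INBOUND_PORTS),
                             allowed_inbound_ports, "inbound", HEALTH_CHECK_PORT)
    msgs += _port_violations(annotations.get(EXCLUDE_OUTBOUND_PORTS),
                             allowed_outbound_ports, "outbound")
    msgs += _range_violations(annotations.get(EXCLUDE_OUTBOUND_IP_RANGES),
                              allowed_outbound_ip_ranges)
    return msgs


# Constructed sample parameters: only SSH inbound, MySQL outbound, and the
# metadata server plus one private block may bypass the sidecar.
ALLOWED = dict(allowed_inbound_ports={22}, allowed_outbound_ports={3306},
               allowed_outbound_ip_ranges=["169.254.169.254/32", "10.128.0.0/9"])

# Constructed sample annotations.
COMPLIANT = {
    EXCLUDE_INBOUND_PORTS: "15020,22",
    EXCLUDE_OUTBOUND_PORTS: "3306",
    EXCLUDE_OUTBOUND_IP_RANGES: "10.130.0.0/16,169.254.169.254/32",
}
VIOLATING = {
    EXCLUDE_INBOUND_PORTS: "15020,8080",               # 8080 is not allowed inbound
    EXCLUDE_OUTBOUND_IP_RANGES: "0.0.0.0/0",           # bypasses the mesh entirely
    PREFIX + "includeOutboundIPRanges": "10.0.0.0/8",  # narrows capture
}

if __name__ == "__main__":
    print("compliant:", check_annotations(COMPLIANT, **ALLOWED))
    print("violating:", *check_annotations(VIOLATING, **ALLOWED), sep="\n  ")
```

The three checks are independent, so one Pod can fail several at once; the VIOLATING sample fails all three. Mixed address families never match (an IPv6 exclusion against an IPv4 allow-list is a violation), and an unparsable value such as "*" in an exclude annotation is reported rather than silently ignored, because an exclusion the checker cannot interpret is still traffic the proxy will not see.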

AllowedServicePortName

Allowed Service Port Names v1.0.1

Requires service port names to have a prefix from a specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prefixes <array>: Prefixes of allowed service port names.
    prefixes:
      - <string>

Examples

port-name-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AllowedServicePortName
metadata:
  name: port-name-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    prefixes:
    - http-
    - http2-
    - grpc-
    - mongo-
    - redis-
    - tcp-
Allowed
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-http
spec:
  ports:
  - name: http-helloport
    port: 5000
  selector:
    app: helloworld
Disallowed
apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-tcp
spec:
  ports:
  - name: foo-helloport
    port: 5000
  selector:
    app: helloworld

apiVersion: v1
kind: Service
metadata:
  labels:
    app: helloworld
  name: port-name-bad
spec:
  ports:
  - name: helloport
    port: 5000
  selector:
    app: helloworld
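Policy Controller evaluates a template's Rego only against the resources that the constraint's match section selects. The Python below is an added example, not code from the template library or from this page: it re-implements the AllowedServicePortName check offline so that the scoping and the prefix rule can be read side by side. It takes the port-name-constraint above, applies its match.kinds selector (a Pod is out of scope and produces nothing), and reports one violation per port name that lacks an allowed prefix. Treating an unnamed port as a violation is this example's own choice.

```python
"""Offline evaluation of an AllowedServicePortName constraint.

Added example; not code from the Policy Controller template library, which
implements this logic in Rego. The match section scopes the constraint to
core-group Services; every port name must then start with an allowed prefix.
"""
from __future__ import annotations

from typing import Any

# Constructed from the port-name-constraint manifest on this page.
CONSTRAINT = {
    "kind": "AllowedServicePortName",
    "spec": {
        "enforcementAction": "deny",
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Service"]}]},
        "parameters": {
            "prefixes": ["http-", "http2-", "grpc-", "mongo-", "redis-", "tcp-"]
        },
    },
}


def api_group(resource: dict[str, Any]) -> str:
    """Return the API group of a resource; "" is the core group (apiVersion: v1)."""
    api_version = resource.get("apiVersion", "")
    return api_version.split("/", 1)[0] if "/" in api_version else ""


def in_scope(constraint: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Apply the constraint's match.kinds selector (a "*" entry matches anything)."""
    for entry in constraint["spec"]["match"].get("kinds", []):
        groups = entry.get("apiGroups", ["*"])
        kinds = entry.get("kinds", ["*"])
        group_ok = "*" in groups or api_group(resource) in groups
        kind_ok = "*" in kinds or resource.get("kind") in kinds
        if group_ok and kind_ok:
            return True
    return False


def violations(constraint: dict[str, Any], resource: dict[str, Any]) -> list[str]:
    """One message per Service port whose name lacks an allowed prefix.

    Out-of-scope resources yield no violations, exactly as Policy Controller
    never evaluates a constraint against resources its match does not select.
    An unnamed port cannot satisfy any prefix and is reported (example's choice).
    """
    if not in_scope(constraint, resource):
        return []
    prefixes = tuple(constraint["spec"]["parameters"]["prefixes"])
    name = resource.get("metadata", {}).get("name", "<unnamed>")
    msgs = []
    for port in resource.get("spec", {}).get("ports", []):
        port_name = port.get("name", "")
        if not port_name.startswith(prefixes):
            msgs.append(f"Service {name}: port name {port_name!r} "
                        f"must start with one of {list(prefixes)}")
    return msgs


def service(name: str, *port_names: str) -> dict[str, Any]:
    """Build a Service shaped like the page's examples (constructed sample input)."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "labels": {"app": "helloworld"}},
        "spec": {
            "ports": [{"name": p, "port": 5000 + i} for i, p in enumerate(port_names)],
            "selector": {"app": "helloworld"},
        },
    }


if __name__ == "__main__":
    for res in (service("port-name-http", "http-helloport"),
                service("port-name-tcp", "foo-helloport"),
                service("port-name-bad", "helloport")):
        print(res["metadata"]["name"], violations(CONSTRAINT, res) or "allowed")
```

The same two functions generalise to any template whose logic is a per-field predicate: swap the body of violations() and keep in_scope(), which is what the match section buys you in the real system, a single scoping rule shared by every constraint.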

AsmAuthzPolicyDefaultDeny

ASM AuthorizationPolicy Default Deny v1.0.4

Enforces a mesh-level default-deny AuthorizationPolicy. See https://istio.io/latest/docs/ops/best-practices/security/#use-default-deny-patterns.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraints by creating a Config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config needs a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "AuthorizationPolicy"

Examples

asm-authz-policy-default-deny-with-input-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
Allowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
Disallowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: istio-system
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
asm-authz-policy-default-deny-no-input-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Allowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-no-action
  namespace: istio-system
spec: null

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny-with-action
  namespace: istio-system
spec:
  action: ALLOW
Disallowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDefaultDeny
metadata:
  name: asm-authz-policy-default-deny-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: not-default-deny
  namespace: istio-system
spec:
  action: DENY
  rules:
  - to:
    - operation:
        notMethods:
        - GET
        - POST
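The allowed referential data above is a default deny because, in Istio, an ALLOW policy with no rules matches no request, so every request to the workloads it covers is denied; placed in the root namespace with no selector, it covers the whole mesh. A DENY policy with rules only denies what those rules match, which is why not-default-deny fails. The Python below is an added example, not the template's Rego and not code from this page: it runs that test over an inventory of AuthorizationPolicy objects of the kind the syncOnly entry makes available to the constraint. It models only what the page's examples show and does not model the strictnessLevel parameter; the sample policies are constructed from the referential data above.

```python
"""Mesh-wide default-deny check, in the spirit of AsmAuthzPolicyDefaultDeny,
written as a stand-alone function over the AuthorizationPolicy inventory
(the referential data the constraint syncs).

Added example, not the template's Rego. Modelled only from the examples on
the page: a policy in the root namespace with no selector, no rules, and
action unset or ALLOW is a default deny. strictnessLevel is not modelled.
"""
from __future__ import annotations

from typing import Any, Iterable

DEFAULT_ROOT_NAMESPACE = "istio-system"


def is_mesh_default_deny(policy: dict[str, Any],
                         root_namespace: str = DEFAULT_ROOT_NAMESPACE) -> bool:
    """True if this AuthorizationPolicy denies all traffic mesh-wide.

    Istio semantics: an ALLOW policy with no rules matches no request, so every
    request to a workload it covers is denied. It covers the whole mesh only
    when it lives in the root namespace and carries no workload selector.
    """
    if policy.get("kind") != "AuthorizationPolicy":
        return False
    if policy.get("metadata", {}).get("namespace") != root_namespace:
        return False
    spec = policy.get("spec") or {}      # `spec: null` is the same as an empty spec
    if spec.get("selector"):
        return False                      # scoped to some workloads, not the mesh
    if spec.get("action", "ALLOW") != "ALLOW":
        return False                      # a rule-less DENY matches nothing, denying nothing
    if spec.get("rules"):
        return False                      # any rule is an allow-list, not a blanket deny
    return True


def missing_default_deny(inventory: Iterable[dict[str, Any]],
                         root_namespace: str | None = None) -> list[str]:
    """Return a violation unless some policy in the inventory is a mesh default deny.

    root_namespace defaults to "istio-system", mirroring the constraint's
    rootNamespace parameter.
    """
    root = root_namespace or DEFAULT_ROOT_NAMESPACE
    if any(is_mesh_default_deny(p, root) for p in inventory):
        return []
    return [f"no mesh-wide default-deny AuthorizationPolicy found in root namespace {root!r}"]


def _authz(name: str, namespace: str, spec: Any) -> dict[str, Any]:
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


# Constructed from the referential data on this page.
DEFAULT_DENY_NO_ACTION = _authz("default-deny-no-action", "istio-system", None)
DEFAULT_DENY_WITH_ACTION = _authz("default-deny-with-action", "istio-system",
                                  {"action": "ALLOW"})
NOT_DEFAULT_DENY = _authz("not-default-deny", "istio-system", {
    "action": "DENY",
    "rules": [{"to": [{"operation": {"notMethods": ["GET", "POST"]}}]}],
})
# Constructed: an allow-nothing policy that is scoped to one workload, so it
# protects httpbin but is not a mesh-wide default deny.
SCOPED_ALLOW_NOTHING = _authz("scoped", "istio-system",
                              {"selector": {"matchLabels": {"app": "httpbin"}}})

if __name__ == "__main__":
    for inv in ([NOT_DEFAULT_DENY], [NOT_DEFAULT_DENY, DEFAULT_DENY_NO_ACTION]):
        print([p["metadata"]["name"] for p in inv], missing_default_deny(inv) or "ok")
```

Because the check depends on objects other than the one being admitted, it can only be as good as the synced inventory: if the syncOnly entry is missing, the constraint sees no AuthorizationPolicies at all, and a checker like this one would report the mesh as lacking a default deny even when one exists.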

AsmAuthzPolicyDisallowedPrefix

ASM AuthorizationPolicy Disallowed Prefixes v1.0.2

Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from a specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedNamespacePrefixes <array>: Disallowed prefixes for namespaces.
    disallowedNamespacePrefixes:
      - <string>
    # disallowedPrincipalPrefixes <array>: Disallowed prefixes for principals.
    disallowedPrincipalPrefixes:
      - <string>

Examples

asm-authz-policy-disallowed-prefix-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyDisallowedPrefix
metadata:
  name: asm-authz-policy-disallowed-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedNamespacePrefixes:
    - bad-ns-prefix
    - worse-ns-prefix
    disallowedPrincipalPrefixes:
    - bad-principal-prefix
    - worse-principal-prefix
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/worse-principal-prefix-sleep
    - source:
        namespaces:
        - test
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - bad-ns-prefix-test
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyEnforceSourcePrincipals

ASM AuthorizationPolicy Enforcement Principals v1.0.2

Requires that the "from" field of an Istio AuthorizationPolicy, if defined, contains source principals set to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-authz-policy-enforce-source-principals-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyEnforceSourcePrincipals
metadata:
  name: asm-authz-policy-enforce-source-principals-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: valid-authz-policy
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: no-source-principals
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-contains-wildcard
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin

AsmAuthzPolicyNormalization

ASM AuthorizationPolicy Normalization v1.0.2

Enforces AuthorizationPolicy normalization. See https://istio.io/latest/docs/reference/config/security/normalization/.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-authz-policy-normalization-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicyNormalization
metadata:
  name: asm-authz-policy-normalization-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test/foo
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Agent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-method-lowercase
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - get
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-request-header-whitespace
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
  - when:
    - key: source.ip
      values:
      - 10.1.2.3
      - 10.2.0.0/16
    - key: request.headers[User-Ag ent]
      values:
      - Mozilla/*
  selector:
    matchLabels:
      app: httpbin

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: path-unnormalized
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - /test\/foo
  selector:
    matchLabels:
      app: httpbin
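The three disallowed policies above share one failure mode: the policy is written against a form of the request that the proxy never compares against, so a request that differs only in case, whitespace or path encoding slips past it. The Python below is an added example, not the AsmAuthzPolicyNormalization template's Rego and not code from this page; it runs those three checks (lowercase HTTP methods, whitespace inside a request.headers[...] key, an unnormalized path) over AuthorizationPolicy objects before they are applied. The path check goes beyond the page's backslash case and also rejects "." and ".." segments and empty "//" segments, the other forms path normalization rewrites; that extension, and the sample policies built inline from the page's examples, are this example's own.

```python
"""Reviewer-side checks for the AuthorizationPolicy normalization pitfalls
that AsmAuthzPolicyNormalization rejects.

Added example, not the template's Rego. Rejects lowercase methods, header
names that are not RFC 7230 tokens (for example containing whitespace), and
paths with a backslash; rejecting "." / ".." and empty segments as well is
this example's extension beyond the page's cases.
"""
from __future__ import annotations

import re
from typing import Any

HEADER_KEY = re.compile(r"^request\.headers\[(.*)\]$")
# Characters a header field name may contain (RFC 7230 "token").
HEADER_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def path_problems(path: str) -> list[str]:
    """Why a path string is not in the normalized form the proxy matches on."""
    problems = []
    if "\\" in path:
        problems.append("contains a backslash")
    if any(seg in (".", "..") for seg in path.split("/")):
        problems.append("contains a dot segment")
    if "//" in path:
        problems.append("contains an empty segment")
    return problems


def check_policy(policy: dict[str, Any]) -> list[str]:
    """Return one message per normalization violation in an AuthorizationPolicy."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    msgs: list[str] = []
    for rule in (policy.get("spec") or {}).get("rules") or []:
        for to in rule.get("to") or []:
            op = to.get("operation") or {}
            # Istio matches methods case-sensitively against the uppercase form.
            for method in list(op.get("methods") or []) + list(op.get("notMethods") or []):
                if method != method.upper():
                    msgs.append(f"{name}: method {method!r} must be uppercase")
            for path in list(op.get("paths") or []) + list(op.get("notPaths") or []):
                msgs.extend(f"{name}: path {path!r} {why}" for why in path_problems(path))
        for cond in rule.get("when") or []:
            match = HEADER_KEY.match(cond.get("key", ""))
            if match and not HEADER_TOKEN.match(match.group(1)):
                msgs.append(f"{name}: header name {match.group(1)!r} is not a valid token")
    return msgs


def _policy(name: str, rules: list[dict[str, Any]]) -> dict[str, Any]:
    """Minimal ALLOW policy shaped like the page's examples (constructed input)."""
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
            "metadata": {"name": name},
            "spec": {"action": "ALLOW", "rules": rules,
                     "selector": {"matchLabels": {"app": "httpbin"}}}}


def _when(header: str) -> list[dict[str, Any]]:
    return [{"key": "source.ip", "values": ["10.1.2.3", "10.2.0.0/16"]},
            {"key": f"request.headers[{header}]", "values": ["Mozilla/*"]}]


# Constructed from the four AuthorizationPolicy examples on this page.
GOOD_POLICY = _policy("good-authz-policy", [
    {"to": [{"operation": {"methods": ["GET"], "paths": ["/test/foo"]}}]},
    {"when": _when("User-Agent")},
])
BAD_METHOD_LOWERCASE = _policy("bad-method-lowercase",
                               [{"to": [{"operation": {"methods": ["get"]}}]}])
BAD_HEADER_WHITESPACE = _policy("bad-request-header-whitespace", [
    {"to": [{"operation": {"methods": ["GET"]}}]},
    {"when": _when("User-Ag ent")},
])
PATH_UNNORMALIZED = _policy("path-unnormalized", [
    {"to": [{"operation": {"methods": ["GET"], "paths": ["/test\\/foo"]}}]},
])

if __name__ == "__main__":
    for p in (GOOD_POLICY, BAD_METHOD_LOWERCASE, BAD_HEADER_WHITESPACE, PATH_UNNORMALIZED):
        print(p["metadata"]["name"], check_policy(p) or "ok")
```

Glob characters such as the trailing "*" in "/info*" or "Mozilla/*" are left alone: they are Istio's own matching syntax, not an encoding the proxy would normalize away.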

AsmAuthzPolicySafePattern

ASM AuthorizationPolicy Safe Patterns v1.0.4

Enforces AuthorizationPolicy safe patterns. See https://istio.io/latest/docs/ops/best-practices/security/#safer-authorization-policy-patterns.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of AuthorizationPolicy strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-authz-policy-safe-pattern-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmAuthzPolicySafePattern
metadata:
  name: asm-authz-policy-safe-pattern-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    strictnessLevel: High
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-istio-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good-authz-policy-asm-ingress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      asm: ingressgateway
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: hosts-on-noningress
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: invalid-hosts
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-negative-match
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        notMethods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-positive-match
spec:
  action: DENY
  rules:
  - to:
    - operation:
        hosts:
        - test.com
        - test.com:*
        methods:
        - GET
  selector:
    matchLabels:
      istio: ingressgateway

AsmIngressgatewayLabel

ASM Ingress Gateway Label v1.0.3

Enforces that the istio ingressgateway label is used only on ingressgateway pods.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

asm-ingressgateway-label-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmIngressgatewayLabel
metadata:
  name: asm-ingressgateway-label-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: istio
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  name: istio-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: asm-ingressgateway
    asm: ingressgateway
  name: asm-ingressgateway
spec:
  containers:
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    asm: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: sleep
    istio: ingressgateway
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

AsmPeerAuthnMeshStrictMtls

ASM Peer Authentication Mesh Strict mTLS v1.0.4

Enforces a mesh-level strict mTLS PeerAuthentication. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # rootNamespace <string>: Anthos Service Mesh root namespace, default value
    # is "istio-system" if not specified.
    rootNamespace: <string>
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Referential constraint

This constraint is referential. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config will need a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "security.istio.io"
        version: "v1beta1"
        kind: "PeerAuthentication"

Examples

asm-peer-authn-mesh-strict-mtls-with-input-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
Allowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: asm-root
spec:
  mtls:
    mode: STRICT
Disallowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-with-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    rootNamespace: asm-root
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: asm-root
spec:
  mtls:
    mode: PERMISSIVE
asm-peer-authn-mesh-strict-mtls-no-input-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
Allowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
Disallowed
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnMeshStrictMtls
metadata:
  name: asm-peer-authn-mesh-strict-mtls-no-input-constraint
spec:
  enforcementAction: dryrun
  parameters:
    strictnessLevel: High
---
# Referential Data
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mesh-permissive-mtls
  namespace: istio-system
spec:
  mtls:
    mode: PERMISSIVE

AsmPeerAuthnStrictMtls

ASM Peer Authentication Strict mTLS v1.0.3

Enforces that no PeerAuthentication overrides strict mTLS. See https://istio.io/latest/docs/ops/best-practices/security/#mutual-tls.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of PeerAuthentication strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-peer-authn-strict-mtls-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmPeerAuthnStrictMtls
metadata:
  name: asm-peer-authn-strict-mtls-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
  parameters:
    strictnessLevel: High
Allowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: valid-strict-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
Disallowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-permissive-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: PERMISSIVE
  portLevelMtls:
    "80":
      mode: UNSET
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: invalid-port-disable-mtls-pa
  namespace: foo
spec:
  mtls:
    mode: UNSET
  portLevelMtls:
    "80":
      mode: DISABLE
    "443":
      mode: STRICT
  selector:
    matchLabels:
      app: bar
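The following is an added example, not code from the Policy Controller library or this page: a small Python re-implementation of what the AsmPeerAuthnStrictMtls samples above demonstrate, run over those same PeerAuthentication objects (embedded as dicts constructed from the YAML). At strictnessLevel High, a mesh-level mode of PERMISSIVE and a port-level mode of DISABLE are both rejected, while UNSET passes because it inherits the mesh-wide setting. The page does not describe what the Low level relaxes; the example's treatment of Low (only DISABLE rejected) is an assumption and is marked as such.

```python
# Added example, not the library's Rego: a stand-alone model of the
# AsmPeerAuthnStrictMtls check, run over the page's PeerAuthentication samples.

# Modes that weaken mTLS. At High, the page's samples reject PERMISSIVE
# (mesh-level) and DISABLE (port-level); UNSET is tolerated because it inherits
# the mesh-wide setting. The meaning of Low is not stated on the page;
# "Low rejects only DISABLE" is an assumption made for this example.
WEAK_MODES = {
    "High": {"PERMISSIVE", "DISABLE"},
    "Low": {"DISABLE"},  # assumption, see comment above
}


def strict_mtls_violations(peer_authn, strictness="High"):
    """Return one message per field that overrides strict mTLS."""
    rejected = WEAK_MODES[strictness]
    spec = peer_authn.get("spec", {})
    name = peer_authn["metadata"]["name"]
    violations = []

    # Workload- or namespace-wide mode; a missing field behaves like UNSET.
    mode = spec.get("mtls", {}).get("mode", "UNSET")
    if mode in rejected:
        violations.append(f"{name}: spec.mtls.mode is {mode}")

    # Port-level overrides are checked one by one, since a single DISABLE on
    # one port is enough to expose plaintext traffic on that port.
    for port, cfg in spec.get("portLevelMtls", {}).items():
        port_mode = cfg.get("mode", "UNSET")
        if port_mode in rejected:
            violations.append(f"{name}: portLevelMtls[{port}].mode is {port_mode}")
    return violations


def _pa(name, mode, port80):
    # Builds the page's PeerAuthentication samples (constructed from the YAML above).
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": name, "namespace": "foo"},
        "spec": {
            "mtls": {"mode": mode},
            "portLevelMtls": {"80": {"mode": port80}, "443": {"mode": "STRICT"}},
            "selector": {"matchLabels": {"app": "bar"}},
        },
    }


VALID = _pa("valid-strict-mtls-pa", "UNSET", "UNSET")
PERMISSIVE = _pa("invalid-permissive-mtls-pa", "PERMISSIVE", "UNSET")
PORT_DISABLE = _pa("invalid-port-disable-mtls-pa", "UNSET", "DISABLE")

if __name__ == "__main__":
    for pa in (VALID, PERMISSIVE, PORT_DISABLE):
        print(pa["metadata"]["name"], strict_mtls_violations(pa) or "OK")
```

Note that this template inspects each PeerAuthentication on its own; a mesh-wide STRICT policy is the job of AsmPeerAuthnMeshStrictMtls above, and both are needed to guarantee that no workload falls back to plaintext.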

AsmRequestAuthnProhibitedOutputHeaders

ASM RequestAuthentication Prohibited Output Headers v1.0.2

Enforces that the jwtRules.outputPayloadToHeader field in RequestAuthentication does not contain common HTTP request headers or custom prohibited headers. See https://istio.io/latest/docs/reference/config/security/jwt/#JWTRule.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # prohibitedHeaders <array>: User predefined prohibited headers.
    prohibitedHeaders:
      - <string>

Examples

asm-request-authn-prohibited-output-headers-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmRequestAuthnProhibitedOutputHeaders
metadata:
  name: asm-request-authn-prohibited-output-headers-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - RequestAuthentication
  parameters:
    prohibitedHeaders:
    - Bad-Header
    - X-Bad-Header
Allowed
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: valid-request-authn
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Good-Header
  selector:
    matchLabels:
      app: istio-ingressgateway
Disallowed
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: Host
  selector:
    matchLabels:
      app: istio-ingressgateway

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: deny-predefined-output-header
  namespace: istio-system
spec:
  jwtRules:
  - issuer: example.com
    outputPayloadToHeader: X-Bad-Header
  selector:
    matchLabels:
      app: istio-ingressgateway

AsmSidecarInjection

ASM Sidecar Injection v1.0.2

Enforces that the istio proxy sidecar is always injected into workload pods.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # strictnessLevel <string>: Level of sidecar injection strictness.
    # Allowed Values: Low, High
    strictnessLevel: <string>

Examples

asm-sidecar-injection-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AsmSidecarInjection
metadata:
  name: asm-sidecar-injection-sample
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    strictnessLevel: High
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "true"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP

apiVersion: v1
kind: Pod
metadata:
  annotations:
    "false": "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep
  - image: gcr.io/gke-release/asm/proxyv2:release
    name: istio-proxy
    ports:
    - containerPort: 15090
      name: http-envoy-prom
      protocol: TCP
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    sidecar.istio.io/inject: "false"
  name: sleep
spec:
  containers:
  - image: curlimages/curl
    name: sleep

DestinationRuleTLSEnabled

Destination Rule TLS Enabled v1.0.1

Prohibits disabling TLS for all hosts and host subsets in Istio DestinationRules.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

dr-tls-enabled
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DestinationRuleTLSEnabled
metadata:
  name: dr-tls-enabled
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - networking.istio.io
      kinds:
      - DestinationRule
Disallowed
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-subset-tls-disable
  namespace: default
spec:
  host: myservice
  subsets:
  - name: v1
    trafficPolicy:
      tls:
        mode: DISABLE
  - name: v2
    trafficPolicy:
      tls:
        mode: SIMPLE

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-traffic-tls-disable
  namespace: default
spec:
  host: myservice
  trafficPolicy:
    tls:
      mode: DISABLE

DisallowedAuthzPrefix

Disallow Istio AuthorizationPolicy Prefixes v1.0.2

Requires that principals and namespaces in Istio AuthorizationPolicy rules do not have a prefix from the specified list. https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedprefixes <array>: Disallowed prefixes of principals and
    # namespaces.
    disallowedprefixes:
      - <string>

Examples

disallowed-authz-prefix-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DisallowedAuthzPrefix
metadata:
  name: disallowed-authz-prefix-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy
  parameters:
    disallowedprefixes:
    - badprefix
    - reallybadprefix
Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
Disallowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-principal
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/badprefix-sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bad-source-namespace
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - badprefix-test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1
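The following is an added example, not the library's Rego or any code from this page: a Python model of the DisallowedAuthzPrefix check, run over the three AuthorizationPolicy samples above (embedded as dicts constructed from the YAML). The samples flag `cluster.local/ns/default/sa/badprefix-sleep` for the prefix `badprefix`, so the prefix is compared against the service account name at the end of the SPIFFE-style principal rather than against the whole principal string; that reading is inferred from the samples and is an assumption of this example, as is the message format.

```python
# Added example, not the library's Rego: a stand-alone model of the
# DisallowedAuthzPrefix check over the page's AuthorizationPolicy samples.


def _sa_name(principal):
    # "cluster.local/ns/default/sa/sleep" -> "sleep". Comparing the prefix
    # against the last path segment is inferred from the page's samples
    # (assumption); a bare name without slashes is returned unchanged.
    return principal.rsplit("/", 1)[-1]


def authz_prefix_violations(policy, disallowed_prefixes):
    """Return one message per source entry whose principal or namespace uses a disallowed prefix."""
    name = policy["metadata"]["name"]
    violations = []
    for rule_idx, rule in enumerate(policy.get("spec", {}).get("rules", [])):
        for src_idx, entry in enumerate(rule.get("from", [])):
            source = entry.get("source", {})
            for principal in source.get("principals", []):
                sa = _sa_name(principal)
                for prefix in disallowed_prefixes:
                    if sa.startswith(prefix):
                        violations.append(
                            f"{name}: rules[{rule_idx}].from[{src_idx}] principal {principal} "
                            f"uses disallowed prefix {prefix}")
            for ns in source.get("namespaces", []):
                for prefix in disallowed_prefixes:
                    if ns.startswith(prefix):
                        violations.append(
                            f"{name}: rules[{rule_idx}].from[{src_idx}] namespace {ns} "
                            f"uses disallowed prefix {prefix}")
    return violations


def _policy(name, principal, namespace):
    # Builds the page's samples (constructed from the YAML above); the to/when
    # sections are kept for realism but play no part in the check.
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": name, "namespace": "foo"},
        "spec": {
            "rules": [{
                "from": [
                    {"source": {"principals": [principal]}},
                    {"source": {"namespaces": [namespace]}},
                ],
                "to": [{"operation": {"methods": ["GET"], "paths": ["/info*"]}},
                       {"operation": {"methods": ["POST"], "paths": ["/data"]}}],
                "when": [{"key": "request.auth.claims[iss]",
                          "values": ["https://accounts.google.com"]}],
            }],
            "selector": {"matchLabels": {"app": "httpbin", "version": "v1"}},
        },
    }


PREFIXES = ["badprefix", "reallybadprefix"]
GOOD = _policy("good", "cluster.local/ns/default/sa/sleep", "test")
BAD_PRINCIPAL = _policy("bad-source-principal",
                        "cluster.local/ns/default/sa/badprefix-sleep", "test")
BAD_NAMESPACE = _policy("bad-source-namespace",
                        "cluster.local/ns/default/sa/sleep", "badprefix-test")

if __name__ == "__main__":
    for policy in (GOOD, BAD_PRINCIPAL, BAD_NAMESPACE):
        print(policy["metadata"]["name"], authz_prefix_violations(policy, PREFIXES) or "OK")
```

Only `from.source` entries are inspected, matching the template's description; `notPrincipals` and `notNamespaces` are negations and an entry there does not grant access to the named identity.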

GCPStorageLocationConstraintV1

GCP Storage Location Constraint v1.0.3

Restricts the allowed locations of StorageBucket Config Connector resources to the list of locations provided in the constraint. Bucket names in the exemptions list are exempt.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <array>: A list of bucket names that are exempt from this
    # constraint.
    exemptions:
      - <string>
    # locations <array>: A list of locations that a bucket is permitted to
    # have.
    locations:
      - <string>

Examples

singapore-and-jakarta-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPStorageLocationConstraintV1
metadata:
  name: singapore-and-jakarta-only
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - storage.cnrm.cloud.google.com
      kinds:
      - StorageBucket
  parameters:
    exemptions:
    - my_project_id_cloudbuild
    locations:
    - asia-southeast1
    - asia-southeast2
Allowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-permitted-location
spec:
  location: asia-southeast1
Disallowed
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-in-disallowed-location
spec:
  location: us-central1

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: bucket-without-specific-location
spec: null

GkeSpotVMTerminationGrace

Restricts terminationGracePeriodSeconds for GKE Spot VMs v1.1.3

Requires that Pods and Pod templates with a gke-spot nodeSelector or nodeAffinity have a terminationGracePeriodSeconds of no more than 15 seconds.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # includePodOnSpotNodes <boolean>: Require `terminationGracePeriodSeconds`
    # of 15s or less for all `Pod` on a `gke-spot` Node.
    includePodOnSpotNodes: <boolean>

Referential constraint

This constraint is referential. Before using it, you must enable referential constraints and create a config that tells Policy Controller which kinds of objects to watch.

Your Policy Controller Config will need a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Node"

Examples

spotvm-termination-grace
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GkeSpotVMTerminationGrace
metadata:
  name: spotvm-termination-grace
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    includePodOnSpotNodes: true
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: example-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 15

apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default

apiVersion: v1
kind: Pod
metadata:
  name: example-with-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 15
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default

apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  name: default
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx
  terminationGracePeriodSeconds: 30

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/gke-spot
            operator: In
            values:
            - "true"
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: example-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  nodeSelector:
    cloud.google.com/gke-spot: "true"
  terminationGracePeriodSeconds: 30

apiVersion: v1
kind: Pod
metadata:
  name: example-without-termGrace
spec:
  Nodename: default
  containers:
  - image: nginx
    name: nginx
---
# Referential Data
apiVersion: v1
kind: Node
metadata:
  labels:
    cloud.google.com/gke-spot: "true"
  name: default
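The following is an added example, not the library's Rego or code from this page: a Python model of the GkeSpotVMTerminationGrace check, including the referential Node lookup that the syncOnly entry above makes possible. It runs over the page's Pod samples (embedded as dicts constructed from the YAML). Two details the samples rely on are made explicit: a Pod that omits terminationGracePeriodSeconds gets the Kubernetes default of 30 seconds, which is why the samples without the field are disallowed, and the Node lookup only happens when includePodOnSpotNodes is true. The example uses the Kubernetes API field name spec.nodeName; the page's fixtures spell it Nodename and are left as they appear.

```python
# Added example, not the library's Rego: a stand-alone model of the
# GkeSpotVMTerminationGrace check with a referential Node lookup.

SPOT_LABEL = "cloud.google.com/gke-spot"
MAX_GRACE_SECONDS = 15
K8S_DEFAULT_GRACE = 30  # Kubernetes default when the field is omitted


def _targets_spot(spec, nodes, include_pod_on_spot_nodes):
    """True when the Pod spec targets Spot VMs via selector, affinity, or its bound Node."""
    if spec.get("nodeSelector", {}).get(SPOT_LABEL) == "true":
        return True
    terms = (spec.get("affinity", {}).get("nodeAffinity", {})
             .get("requiredDuringSchedulingIgnoredDuringExecution", {})
             .get("nodeSelectorTerms", []))
    for term in terms:
        for expr in term.get("matchExpressions", []):
            if (expr.get("key") == SPOT_LABEL and expr.get("operator") == "In"
                    and "true" in expr.get("values", [])):
                return True
    # Referential part: `nodes` stands in for the synced Node objects, keyed by name.
    # The API field is spec.nodeName (the page's fixtures spell it "Nodename").
    if include_pod_on_spot_nodes and spec.get("nodeName") in nodes:
        node = nodes[spec["nodeName"]]
        return node.get("metadata", {}).get("labels", {}).get(SPOT_LABEL) == "true"
    return False


def spot_grace_violation(pod, nodes, include_pod_on_spot_nodes=True):
    """Return a violation message, or None when the Pod complies."""
    spec = pod["spec"]
    if not _targets_spot(spec, nodes, include_pod_on_spot_nodes):
        return None
    grace = spec.get("terminationGracePeriodSeconds", K8S_DEFAULT_GRACE)
    if grace > MAX_GRACE_SECONDS:
        return (f"{pod['metadata']['name']}: effective terminationGracePeriodSeconds is {grace}, "
                f"must be <= {MAX_GRACE_SECONDS} for Spot VM workloads")
    return None


def _pod(name, grace=None, **spec_extra):
    # Builds the page's Pod samples (constructed from the YAML above).
    spec = {"containers": [{"image": "nginx", "name": "nginx"}], **spec_extra}
    if grace is not None:
        spec["terminationGracePeriodSeconds"] = grace
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


SPOT_AFFINITY = {"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {
    "nodeSelectorTerms": [{"matchExpressions": [
        {"key": SPOT_LABEL, "operator": "In", "values": ["true"]}]}]}}}

# Referential data constructed from the page's samples: a Node named "default"
# with the Spot label, and one without it.
SPOT_NODES = {"default": {"metadata": {"name": "default", "labels": {SPOT_LABEL: "true"}}}}
PLAIN_NODES = {"default": {"metadata": {"name": "default"}}}

SELECTOR_OK = _pod("example-allowed", 15, nodeSelector={SPOT_LABEL: "true"})
ON_SPOT_NODE_OK = _pod("example-with-termGrace", 15, nodeName="default")
ON_PLAIN_NODE_OK = _pod("example-without-termGrace", nodeName="default")
AFFINITY_30 = _pod("example-disallowed", 30, affinity=SPOT_AFFINITY)
AFFINITY_DEFAULT = _pod("example-disallowed", affinity=SPOT_AFFINITY)
ON_SPOT_NODE_DEFAULT = _pod("example-without-termGrace", nodeName="default")

if __name__ == "__main__":
    print(spot_grace_violation(SELECTOR_OK, {}))
    print(spot_grace_violation(AFFINITY_DEFAULT, {}))
    print(spot_grace_violation(ON_SPOT_NODE_DEFAULT, SPOT_NODES))
    print(spot_grace_violation(ON_PLAIN_NODE_OK, PLAIN_NODES))
```

Without the Node sync, a Pod that is pinned to a Spot node only through spec.nodeName is invisible to the check; that is what the includePodOnSpotNodes parameter and the syncOnly entry buy you.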

K8sAllowedRepos

Allowed Repositories v1.0.1

Requires container images to begin with a string from the specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Examples

repo-is-openpolicyagent
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: repo-is-openpolicyagent
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    repos:
    - openpolicyagent/
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginxinit
    resources:
      limits:
        cpu: 100m
        memory: 30Mi

apiVersion: v1
kind: Pod
metadata:
  name: nginx-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  ephemeralContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
  initContainers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
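The following is an added example, not the library's Rego or code from this page: a Python model of the K8sAllowedRepos check over the page's Pod samples (embedded as dicts constructed from the YAML). The point the samples make is that every container list counts: containers, initContainers and ephemeralContainers are all inspected, because an init or ephemeral container pulled from an unvetted registry runs in the same Pod with the same access. The message format is this example's own.

```python
# Added example, not the library's Rego: a stand-alone model of the
# K8sAllowedRepos check over the page's Pod samples.

# All three container lists share the Pod's network, volumes and service
# account, so an allowlist that skipped any of them would be trivially bypassed.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")


def allowed_repos_violations(pod, repos):
    """Return one message per container whose image has none of the allowed prefixes."""
    name = pod["metadata"]["name"]
    violations = []
    for field in CONTAINER_LISTS:
        for container in pod.get("spec", {}).get(field, []):
            image = container.get("image", "")
            if not any(image.startswith(prefix) for prefix in repos):
                violations.append(
                    f"{name}: {field}/{container.get('name')} image {image} "
                    f"is not from an allowed repo {repos}")
    return violations


def _pod(name, containers, init=None, ephemeral=None):
    # Builds the page's Pod samples (constructed from the YAML above); the
    # resources.limits blocks are omitted because the check ignores them.
    spec = {"containers": containers}
    if init:
        spec["initContainers"] = init
    if ephemeral:
        spec["ephemeralContainers"] = ephemeral
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


OPA = {"image": "openpolicyagent/opa:0.9.2", "name": "opa",
       "args": ["run", "--server", "--addr=localhost:8080"]}
NGINX = {"image": "nginx", "name": "nginx"}
NGINX_INIT = {"image": "nginx", "name": "nginxinit"}

REPOS = ["openpolicyagent/"]
OPA_ALLOWED = _pod("opa-allowed", [OPA])
NGINX_MAIN = _pod("nginx-disallowed", [NGINX])
OPA_WITH_NGINX_INIT = _pod("nginx-disallowed", [OPA], init=[NGINX_INIT])
NGINX_EVERYWHERE = _pod("nginx-disallowed", [NGINX], init=[NGINX], ephemeral=[NGINX])

if __name__ == "__main__":
    for pod in (OPA_ALLOWED, NGINX_MAIN, OPA_WITH_NGINX_INIT, NGINX_EVERYWHERE):
        print(allowed_repos_violations(pod, REPOS) or f"{pod['metadata']['name']}: OK")
```

Because the comparison is a plain string prefix, keep the trailing slash in each entry as the sample `openpolicyagent/` does: a prefix of `openpolicyagent` alone would also accept an image such as `openpolicyagentevil/opa`. For the same reason, prefer full registry hosts (`gcr.io/my-project/`) over bare Docker Hub namespaces.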

K8sAvoidUseOfSystemMastersGroup

Disallow the use of 'system:masters' group v1.0.0

Disallows use of the 'system:masters' group. Has no effect during audit.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowlistedUsernames <array>: allowlistedUsernames is the list of
    # usernames that are allowed to use system:masters group.
    allowlistedUsernames:
      - <string>

Examples

avoid-use-of-system-masters-group
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAvoidUseOfSystemMastersGroup
metadata:
  name: avoid-use-of-system-masters-group
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockAllIngress

Block all Ingress v1.0.4

Disallows the creation of Ingress objects (Ingress, Gateway, and Services of type NodePort or LoadBalancer).

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowList <array>: A list of regular expressions for the Ingress object
    # names that are exempt from the constraint.
    allowList:
      - <string>

Examples

block-all-ingress
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockAllIngress
metadata:
  name: block-all-ingress
spec:
  enforcementAction: dryrun
  parameters:
    allowList:
    - name1
    - name2
    - name3
    - my-*
Allowed
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: allowed-clusterip-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: ClusterIP
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-service-example
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 9376
  selector:
    app.kubernetes.io/name: MyApp
  type: LoadBalancer

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: disallowed-gateway-example
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.example.com'
    name: default
    port: 80
    protocol: HTTP
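The following is an added example, not the library's Rego or code from this page: a Python model of the K8sBlockAllIngress check over the page's Service and Gateway samples (embedded as dicts constructed from the YAML). The allowList entries are regular expressions, and the sample `my-*` exempts the Service named `my-service`; that only works if the match is unanchored (a search, not a full match), which is the assumption this example makes, consistent with the sample but not spelled out on the page. The usage note below shows why that matters when you write your own patterns.

```python
# Added example, not the library's Rego: a stand-alone model of the
# K8sBlockAllIngress check over the page's samples.
import re

INGRESS_KINDS = {"Ingress", "Gateway"}
INGRESS_SERVICE_TYPES = {"NodePort", "LoadBalancer"}


def is_ingress_object(obj):
    """True for objects that expose a workload outside the cluster."""
    kind = obj.get("kind")
    if kind in INGRESS_KINDS:
        return True
    return kind == "Service" and obj.get("spec", {}).get("type") in INGRESS_SERVICE_TYPES


def block_all_ingress_violation(obj, allow_list):
    """Return a violation message, or None when the object is allowed."""
    if not is_ingress_object(obj):
        return None
    name = obj["metadata"]["name"]
    for pattern in allow_list:
        # Unanchored regex match (assumption, see lead-in): "my-*" accepts "my-service".
        if re.search(pattern, name):
            return None
    return f"{obj['kind']} {name} creates ingress and does not match the allowList {allow_list}"


def _service(name, svc_type):
    # Builds the page's Service samples (constructed from the YAML above).
    return {"apiVersion": "v1", "kind": "Service", "metadata": {"name": name},
            "spec": {"type": svc_type,
                     "ports": [{"port": 80, "targetPort": 9376, "protocol": "TCP"}],
                     "selector": {"app.kubernetes.io/name": "MyApp"}}}


ALLOW_LIST = ["name1", "name2", "name3", "my-*"]
MY_SERVICE_LB = _service("my-service", "LoadBalancer")
CLUSTER_IP = _service("allowed-clusterip-service-example", "ClusterIP")
DISALLOWED_LB = _service("disallowed-service-example", "LoadBalancer")
GATEWAY = {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "Gateway",
           "metadata": {"name": "disallowed-gateway-example"},
           "spec": {"gatewayClassName": "istio",
                    "listeners": [{"name": "default", "port": 80, "protocol": "HTTP",
                                   "hostname": "*.example.com",
                                   "allowedRoutes": {"namespaces": {"from": "All"}}}]}}

if __name__ == "__main__":
    for obj in (MY_SERVICE_LB, CLUSTER_IP, DISALLOWED_LB, GATEWAY):
        print(block_all_ingress_violation(obj, ALLOW_LIST) or f"{obj['metadata']['name']}: OK")
```

With an unanchored search, `my-*` is really "contains `my`": a LoadBalancer Service named `dummy-lb` would also slip through. Anchor the expressions you write (`^my-.*$`) so an exemption means what it appears to say.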

K8sBlockCreationWithDefaultServiceAccount

Block Creation with Default Service Account v1.0.2

Disallows creating resources with the default service account. Has no effect during audit.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-creation-with-default-serviceaccount
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockCreationWithDefaultServiceAccount
metadata:
  name: block-creation-with-default-serviceaccount
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

K8sBlockEndpointEditDefaultRole

Block Endpoint Edit Default Role v1.0.0

By default, many Kubernetes installations have a system:aggregate-to-edit ClusterRole that does not properly restrict the ability to modify Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create, patch, or update Endpoints. ClusterRole/system:aggregate-to-edit should not allow Endpoint edit permissions because of CVE-2021-25740: Endpoint and EndpointSlice permissions allow cross-namespace forwarding. https://github.com/kubernetes/kubernetes/issues/103675

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-endpoint-edit-default-role
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - endpoints
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
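The following is an added example, not the library's Rego or code from this page: a Python model of the K8sBlockEndpointEditDefaultRole check, run over the two ClusterRole samples above (embedded as dicts constructed from the YAML and trimmed to the rules that matter, since the other rules name no endpoints). A ClusterRole named system:aggregate-to-edit is flagged when any rule grants create, patch or update on the endpoints resource. Treating a wildcard `*` resource or verb as covering endpoints is this example's own defensive choice and goes beyond what the page's samples show.

```python
# Added example, not the library's Rego: a stand-alone model of the
# K8sBlockEndpointEditDefaultRole check over the page's ClusterRole samples.

EDIT_VERBS = {"create", "patch", "update"}
TARGET_ROLE = "system:aggregate-to-edit"


def endpoint_edit_violations(cluster_role):
    """Return one message per rule that lets the default edit role modify endpoints."""
    if cluster_role.get("kind") != "ClusterRole":
        return []
    if cluster_role["metadata"]["name"] != TARGET_ROLE:
        return []
    violations = []
    for idx, rule in enumerate(cluster_role.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        # Wildcard handling is an addition of this example, not shown on the page.
        if not (resources & {"endpoints", "*"}):
            continue
        granted = EDIT_VERBS if "*" in verbs else verbs & EDIT_VERBS
        if granted:
            violations.append(
                f"{TARGET_ROLE}: rules[{idx}] grants {sorted(granted)} on endpoints "
                f"(CVE-2021-25740: cross-namespace forwarding)")
    return violations


def _role(apps_resources):
    # Builds the page's samples (constructed from the YAML above): the two
    # differ only in whether the apps-group rule lists "endpoints".
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {
            "name": TARGET_ROLE,
            "labels": {"kubernetes.io/bootstrapping": "rbac-defaults",
                       "rbac.authorization.k8s.io/aggregate-to-edit": "true"},
        },
        "rules": [
            {"apiGroups": [""], "resources": ["pods/attach", "pods/exec", "secrets"],
             "verbs": ["get", "list", "watch"]},
            {"apiGroups": ["apps"], "resources": apps_resources,
             "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        ],
    }


ALLOWED_ROLE = _role(["daemonsets", "deployments", "replicasets", "statefulsets"])
DISALLOWED_ROLE = _role(["daemonsets", "deployments", "endpoints", "replicasets", "statefulsets"])

if __name__ == "__main__":
    for role in (ALLOWED_ROLE, DISALLOWED_ROLE):
        print(endpoint_edit_violations(role) or "OK")
```

The check keys on the role name because the aggregation label is what folds these rules into the cluster-wide edit role; the template description is limited to Endpoints, so a practitioner who also wants endpointslices covered would extend the resource set.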

K8sBlockLoadBalancer

Block Services with type LoadBalancer v1.0.0

Disallows all Services of type LoadBalancer. https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-load-balancer
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockLoadBalancer
metadata:
  name: block-load-balancer
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Allowed
apiVersion: v1
kind: Service
metadata:
  name: my-service-allowed
spec:
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: LoadBalancer

K8sBlockNodePort

Block NodePort v1.0.0

Disallows all Services of type NodePort. https://kubernetes.io/docs/concepts/services-networking/service/#nodeport

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-node-port
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: my-service-disallowed
spec:
  ports:
  - nodePort: 30007
    port: 80
    targetPort: 80
  type: NodePort

K8sBlockObjectsOfType

Block Objects of Type v1.0.1

Disallows objects whose type is in the list of forbidden types.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    forbiddenTypes:
      - <string>

Examples

block-secrets-of-type-basic-auth
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockObjectsOfType
metadata:
  name: block-secrets-of-type-basic-auth
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Secret
  parameters:
    forbiddenTypes:
    - kubernetes.io/basic-auth
Allowed
apiVersion: v1
data:
  password: ZHVtbXlwYXNz
  username: ZHVtbXl1c2Vy
kind: Secret
metadata:
  name: credentials
  namespace: default
type: Opaque
Disallowed
apiVersion: v1
data:
  password: YmFzaWMtcGFzc3dvcmQ=
  username: YmFzaWMtdXNlcm5hbWU=
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: default
type: kubernetes.io/basic-auth

K8sBlockProcessNamespaceSharing

Block Process Namespace Sharing v1.0.1

Disallows Pod specs that set shareProcessNamespace to true. This prevents the scenario in which all containers in a Pod share a single PID namespace and can access each other's filesystems and memory.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-process-namespace-sharing
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockProcessNamespaceSharing
metadata:
  name: block-process-namespace-sharing
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  shareProcessNamespace: true

K8sBlockWildcardIngress

Block Wildcard Ingress v1.0.1

Users must not be able to create Ingresses with a blank or wildcard (*) hostname, because that would let a user who has no access to other services in the cluster intercept traffic destined for those services.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

block-wildcard-ingress
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: myservice.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ""
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: valid.example.com
    http:
      paths:
      - backend:
          service:
            name: example
            port:
              number: 80
        path: /
        pathType: Prefix

K8sContainerEphemeralStorageLimit

Container ephemeral storage limit v1.0.2

Requires containers to set an ephemeral storage limit, and constrains that limit to within a specified maximum. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ephemeral-storage <string>: The maximum allowed ephemeral storage limit
    # on a Pod, exclusive.
    ephemeral-storage: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

container-ephemeral-storage-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerEphemeralStorageLimit
metadata:
  name: container-ephemeral-storage-limit
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ephemeral-storage: 500Mi
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 100Mi
        memory: 1Gi
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: init-opa
    resources:
      limits:
        cpu: 100m
        ephemeral-storage: 1Pi
        memory: 1Gi

K8sContainerLimits

Container Limits v1.0.1

Requires containers to set memory and CPU limits, and constrains those limits to within a specified maximum. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu limit on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory limit on a Pod, exclusive.
    memory: <string>

Examples

container-must-have-limits
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
  name: container-must-have-limits
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 2Gi

K8sContainerRatios

Container Ratios v1.0.1

Sets a maximum ratio of container resource limits to requests. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpuRatio <string>: The maximum allowed ratio of `resources.limits.cpu` to
    # `resources.requests.cpu` on a container. If not specified, equal to
    # `ratio`.
    cpuRatio: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # ratio <string>: The maximum allowed ratio of `resources.limits` to
    # `resources.requests` on a container.
    ratio: <string>

Examples

container-must-meet-ratio
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ratio: "2"
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 800m
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 100Mi
container-must-meet-memory-and-cpu-ratio
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpuRatio: "10"
    ratio: "1"
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: "1"
        memory: 2Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: "4"
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

K8sContainerRequests

Container Requests v1.0.1

Requires containers to set memory and CPU requests, and constrains those requests to within a specified maximum. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cpu <string>: The maximum allowed cpu request on a Pod, exclusive.
    cpu: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # memory <string>: The maximum allowed memory request on a Pod, exclusive.
    memory: <string>

Examples

container-must-have-requests
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    cpu: 200m
    memory: 1Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi
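As an added illustration (not the template library's own Rego, which this page does not show), the following Python evaluates Pods the way the K8sContainerLimits, K8sContainerRequests, K8sContainerRatios and K8sContainerEphemeralStorageLimit examples above describe: it parses Kubernetes quantities exactly, treats a resource that is missing or larger than the maximum as a violation, honours exemptImages prefixes, and compares limits/requests ratios. The sample Pods are constructed to mirror the opa examples; the function and sample names are this example's own.

```python
import re
from fractions import Fraction

# Kubernetes quantity suffixes: "m" is milli, k/M/G/T/P/E are decimal SI,
# Ki/Mi/Gi/Ti/Pi/Ei are binary.
_SUFFIXES = {"": Fraction(1), "m": Fraction(1, 1000)}
for _i, _s in enumerate("kMGTPE", start=1):
    _SUFFIXES[_s] = Fraction(1000 ** _i)
    _SUFFIXES[_s.upper() + "i"] = Fraction(1024 ** _i)
_QUANTITY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)(Ki|Mi|Gi|Ti|Pi|Ei|[mkMGTPE])?$")

def parse_quantity(value):
    """Convert a quantity string such as 100m, 1Gi, 1Pi or "4" to an exact Fraction."""
    match = _QUANTITY.match(str(value).strip())
    if not match:
        raise ValueError(f"unrecognised quantity: {value!r}")
    number, suffix = match.groups()
    return Fraction(number) * _SUFFIXES[suffix or ""]

def containers_of(pod):
    """Yield init, regular and ephemeral containers; the examples above check all three."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])

def image_exempt(image, exempt_images):
    """exemptImages semantics: exact match, or prefix match when the entry ends in '*'."""
    return any(image.startswith(p[:-1]) if p.endswith("*") else image == p
               for p in exempt_images)

def check_max(pod, section, maxima, exempt_images=()):
    """Limits/Requests/EphemeralStorageLimit: every resource named in `maxima` must be
    set under resources.<section> and must not exceed its maximum. Equality passes,
    which matches the allowed example above (memory 1Gi against a 1Gi maximum)."""
    violations = []
    for c in containers_of(pod):
        if image_exempt(c.get("image", ""), exempt_images):
            continue
        values = c.get("resources", {}).get(section, {})
        for resource, bound in maxima.items():
            if resource not in values:
                violations.append(f"{c['name']}: no {section}.{resource} set")
            elif parse_quantity(values[resource]) > parse_quantity(bound):
                violations.append(f"{c['name']}: {section}.{resource} "
                                  f"{values[resource]} exceeds {bound}")
    return violations

def check_ratio(pod, ratio, cpu_ratio=None, exempt_images=()):
    """Ratios: limits/requests must not exceed `ratio` (`cpu_ratio` for cpu, if given).
    Containers that lack one side of a pair are skipped here; presence is what the
    Limits and Requests templates above enforce."""
    bounds = {"cpu": Fraction(cpu_ratio if cpu_ratio is not None else ratio),
              "memory": Fraction(ratio)}
    violations = []
    for c in containers_of(pod):
        if image_exempt(c.get("image", ""), exempt_images):
            continue
        resources = c.get("resources", {})
        limits, requests = resources.get("limits", {}), resources.get("requests", {})
        for name, bound in bounds.items():
            if name not in limits or name not in requests:
                continue
            request = parse_quantity(requests[name])
            # A zero request makes the ratio unbounded, so it is treated as a violation.
            if request == 0 or parse_quantity(limits[name]) / request > bound:
                violations.append(f"{c['name']}: {name} limits/requests exceeds {bound}")
    return violations

def sample_pod(name, limits=None, requests=None, init_limits=None):
    """Constructed minimal Pod dict mirroring the opa examples above (not page data)."""
    resources = {k: v for k, v in (("limits", limits), ("requests", requests)) if v}
    spec = {"containers": [{"name": "opa", "image": "openpolicyagent/opa:0.9.2",
                            "resources": resources}]}
    if init_limits:
        spec["initContainers"] = [{"name": "init-opa", "image": "openpolicyagent/opa:0.9.2",
                                   "resources": {"limits": init_limits}}]
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}

SAMPLES = {
    "limits-ok": sample_pod("opa-allowed", limits={"cpu": "100m", "memory": "1Gi"}),
    "limits-too-big": sample_pod("opa-disallowed", limits={"cpu": "100m", "memory": "2Gi"}),
    "init-ephemeral-1Pi": sample_pod(
        "opa-disallowed", limits={"cpu": "100m", "ephemeral-storage": "100Mi", "memory": "1Gi"},
        init_limits={"cpu": "100m", "ephemeral-storage": "1Pi", "memory": "1Gi"}),
    "ratio-ok": sample_pod("opa-allowed", limits={"cpu": "200m", "memory": "200Mi"},
                           requests={"cpu": "100m", "memory": "100Mi"}),
    "ratio-too-big": sample_pod("opa-disallowed", limits={"cpu": "800m", "memory": "2Gi"},
                                requests={"cpu": "100m", "memory": "100Mi"}),
    "cpu-ratio-too-big": sample_pod("opa-disallowed", limits={"cpu": "4", "memory": "2Gi"},
                                    requests={"cpu": "100m", "memory": "2Gi"}),
}

if __name__ == "__main__":
    for key, pod in SAMPLES.items():
        print(key, check_max(pod, "limits", {"cpu": "200m", "memory": "1Gi"}),
              check_ratio(pod, "2"))
```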

K8sCronJobAllowedRepos

CronJob Allowed Repositories v1.0.1

Requires the container images of CronJobs to begin with a string from the specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is allowed to have.
    repos:
      - <string>

Examples

cronjob-restrict-repos
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sCronJobAllowedRepos
metadata:
  name: cronjob-restrict-repos
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
  parameters:
    repos:
    - gke.gcr.io/
Allowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: gke.gcr.io/busybox:1.28
            name: hello
  schedule: '* * * * *'
Disallowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - image: busybox:1.28
            name: hello
  schedule: '* * * * *'

K8sDisallowAnonymous

Disallow Anonymous Access v1.0.0

Disallows associating ClusterRole and Role resources with the system:anonymous user and the system:unauthenticated group.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRoles <array>: The list of ClusterRoles and Roles that may be
    # associated with the `system:unauthenticated` group and `system:anonymous`
    # user.
    allowedRoles:
      - <string>

Examples

no-anonymous
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRoleBinding
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
  parameters:
    allowedRoles:
    - cluster-role-1
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowInteractiveTTY

Disallow Interactive TTY Containers v1.0.0

Requires objects to have the fields spec.tty and spec.stdin set to false or left unset.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

no-interactive-tty-containers
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowInteractiveTTY
metadata:
  name: no-interactive-tty-containers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-interactive-tty
  name: nginx-interactive-tty-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: false
    tty: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    stdin: true
    tty: true

K8sDisallowedRepos

Disallowed Repositories v1.0.0

Disallows container images from repositories that begin with a string from the specified list.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # repos <array>: The list of prefixes a container image is not allowed to
    # have.
    repos:
      - <string>

Examples

repo-must-not-be-k8s-gcr-io
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    repos:
    - k8s.gcr.io/
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-allowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: registry.k8s.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomizeinit

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  ephemeralContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize
  initContainers:
  - image: k8s.gcr.io/kustomize/kustomize:v3.8.9
    name: kustomize

K8sDisallowedRoleBindingSubjects

Disallowed Rolebinding Subjects v1.0.1

Disallows RoleBindings and ClusterRoleBindings whose subjects match the disallowedSubjects passed as a parameter.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # disallowedSubjects <array>: A list of subjects that cannot appear in a
    # RoleBinding.
    disallowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the disallowed role
        # binding subject. Currently ignored.
        apiGroup: <string>
        # kind <string>: The kind of the disallowed role binding subject.
        kind: <string>
        # name <string>: The name of the disallowed role binding subject.
        name: <string>

Examples

disallowed-rolebinding-subjects
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRoleBindingSubjects
metadata:
  name: disallowed-rolebinding-subjects
spec:
  parameters:
    disallowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:unauthenticated
Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

K8sDisallowedTags

Disallow tags v1.0.1

Requires container images to have an image tag that is not in the specified list. https://kubernetes.io/docs/concepts/containers/images/#image-names

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # tags <array>: Disallowed container image tags.
    tags:
      - <string>

Examples

container-image-must-not-have-latest-tag
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedTags
metadata:
  name: container-image-must-not-have-latest-tag
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    exemptImages:
    - openpolicyagent/opa-exp:latest
    - openpolicyagent/opa-exp2:latest
    tags:
    - latest
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-exempt-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa-exp
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:v1
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-2
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-ephemeral
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:latest
    name: opa

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed-3
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp:latest
    name: opa
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/init:latest
    name: opa-init
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa-exp2:latest
    name: opa-exp2
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/monitor:latest
    name: opa-monitor
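An added example, not code from the template library: Python that applies the image checks of K8sDisallowedRepos, K8sCronJobAllowedRepos and K8sDisallowedTags to Pod-style container lists, including the two cases the examples above turn on, an untagged image (which the runtime pulls as latest) and exemptImages entries. The registry-with-port and digest-pinned references are constructed inputs with placeholder values; function and sample names are this example's own.

```python
def containers_of(pod):
    """Yield init, regular and ephemeral containers; the examples above check all three."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(field, [])

def image_exempt(image, exempt_images):
    """exemptImages semantics: exact match, or prefix match when the entry ends in '*'."""
    return any(image.startswith(p[:-1]) if p.endswith("*") else image == p
               for p in exempt_images)

def split_image(image):
    """Split an image reference into (name, tag, digest), each None when absent.

    A ':' only introduces a tag when it comes after the last '/'; otherwise it is
    the port of a registry host such as registry.example.com:5000/team/app.
    """
    name, digest = image, None
    if "@" in name:
        name, digest = name.split("@", 1)
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    return name, tag, digest

def repo_violations(pod, prefixes, allowed):
    """allowed=True: every image must start with one of `prefixes` (allowed-repos
    style, as K8sCronJobAllowedRepos does for CronJobs). allowed=False: no image
    may start with one (K8sDisallowedRepos)."""
    out = []
    for c in containers_of(pod):
        matched = any(c["image"].startswith(p) for p in prefixes)
        if matched != allowed:
            out.append(f"{c['name']}: {c['image']} "
                       + ("is not in an allowed repo" if allowed else "is in a disallowed repo"))
    return out

def tag_violations(pod, disallowed_tags, exempt_images=()):
    """K8sDisallowedTags: an untagged image (pulled as :latest) or a listed tag violates.
    Digest-pinned images carry no tag and pass here (an assumption of this example)."""
    out = []
    for c in containers_of(pod):
        image = c["image"]
        if image_exempt(image, exempt_images):
            continue
        _, tag, digest = split_image(image)
        if tag is None and digest is None:
            out.append(f"{c['name']}: {image} has no tag and would pull latest")
        elif tag in disallowed_tags:
            out.append(f"{c['name']}: {image} uses disallowed tag {tag}")
    return out

def sample_pod(name, images, init_images=(), ephemeral_images=()):
    """Constructed minimal Pod dict; only the fields the checks read are populated."""
    def mk(kind, imgs):
        return [{"name": f"{kind}-{i}", "image": img} for i, img in enumerate(imgs)]
    spec = {"containers": mk("c", images)}
    if init_images:
        spec["initContainers"] = mk("init", init_images)
    if ephemeral_images:
        spec["ephemeralContainers"] = mk("debug", ephemeral_images)
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}

EXEMPT = ["openpolicyagent/opa-exp:latest", "openpolicyagent/opa-exp2:latest"]
SAMPLES = {
    # Mirrors the K8sDisallowedTags examples above.
    "opa-allowed": sample_pod("opa-allowed", ["openpolicyagent/opa:0.9.2"]),
    "opa-exempt-allowed": sample_pod("opa-exempt-allowed", [
        "openpolicyagent/opa-exp:latest", "openpolicyagent/init:v1",
        "openpolicyagent/opa-exp2:latest"]),
    "opa-untagged": sample_pod("opa-disallowed", ["openpolicyagent/opa"]),
    "opa-ephemeral-latest": sample_pod("opa-disallowed-ephemeral", ["openpolicyagent/opa:0.9.2"],
                                       ephemeral_images=["openpolicyagent/opa:latest"]),
    "opa-disallowed-3": sample_pod("opa-disallowed-3", [
        "openpolicyagent/opa-exp:latest", "openpolicyagent/init:latest",
        "openpolicyagent/opa-exp2:latest", "openpolicyagent/monitor:latest"]),
    # Mirrors the K8sDisallowedRepos example with a k8s.gcr.io init container.
    "kustomize-init-bad": sample_pod("kustomize-disallowed",
                                     ["registry.k8s.io/kustomize/kustomize:v3.8.9"],
                                     init_images=["k8s.gcr.io/kustomize/kustomize:v3.8.9"]),
    # Constructed edge cases: a registry with a port, and a digest-pinned image
    # (the digest is a placeholder, not a real one).
    "private-registry": sample_pod("private", ["registry.example.com:5000/team/app:1.2",
                                               "gke.gcr.io/busybox@sha256:0123abcd"]),
}

if __name__ == "__main__":
    for key, pod in SAMPLES.items():
        print(key, tag_violations(pod, ["latest"], EXEMPT),
              repo_violations(pod, ["k8s.gcr.io/"], allowed=False))
```

For a CronJob, extract spec.jobTemplate.spec.template first; the checks read Pod-shaped spec fields only.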

K8sEmptyDirHasSizeLimit

Empty Directory has Size Limit v1.0.5

Requires every emptyDir volume to specify a sizeLimit; optionally, the maxSizeLimit parameter of the constraint sets the largest permitted size.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptVolumesRegex <array>: Exempt Volume names as regex match.
    exemptVolumesRegex:
      - <string>
    # maxSizeLimit <string>: When set, the declared size limit for each volume
    # must be less than `maxSizeLimit`.
    maxSizeLimit: <string>

Examples

empty-dir-has-size-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirHasSizeLimit
metadata:
  name: empty-dir-has-size-limit
spec:
  match:
    excludedNamespaces:
    - istio-system
    - kube-system
    - gatekeeper-system
  parameters:
    exemptVolumesRegex:
    - ^istio-[a-z]+$
    maxSizeLimit: 4Gi
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir:
      sizeLimit: 2Gi
    name: good-pod-volume

apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: istio-envoy
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - emptyDir: {}
    name: bad-pod-volume

K8sEnforceCloudArmorBackendConfig

Enforce Cloud Armor on BackendConfig Resources v1.0.2

Enforces Cloud Armor configuration on BackendConfig resources.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

enforce-cloudarmor-backendconfig
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceCloudArmorBackendConfig
metadata:
  name: enforce-cloudarmor-backendconfig
spec:
  enforcementAction: dryrun
Allowed
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: example-security-policy

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: second-backendconfig
spec:
  securityPolicy:
    name: my-security-policy
Disallowed
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: null

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
  namespace: examplenamespace
spec:
  securityPolicy:
    name: ""

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backendconfig
spec:
  logging:
    enable: true
    sampleRate: 0.5

K8sEnforceConfigManagement

Enforce Config Management v1.1.6

要求 Config Management 存在并运行。 无论 enforcementAction 值如何,使用此 ConstraintTemplate 的限制条件都将仅进行审核。

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requireDriftPrevention <boolean>: Require Config Sync drift prevention to
    # prevent config drift.
    requireDriftPrevention: <boolean>
    # requireRootSync <boolean>: Require a Config Sync `RootSync` object for
    # cluster config management.
    requireRootSync: <boolean>

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential-constraint creation in your configuration so that Policy Controller knows which kinds of objects to watch.

Your Policy Controller Config will need a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "configsync.gke.io"
        version: "v1beta1"
        kind: "RootSync"

Examples

enforce-config-management
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEnforceConfigManagement
metadata:
  name: enforce-config-management
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - configmanagement.gke.io
      kinds:
      - ConfigManagement
Allowed
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    proxy: {}
    syncRepo: [email protected]:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2
  healthy: true
Disallowed
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  annotations:
    configmanagement.gke.io/managed-by-hub: "true"
    configmanagement.gke.io/update-time: "1663586155"
  name: config-management
spec:
  binauthz:
    enabled: true
  clusterName: tec6ea817b5b4bb2-cluster
  enableMultiRepo: true
  git:
    syncRepo: [email protected]:/git-server/repos/sot.git
  hierarchyController: {}
  policyController:
    auditIntervalSeconds: 60
    enabled: true
    monitoring:
      backends:
      - prometheus
      - cloudmonitoring
    mutation: {}
    referentialRulesEnabled: true
    templateLibraryInstalled: true
status:
  configManagementVersion: v1.12.2-rc.2

K8sExternalIPs

External IPs v1.0.0

Restricts Service externalIPs to an allowed list of IP addresses. https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedIPs <array>: An allow-list of external IP addresses.
    allowedIPs:
      - <string>

Examples

external-ips
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: external-ips
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    allowedIPs:
    - 203.0.113.0
Allowed
apiVersion: v1
kind: Service
metadata:
  name: allowed-external-ip
spec:
  externalIPs:
  - 203.0.113.0
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: disallowed-external-ip
spec:
  externalIPs:
  - 1.1.1.1
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: MyApp

K8sHorizontalPodAutoscaler

Horizontal Pod Autoscaler v1.0.1

Disallows the following scenarios when deploying HorizontalPodAutoscalers:
1. Deploying HorizontalPodAutoscalers whose .spec.minReplicas or .spec.maxReplicas lies outside the ranges defined in the constraint.
2. Deploying HorizontalPodAutoscalers where the difference between .spec.minReplicas and .spec.maxReplicas is smaller than the configured minimumReplicaSpread.
3. Deploying HorizontalPodAutoscalers that do not reference a valid scaleTargetRef (for example a Deployment, ReplicationController, ReplicaSet, or StatefulSet).

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # enforceScaleTargetRef <boolean>: If set to true it validates the HPA
    # scaleTargetRef exists
    enforceScaleTargetRef: <boolean>
    # minimumReplicaSpread <integer>: If configured it enforces the minReplicas
    # and maxReplicas in an HPA must have a spread of at least this many
    # replicas
    minimumReplicaSpread: <integer>
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential-constraint creation in your configuration so that Policy Controller knows which kinds of objects to watch.

Your Policy Controller Config will need a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "apps"
        version: "v1"
        kind: "Deployment"
      OR
      - group: "apps"
        version: "v1"
        kind: "StatefulSet"

Examples

horizontal-pod-autoscaler
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHorizontalPodAutoscaler
metadata:
  name: horizontal-pod-autoscaler
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    enforceScaleTargetRef: true
    minimumReplicaSpread: 1
    ranges:
    - max_replicas: 6
      min_replicas: 3
Allowed
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-allowed
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
Disallowed
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicas
  namespace: default
spec:
  maxReplicas: 7
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-replicaspread
  namespace: default
spec:
  maxReplicas: 4
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 4
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa-disallowed-scaletarget
  namespace: default
spec:
  maxReplicas: 6
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 900
        type: Utilization
    type: Resource
  minReplicas: 3
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment-missing
---
# Referential Data
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
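The three HPA rules above, modelled in Python and run over constructed objects shaped like the page's HPA and Deployment examples (an added illustration, not the template's own Rego, which this page does not show); reading rule 1 as "each of minReplicas and maxReplicas must fall inside some configured range" and treating a missing minReplicas as 1 are assumptions of this example:

```python
# Added example: a Python model of the K8sHorizontalPodAutoscaler rules
# described above, not Policy Controller's own Rego implementation.

# Constraint parameters mirroring the page's horizontal-pod-autoscaler example.
PARAMS = {
    "enforceScaleTargetRef": True,
    "minimumReplicaSpread": 1,
    "ranges": [{"min_replicas": 3, "max_replicas": 6}],
}

# Referential data: objects Policy Controller has been told to sync, keyed by
# (apiVersion, kind, namespace, name). Only the page's nginx-deployment exists.
REFERENTIAL = {("apps/v1", "Deployment", "default", "nginx-deployment")}


def make_hpa(name, min_r, max_r, target="nginx-deployment", namespace="default"):
    """Build a minimal autoscaling/v2 HPA object (constructed test data)."""
    return {
        "apiVersion": "autoscaling/v2",
        "kind": "HorizontalPodAutoscaler",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "minReplicas": min_r,
            "maxReplicas": max_r,
            "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment",
                               "name": target},
        },
    }


def in_some_range(value, ranges):
    """True if value lies inside at least one inclusive [min_replicas, max_replicas]."""
    return any(r["min_replicas"] <= value <= r["max_replicas"] for r in ranges)


def hpa_violations(hpa, params=PARAMS, referential=REFERENTIAL):
    """Return the list of rule violations for one HPA; an empty list means allowed."""
    spec = hpa["spec"]
    min_r = spec.get("minReplicas", 1)  # assumption: Kubernetes defaults minReplicas to 1
    max_r = spec["maxReplicas"]
    msgs = []

    # Rule 1: minReplicas and maxReplicas must each sit inside an allowed range.
    ranges = params.get("ranges") or []
    if ranges:
        for field, value in (("minReplicas", min_r), ("maxReplicas", max_r)):
            if not in_some_range(value, ranges):
                msgs.append(f".spec.{field}={value} is outside the allowed ranges")

    # Rule 2: the spread between max and min must reach minimumReplicaSpread.
    spread = params.get("minimumReplicaSpread")
    if spread is not None and max_r - min_r < spread:
        msgs.append(f"replica spread {max_r - min_r} is below "
                    f"minimumReplicaSpread={spread}")

    # Rule 3: scaleTargetRef must name an object present in the synced data,
    # looked up in the HPA's own namespace.
    if params.get("enforceScaleTargetRef"):
        ref = spec.get("scaleTargetRef", {})
        key = (ref.get("apiVersion"), ref.get("kind"),
               hpa["metadata"].get("namespace"), ref.get("name"))
        if key not in referential:
            msgs.append(f"scaleTargetRef {ref.get('kind')}/{ref.get('name')} "
                        "does not exist")
    return msgs


if __name__ == "__main__":
    # The four HPAs from the page: one allowed, three disallowed for one rule each.
    for hpa in (
        make_hpa("nginx-hpa-allowed", 3, 6),
        make_hpa("nginx-hpa-disallowed-replicas", 2, 7),
        make_hpa("nginx-hpa-disallowed-replicaspread", 4, 4),
        make_hpa("nginx-hpa-disallowed-scaletarget", 3, 6,
                 target="nginx-deployment-missing"),
    ):
        print(hpa["metadata"]["name"], hpa_violations(hpa) or "allowed")
```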

K8sHttpsOnly

HTTPS Only v1.0.2

Requires Ingress resources to be HTTPS only. Ingress resources must include the kubernetes.io/ingress.allow-http annotation, set to false. By default a valid TLS {} configuration is required; it can be made optional by setting the tlsOptional parameter to true. https://kubernetes.io/docs/concepts/services-networking/ingress/#tls

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # tlsOptional <boolean>: When set to `true` the TLS {} is optional,
    # defaults to false.
    tlsOptional: <boolean>

Examples

ingress-https-only
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - {}
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
ingress-https-only-tls-optional
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sHttpsOnly
metadata:
  name: ingress-https-only-tls-optional
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
  parameters:
    tlsOptional: true
Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-demo-allowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo-disallowed-tls-optional
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sImageDigests

Image Digests v1.0.1

Requires container images to include a digest. https://kubernetes.io/docs/concepts/containers/images/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

container-image-must-have-digest
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sImageDigests
metadata:
  name: container-image-must-have-digest
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
    name: opa
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
  initContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opainit

K8sLocalStorageRequireSafeToEvict

Local Storage Requires Safe to Evict v1.0.1

Requires that Pods using local storage (emptyDir or hostPath) carry the "cluster-autoscaler.kubernetes.io/safe-to-evict": "true" annotation. The cluster autoscaler does not delete Pods that lack this annotation.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

local-storage-require-safe-to-evict
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sLocalStorageRequireSafeToEvict
metadata:
  name: local-storage-require-safe-to-evict
spec:
  match:
    excludedNamespaces:
    - kube-system
    - istio-system
    - gatekeeper-system
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  name: good-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: redis
    name: redis
    volumeMounts:
    - mountPath: /data/redis
      name: redis-storage
  volumes:
  - emptyDir: {}
    name: redis-storage

K8sMemoryRequestEqualsLimit

Memory Request Equals Limit v1.0.4

Improves Pod stability by requiring that every container's memory request exactly equals its memory limit, so a Pod is never in a state where its memory usage exceeds what it requested. Otherwise, Kubernetes may terminate Pods that request additional memory when memory is needed on the node.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptContainersRegex <array>: Exempt Container names as regex match.
    exemptContainersRegex:
      - <string>

Examples

container-must-request-limit
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sMemoryRequestEqualsLimit
metadata:
  name: container-must-request-limit
spec:
  match:
    excludedNamespaces:
    - kube-system
    - resource-group-system
    - asm-system
    - istio-system
    - config-management-system
    - config-management-monitoring
  parameters:
    exemptContainersRegex:
    - ^istio-[a-z]+$
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: good-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 4Gi

apiVersion: v1
kind: Pod
metadata:
  name: exempt-pod
  namespace: default
spec:
  containers:
  - image: auto
    name: istio-proxy
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: bad-pod
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 100m
        memory: 4Gi
      requests:
        cpu: 50m
        memory: 2Gi

K8sNoEnvVarSecrets

No Environment Variable Secrets v1.0.1

Prohibits Secrets from being used as environment variables in Pod container definitions; use Secrets mounted as files in volumes instead: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

no-secrets-as-env-vars-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoEnvVarSecrets
metadata:
  name: no-secrets-as-env-vars-sample
spec:
  enforcementAction: dryrun
Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: redis
    name: test
    volumeMounts:
    - mountPath: /etc/test
      name: test
      readOnly: true
  volumes:
  - name: test
    secret:
      secretName: mysecret
Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - env:
    - name: MY_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: mysecret
    image: redis
    name: test

K8sNoExternalServices

No External Services v1.0.3

Prohibits the creation of known resources that expose workloads to external IPs. This includes Istio Gateway resources and Kubernetes Ingress resources. Kubernetes Services are also not allowed unless they meet the following conditions: any Service of type LoadBalancer in Google Cloud must have the "networking.gke.io/load-balancer-type": "Internal" annotation; any Service of type LoadBalancer in AWS must have the service.beta.kubernetes.io/aws-load-balancer-internal: "true" annotation; and any "external IP" bound to a Service (that is, an IP outside the cluster) must lie within the internal CIDR ranges supplied to the constraint.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # cloudPlatform <string>: The hosting cloud platform. Only `GCP` and `AWS`
    # are supported currently.
    cloudPlatform: <string>
    # internalCIDRs <array>: A list of CIDRs that are only accessible
    # internally, for example: `10.3.27.0/24`. Which IP ranges are
    # internal-only is determined by the underlying network infrastructure.
    internalCIDRs:
      - <string>

Examples

no-external
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external
spec:
  parameters:
    internalCIDRs:
    - 10.0.0.1/32
Allowed
apiVersion: v1
kind: Service
metadata:
  name: good-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.1
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888

apiVersion: v1
kind: Service
metadata:
  annotations:
    networking.gke.io/load-balancer-type: Internal
  name: allowed-internal-load-balancer
  namespace: default
spec:
  type: LoadBalancer
Disallowed
apiVersion: v1
kind: Service
metadata:
  name: bad-service
  namespace: default
spec:
  externalIPs:
  - 10.0.0.2
  ports:
  - port: 8888
    protocol: TCP
    targetPort: 8888
no-external-aws
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sNoExternalServices
metadata:
  name: no-external-aws
spec:
  parameters:
    cloudPlatform: AWS
Allowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  name: good-aws-service
  namespace: default
spec:
  type: LoadBalancer
Disallowed
apiVersion: v1
kind: Service
metadata:
  annotations:
    cloud.google.com/load-balancer-type: Internal
  name: bad-aws-service
  namespace: default
spec:
  type: LoadBalancer
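The K8sNoExternalServices conditions above, modelled in Python and run over constructed Services shaped like the page's examples (an added illustration, not Policy Controller's own Rego); defaulting cloudPlatform to GCP when the constraint omits it, and denying Ingress and Istio Gateway kinds outright, are this example's reading of the description:

```python
# Added example: a Python model of the K8sNoExternalServices rules described
# above, not Policy Controller's own implementation.
import ipaddress

# Annotation (key, value) each platform requires on a type: LoadBalancer Service,
# taken from the constraint description.
INTERNAL_LB_ANNOTATION = {
    "GCP": ("networking.gke.io/load-balancer-type", "Internal"),
    "AWS": ("service.beta.kubernetes.io/aws-load-balancer-internal", "true"),
}

# Kinds the description denies outright because they expose workloads externally.
ALWAYS_DENIED_KINDS = {"Ingress", "Gateway"}


def violations(obj, cloud_platform="GCP", internal_cidrs=()):
    """Return violation messages for one object; an empty list means allowed.

    cloud_platform defaulting to "GCP" is an assumption of this example: the
    page's no-external constraint omits the parameter and its allowed
    LoadBalancer carries the GKE annotation.
    """
    kind = obj.get("kind")
    if kind in ALWAYS_DENIED_KINDS:
        return [f"{kind} resources expose workloads to external IPs"]
    if kind != "Service":
        return []

    spec = obj.get("spec") or {}
    annotations = (obj.get("metadata") or {}).get("annotations") or {}
    msgs = []

    # A LoadBalancer Service must be marked internal with the platform's annotation.
    # Values are compared case-insensitively so an unquoted YAML boolean still matches.
    if spec.get("type") == "LoadBalancer":
        key, want = INTERNAL_LB_ANNOTATION[cloud_platform]
        if str(annotations.get(key, "")).lower() != want.lower():
            msgs.append(f"LoadBalancer Service must carry {key}: {want}")

    # Every externalIP must fall inside at least one of the internalCIDRs.
    networks = [ipaddress.ip_network(c, strict=False) for c in internal_cidrs]
    for raw in spec.get("externalIPs") or []:
        ip = ipaddress.ip_address(raw)
        if not any(ip in net for net in networks):
            msgs.append(f"externalIP {raw} is not inside internalCIDRs")
    return msgs


def service(name, external_ips=(), lb_annotations=None):
    """Build a minimal v1 Service (constructed test data mirroring the page's shapes)."""
    obj = {"apiVersion": "v1", "kind": "Service",
           "metadata": {"name": name, "namespace": "default"}, "spec": {}}
    if external_ips:
        obj["spec"]["externalIPs"] = list(external_ips)
        obj["spec"]["ports"] = [{"port": 8888, "protocol": "TCP", "targetPort": 8888}]
    if lb_annotations is not None:
        obj["spec"]["type"] = "LoadBalancer"
        obj["metadata"]["annotations"] = dict(lb_annotations)
    return obj


if __name__ == "__main__":
    cidrs = ["10.0.0.1/32"]  # the page's no-external constraint
    checks = [
        (service("good-service", ["10.0.0.1"]), "GCP", cidrs),
        (service("bad-service", ["10.0.0.2"]), "GCP", cidrs),
        (service("allowed-internal-load-balancer",
                 lb_annotations={"networking.gke.io/load-balancer-type": "Internal"}),
         "GCP", cidrs),
        (service("good-aws-service",
                 lb_annotations={"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}),
         "AWS", []),
        (service("bad-aws-service",
                 lb_annotations={"cloud.google.com/load-balancer-type": "Internal"}),
         "AWS", []),
    ]
    for obj, platform, c in checks:
        print(obj["metadata"]["name"], violations(obj, platform, c) or "allowed")
```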

K8sPSPAllowPrivilegeEscalationContainer

Allow Privilege Escalation in Container v1.0.1

Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-allow-privilege-escalation-container-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowPrivilegeEscalationContainer
metadata:
  name: psp-allow-privilege-escalation-container-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: false
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privilege-escalation
  name: nginx-privilege-escalation-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      allowPrivilegeEscalation: true

K8sPSPAllowedUsers

Allowed Users v1.0.2

Controls the user and group IDs of containers and some volumes. Corresponds to the runAsUser, runAsGroup, supplementalGroups, and fsGroup fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # fsGroup <object>: Controls the fsGroup values that are allowed in a Pod
    # or container-level SecurityContext.
    fsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the fsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsGroup <object>: Controls which group ID values are allowed in a Pod
    # or container-level SecurityContext.
    runAsGroup:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsGroup restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>
    # runAsUser <object>: Controls which user ID values are allowed in a Pod or
    # container-level SecurityContext.
    runAsUser:
      # ranges <array>: A list of user ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of user IDs affected by the rule.
        - # max <integer>: The maximum user ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum user ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the runAsUser restriction.
      # Allowed Values: MustRunAs, MustRunAsNonRoot, RunAsAny
      rule: <string>
    # supplementalGroups <object>: Controls the supplementalGroups values that
    # are allowed in a Pod or container-level SecurityContext.
    supplementalGroups:
      # ranges <array>: A list of group ID ranges affected by the rule.
      ranges:
        # <list item: object>: The range of group IDs affected by the rule.
        - # max <integer>: The maximum group ID in the range, inclusive.
          max: <integer>
          # min <integer>: The minimum group ID in the range, inclusive.
          min: <integer>
      # rule <string>: A strategy for applying the supplementalGroups
      # restriction.
      # Allowed Values: MustRunAs, MayRunAs, RunAsAny
      rule: <string>

Examples

psp-pods-allowed-user-ranges
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-pods-allowed-user-ranges
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    fsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsGroup:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    runAsUser:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
    supplementalGroups:
      ranges:
      - max: 200
        min: 100
      rule: MustRunAs
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 199
      runAsUser: 199
  securityContext:
    fsGroup: 199
    supplementalGroups:
    - 199
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-users
  name: nginx-users-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      runAsGroup: 250
      runAsUser: 250
  securityContext:
    fsGroup: 250
    supplementalGroups:
    - 250

K8sPSPAppArmor

App Armor v1.0.0

Configures an allowlist of AppArmor profiles for use by containers. Corresponds to specific annotations applied to a PodSecurityPolicy. For more information on AppArmor, see https://kubernetes.io/docs/tutorials/clusters/apparmor/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedProfiles <array>: An array of AppArmor profiles. Examples:
    # `runtime/default`, `unconfined`.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-apparmor
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAppArmor
metadata:
  name: psp-apparmor
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
Allowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-allowed
spec:
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-apparmor
  name: nginx-apparmor-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

K8sPSPAutomountServiceAccountTokenPod

Automount Service Account Token for Pod v1.0.1

Controls the ability of any Pod to enable automountServiceAccountToken.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Examples

psp-automount-serviceaccount-token-pod
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAutomountServiceAccountTokenPod
metadata:
  name: psp-automount-serviceaccount-token-pod
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-not-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-allowed
spec:
  automountServiceAccountToken: false
  containers:
  - image: nginx
    name: nginx
Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-automountserviceaccounttoken
  name: nginx-automountserviceaccounttoken-disallowed
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

K8sPSPCapabilities

Capabilities v1.0.2

Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedCapabilities <array>: A list of Linux capabilities that can be
    # added to a container.
    allowedCapabilities:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # requiredDropCapabilities <array>: A list of Linux capabilities that are
    # required to be dropped from a container.
    requiredDropCapabilities:
      - <string>

Examples

capabilities-demo

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: capabilities-demo
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - default
  parameters:
    allowedCapabilities:
    - something
    requiredDropCapabilities:
    - must_drop

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - something
        drop:
        - must_drop
        - another_one

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  ephemeralContainers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 30Mi
    securityContext:
      capabilities:
        add:
        - disallowedcapability

K8sPSPFSGroup

FS Group v1.0.2

Controls allocation of the FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: GID ranges affected by the rule.
    ranges:
      - # max <integer>: The maximum GID in the range, inclusive.
        max: <integer>
        # min <integer>: The minimum GID in the range, inclusive.
        min: <integer>
    # rule <string>: An FSGroup rule name.
    # Allowed Values: MayRunAs, MustRunAs, RunAsAny
    rule: <string>

Examples

psp-fsgroup

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFSGroup
metadata:
  name: psp-fsgroup
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    ranges:
    - max: 1000
      min: 1
    rule: MayRunAs

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 500
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-disallowed
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1h
    image: busybox
    name: fsgroup-demo
    volumeMounts:
    - mountPath: /data/demo
      name: fsgroup-demo-vol
  securityContext:
    fsGroup: 2000
  volumes:
  - emptyDir: {}
    name: fsgroup-demo-vol

K8sPSPFlexVolumes

FlexVolumes v1.0.1

Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#flexvolume-drivers

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedFlexVolumes <array>: An array of AllowedFlexVolume objects.
    allowedFlexVolumes:
      - # driver <string>: The name of the FlexVolume driver.
        driver: <string>

Examples

psp-flexvolume-drivers

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPFlexVolumes
metadata:
  name: psp-flexvolume-drivers
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/lvm
    name: test-volume

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flexvolume-driver
  name: nginx-flexvolume-driver-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /test
      name: test-volume
      readOnly: true
  volumes:
  - flexVolume:
      driver: example/testdriver
    name: test-volume

K8sPSPForbiddenSysctls

Forbidden Sysctls v1.1.3

Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered forbidden. The forbiddenSysctls parameter takes precedence over the allowedSysctls parameter. For more information, see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSysctls <array>: An allow-list of sysctls. `*` allows all sysctls
    # not listed in the `forbiddenSysctls` parameter.
    allowedSysctls:
      - <string>
    # forbiddenSysctls <array>: A disallow-list of sysctls. `*` forbids all
    # sysctls.
    forbiddenSysctls:
      - <string>

Examples

psp-forbidden-sysctls

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: psp-forbidden-sysctls
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSysctls:
    - '*'
    forbiddenSysctls:
    - kernel.*

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: net.core.somaxconn
      value: "1024"

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-forbidden-sysctls
  name: nginx-forbidden-sysctls-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  securityContext:
    sysctls:
    - name: kernel.msgmax
      value: "65536"
    - name: net.core.somaxconn
      value: "1024"

K8sPSPHostFilesystem

Host Filesystem v1.0.2

Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedHostPaths <array>: An array of hostpath objects, representing
    # paths and read/write configuration.
    allowedHostPaths:
      - # pathPrefix <string>: The path prefix that the host volume must
        # match.
        pathPrefix: <string>
        # readOnly <boolean>: when set to true, any container volumeMounts
        # matching the pathPrefix must include `readOnly: true`.
        readOnly: <boolean>

Examples

psp-host-filesystem

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostFilesystem
metadata:
  name: psp-host-filesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedHostPaths:
    - pathPrefix: /foo
      readOnly: true

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /foo/bar
    name: cache-volume

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-filesystem-disallowed
  name: nginx-host-filesystem
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume

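The pathPrefix and readOnly semantics above, as an added Python example that is not the template's own Rego: it evaluates constructed Pod dicts (the shape yaml.safe_load gives for the manifests above) against the psp-host-filesystem parameters. The component-boundary prefix rule in path_matches and the inclusion of init and ephemeral containers are this example's assumptions.

```python
"""Evaluate Pods against K8sPSPHostFilesystem-style allowedHostPaths.

Added example, not the template's Rego. Pod manifests are constructed dicts.
The component-boundary prefix rule in path_matches is this example's
assumption about how pathPrefix is meant to match.
"""
from typing import Dict, List


def path_matches(prefix: str, path: str) -> bool:
    """/foo matches /foo and /foo/bar but not /foobar; trailing slashes are ignored."""
    p = prefix.rstrip("/") or "/"
    q = path.rstrip("/") or "/"
    return p == "/" or q == p or q.startswith(p + "/")


def mount_allowed(host_path: str, read_only_mount: bool, allowed: List[Dict]) -> bool:
    """A mount passes if some allowedHostPaths entry matches the host path and
    either that entry permits writes (readOnly absent/false) or the mount itself
    carries readOnly: true."""
    return any(
        path_matches(entry["pathPrefix"], host_path)
        and (not entry.get("readOnly", False) or read_only_mount)
        for entry in allowed
    )


def host_filesystem_violations(pod: Dict, allowed_host_paths: List[Dict]) -> List[str]:
    """Return one message per hostPath volumeMount that the parameters reject."""
    spec = pod["spec"]
    # Only hostPath volumes are in scope; map volume name -> host path.
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    # Regular, init and ephemeral containers are all checked (the page's
    # disallowed examples include an ephemeralContainers case).
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    violations = []
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_vols:
                continue
            host_path = host_vols[m["name"]]
            if not mount_allowed(host_path, bool(m.get("readOnly", False)), allowed_host_paths):
                violations.append(
                    f"container {c['name']}: hostPath {host_path} mounted at "
                    f"{m['mountPath']} is not allowed by allowedHostPaths")
    return violations


# The psp-host-filesystem parameters from the constraint above.
ALLOWED_HOST_PATHS = [{"pathPrefix": "/foo", "readOnly": True}]


def make_pod(host_path: str, read_only: bool, ephemeral: bool = False) -> Dict:
    """Constructed sample Pod shaped like the nginx-host-filesystem examples."""
    key = "ephemeralContainers" if ephemeral else "containers"
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "nginx-host-filesystem"},
        "spec": {
            key: [{"image": "nginx", "name": "nginx",
                   "volumeMounts": [{"mountPath": "/cache", "name": "cache-volume",
                                     "readOnly": read_only}]}],
            "volumes": [{"hostPath": {"path": host_path}, "name": "cache-volume"}],
        },
    }


if __name__ == "__main__":
    for path, ro in (("/foo/bar", True), ("/tmp", True), ("/foobar", True), ("/foo/bar", False)):
        print(path, ro, host_filesystem_violations(make_pod(path, ro), ALLOWED_HOST_PATHS))
```
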
K8sPSPHostNamespace

Host Namespace v1.0.1

Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    <object>

Examples

psp-host-namespace-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNamespace
metadata:
  name: psp-host-namespace-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-allowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: false
  hostPID: false

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-namespace
  name: nginx-host-namespace-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
  hostIPC: true
  hostPID: true

K8sPSPHostNetworkingPorts

Host Networking Ports v1.0.2

Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # hostNetwork <boolean>: Determines if the policy allows the use of
    # HostNetwork in the pod spec.
    hostNetwork: <boolean>
    # max <integer>: The end of the allowed port range, inclusive.
    max: <integer>
    # min <integer>: The start of the allowed port range, inclusive.
    min: <integer>

Examples

psp-host-network-ports-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPHostNetworkingPorts
metadata:
  name: psp-host-network-ports-sample
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    hostNetwork: true
    max: 9000
    min: 80

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9000
      hostPort: 80
  hostNetwork: false

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-host-networking-ports
  name: nginx-host-networking-ports-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 9001
      hostPort: 9001
  hostNetwork: true

K8sPSPPrivilegedContainer

Privileged Container v1.0.1

Controls the ability of any container to enable privileged mode. Corresponds to the privileged field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-privileged-container-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container-sample
spec:
  match:
    excludedNamespaces:
    - kube-system
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: false

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-privileged
  name: nginx-privileged-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      privileged: true

K8sPSPProcMount

Proc Mount v1.0.3

Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # procMount <string>: Defines the strategy for the security exposure of
    # certain paths in `/proc` by the container runtime. Setting to `Default`
    # uses the runtime defaults, where `Unmasked` bypasses the default
    # behavior.
    # Allowed Values: Default, Unmasked
    procMount: <string>

Examples

psp-proc-mount

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPProcMount
metadata:
  name: psp-proc-mount
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    procMount: Default

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Default

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-proc-mount
  name: nginx-proc-mount-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      procMount: Unmasked

K8sPSPReadOnlyRootFilesystem

Read Only Root Filesystem v1.0.1

Requires the use of a read-only root filesystem by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-readonlyrootfilesystem

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPReadOnlyRootFilesystem
metadata:
  name: psp-readonlyrootfilesystem
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: true

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-readonlyrootfilesystem
  name: nginx-readonlyrootfilesystem-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      readOnlyRootFilesystem: false

K8sPSPSELinuxV2

SELinux V2 v1.0.3

Defines an allow-list of seLinuxOptions configurations for pod containers. Corresponds to a PodSecurityPolicy that requires SELinux configuration. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSELinuxOptions <array>: An allow-list of SELinux options
    # configurations.
    allowedSELinuxOptions:
      # <list item: object>: An allowed configuration of SELinux options for a
      # pod container.
      - # level <string>: An SELinux level.
        level: <string>
        # role <string>: An SELinux role.
        role: <string>
        # type <string>: An SELinux type.
        type: <string>
        # user <string>: An SELinux user.
        user: <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-selinux-v2

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSELinuxV2
metadata:
  name: psp-selinux-v2
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedSELinuxOptions:
    - level: s0:c123,c456
      role: object_r
      type: svirt_sandbox_file_t
      user: system_u

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s0:c123,c456
        role: object_r
        type: svirt_sandbox_file_t
        user: system_u

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-selinux
  name: nginx-selinux-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx
    securityContext:
      seLinuxOptions:
        level: s1:c234,c567
        role: sysadm_r
        type: svirt_lxc_net_t
        user: sysadm_u

K8sPSPSeccomp

Seccomp v1.0.1

Controls the seccomp profile used by containers. Corresponds to the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedLocalhostFiles <array>: When using securityContext naming scheme
    # for seccomp and including `Localhost` this array holds the allowed
    # profile JSON files. Putting a `*` in this array will allow all JSON
    # files to be used. This field is required to allow `Localhost` in
    # securityContext as with an empty list it will block.
    allowedLocalhostFiles:
      - <string>
    # allowedProfiles <array>: An array of allowed profile values for seccomp
    # on Pods/Containers. Can use the annotation naming scheme:
    # `runtime/default`, `docker/default`, `unconfined` and/or
    # `localhost/some-profile.json`. The item `localhost/*` will allow any
    # localhost based profile. Can also use the securityContext naming scheme:
    # `RuntimeDefault`, `Unconfined` and/or `Localhost`. For securityContext
    # `Localhost`, use the parameter `allowedLocalhostProfiles` to list the
    # allowed profile JSON files. The policy code will translate between the
    # two schemes so it is not necessary to use both. Putting a `*` in this
    # array allows all Profiles to be used. This field is required since with
    # an empty list this policy will block all workloads.
    allowedProfiles:
      - <string>
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>

Examples

psp-seccomp

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPSeccomp
metadata:
  name: psp-seccomp
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedProfiles:
    - runtime/default
    - docker/default

Allowed

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-allowed2
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed

apiVersion: v1
kind: Pod
metadata:
  annotations:
    seccomp.security.alpha.kubernetes.io/pod: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed2
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: unconfined
  labels:
    app: nginx-seccomp
  name: nginx-seccomp-disallowed
spec:
  ephemeralContainers:
  - image: nginx
    name: nginx

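The translation between the annotation naming scheme and the securityContext naming scheme that the schema comments describe, as an added Python example that is not the template's own Rego. The precedence order (securityContext over annotation, container level over pod level) and the treatment of a container with no profile at all (accepted only when allowedProfiles contains `*`) are this example's assumptions; pods are constructed dicts shaped like the nginx-seccomp examples above.

```python
"""Normalise seccomp profiles from both naming schemes and check them against
allowedProfiles / allowedLocalhostFiles, as K8sPSPSeccomp describes.

Added example, not the template's Rego. Assumptions of this example:
securityContext wins over annotations, container level wins over pod level,
and a container with no profile anywhere is accepted only by `*`.
"""
from typing import Dict, List, Optional, Tuple

POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"

# Canonical form: (securityContext type, localhostProfile or None)
Profile = Tuple[str, Optional[str]]


def from_annotation(value: str) -> Profile:
    """Annotation scheme -> securityContext scheme."""
    if value in ("runtime/default", "docker/default"):
        return ("RuntimeDefault", None)
    if value == "unconfined":
        return ("Unconfined", None)
    if value.startswith("localhost/"):
        return ("Localhost", value[len("localhost/"):])
    raise ValueError(f"unknown seccomp annotation value {value!r}")


def from_security_context(sc: Optional[Dict]) -> Optional[Profile]:
    sp = (sc or {}).get("seccompProfile")
    return (sp["type"], sp.get("localhostProfile")) if sp else None


def effective_profile(pod: Dict, container: Dict) -> Optional[Profile]:
    """First profile found in precedence order, or None if nothing is set."""
    ann = pod.get("metadata", {}).get("annotations", {})
    c_key = CONTAINER_ANNOTATION_PREFIX + container["name"]
    candidates = (
        from_security_context(container.get("securityContext")),
        from_annotation(ann[c_key]) if c_key in ann else None,
        from_security_context(pod["spec"].get("securityContext")),
        from_annotation(ann[POD_ANNOTATION]) if POD_ANNOTATION in ann else None,
    )
    return next((c for c in candidates if c is not None), None)


def entry_allows(entry: str, profile: Profile, localhost_files: List[str]) -> bool:
    """Does one allowedProfiles entry, written in either scheme, accept this profile?"""
    ptype, pfile = profile
    if entry == "*":
        return True
    if entry == "Localhost":  # securityContext scheme: files come from allowedLocalhostFiles
        return ptype == "Localhost" and ("*" in localhost_files or pfile in localhost_files)
    if entry.startswith("localhost/"):  # annotation scheme: file named inline, `*` = any
        return ptype == "Localhost" and entry[len("localhost/"):] in ("*", pfile)
    if entry in ("RuntimeDefault", "Unconfined"):
        return ptype == entry
    return from_annotation(entry)[0] == ptype  # runtime/default, docker/default, unconfined


def seccomp_violations(pod: Dict, params: Dict) -> List[str]:
    """One message per container whose effective profile the parameters reject."""
    allowed = params.get("allowedProfiles", [])
    files = params.get("allowedLocalhostFiles", [])
    spec = pod["spec"]
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    out = []
    for c in containers:
        profile = effective_profile(pod, c)
        if profile is None:
            if "*" not in allowed:
                out.append(f"container {c['name']}: no seccomp profile set")
            continue
        if not any(entry_allows(e, profile, files) for e in allowed):
            shown = profile[0] + (f"/{profile[1]}" if profile[1] else "")
            out.append(f"container {c['name']}: seccomp profile {shown} is not allowed")
    return out


def make_pod(name: str, annotations: Optional[Dict] = None,
             container_sc: Optional[Dict] = None, pod_sc: Optional[Dict] = None) -> Dict:
    """Constructed sample Pod mirroring the page's nginx-seccomp examples."""
    container = {"image": "nginx", "name": "nginx"}
    if container_sc:
        container["securityContext"] = container_sc
    spec: Dict = {"containers": [container]}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "annotations": annotations or {}},
            "spec": spec}


if __name__ == "__main__":
    params = {"allowedProfiles": ["runtime/default", "docker/default"]}  # psp-seccomp above
    print(seccomp_violations(make_pod("a", {POD_ANNOTATION: "unconfined"}), params))
    print(seccomp_violations(make_pod("b", container_sc={"seccompProfile": {"type": "RuntimeDefault"}}), params))
```
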
K8sPSPVolumeTypes

Volume Types v1.0.2

Restricts mountable volume types to those specified by the user. Corresponds to the volumes field in a PodSecurityPolicy. For more information, see https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # volumes <array>: `volumes` is an array of volume types. All volume types
    # can be enabled using `*`.
    volumes:
      - <string>

Examples

psp-volume-types

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: psp-volume-types
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
    - flexVolume

Allowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-allowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - emptyDir: {}
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

Disallowed

apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-volume-types
  name: nginx-volume-types-disallowed
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  - image: nginx
    name: nginx2
    volumeMounts:
    - mountPath: /cache2
      name: demo-vol
  volumes:
  - hostPath:
      path: /tmp
    name: cache-volume
  - emptyDir: {}
    name: demo-vol

K8sPSPWindowsHostProcess

Restricts Windows HostProcess containers / pods. v1.0.0

Restricts the running of Windows HostProcess containers / pods. For more information, see https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-windows-hostprocess

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPWindowsHostProcess
metadata:
  name: restrict-windows-hostprocess
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-loop
  nodeSelector:
    kubernetes.io/os: windows

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-container
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
    securityContext:
      windowsOptions:
        hostProcess: true
        runAsUserName: NT AUTHORITY\SYSTEM
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows

apiVersion: v1
kind: Pod
metadata:
  name: nanoserver-ping-loop-hostprocess-pod
spec:
  containers:
  - command:
    - ping
    - -t
    - 127.0.0.1
    image: mcr.microsoft.com/windows/nanoserver:1809
    name: ping-test
  hostNetwork: true
  nodeSelector:
    kubernetes.io/os: windows
  securityContext:
    windowsOptions:
      hostProcess: true
      runAsUserName: NT AUTHORITY\SYSTEM

K8sPSSRunAsNonRoot

Requires containers run as non-root users. v1.0.0

Requires containers to run as non-root users. For more information, see https://kubernetes.io/docs/concepts/security/pod-security-standards/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-runasnonroot

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSSRunAsNonRoot
metadata:
  name: restrict-runasnonroot
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-allowed
spec:
  containers:
  - image: nginx
    name: nginx-allowed
  securityContext:
    runAsNonRoot: true

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-allowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
    securityContext:
      runAsNonRoot: false
  securityContext:
    runAsNonRoot: true

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-allowed
    securityContext:
      runAsNonRoot: true
  securityContext:
    runAsNonRoot: false

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-disallowed
spec:
  containers:
  - image: nginx
    name: nginx-container-disallowed
  securityContext:
    runAsNonRoot: false
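The allowed and disallowed Pods above show that the constraint looks at both levels: a false at the pod level is rejected even when a container sets true, and a container that leaves the field unset only passes when the pod level says true. The following Python is an added example written for this page, not the template's own Rego; it re-implements that decision rule (an assumption inferred from the examples), builds the page's Pods as dicts with a constructed helper, and adds one constructed case where neither level sets the field.

```python
# Added example for this page; not the K8sPSSRunAsNonRoot template's own Rego.
# It re-implements the decision rule that the allowed/disallowed Pods above imply
# and runs it over those Pods, built here as Python dicts.


def run_as_non_root_violations(pod):
    """Return the violations for one Pod manifest (a dict parsed from YAML).

    Rule (an assumption inferred from the page's examples):
      * pod-level securityContext.runAsNonRoot, when set, must be true;
      * container-level securityContext.runAsNonRoot, when set, must be true;
      * a container that leaves the field unset inherits it from the pod level,
        so the pod-level value must then be true.
    """
    spec = pod.get("spec", {})
    pod_setting = (spec.get("securityContext") or {}).get("runAsNonRoot")
    violations = []
    if pod_setting is False:
        violations.append("pod securityContext.runAsNonRoot is false")
    for container in spec.get("containers", []):
        name = container["name"]
        setting = (container.get("securityContext") or {}).get("runAsNonRoot")
        if setting is False:
            violations.append(f"container {name}: runAsNonRoot is false")
        elif setting is None and pod_setting is not True:
            violations.append(
                f"container {name}: runAsNonRoot is not set to true at pod or container level"
            )
    return violations


def is_allowed(pod):
    return not run_as_non_root_violations(pod)


def make_pod(name, pod_level=None, container_level=None):
    """Build a one-container nginx Pod shaped like the page's examples (constructed)."""
    container = {"image": "nginx", "name": f"{name}-container"}
    if container_level is not None:
        container["securityContext"] = {"runAsNonRoot": container_level}
    spec = {"containers": [container]}
    if pod_level is not None:
        spec["securityContext"] = {"runAsNonRoot": pod_level}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# The page's five Pods, plus one constructed case where neither level sets the field.
EXAMPLES = {
    "both levels true (allowed on the page)": make_pod("nginx-pod-allowed", True, True),
    "pod level only (allowed on the page)": make_pod("nginx-allowed", True),
    "container false, pod true (disallowed)": make_pod("nginx-pod-allowed", True, False),
    "container true, pod false (disallowed)": make_pod("nginx-pod-disallowed", False, True),
    "pod false only (disallowed)": make_pod("nginx-pod-disallowed", False),
    "neither level set (constructed)": make_pod("nginx-unset"),
}

if __name__ == "__main__":
    for label, pod in EXAMPLES.items():
        verdict = "allowed" if is_allowed(pod) else "denied: " + "; ".join(run_as_non_root_violations(pod))
        print(f"{label}: {verdict}")
```

Running it reproduces the page's verdicts and shows that the constructed Pod with the field unset at both levels is also denied, which is the case a Pod Security Standards "restricted" profile cares about most.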

K8sPodDisruptionBudget

Pod Disruption Budget v1.0.3

Disallows the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (for example Deployment, ReplicationController, ReplicaSet, StatefulSet):
1. Deployment of PodDisruptionBudgets where .spec.maxUnavailable == 0
2. Deployment of PodDisruptionBudgets where .spec.minAvailable == .spec.replicas of the resource that has a replica subresource
This prevents PodDisruptionBudgets from blocking voluntary disruptions such as node drains. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation config to tell Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "policy"
        version: "v1"
        kind: "PodDisruptionBudget"

Examples

pod-distruption-budget

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodDisruptionBudget
metadata:
  name: pod-distruption-budget
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
    - apiGroups:
      - ""
      kinds:
      - ReplicationController

Allowed

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-allowed
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-1
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-1
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-1
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-1

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-2
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-2
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-2
  namespace: default
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-2

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-allowed-3
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: allowed-deployment-3
  template:
    metadata:
      labels:
        app: nginx
        example: allowed-deployment-3
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: nginx

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: non-matching-nginx
  name: nginx-deployment-allowed-4
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: non-matching-nginx
      example: allowed-deployment-4
  template:
    metadata:
      labels:
        app: non-matching-nginx
        example: allowed-deployment-4
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-mongo-pdb-allowed-3
  namespace: default
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: mongo
      example: non-matching-deployment-3

Disallowed

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nginx-pdb-disallowed
  namespace: default
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      foo: bar

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment-disallowed
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
  template:
    metadata:
      labels:
        app: nginx
        example: disallowed-deployment
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
---
# Referential Data
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: inventory-nginx-pdb-disallowed
  namespace: default
spec:
  minAvailable: 3
  selector:
    matchLabels:
      app: nginx
      example: disallowed-deployment
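The second rule is referential: whether a Deployment is rejected depends on PodDisruptionBudgets already synced into Policy Controller, matched by namespace and by the PDB selector against the pod template labels. The Python below is an added example for this page, not the template's Rego; it implements both rules, builds the page's Deployment/PDB pairs with constructed helpers (make_deployment, make_pdb), and shows that a PDB in another namespace or with a percentage minAvailable is not matched by this simplified comparison.

```python
# Added example for this page; not the K8sPodDisruptionBudget template's own Rego.
# Re-implements the two rules in the description and runs them over the page's
# Deployment/PDB pairs, which are built below as dicts.


def selector_matches(selector, labels):
    """True when every matchLabels pair in the selector is present in the labels."""
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())


def pdb_violations(pdb):
    """Rule 1: maxUnavailable == 0 means the budget never permits an eviction."""
    if pdb["spec"].get("maxUnavailable") == 0:
        return [f"PodDisruptionBudget {pdb['metadata']['name']}: maxUnavailable is 0"]
    return []


def workload_violations(workload, pdbs):
    """Rule 2: a PDB covering this workload's pods with minAvailable == spec.replicas
    blocks every voluntary eviction. Referential data: the PDBs already in the cluster."""
    meta, spec = workload["metadata"], workload["spec"]
    pod_labels = spec["template"]["metadata"]["labels"]
    violations = []
    for pdb in pdbs:
        if pdb["metadata"].get("namespace") != meta.get("namespace"):
            continue  # a PDB only selects pods in its own namespace
        if not selector_matches(pdb["spec"].get("selector", {}), pod_labels):
            continue
        # Only an integer minAvailable equal to replicas is compared; a percentage
        # such as "50%" is a string and is left alone (simplification).
        if pdb["spec"].get("minAvailable") == spec.get("replicas"):
            violations.append(
                f"{workload['kind']} {meta['name']}: PDB {pdb['metadata']['name']} "
                f"has minAvailable == replicas ({spec['replicas']})"
            )
    return violations


def make_deployment(name, replicas, labels, namespace="default"):
    """Constructed Deployment shaped like the page's examples."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": name, "namespace": namespace, "labels": {"app": labels.get("app")}},
        "spec": {"replicas": replicas, "selector": {"matchLabels": dict(labels)},
                 "template": {"metadata": {"labels": dict(labels)},
                              "spec": {"containers": [{"image": "nginx:1.14.2", "name": "nginx"}]}}},
    }


def make_pdb(name, match_labels, namespace="default", **budget):
    """Constructed PDB; pass minAvailable=... or maxUnavailable=... as a keyword."""
    return {"apiVersion": "policy/v1", "kind": "PodDisruptionBudget",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {**budget, "selector": {"matchLabels": match_labels}}}


# The page's cases.
DEP_1 = make_deployment("nginx-deployment-allowed-1", 3, {"app": "nginx", "example": "allowed-deployment-1"})
PDB_1 = make_pdb("inventory-nginx-pdb-allowed-1", {"app": "nginx", "example": "allowed-deployment-1"}, minAvailable=2)
DEP_3 = make_deployment("nginx-deployment-allowed-3", 3, {"app": "nginx", "example": "allowed-deployment-3"})
PDB_3 = make_pdb("inventory-nginx-pdb-allowed-3", {"app": "nginx"}, minAvailable=2)
DEP_4 = make_deployment("nginx-deployment-allowed-4", 1, {"app": "non-matching-nginx", "example": "allowed-deployment-4"})
PDB_4 = make_pdb("inventory-mongo-pdb-allowed-3", {"app": "mongo", "example": "non-matching-deployment-3"}, minAvailable=2)
DEP_BAD = make_deployment("nginx-deployment-disallowed", 3, {"app": "nginx", "example": "disallowed-deployment"})
PDB_BAD = make_pdb("inventory-nginx-pdb-disallowed", {"app": "nginx", "example": "disallowed-deployment"}, minAvailable=3)

if __name__ == "__main__":
    print(pdb_violations(make_pdb("nginx-pdb-disallowed", {"foo": "bar"}, maxUnavailable=0)))
    print(workload_violations(DEP_BAD, [PDB_1, PDB_3, PDB_4, PDB_BAD]))
```

Note that inventory-nginx-pdb-allowed-3 selects only app: nginx, so it also covers nginx-deployment-disallowed; it is not a violation there because its minAvailable (2) is below the replica count (3).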

K8sPodResourcesBestPractices

Requires Containers are not Best-effort and Following Burstable Best Practices v1.0.5

Requires containers to not be best-effort (by setting CPU and memory requests) and to follow burstable best practices (memory requests must equal memory limits). Annotation keys can optionally be configured to allow the individual validations to be skipped.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>
    # skipBestEffortValidationAnnotationKey <string>: Optional annotation key
    # to skip best-effort container validation.
    skipBestEffortValidationAnnotationKey: <string>
    # skipBurstableValidationAnnotationKey <string>: Optional annotation key to
    # skip burstable container validation.
    skipBurstableValidationAnnotationKey: <string>
    # skipResourcesBestPracticesValidationAnnotationKey <string>: Optional
    # annotation key to skip both best-effort and burstable validation.
    skipResourcesBestPracticesValidationAnnotationKey: <string>

Examples

gke-pod-resources-best-practices

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodResourcesBestPractices
metadata:
  name: gke-pod-resources-best-practices
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    skipBestEffortValidationAnnotationKey: skip_besteffort_validation
    skipBurstableValidationAnnotationKey: skip_burstable_validation
    skipResourcesBestPracticesValidationAnnotationKey: skip_resources_best_practices_validation

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-limits-only
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-requests-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  annotations:
    skip_besteffort_validation: "true"
    skip_burstable_validation: "true"
    skip_resources_best_practices_validation: "false"
  name: pod-skip-validation
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-cpu-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-not-setting-requests
spec:
  containers:
  - image: nginx
    name: nginx
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-cpu-not-burstable-on-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 500Mi
      requests:
        cpu: 250m
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-memory-requests-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 30m
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-cpu
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        cpu: 500m
      requests:
        cpu: 250m

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-limits
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 250Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory-requests
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      requests:
        memory: 100Mi

apiVersion: v1
kind: Pod
metadata:
  name: pod-setting-only-memory
spec:
  containers:
  - image: nginx
    name: nginx
    resources:
      limits:
        memory: 100Mi
      requests:
        memory: 100Mi
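The examples above only make sense once you account for a Kubernetes default: a container that sets only a limit gets a request equal to that limit, which is why pod-setting-limits-only and pod-setting-cpu-requests-memory-limits pass while pod-setting-memory-requests-cpu-limits (memory request with no memory limit) fails. The Python below is an added example for this page, not the template's Rego; it applies the two checks with that default, honours the three skip annotation keys exactly as the gke-pod-resources-best-practices constraint configures them, and runs over the page's Pods built with a constructed make_pod helper. Treating a skip annotation as active only when its value is the string "true" is an assumption.

```python
# Added example for this page; not the K8sPodResourcesBestPractices template's own
# Rego. It applies the two checks from the description, with the skip annotations
# of the gke-pod-resources-best-practices constraint above, to the page's Pods.

# Annotation keys exactly as the constraint above configures them.
SKIP_BEST_EFFORT = "skip_besteffort_validation"
SKIP_BURSTABLE = "skip_burstable_validation"
SKIP_BOTH = "skip_resources_best_practices_validation"


def _skipped(pod, key):
    """An annotation skips its check only when its value is the string "true"
    (assumption; the page's example sets "true"/"false" strings)."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return annotations.get(key) == "true" or annotations.get(SKIP_BOTH) == "true"


def _effective(resources, name):
    """Return (request, limit). Kubernetes defaults an unset request to the limit,
    which is why the page's pod-setting-limits-only Pod is allowed."""
    request = (resources.get("requests") or {}).get(name)
    limit = (resources.get("limits") or {}).get(name)
    return (request if request is not None else limit), limit


def resource_violations(pod, exempt_images=()):
    violations = []
    for container in pod["spec"].get("containers", []):
        if container["image"] in exempt_images:
            continue
        resources = container.get("resources") or {}
        cpu_request, _ = _effective(resources, "cpu")
        mem_request, mem_limit = _effective(resources, "memory")
        if not _skipped(pod, SKIP_BEST_EFFORT) and (cpu_request is None or mem_request is None):
            violations.append(f"{container['name']}: best-effort container, set cpu and memory requests")
        # Quantities are compared as strings; "100Mi" vs "104857600" would need
        # proper quantity parsing (simplification).
        if not _skipped(pod, SKIP_BURSTABLE) and (mem_limit is None or mem_request != mem_limit):
            violations.append(f"{container['name']}: memory request must equal memory limit")
    return violations


def make_pod(name, requests=None, limits=None, annotations=None):
    """Constructed single-container nginx Pod shaped like the page's examples."""
    resources = {}
    if requests:
        resources["requests"] = requests
    if limits:
        resources["limits"] = limits
    container = {"image": "nginx", "name": "nginx"}
    if resources:
        container["resources"] = resources
    metadata = {"name": name}
    if annotations:
        metadata["annotations"] = annotations
    return {"apiVersion": "v1", "kind": "Pod", "metadata": metadata, "spec": {"containers": [container]}}


# The page's allowed and disallowed Pods.
ALLOWED = [
    make_pod("pod-setting-cpu-requests-memory-limits", requests={"cpu": "250m"}, limits={"memory": "500Mi"}),
    make_pod("pod-setting-limits-only", limits={"cpu": "250m", "memory": "100Mi"}),
    make_pod("pod-setting-requests-memory-limits", requests={"cpu": "250m", "memory": "100Mi"}, limits={"memory": "100Mi"}),
    make_pod("pod-skip-validation", annotations={SKIP_BEST_EFFORT: "true", SKIP_BURSTABLE: "true", SKIP_BOTH: "false"}),
]
DISALLOWED = [
    make_pod("pod-not-setting-cpu-burstable-on-memory", requests={"memory": "100Mi"}, limits={"memory": "500Mi"}),
    make_pod("pod-not-setting-requests"),
    make_pod("pod-setting-cpu-not-burstable-on-memory", requests={"cpu": "250m", "memory": "100Mi"}, limits={"memory": "500Mi"}),
    make_pod("pod-setting-memory-requests-cpu-limits", requests={"memory": "100Mi"}, limits={"cpu": "30m"}),
    make_pod("pod-setting-only-cpu-limits", limits={"cpu": "250m"}),
    make_pod("pod-setting-only-cpu-requests", requests={"cpu": "250m"}),
    make_pod("pod-setting-only-cpu", requests={"cpu": "250m"}, limits={"cpu": "500m"}),
    make_pod("pod-setting-only-memory-limits", limits={"memory": "250Mi"}),
    make_pod("pod-setting-only-memory-requests", requests={"memory": "100Mi"}),
    make_pod("pod-setting-only-memory", requests={"memory": "100Mi"}, limits={"memory": "100Mi"}),
]

if __name__ == "__main__":
    for pod in ALLOWED + DISALLOWED:
        print(pod["metadata"]["name"], resource_violations(pod) or "ok")
```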

K8sPodsRequireSecurityContext

Pods Require Security Context v1.1.1

Requires all Pods to define a securityContext. Requires all containers defined in a Pod to define a SecurityContext at either the Pod or the container level.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: A list of exempt Images.
    exemptImages:
      - <string>

Examples

pods-require-security-context-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPodsRequireSecurityContext
metadata:
  name: pods-require-security-context-sample
spec:
  enforcementAction: dryrun
  parameters:
    exemptImages:
    - nginix-exempt
    - alpine*

Allowed

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
spec:
  containers:
  - image: nginx
    name: nginx
    securityContext:
      runAsUser: 2000

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage
spec:
  containers:
  - image: nginix-exempt
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-exemptImage-wildcard
spec:
  containers:
  - image: alpine17
    name: alpine

Disallowed

apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
spec:
  containers:
  - image: nginx
    name: nginx

K8sProhibitRoleWildcardAccess

Prohibit Role Wildcard Access v1.0.5

Requires that Roles and ClusterRoles do not set resource access to the wildcard "*" value, except for exempted Roles and ClusterRoles supplied as exemptions. Does not restrict wildcard access to subresources such as "*/status".

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptions <object>: The list of exempted Roles and/or ClusterRoles name
    # that are allowed to set resource access to a wildcard.
    exemptions:
      clusterRoles:
        - # name <string>: The name of the ClusterRole to be exempted.
          name: <string>
          # regexMatch <boolean>: The flag to allow a regular expression
          # based match on the name.
          regexMatch: <boolean>
      roles:
        - # name <string>: The name of the Role to be exempted.
          name: <string>
          # namespace <string>: The namespace of the Role to be exempted.
          namespace: <string>

Examples

prohibit-role-wildcard-access-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-role-wildcard-access-sample
spec:
  enforcementAction: dryrun

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bad-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

prohibit-wildcard-except-exempted-cluster-role

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sProhibitRoleWildcardAccess
metadata:
  name: prohibit-wildcard-except-exempted-cluster-role
spec:
  enforcementAction: dryrun
  parameters:
    exemptions:
      clusterRoles:
      - name: cluster-role-allowed-example
      roles:
      - name: role-allowed-example
        namespace: role-ns-allowed-example

Allowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-allowed-example
  namespace: role-ns-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

Disallowed

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-not-allowed-example
  namespace: role-ns-not-allowed-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
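The two constraints above differ only in their exemptions, and the disallowed examples show the verbs form of the wildcard. The Python below is an added example for this page, not the template's Rego: it flags a bare "*" in a rule's verbs or resources (treating resources the same way is an assumption; the page only shows verbs), leaves subresource patterns such as "*/status" alone as the description says, and applies the exemptions of prohibit-wildcard-except-exempted-cluster-role, including the regexMatch option, which is assumed here to behave like an unanchored re.search. The make_role helper and the "*/status" and regexMatch cases are constructed.

```python
import re

# Added example for this page; not the K8sProhibitRoleWildcardAccess template's own
# Rego. It treats "*" in a rule's verbs or resources as wildcard access (the page
# shows the verbs case; resources is an assumption), leaves subresource patterns
# such as "*/status" alone, and honours the exemptions parameter.


def rule_grants_wildcard(rule):
    """A bare "*" entry is wildcard access; "*/status" is a subresource pattern and is not."""
    return "*" in (rule.get("verbs") or []) or "*" in (rule.get("resources") or [])


def is_exempt(role, exemptions):
    name = role["metadata"]["name"]
    if role["kind"] == "ClusterRole":
        for ex in exemptions.get("clusterRoles") or []:
            if ex.get("regexMatch"):
                # Assumption: regexMatch is an unanchored match on the name, like re.search.
                if re.search(ex["name"], name):
                    return True
            elif ex["name"] == name:
                return True
        return False
    namespace = role["metadata"].get("namespace")
    return any(ex["name"] == name and ex.get("namespace") == namespace
               for ex in exemptions.get("roles") or [])


def wildcard_violations(role, exemptions=None):
    if is_exempt(role, exemptions or {}):
        return []
    return [f"{role['kind']} {role['metadata']['name']}: rule {i} grants wildcard access"
            for i, rule in enumerate(role.get("rules") or []) if rule_grants_wildcard(rule)]


def make_role(kind, name, verbs, resources=("pods",), namespace=None):
    """Constructed Role/ClusterRole with one rule, shaped like the page's examples."""
    metadata = {"name": name}
    if namespace:
        metadata["namespace"] = namespace
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind, "metadata": metadata,
            "rules": [{"apiGroups": [""], "resources": list(resources), "verbs": list(verbs)}]}


# exemptions exactly as in the prohibit-wildcard-except-exempted-cluster-role constraint.
EXEMPTIONS = {
    "clusterRoles": [{"name": "cluster-role-allowed-example"}],
    "roles": [{"name": "role-allowed-example", "namespace": "role-ns-allowed-example"}],
}

if __name__ == "__main__":
    for role in (
        make_role("ClusterRole", "cluster-role-example", ["get"]),
        make_role("ClusterRole", "cluster-role-bad-example", ["*"]),
        make_role("ClusterRole", "cluster-role-allowed-example", ["*"]),
        make_role("Role", "role-not-allowed-example", ["*"], namespace="role-ns-not-allowed-example"),
    ):
        print(role["metadata"]["name"], wildcard_violations(role, EXEMPTIONS) or "ok")
```

A Role exemption is keyed on name and namespace together, so role-not-allowed-example in role-ns-not-allowed-example is still reported even though a same-named exemption in a different namespace would cover it.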

K8sReplicaLimits

Replica Limits v1.0.2

Requires that objects with the spec.replicas field (Deployments, ReplicaSets, etc.) specify a number of replicas within the defined ranges.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # ranges <array>: Allowed ranges for numbers of replicas.  Values are
    # inclusive.
    ranges:
      # <list item: object>: A range of allowed replicas.  Values are
      # inclusive.
      - # max_replicas <integer>: The maximum number of replicas allowed,
        # inclusive.
        max_replicas: <integer>
        # min_replicas <integer>: The minimum number of replicas allowed,
        # inclusive.
        min_replicas: <integer>

Examples

replica-limits

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sReplicaLimits
metadata:
  name: replica-limits
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
  parameters:
    ranges:
    - max_replicas: 50
      min_replicas: 3

Allowed

apiVersion: apps/v1
kind: Deployment
metadata:
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Disallowed

apiVersion: apps/v1
kind: Deployment
metadata:
  name: disallowed-deployment
spec:
  replicas: 100
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

K8sRequireAdmissionController

Require Admission Controller v1.0.0

Requires Pod Security Admission or an external policy control system.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks which are valid external policy control systems
    permittedValidatingWebhooks:
      - <string>

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation config to tell Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Examples

require-admission-controller

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireAdmissionController
metadata:
  name: require-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Allowed

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.28
  name: allowed-namespace

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequireBinAuthZ

Require Binary Authorization v1.0.2

Requires the Binary Authorization validating admission webhook. Constraints using this ConstraintTemplate will only audit, regardless of the enforcementAction value.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation config to tell Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "admissionregistration.k8s.io"
        version: "v1" OR "v1beta1"
        kind: "ValidatingWebhookConfiguration"

Examples

require-binauthz

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireBinAuthZ
metadata:
  name: require-binauthz
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: default
---
# Referential Data
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: binauthz-admission-controller
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    url: https://binaryauthorization.googleapis.com/internal/projects/ap-bps-experimental-gke/policy/locations/us-central1/clusters/acm-test-cluster:admissionReview
  name: imagepolicywebhook.image-policy.k8s.io
  rules:
  - operations:
    - CREATE
    - UPDATE
  - apiVersion:
    - v1
  sideEffects: None

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: default

K8sRequireCosNodeImage

Require COS Node Image v1.1.1

Enforces the use of Google's Container-Optimized OS on nodes.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptOsImages <array>: A list of exempt OS Images.
    exemptOsImages:
      - <string>

Examples

nodes-have-consistent-time

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireCosNodeImage
metadata:
  name: nodes-have-consistent-time
spec:
  enforcementAction: dryrun
  parameters:
    exemptOsImages:
    - Debian
    - Ubuntu*

Allowed

apiVersion: v1
kind: Node
metadata:
  name: allowed-example
status:
  nodeInfo:
    osImage: Container-Optimized OS from Google

apiVersion: v1
kind: Node
metadata:
  name: example-exempt
status:
  nodeInfo:
    osImage: Debian

apiVersion: v1
kind: Node
metadata:
  name: example-exempt-wildcard
status:
  nodeInfo:
    osImage: Ubuntu 18.04.5 LTS

Disallowed

apiVersion: v1
kind: Node
metadata:
  name: disallowed-example
status:
  nodeInfo:
    osImage: Debian GNUv1.0

K8sRequireDaemonsets

Required Daemonsets v1.1.2

Requires the specified list of daemonsets to exist.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # requiredDaemonsets <array>: A list of names and namespaces of the
    # required daemonsets.
    requiredDaemonsets:
      - # name <string>: The name of the required daemonset.
        name: <string>
        # namespace <string>: The namespace for the required daemonset.
        namespace: <string>
    # restrictNodeSelector <boolean>: The daemonsets cannot include
    # `NodeSelector`.
    restrictNodeSelector: <boolean>

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation config to tell Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "DaemonSet"
      OR
      - group: "apps"
        version: "v1beta2" OR "v1"
        kind: "DaemonSet"

Examples

require-daemonset

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDaemonsets
metadata:
  name: require-daemonset
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    requiredDaemonsets:
    - name: clamav
      namespace: pci-dss-av
    restrictNodeSelector: true

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: clamav-host-scanner
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    metadata:
      labels:
        name: clamav
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/clamav:latest
        livenessProbe:
          exec:
            command:
            - /health.sh
          initialDelaySeconds: 60
          periodSeconds: 30
        name: clamav-scanner
        resources:
          limits:
            memory: 3Gi
          requests:
            cpu: 500m
            memory: 2Gi
        volumeMounts:
        - mountPath: /data
          name: data-vol
        - mountPath: /host-fs
          name: host-fs
          readOnly: true
        - mountPath: /logs
          name: logs
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - emptyDir: {}
        name: data-vol
      - hostPath:
          path: /
        name: host-fs
      - hostPath:
          path: /var/log/clamav
        name: logs

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: other
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: other
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: other

apiVersion: v1
kind: Namespace
metadata:
  name: pci-dss-av
---
# Referential Data
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: clamav
  namespace: pci-dss-av
spec:
  selector:
    matchLabels:
      name: clamav
  template:
    spec:
      containers:
      - image: us.gcr.io/{your-project-id}/other:latest
        name: clamav
      nodeSelector:
        cloud.google.com/gke-spot: "true"

K8sRequireDefaultDenyEgressPolicy

Require Default Deny Egress Policy v1.0.3

Requires that every namespace defined in the cluster has a default-deny NetworkPolicy for egress.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation config to tell Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Examples

require-default-deny-network-policies

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireDefaultDenyEgressPolicy
metadata:
  name: require-default-deny-network-policies
spec:
  enforcementAction: dryrun

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace2
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: example-namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress

K8sRequireNamespaceNetworkPolicies

Require Namespace Network Policies v1.0.6

Requires that every namespace defined in the cluster has a NetworkPolicy.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation config to tell Policy Controller which kinds of objects to watch.

Your Policy Controller Config will require a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "NetworkPolicy"
      OR
      - group: "networking.k8s.io"
        version: "v1"
        kind: "NetworkPolicy"

Examples

require-namespace-network-policies-sample

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicies
metadata:
  name: require-namespace-network-policies-sample
spec:
  enforcementAction: dryrun

Allowed

apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: require-namespace-network-policies-example

Disallowed

apiVersion: v1
kind: Namespace
metadata:
  name: require-namespace-network-policies-example
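K8sRequireDefaultDenyEgressPolicy and K8sRequireNamespaceNetworkPolicies are both referential: the verdict on a Namespace depends on the NetworkPolicies synced into Policy Controller, matched by metadata.namespace, which is why the page's example-namespace2 is rejected even though a default-deny-egress policy exists in example-namespace. The Python below is an added example for this page serving both templates, not their Rego. The shape it requires for a default-deny egress policy (empty podSelector, Egress in policyTypes, no egress rules) is an assumption taken from the page's example; the helpers and the allow-dns policy are constructed.

```python
# Added example for this page; not the Rego of K8sRequireDefaultDenyEgressPolicy or
# K8sRequireNamespaceNetworkPolicies. Both are referential: the decision about a
# Namespace depends on NetworkPolicies already synced into Policy Controller, so
# the functions take that inventory as a second argument.


def policies_in(namespace, policies):
    """NetworkPolicies whose metadata.namespace is this Namespace's name."""
    name = namespace["metadata"]["name"]
    return [p for p in policies if p["metadata"].get("namespace") == name]


def is_default_deny_egress(policy):
    """Assumed shape of a default-deny egress policy, as in the page's example:
    an empty podSelector (all pods), Egress in policyTypes, and no egress rules."""
    spec = policy.get("spec") or {}
    return (spec.get("podSelector") == {}
            and "Egress" in (spec.get("policyTypes") or [])
            and not spec.get("egress"))


def has_default_deny_egress(namespace, policies):
    return any(is_default_deny_egress(p) for p in policies_in(namespace, policies))


def has_any_network_policy(namespace, policies):
    return bool(policies_in(namespace, policies))


def make_namespace(name):
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": name}}


def make_policy(name, namespace, spec=None):
    policy = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
              "metadata": {"name": name, "namespace": namespace}}
    if spec is not None:
        policy["spec"] = spec
    return policy


# The page's referential data.
DEFAULT_DENY_EGRESS = make_policy("default-deny-egress", "example-namespace",
                                  {"podSelector": {}, "policyTypes": ["Egress"]})
TEST_POLICY = make_policy("test-network-policy", "require-namespace-network-policies-example")
# Constructed: same selector and policyTypes but with an egress rule that allows
# DNS, so it counts as a NetworkPolicy but not as a default deny.
ALLOW_DNS_EGRESS = make_policy("allow-dns", "example-namespace",
                               {"podSelector": {}, "policyTypes": ["Egress"],
                                "egress": [{"ports": [{"port": 53, "protocol": "UDP"}]}]})

if __name__ == "__main__":
    for ns_name in ("example-namespace", "example-namespace2"):
        ns = make_namespace(ns_name)
        print(ns_name, "default-deny egress:", has_default_deny_egress(ns, [DEFAULT_DENY_EGRESS]),
              "any policy:", has_any_network_policy(ns, [DEFAULT_DENY_EGRESS]))
```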

K8sRequireValidRangesForNetworks

Require Valid Ranges for Networks v1.0.2

Enforces the allowed CIDR blocks for network ingress and egress.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedEgress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for egress.
    allowedEgress:
      - <string>
    # allowedIngress <array>: IP ranges in CIDR format (0.0.0.0/32) that are
    # allowed for ingress.
    allowedIngress:
      - <string>

Examples

require-valid-network-ranges

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireValidRangesForNetworks
metadata:
  name: require-valid-network-ranges
spec:
  enforcementAction: dryrun
  parameters:
    allowedEgress:
    - 10.0.0.0/32
    allowedIngress:
    - 10.0.0.0/24

Allowed

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 10.0.0.0/32
  ingress:
  - from:
    - ipBlock:
        cidr: 10.0.0.0/29
    - ipBlock:
        cidr: 10.0.0.100/29
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress

Disallowed

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy-disallowed
  namespace: default
spec:
  egress:
  - ports:
    - port: 5978
      protocol: TCP
    to:
    - ipBlock:
        cidr: 1.1.2.0/31
  ingress:
  - from:
    - ipBlock:
        cidr: 1.1.2.0/24
    - ipBlock:
        cidr: 2.1.2.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - port: 6379
      protocol: TCP
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
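The check behind this template is CIDR containment: every ipBlock.cidr in an ingress "from" or egress "to" peer must be a subnet of one of the allowed ranges, while namespaceSelector and podSelector peers are not IP ranges and are skipped. The Python below is an added example for this page, not the template's Rego; it uses the standard-library ipaddress module and runs over the page's two NetworkPolicies, rebuilt with a constructed make_policy helper. Accepting 10.0.0.100/29 (host bits set) by rounding it to its network address is an assumption about how the template handles such input.

```python
from ipaddress import ip_network

# Added example for this page; not the K8sRequireValidRangesForNetworks template's
# own Rego. Each ipBlock.cidr in a NetworkPolicy's ingress "from" and egress "to"
# peers must fall inside one of the constraint's allowed ranges.


def cidr_within(cidr, allowed_ranges):
    """True when cidr is a subnet of (or equal to) one of allowed_ranges.
    strict=False accepts a block with host bits set, such as 10.0.0.100/29 on the
    page, by rounding it to its network address (assumption about the Rego's behaviour)."""
    net = ip_network(cidr, strict=False)
    for allowed in allowed_ranges:
        allowed_net = ip_network(allowed, strict=False)
        # subnet_of raises on mixed IPv4/IPv6, so compare versions first.
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def _ip_block_cidrs(rules, peer_key):
    """Yield ipBlock CIDRs from a list of ingress/egress rules; selector peers have none."""
    for rule in rules or []:
        for peer in rule.get(peer_key) or []:
            if "ipBlock" in peer:
                yield peer["ipBlock"]["cidr"]


def network_range_violations(policy, allowed_ingress, allowed_egress):
    spec = policy["spec"]
    violations = []
    for cidr in _ip_block_cidrs(spec.get("ingress"), "from"):
        if not cidr_within(cidr, allowed_ingress):
            violations.append(f"ingress from {cidr} is outside the allowed ingress ranges")
    for cidr in _ip_block_cidrs(spec.get("egress"), "to"):
        if not cidr_within(cidr, allowed_egress):
            violations.append(f"egress to {cidr} is outside the allowed egress ranges")
    return violations


def make_policy(name, ingress_cidrs, egress_cidrs):
    """Constructed NetworkPolicy with the page's selector peers alongside the ipBlocks."""
    from_peers = [{"ipBlock": {"cidr": c}} for c in ingress_cidrs]
    from_peers += [{"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                   {"podSelector": {"matchLabels": {"role": "frontend"}}}]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "default"},
            "spec": {"podSelector": {"matchLabels": {"role": "db"}},
                     "policyTypes": ["Ingress", "Egress"],
                     "ingress": [{"from": from_peers, "ports": [{"port": 6379, "protocol": "TCP"}]}],
                     "egress": [{"to": [{"ipBlock": {"cidr": c}} for c in egress_cidrs],
                                 "ports": [{"port": 5978, "protocol": "TCP"}]}]}}


# Parameters of the require-valid-network-ranges constraint above.
ALLOWED_EGRESS = ["10.0.0.0/32"]
ALLOWED_INGRESS = ["10.0.0.0/24"]
ALLOWED_POLICY = make_policy("test-network-policy", ["10.0.0.0/29", "10.0.0.100/29"], ["10.0.0.0/32"])
DISALLOWED_POLICY = make_policy("test-network-policy-disallowed", ["1.1.2.0/24", "2.1.2.0/24"], ["1.1.2.0/31"])

if __name__ == "__main__":
    for policy in (ALLOWED_POLICY, DISALLOWED_POLICY):
        print(policy["metadata"]["name"],
              network_range_violations(policy, ALLOWED_INGRESS, ALLOWED_EGRESS) or "ok")
```

The disallowed policy produces three findings, one per ipBlock, which is the granularity you want in an audit report when a team has to fix a policy with several peers.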

K8sRequiredAnnotations

Required Annotations v1.0.1

Requires resources to contain the specified annotations, with values matching the provided regular expressions.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # annotations <array>: A list of annotations and values the object must
    # specify.
    annotations:
      - # allowedRegex <string>: If specified, a regular expression the
        # annotation's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required annotation.
        key: <string>
    message: <string>

Examples

all-must-have-certain-set-of-annotations

Constraint

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredAnnotations
metadata:
  name: all-must-have-certain-set-of-annotations
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Service
  parameters:
    annotations:
    - allowedRegex: ^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}|[a-z]{1,39})$
      key: a8r.io/owner
    - allowedRegex: ^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$
      key: a8r.io/runbook
    message: All services must have a `a8r.io/owner` and `a8r.io/runbook` annotations.

Allowed

apiVersion: v1
kind: Service
metadata:
  annotations:
    a8r.io/owner: [email protected]
    a8r.io/runbook: https://confluence.contoso.com/dev-team-alfa/runbooks
  name: allowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

Disallowed

apiVersion: v1
kind: Service
metadata:
  name: disallowed-service
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: foo

K8sRequiredLabels

Required Labels v1.0.1

Requires resources to contain the specified labels, with values matching the provided regular expressions.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # labels <array>: A list of labels and values the object must specify.
    labels:
      - # allowedRegex <string>: If specified, a regular expression the
        # label's value must match. The value must contain at least one
        # match for the regular expression.
        allowedRegex: <string>
        # key <string>: The required label.
        key: <string>
    message: <string>

Examples

all-must-have-owner
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace
  parameters:
    labels:
    - allowedRegex: ^[a-zA-Z]+.agilebank.demo$
      key: owner
    message: All namespaces must have an `owner` label that points to your company
      username

Allowed
apiVersion: v1
kind: Namespace
metadata:
  labels:
    owner: user.agilebank.demo
  name: allowed-namespace

Disallowed
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace

K8sRequiredProbes

Required Probes v1.0.1

Requires Pods to have readiness and/or liveness probes.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # probeTypes <array>: The probe must define a field listed in `probeType`
    # in order to satisfy the constraint (ex. `tcpSocket` satisfies
    # `['tcpSocket', 'exec']`)
    probeTypes:
      - <string>
    # probes <array>: A list of probes that are required (ex: `readinessProbe`)
    probes:
      - <string>

Examples

must-have-probes
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    probeTypes:
    - tcpSocket
    - httpGet
    - exec
    probes:
    - readinessProbe
    - livenessProbe

Allowed
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: tomcat
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - image: nginx:1.7.9
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume

apiVersion: v1
kind: Pod
metadata:
  name: test-pod2
spec:
  containers:
  - image: nginx:1.7.9
    livenessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 80
    name: nginx-1
    ports:
    - containerPort: 80
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - image: tomcat
    name: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
      tcpSocket:
        port: 8080
  volumes:
  - emptyDir: {}
    name: cache-volume
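As an added example (not Policy Controller's own Rego and not from the original page), a local Python check that applies the `probes` / `probeTypes` semantics of the must-have-probes constraint to Pod manifests before they reach the cluster; the Pod dicts are constructed from the page's allowed and disallowed examples, plus one constructed `grpc` case that the page does not show.

```python
"""Local check that mirrors the K8sRequiredProbes constraint.

Added example, not Policy Controller's own Rego: it re-implements the
documented semantics so a manifest can be checked before it is applied.
Every container must carry each probe listed in `probes`, and each such
probe must define at least one handler field listed in `probe_types`.
"""
from typing import Dict, List

# Parameters of the page's `must-have-probes` constraint.
PROBES = ["readinessProbe", "livenessProbe"]
PROBE_TYPES = ["tcpSocket", "httpGet", "exec"]


def find_probe_violations(pod: Dict, probes: List[str], probe_types: List[str]) -> List[str]:
    """Return one message per violation; an empty list means the Pod is compliant."""
    violations = []
    for container in pod.get("spec", {}).get("containers", []):
        name = container.get("name", "<unnamed>")
        for probe in probes:
            handler = container.get(probe)
            if not isinstance(handler, dict):
                violations.append(f"container {name}: {probe} is not defined")
            elif not any(t in handler for t in probe_types):
                # Probe exists but uses a handler outside probeTypes (e.g. grpc).
                violations.append(
                    f"container {name}: {probe} must define one of {probe_types}"
                )
    return violations


def tcp_probe(port: int) -> Dict:
    """Build the probe shape used in the page's examples."""
    return {"initialDelaySeconds": 5, "periodSeconds": 10, "tcpSocket": {"port": port}}


# Constructed from the page's allowed example: both probes on the only container.
ALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pod1"},
    "spec": {"containers": [{
        "image": "tomcat", "name": "tomcat",
        "livenessProbe": tcp_probe(80), "readinessProbe": tcp_probe(8080),
    }]},
}

# Constructed from the page's first disallowed example: nginx-1 has no probes
# at all and tomcat is missing its livenessProbe.
DISALLOWED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pod1"},
    "spec": {"containers": [
        {"image": "nginx:1.7.9", "name": "nginx-1"},
        {"image": "tomcat", "name": "tomcat", "readinessProbe": tcp_probe(8080)},
    ]},
}

# Constructed extra case (not on the page): both probes exist, but the liveness
# handler is `grpc`, which is not among the constraint's probeTypes.
GRPC_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "grpc-pod"},
    "spec": {"containers": [{
        "image": "example/grpc-app", "name": "app",
        "livenessProbe": {"grpc": {"port": 9090}},
        "readinessProbe": tcp_probe(9090),
    }]},
}

if __name__ == "__main__":
    for pod in (ALLOWED_POD, DISALLOWED_POD, GRPC_POD):
        result = find_probe_violations(pod, PROBES, PROBE_TYPES)
        print(pod["metadata"]["name"], result or "OK")
```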

K8sRequiredResources

Required Resources v1.0.1

Requires containers to have defined resources set. https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exemptImages <array>: Any container that uses an image that matches an
    # entry in this list will be excluded from enforcement. Prefix-matching can
    # be signified with `*`. For example: `my-image-*`. It is recommended that
    # users use the fully-qualified Docker image name (e.g. start with a domain
    # name) in order to avoid unexpectedly exempting images from an untrusted
    # repository.
    exemptImages:
      - <string>
    # limits <array>: A list of limits that should be enforced (`cpu`,
    # `memory`, or both).
    limits:
      # Allowed Values: cpu, memory
      - <string>
    # requests <array>: A list of requests that should be enforced (`cpu`,
    # `memory`, or both).
    requests:
      # Allowed Values: cpu, memory
      - <string>

Examples

container-must-have-limits-and-requests
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - cpu
    - memory
    requests:
    - cpu
    - memory

Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi

container-must-have-cpu-requests-memory-limits-and-requests
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    limits:
    - memory
    requests:
    - cpu
    - memory

Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m
        memory: 2Gi

Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

no-enforcements
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: no-enforcements
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod

Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-allowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        cpu: 100m
        memory: 1Gi
      requests:
        cpu: 100m
        memory: 1Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      requests:
        cpu: 100m
        memory: 2Gi

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources:
      limits:
        memory: 2Gi
      requests:
        cpu: 100m

apiVersion: v1
kind: Pod
metadata:
  labels:
    owner: me.agilebank.demo
  name: opa-disallowed
spec:
  containers:
  - args:
    - run
    - --server
    - --addr=localhost:8080
    image: openpolicyagent/opa:0.9.2
    name: opa
    resources: {}

K8sRestrictAdmissionController

Restrict Admission Controller v1.0.0

Restricts dynamic admission controllers to those that are permitted.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # permittedMutatingWebhooks <array>: List of permitted mutating webhooks
    # (mutating admission controllers)
    permittedMutatingWebhooks:
      - <string>
    # permittedValidatingWebhooks <array>: List of permitted validating
    # webhooks (validating admission controllers)
    permittedValidatingWebhooks:
      - <string>

Examples

restrict-admission-controller
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAdmissionController
metadata:
  name: restrict-admission-controller
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
  parameters:
    permittedMutatingWebhooks:
    - allowed-mutating-webhook
    permittedValidatingWebhooks:
    - allowed-validating-webhook

Allowed
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: allowed-validating-webhook

Disallowed
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: disallowed-validating-webhook

K8sRestrictAutomountServiceAccountTokens

Restrict Service Account Tokens v1.0.1

Restricts the use of service account tokens.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

restrict-serviceaccounttokens
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictAutomountServiceAccountTokens
metadata:
  name: restrict-serviceaccounttokens
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
      - ServiceAccount

Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example-pod
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: ServiceAccount
metadata:
  name: disallowed-example-serviceaccount

Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example-pod
spec:
  automountServiceAccountToken: true
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  name: allowed-example-serviceaccount

K8sRestrictLabels

Restrict Labels v1.0.2

Prohibits resources from containing the specified labels, unless an exception exists for a specific resource.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # exceptions <array>: Objects listed here are exempt from enforcement of
    # this constraint. All fields must be provided.
    exceptions:
      # <list item: object>: A single object's identification, based on group,
      # kind, namespace, and name.
      - # group <string>: The Kubernetes group of the exempt object.
        group: <string>
        # kind <string>: The Kubernetes kind of the exempt object.
        kind: <string>
        # name <string>: The name of the exempt object.
        name: <string>
        # namespace <string>: The namespace of the exempt object. For
        # cluster-scoped resources, use the empty string `""`.
        namespace: <string>
    # restrictedLabels <array>: A list of label keys strings.
    restrictedLabels:
      - <string>

Examples

restrict-label-example
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictLabels
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    exceptions:
    - group: ""
      kind: Pod
      name: allowed-example
      namespace: default
    restrictedLabels:
    - label-example

Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNamespaces

Restrict Namespaces v1.0.1

Restricts resources from using the namespaces listed under the restrictedNamespaces parameter.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # restrictedNamespaces <array>: A list of Namespaces to restrict.
    restrictedNamespaces:
      - <string>

Examples

restrict-default-namespace-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNamespaces
metadata:
  name: restrict-default-namespace-sample
spec:
  enforcementAction: dryrun
  parameters:
    restrictedNamespaces:
    - default

Allowed
apiVersion: v1
kind: Pod
metadata:
  name: allowed-example
  namespace: test-namespace
spec:
  containers:
  - image: nginx
    name: nginx

Disallowed
apiVersion: v1
kind: Pod
metadata:
  name: disallowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

K8sRestrictNfsUrls

Restrict NFS URLs v1.0.1

Prohibits resources from containing NFS URLs unless otherwise specified.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedNfsUrls <array>: A list of allowed NFS URLs
    allowedNfsUrls:
      - <string>

Examples

restrict-label-example
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictNfsUrls
metadata:
  name: restrict-label-example
spec:
  enforcementAction: dryrun
  parameters:
    allowedNfsUrls:
    - my-nfs-server.example.com/my-nfs-volume
    - my-nfs-server.example.com/my-wildcard-nfs-volume/*

Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: allowed-example-nfs-wildcard
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  - name: test-volume
    nfs:
      path: /my-nfs-volume/my-wildcard-nfs-volume/wildcard_matched_path
      server: my-nfs-server.example.com

Disallowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

apiVersion: v1
kind: Pod
metadata:
  labels:
    label-example: example
  name: disallowed-example-nfs-mixed
  namespace: default
spec:
  containers:
  - image: nginx
    name: nginx
  volumes:
  - name: test-volume-allowed
    nfs:
      path: /my-nfs-volume
      server: my-nfs-server.example.com
  - name: test-volume-disallowed
    nfs:
      path: /my-nfs-volume
      server: disallowed-nfs-server.example.com

K8sRestrictRbacSubjects

Restrict RBAC Subjects v1.0.3

Restricts the names in RBAC subjects to the specified values only.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of names permitted in RBAC subjects.
    allowedSubjects:
      - # name <string>: The exact-name or the pattern of the allowed subject
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>

Examples

restrict-rbac-subjects
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRbacSubjects
metadata:
  name: restrict-rbac-subjects
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - RoleBinding
      - ClusterRoleBinding
  parameters:
    allowedSubjects:
    - name: system:masters
    - name: ^.+@gcp-sa-[a-z-]+.iam.gserviceaccount.com$
      regexMatch: true
    - name: ^[email protected]$
      regexMatch: true
    - name: ^[email protected]$
      regexMatch: true

Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

K8sRestrictRoleBindings

Restrict Role Bindings v1.0.3

Restricts the subjects specified in ClusterRoleBindings and RoleBindings to a list of allowed subjects.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedSubjects <array>: The list of subjects that are allowed to bind to
    # the restricted role.
    allowedSubjects:
      - # apiGroup <string>: The Kubernetes API group of the subject.
        apiGroup: <string>
        # kind <string>: The Kubernetes kind of the subject.
        kind: <string>
        # name <string>: The name of the subject which is matched exactly as
        # provided as well as based on a regular expression.
        name: <string>
        # regexMatch <boolean>: The flag to allow a regular expression based
        # match on the name.
        regexMatch: <boolean>
    # restrictedRole <object>: The role that cannot be bound to unless
    # expressly allowed.
    restrictedRole:
      # apiGroup <string>: The Kubernetes API group of the role.
      apiGroup: <string>
      # kind <string>: The Kubernetes kind of the role.
      kind: <string>
      # name <string>: The name of the role.
      name: <string>

Examples

restrict-clusteradmin-rolebindings-sample
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-sample
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin

Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

restrict-clusteradmin-rolebindings-regex
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleBindings
metadata:
  name: restrict-clusteradmin-rolebindings-regex
spec:
  enforcementAction: dryrun
  parameters:
    allowedSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: ^service-[0-9][email protected]$
      regexMatch: true
    restrictedRole:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin

Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: good-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com

Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bad-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com
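As an added example (not Policy Controller's own Rego and not from the original page), a local Python check that applies the restrictedRole / allowedSubjects / regexMatch semantics of the two constraints above to ClusterRoleBinding manifests; the bindings are constructed from the page's examples, the regex allowed subject is constructed for this example, and regex matching is assumed to be an unanchored search (the page's patterns carry their own ^...$ anchors).

```python
"""Local check that mirrors the K8sRestrictRoleBindings constraint.

Added example, not Policy Controller's own Rego: bindings whose roleRef is
the restricted role may only carry subjects that appear in allowedSubjects,
compared exactly or, when regexMatch is true, by regular expression
(assumed here to be an unanchored re.search).
"""
import re
from typing import Dict, List

RBAC_GROUP = "rbac.authorization.k8s.io"

# Parameters modelled on the page's restrict-clusteradmin-rolebindings-*
# constraints; the regex subject is constructed for this example.
RESTRICTED_ROLE = {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"}
ALLOWED_SUBJECTS = [
    {"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"},
    {"apiGroup": RBAC_GROUP, "kind": "User",
     "name": r"^service-[0-9]+@gcp-sa-[a-z-]+\.iam\.gserviceaccount\.com$",
     "regexMatch": True},
]


def subject_allowed(subject: Dict, allowed: Dict) -> bool:
    """apiGroup and kind must match exactly; name exactly or by regex."""
    # ServiceAccount subjects carry no apiGroup, so a missing one counts as "".
    if subject.get("apiGroup", "") != allowed.get("apiGroup", ""):
        return False
    if subject.get("kind") != allowed.get("kind"):
        return False
    name = subject.get("name", "")
    if allowed.get("regexMatch"):
        return re.search(allowed["name"], name) is not None
    return name == allowed["name"]


def binding_violations(binding: Dict, restricted_role: Dict,
                       allowed_subjects: List[Dict]) -> List[str]:
    """Return one message per subject that may not bind the restricted role."""
    role_ref = binding.get("roleRef", {})
    # Bindings to any other role are out of scope for this constraint.
    if any(role_ref.get(k, "") != restricted_role[k] for k in ("apiGroup", "kind", "name")):
        return []
    violations = []
    for subject in binding.get("subjects", []):
        if not any(subject_allowed(subject, a) for a in allowed_subjects):
            violations.append(
                f"{subject.get('kind')} {subject.get('name')!r} may not bind "
                f"{restricted_role['kind']}/{restricted_role['name']}"
            )
    return violations


def cluster_role_binding(name: str, role: str, subjects: List[Dict]) -> Dict:
    """Build a ClusterRoleBinding dict (constructed test input)."""
    return {
        "apiVersion": f"{RBAC_GROUP}/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": role},
        "subjects": subjects,
    }


# Constructed from the page's allowed and disallowed examples.
GOOD_BINDING = cluster_role_binding("good-clusterrolebinding", "cluster-admin", [
    {"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:masters"},
    {"apiGroup": RBAC_GROUP, "kind": "User",
     "name": "service-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"},
])
BAD_BINDING = cluster_role_binding("bad-clusterrolebinding", "cluster-admin", [
    {"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:unauthenticated"},
    {"apiGroup": RBAC_GROUP, "kind": "User",
     "name": "someotherservice-123456789@gcp-sa-anthosconfigmanagement.iam.gserviceaccount.com"},
])
# Constructed: a binding to a different ClusterRole is never restricted.
VIEW_BINDING = cluster_role_binding("view-binding", "view", [
    {"apiGroup": RBAC_GROUP, "kind": "Group", "name": "system:authenticated"},
])

if __name__ == "__main__":
    for b in (GOOD_BINDING, BAD_BINDING, VIEW_BINDING):
        result = binding_violations(b, RESTRICTED_ROLE, ALLOWED_SUBJECTS)
        print(b["metadata"]["name"], result or "OK")
```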

K8sRestrictRoleRules

Restrict Role and ClusterRole rules. v1.0.4

Restricts the rules that can be set on Role and ClusterRole objects.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedRules <array>: AllowedRules is the list of rules that are allowed
    # on Role or ClusterRole objects. If set, any item off this list will be
    # rejected.
    allowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be allowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # disallowedRules <array>: DisallowedRules is the list of rules that are
    # NOT allowed on Role or ClusterRole objects. If set, any item on this list
    # will be rejected.
    disallowedRules:
      - # apiGroups <array>: APIGroups is the name of the APIGroup that
        # contains the resources. If multiple API groups are specified, any
        # action requested against one of the enumerated resources in any API
        # group will be disallowed. "" represents the core API group and "*"
        # represents all API groups.
        apiGroups:
          - <string>
        # resources <array>: Resources is a list of resources this rule
        # applies to. '*' represents all resources.
        resources:
          - <string>
        # verbs <array>: Verbs is a list of Verbs that apply to ALL the
        # ResourceKinds contained in this rule. '*' represents all verbs.
        verbs:
          - <string>
    # exemptions <object>: Exemptions is the list of Roles and/or ClusterRoles
    # names that are allowed to violate this policy.
    exemptions:
      clusterRoles:
        - # name <string>: Name is the name or a pattern of the ClusterRole
          # to be exempted.
          name: <string>
          # regexMatch <boolean>: RegexMatch is the flag to toggle exact vs
          # regex match of the ClusterRole name.
          regexMatch: <boolean>
      roles:
        - # name <string>: Name is the name of the Role to be exempted.
          name: <string>
          # namespace <string>: Namespace is the namespace of the Role to be
          # exempted.
          namespace: <string>

Examples

restrict-pods-exec
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
  name: restrict-pods-exec
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - Role
      - ClusterRole
  parameters:
    disallowedRules:
    - apiGroups:
      - ""
      resources:
      - pods/exec
      verbs:
      - create

Allowed
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch

Disallowed
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: disallowed-cluster-role-example
rules:
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - '*'

K8sStorageClass

Storage Class v1.1.2

要求在使用时指定存储类别。仅支持 Gatekeeper 3.9+ 和非临时容器。

限制条件架构

apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sStorageClass metadata:   name: example spec:   # match <object>: lets you configure which resources are in scope for this   # constraint. For more information, see the Policy Controller Constraint   # match documentation:   # https://cloud.google.com/anthos-config-management/docs/reference/match   match:     [match schema]   parameters:     # allowedStorageClasses <array>: An optional allow-list of storage classes.     #  If specified, any storage class not in the `allowedStorageClasses`     # parameter is disallowed.     allowedStorageClasses:       - <string>     includeStorageClassesInMessage: <boolean> 

参照限制条件

此限制条件是参照限制条件。 在使用之前,您必须启用参照限制条件创建配置,以告知 Policy Controller 要监视的对象种类。

您的 Policy Controller Config 将要求一个类似于以下内容的 syncOnly 条目:

spec:   sync:     syncOnly:       - group: "storage.k8s.io"         version: "v1"         kind: "StorageClass" 

Examples

storageclass
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    includeStorageClassesInMessage: true

Allowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ok
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: somestorageclass
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: volumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: volumeclaimstorageclass
  serviceName: volumeclaimstorageclass
  template:
    metadata:
      labels:
        app: volumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: somestorageclass
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: somestorageclass
provisioner: foo

Disallowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: badstorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: badstorageclass
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: badvolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: badvolumeclaimstorageclass
  serviceName: badvolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: badvolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: badstorageclass

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nostorageclass
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  volumeMode: Filesystem

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: novolumeclaimstorageclass
spec:
  replicas: 1
  selector:
    matchLabels:
      app: novolumeclaimstorageclass
  serviceName: novolumeclaimstorageclass
  template:
    metadata:
      labels:
        app: novolumeclaimstorageclass
    spec:
      containers:
      - image: registry.k8s.io/nginx-slim:0.8
        name: main
        volumeMounts:
        - mountPath: /usr/share/nginx/html
          name: data
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi

allowed-storageclass
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sStorageClass
metadata:
  name: allowed-storageclass
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - PersistentVolumeClaim
    - apiGroups:
      - apps
      kinds:
      - StatefulSet
  parameters:
    allowedStorageClasses:
    - allowed-storage-class
    includeStorageClassesInMessage: true

Allowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: allowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: allowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

Disallowed
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: disallowed-storage-class-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
  storageClassName: disallowed-storage-class
  volumeMode: Filesystem
---
# Referential Data
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: allowed-storage-class
provisioner: foo

K8sUniqueIngressHost

Unique Ingress Host v1.0.4

Requires all Ingress rule hosts to be unique across the cluster. Wildcard hostnames are not expanded; they are compared as literal strings: https://kubernetes.io/docs/concepts/services-networking/ingress/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation in the Policy Controller Config, which tells Policy Controller which object kinds to watch and sync into its cache.

Your Policy Controller Config needs a syncOnly entry similar to the following, depending on which Ingress API versions your cluster serves:

spec:
  sync:
    syncOnly:
      - group: "extensions"
        version: "v1beta1"
        kind: "Ingress"
      # or
      - group: "networking.k8s.io"
        version: "v1beta1"   # or "v1"
        kind: "Ingress"

Examples

unique-ingress-host
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueIngressHost
metadata:
  name: unique-ingress-host
spec:
  match:
    kinds:
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress

Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-allowed
  namespace: default
spec:
  rules:
  - host: example-allowed-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-allowed-host1.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix

Disallowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example
  namespace: default
spec:
  rules:
  - host: example-host.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-disallowed2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: example-host3.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx2
            port:
              number: 80
        path: /
        pathType: Prefix
---
# Referential Data
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-host-example2
  namespace: default
spec:
  rules:
  - host: example-host2.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: Prefix

K8sUniqueServiceSelector

Unique Service Selector v1.0.2

Requires Services to have unique selectors within a namespace. Two selectors are considered the same if they have identical keys and values. Selectors may share key/value pairs as long as at least one key/value pair differs between them. https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Referential constraint

This constraint is a referential constraint. Before using it, you must enable referential constraint creation in the Policy Controller Config, which tells Policy Controller which object kinds to watch and sync into its cache.

Your Policy Controller Config needs a syncOnly entry similar to the following:

spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "Service"

Examples

unique-service-selector
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
  labels:
    owner: admin.agilebank.demo
  name: unique-service-selector

Allowed
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-allowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: other-value

Disallowed
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-disallowed
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
---
# Referential Data
apiVersion: v1
kind: Service
metadata:
  name: gatekeeper-test-service-example
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    key: value
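K8sUniqueIngressHost and K8sUniqueServiceSelector are both referential constraints that compare the object under review with objects already synced into Policy Controller's cache. The Python below is an added example, not either template's Rego and not part of this page: it models the two comparisons side by side so the edge cases (an UPDATE of the same object, a clash in another namespace, selectors that merely overlap) can be tried offline. The `existing` list stands in for the synced cache and the function names are this example's own.

```python
"""Models of the K8sUniqueIngressHost and K8sUniqueServiceSelector checks (added example).

Not the templates' Rego. `existing` stands in for the objects Policy Controller
has synced (the referential data). On an UPDATE the object under review is
itself among them, so identity is excluded explicitly.
"""


def _same_object(a: dict, b: dict) -> bool:
    ma, mb = a.get("metadata", {}), b.get("metadata", {})
    return (a.get("kind") == b.get("kind")
            and ma.get("namespace", "default") == mb.get("namespace", "default")
            and ma.get("name") == mb.get("name"))


def ingress_hosts(ingress: dict) -> set[str]:
    """Hosts named in spec.rules. Wildcards such as '*.example.com' stay literal
    strings: the page says the constraint does not expand them."""
    return {r["host"] for r in (ingress.get("spec") or {}).get("rules", []) if r.get("host")}


def duplicate_ingress_hosts(candidate: dict, existing: list[dict]) -> list[str]:
    """Hosts of `candidate` already claimed by another Ingress in any namespace."""
    mine = ingress_hosts(candidate)
    taken = set()
    for other in existing:
        if other.get("kind") != "Ingress" or _same_object(candidate, other):
            continue
        taken |= mine & ingress_hosts(other)
    return sorted(taken)


def duplicate_service_selectors(candidate: dict, existing: list[dict]) -> list[str]:
    """Names of other Services in the same namespace whose selector is exactly
    the same key/value set. Sharing some pairs is fine; all pairs equal is not."""
    selector = (candidate.get("spec") or {}).get("selector") or {}
    if not selector:
        return []  # assumption: selector-less (manual-endpoint) Services are not compared
    ns = candidate.get("metadata", {}).get("namespace", "default")
    clashes = []
    for other in existing:
        if other.get("kind") != "Service" or _same_object(candidate, other):
            continue
        if other.get("metadata", {}).get("namespace", "default") != ns:
            continue
        if ((other.get("spec") or {}).get("selector") or {}) == selector:
            clashes.append(other["metadata"]["name"])
    return clashes


def _ingress(name: str, *hosts: str, ns: str = "default") -> dict:
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"rules": [{"host": h, "http": {"paths": []}} for h in hosts]}}


def _service(name: str, selector: dict, ns: str = "default") -> dict:
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"ports": [{"port": 443}], "selector": selector}}


# Constructed referential data, mirroring the examples on this page.
EXISTING = [
    _ingress("ingress-host-example", "example-host.example.com"),
    _ingress("ingress-host-example2", "example-host2.example.com"),
    _service("gatekeeper-test-service-example", {"key": "value"}),
]

if __name__ == "__main__":
    print(duplicate_ingress_hosts(
        _ingress("ingress-host-disallowed2", "example-host2.example.com", "example-host3.example.com"), EXISTING))
    print(duplicate_service_selectors(
        _service("gatekeeper-test-service-disallowed", {"key": "value"}), EXISTING))
```

Both checks only see what has already been synced, so two objects admitted close together can both pass; duplicates that slipped through that way surface later in audit rather than at admission.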

NoUpdateServiceAccount

Block updating Service Account v1.0.1

Blocks updates to the service account on resources that abstract over Pods (for example Deployments, StatefulSets and CronJobs), except for the users and groups listed as allowed. This policy is ignored in audit mode: it decides based on the user making the request, which is only known at admission time.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedGroups <array>: Groups that should be allowed to bypass the
    # policy.
    allowedGroups:
      - <string>
    # allowedUsers <array>: Users that should be allowed to bypass the policy.
    allowedUsers:
      - <string>

Examples

no-update-kube-system-service-account
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - ReplicationController
    - apiGroups:
      - apps
      kinds:
      - ReplicaSet
      - Deployment
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - batch
      kinds:
      - CronJob
    namespaces:
    - kube-system
  parameters:
    allowedGroups: []
    allowedUsers: []

Allowed
Creating the Deployment below is allowed; what the constraint blocks is a later update that changes its serviceAccountName, unless the requester is in allowedUsers or allowedGroups (both empty here, so nobody is exempt).

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: policy-test
  name: policy-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - sleep 99999
        image: ubuntu
        name: policy-test
      serviceAccountName: policy-test-sa-1

PolicyStrictOnly

Require STRICT Istio mTLS Policy v1.0.4

Requires that Istio mutual TLS is always set to STRICT when a PeerAuthentication is used. The constraint also ensures that the deprecated Policy and MeshPolicy resources enforce STRICT mutual TLS. See: https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/#lock-down-mutual-tls-for-the-entire-mesh

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
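The accept/reject behaviour of this constraint, including the port-level and null-value cases, is easiest to see in code. The Python below is an added example, not the template's Rego and not part of this page: it reproduces the decisions shown by the examples that follow for PeerAuthentication and for the deprecated Policy and MeshPolicy kinds. Function names are this example's own; treating a port entry with no mode as UNSET is an assumption.

```python
"""Model of the PolicyStrictOnly checks (added example, not the template's Rego).

Reproduces the accept/reject behaviour of the examples on this page for
PeerAuthentication and for the deprecated authentication.istio.io Policy and
MeshPolicy resources. Function names are this example's own.
"""

STRICT = "STRICT"
PORT_LEVEL_OK = {STRICT, "UNSET"}  # a port may be UNSET (inherit) but never weaker than STRICT


def strict_mtls_violations(obj: dict) -> list[str]:
    kind = obj.get("kind")
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    spec = obj.get("spec") or {}   # covers a missing or null spec
    problems = []

    if kind == "PeerAuthentication":
        mtls = spec.get("mtls") or {}  # covers `mtls: {}` and `mtls: null`
        mode = mtls.get("mode")        # covers `mode: null`
        if mode != STRICT:
            problems.append(f"PeerAuthentication/{name}: spec.mtls.mode is {mode!r}; it must be STRICT")
        for port, cfg in (spec.get("portLevelMtls") or {}).items():
            port_mode = (cfg or {}).get("mode", "UNSET")  # assumption: a missing mode behaves as UNSET
            if port_mode not in PORT_LEVEL_OK:
                problems.append(f"PeerAuthentication/{name}: portLevelMtls[{port}].mode is "
                                f"{port_mode!r}; it must be STRICT or UNSET")

    elif kind in ("Policy", "MeshPolicy"):
        peers = spec.get("peers") or []
        if not peers:
            problems.append(f"{kind}/{name}: spec.peers must define an mtls peer with mode STRICT")
        for i, peer in enumerate(peers):
            peer_mode = ((peer or {}).get("mtls") or {}).get("mode")
            if peer_mode != STRICT:
                problems.append(f"{kind}/{name}: spec.peers[{i}].mtls.mode is {peer_mode!r}; it must be STRICT")

    return problems


def _peer_authn(name: str, spec) -> dict:
    return {"apiVersion": "security.istio.io/v1beta1", "kind": "PeerAuthentication",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


def _policy(name: str, spec) -> dict:
    return {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


if __name__ == "__main__":
    # Constructed inputs, taken from the examples on this page.
    for o in (_peer_authn("mode-strict", {"mtls": {"mode": "STRICT"}}),
              _peer_authn("mode-strict-port-permissive",
                          {"mtls": {"mode": "STRICT"}, "portLevelMtls": {"8080": {"mode": "PERMISSIVE"}}}),
              _policy("policy-no-peers", {"targets": [{"name": "httpbin"}]})):
        print(o["metadata"]["name"], strict_mtls_violations(o))
```

Note that an empty `mtls: {}` is rejected even though, for PeerAuthentication, it only means "inherit from the parent scope": the constraint wants STRICT stated explicitly on every object it matches, and a single PERMISSIVE port is enough to fail an otherwise STRICT object.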

Examples

peerauthentication-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: peerauthentication-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - PeerAuthentication
    namespaces:
    - default

Allowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict
  namespace: default
spec:
  mtls:
    mode: STRICT

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-level
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: STRICT

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-unset
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: UNSET

Disallowed
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: empty-mtls
  namespace: default
spec:
  mtls: {}

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: unspecified-mtls
  namespace: default

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-null
  namespace: default
spec:
  mtls:
    mode: null

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-null
  namespace: default
spec:
  mtls: null

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-permissive
  namespace: default
spec:
  mtls:
    mode: PERMISSIVE

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mode-strict-port-permissive
  namespace: default
spec:
  mtls:
    mode: STRICT
  portLevelMtls:
    "8080":
      mode: PERMISSIVE
    "8081":
      mode: STRICT

deprecated-policy-strict-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: PolicyStrictOnly
metadata:
  name: deprecated-policy-strict-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - authentication.istio.io
      kinds:
      - Policy
    namespaces:
    - default

Allowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mode-strict
  namespace: default
spec:
  peers:
  - mtls:
      mode: STRICT

Disallowed
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-empty
  namespace: default
spec:
  peers:
  - mtls: {}

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default-mtls-null
  namespace: default
spec:
  peers:
  - mtls: null

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: peers-empty
  namespace: default
spec:
  peers: []

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-no-peers
  namespace: default
spec:
  targets:
  - name: httpbin

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: policy-permissive
  namespace: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

RestrictNetworkExclusions

Restrict Network Exclusions v1.0.2

Controls which inbound ports, outbound ports and outbound IP ranges may be excluded from Istio network capture. Traffic on ports and IP ranges that bypass capture is not handled by the Istio proxy, so it is not subject to Istio mTLS authentication, authorization policies or any other Istio feature. This constraint restricts the use of the following annotations:

  • traffic.sidecar.istio.io/excludeInboundPorts
  • traffic.sidecar.istio.io/excludeOutboundPorts
  • traffic.sidecar.istio.io/excludeOutboundIPRanges

See https://istio.io/latest/docs/reference/config/annotations/.

When restricting outbound IP ranges, the constraint checks whether each excluded IP range equals, or is a subset of, one of the allowed IP range exclusions.

When this constraint is in use, all inbound ports, outbound ports and outbound IP ranges must always be included in capture, either by setting the corresponding "include" annotation to "*" or by leaving it unset. None of the following annotations may be set to any value other than "*":

  • traffic.sidecar.istio.io/includeInboundPorts
  • traffic.sidecar.istio.io/includeOutboundPorts
  • traffic.sidecar.istio.io/includeOutboundIPRanges

This constraint always allows port 15020 to be excluded, because the Istio sidecar injector always adds it to the traffic.sidecar.istio.io/excludeInboundPorts annotation for health checks.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # allowedInboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeInboundPorts` annotation.
    allowedInboundPortExclusions:
      - <string>
    # allowedOutboundIPRangeExclusions <array>: A list of IP ranges that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundIPRanges` annotation. The
    # constraint calculates whether excluded IP ranges match or are a subset of
    # the ranges in this list.
    allowedOutboundIPRangeExclusions:
      - <string>
    # allowedOutboundPortExclusions <array>: A list of ports that this
    # constraint will allow in the
    # `traffic.sidecar.istio.io/excludeOutboundPorts` annotation.
    allowedOutboundPortExclusions:
      - <string>
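The rules above (include annotations must be "*" or absent, port exclusions must be on the allow-lists with 15020 always passing on the inbound side, and each excluded CIDR must fit inside an allowed CIDR) are modelled in the Python below. It is an added example, not the template's Rego and not part of this page; the subset test is done with the standard library's `ipaddress` module, function names are this example's own, and applying the 15020 exception only to inbound ports follows the text above rather than the template source.

```python
"""Model of the RestrictNetworkExclusions checks (added example, not the template's Rego).

Parses the traffic.sidecar.istio.io annotations on a Pod as the page describes:
include* annotations must be "*" or absent, excluded ports must be on the
constraint's allow-lists (15020 always passes on the inbound side), and every
excluded outbound CIDR must equal or lie inside one of the allowed CIDRs.
Function names are this example's own.
"""
import ipaddress

PREFIX = "traffic.sidecar.istio.io/"
EXCLUDE_INBOUND_PORTS = PREFIX + "excludeInboundPorts"
EXCLUDE_OUTBOUND_PORTS = PREFIX + "excludeOutboundPorts"
EXCLUDE_OUTBOUND_IP_RANGES = PREFIX + "excludeOutboundIPRanges"
INCLUDE_ANNOTATIONS = (PREFIX + "includeInboundPorts",
                       PREFIX + "includeOutboundPorts",
                       PREFIX + "includeOutboundIPRanges")
SIDECAR_HEALTH_PORT = "15020"  # added by the injector for health checks; always allowed inbound


def _csv(value: str) -> list[str]:
    """Istio's annotation values are comma-separated lists."""
    return [item.strip() for item in value.split(",") if item.strip()]


def cidr_allowed(cidr: str, allowed_ranges: list[str]) -> bool:
    """True when `cidr` equals or is a subnet of an allowed range of the same IP version."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # unparsable ranges are never allowed
    for allowed in allowed_ranges:
        try:
            outer = ipaddress.ip_network(allowed, strict=False)
        except ValueError:
            continue
        if net.version == outer.version and net.subnet_of(outer):
            return True
    return False


def network_exclusion_violations(pod: dict, params: dict) -> list[str]:
    meta = pod.get("metadata") or {}
    ann = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")
    out = []

    # 1. Everything must stay captured: include* may only be "*" or unset.
    for key in INCLUDE_ANNOTATIONS:
        if key in ann and ann[key].strip() != "*":
            out.append(f"Pod/{name}: annotation {key} must be '*' or unset, got {ann[key]!r}")

    # 2. Port exclusions must be on the allow-lists.
    allowed_in = set(params.get("allowedInboundPortExclusions") or [])
    allowed_out = set(params.get("allowedOutboundPortExclusions") or [])
    for port in _csv(ann.get(EXCLUDE_INBOUND_PORTS, "")):
        if port != SIDECAR_HEALTH_PORT and port not in allowed_in:
            out.append(f"Pod/{name}: inbound port {port} may not be excluded from capture")
    for port in _csv(ann.get(EXCLUDE_OUTBOUND_PORTS, "")):
        if port not in allowed_out:
            out.append(f"Pod/{name}: outbound port {port} may not be excluded from capture")

    # 3. IP range exclusions must fit inside an allowed range.
    allowed_ranges = params.get("allowedOutboundIPRangeExclusions") or []
    for cidr in _csv(ann.get(EXCLUDE_OUTBOUND_IP_RANGES, "")):
        if not cidr_allowed(cidr, allowed_ranges):
            out.append(f"Pod/{name}: outbound range {cidr} is not within an allowed exclusion")
    return out


# Constructed inputs: the parameters of the restrict-network-exclusions example on this page.
PARAMS = {"allowedInboundPortExclusions": ["80"],
          "allowedOutboundIPRangeExclusions": ["169.254.169.254/32"],
          "allowedOutboundPortExclusions": ["8888"]}


def _pod(name: str, **annotations: str) -> dict:
    """Build a Pod whose annotation keys are the traffic.sidecar.istio.io/ short names."""
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": name, "annotations": {PREFIX + k: v for k, v in annotations.items()}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}


if __name__ == "__main__":
    print(network_exclusion_violations(
        _pod("mixed", excludeOutboundIPRanges="169.254.169.254/32,1.1.2.0/24"), PARAMS))
```

The subset rule is what makes the allow-list usable: allowing 169.254.169.254/32 permits exactly the metadata endpoint, while allowing a broader range such as 10.0.0.0/8 permits any narrower exclusion inside it, but never the reverse.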

Examples

restrict-network-exclusions
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RestrictNetworkExclusions
metadata:
  name: restrict-network-exclusions
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
  parameters:
    allowedInboundPortExclusions:
    - "80"
    allowedOutboundIPRangeExclusions:
    - 169.254.169.254/32
    allowedOutboundPortExclusions:
    - "8888"

Allowed
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx
  name: nothing-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeInboundPorts: "80"
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/excludeOutboundPorts: "8888"
  labels:
    app: nginx
  name: allowed-port-and-ip-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
  labels:
    app: nginx
  name: all-ip-ranges-included-with-one-allowed-ip-excluded
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: '*'
    traffic.sidecar.istio.io/includeOutboundIPRanges: '*'
    traffic.sidecar.istio.io/includeOutboundPorts: '*'
  labels:
    app: nginx
  name: everything-included-with-no-exclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

Disallowed
apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 1.1.2.0/24
  labels:
    app: nginx
  name: disallowed-ip-range-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/excludeOutboundIPRanges: 169.254.169.254/32,1.1.2.0/24
  labels:
    app: nginx
  name: one-disallowed-ip-exclusion-and-one-allowed-exclusion
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80
    - containerPort: 443

apiVersion: v1
kind: Pod
metadata:
  annotations:
    traffic.sidecar.istio.io/includeInboundPorts: 80,443
    traffic.sidecar.istio.io/includeOutboundIPRanges: 169.254.169.254/32
    traffic.sidecar.istio.io/includeOutboundPorts: "8888"
  labels:
    app: nginx
  name: disallowed-specific-port-and-ip-inclusions
spec:
  containers:
  - image: nginx
    name: nginx
    ports:
    - containerPort: 80

SourceNotAllAuthz

Require Istio AuthorizationPolicy Source not all v1.0.1

Requires Istio AuthorizationPolicy rules to set source principals to something other than "*". https://istio.io/latest/docs/reference/config/security/authorization-policy/

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]

Examples

sourcenotall-authz-constraint
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SourceNotAllAuthz
metadata:
  name: sourcenotall-authz-constraint
spec:
  enforcementAction: dryrun
  match:
    kinds:
    - apiGroups:
      - security.istio.io
      kinds:
      - AuthorizationPolicy

Allowed
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-good
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

Disallowed
A rule whose sources carry no principals at all, as in source-principals-dne, is rejected just like one that names "*", so every rule needs at least one concrete principal.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-dne
  namespace: foo
spec:
  rules:
  - from:
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-all
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: source-principals-someall
  namespace: foo
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/sleep
        - '*'
    - source:
        namespaces:
        - test
    to:
    - operation:
        methods:
        - GET
        paths:
        - /info*
    - operation:
        methods:
        - POST
        paths:
        - /data
    when:
    - key: request.auth.claims[iss]
      values:
      - https://accounts.google.com
  selector:
    matchLabels:
      app: httpbin
      version: v1

VerifyDeprecatedAPI

Verify deprecated APIs v1.0.0

Verifies deprecated Kubernetes APIs to ensure that all API versions are current. This template is not useful in audit mode: audit examines resources that already exist in the cluster, and the API server serves those at a current, non-deprecated API version, so the deprecated apiVersion a client submitted is only visible at admission time.

Constraint schema

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: example
spec:
  # match <object>: lets you configure which resources are in scope for this
  # constraint. For more information, see the Policy Controller Constraint
  # match documentation:
  # https://cloud.google.com/anthos-config-management/docs/reference/match
  match:
    [match schema]
  parameters:
    # k8sVersion <number>: kubernetes version
    k8sVersion: <number>
    # kvs <array>: Deprecated api versions and corresponding kinds
    kvs:
      - # deprecatedAPI <string>: deprecated api
        deprecatedAPI: <string>
        # kinds <array>: impacted list of kinds
        kinds:
          - <string>
        # targetAPI <string>: target api
        targetAPI: <string>
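Because the constraint only fires at admission, the natural complement is to run the same `kvs` table over manifests before they reach the API server. The Python below is an added example, not the template's Rego and not part of this page: it flattens a constraint's `kvs` parameter into a lookup and scans a multi-document manifest for matching apiVersion/kind pairs. The tiny manifest reader and the function names are this example's own; the sample manifest is constructed.

```python
"""Pre-apply scan for deprecated API versions, using a VerifyDeprecatedAPI
constraint's `kvs` parameter as its rule table (added example, not the
template's Rego and not part of this page).

The constraint only fires at admission, when the apiVersion a client submitted
is still visible; this script applies the same table to manifests in a
repository before they reach the API server. Function names are this example's own.
"""
import re

_DOC_SPLIT = re.compile(r"^---\s*$", re.MULTILINE)
_TOP_KEY = re.compile(r"^(apiVersion|kind):\s*(\S+)\s*$", re.MULTILINE)
_NAME = re.compile(r"^metadata:\s*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", re.MULTILINE)


def build_deprecation_index(kvs: list[dict]) -> dict[tuple[str, str], str]:
    """(deprecatedAPI, kind) -> targetAPI, flattened from the constraint parameter."""
    index = {}
    for entry in kvs:
        for kind in entry.get("kinds", []):
            index[(entry["deprecatedAPI"], kind)] = entry["targetAPI"]
    return index


def parse_manifests(text: str) -> list[dict]:
    """Minimal multi-document reader: top-level apiVersion, kind and metadata.name only.
    Enough for this check; use a real YAML parser for anything more."""
    docs = []
    for chunk in _DOC_SPLIT.split(text):
        fields = dict(_TOP_KEY.findall(chunk))
        if "apiVersion" not in fields or "kind" not in fields:
            continue
        m = _NAME.search(chunk)
        docs.append({"apiVersion": fields["apiVersion"], "kind": fields["kind"],
                     "name": m.group(1) if m else "<unnamed>"})
    return docs


def deprecated_api_violations(manifest_text: str, kvs: list[dict], k8s_version: float) -> list[str]:
    """One message per document whose apiVersion/kind appears in the kvs table."""
    index = build_deprecation_index(kvs)
    out = []
    for doc in parse_manifests(manifest_text):
        target = index.get((doc["apiVersion"], doc["kind"]))
        if target is not None:
            advice = "no replacement" if target == "None" else f"use {target}"
            out.append(f"{doc['kind']}/{doc['name']}: {doc['apiVersion']} is deprecated "
                       f"for Kubernetes {k8s_version}; {advice}")
    return out


# Constructed rule tables, subsets of the verify-1.16 and verify-1.25 examples on this page.
KVS_1_16 = [
    {"deprecatedAPI": "apps/v1beta1", "kinds": ["Deployment", "ReplicaSet", "StatefulSet"],
     "targetAPI": "apps/v1"},
    {"deprecatedAPI": "extensions/v1beta1", "kinds": ["PodSecurityPolicy"],
     "targetAPI": "policy/v1beta1"},
]
KVS_1_25 = [
    {"deprecatedAPI": "policy/v1beta1", "kinds": ["PodSecurityPolicy"], "targetAPI": "None"},
]

# Constructed manifest: one old Deployment, one current one, one PodSecurityPolicy.
MANIFESTS = """\
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
"""

if __name__ == "__main__":
    for msg in deprecated_api_violations(MANIFESTS, KVS_1_16, 1.16) + \
               deprecated_api_violations(MANIFESTS, KVS_1_25, 1.25):
        print(msg)
```

Run it against each target version's table separately, as the page's constraints are organised: the same PodSecurityPolicy is fine under the 1.16 table and has no replacement at all under the 1.25 one.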

Examples

verify-1.16
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.16
spec:
  match:
    kinds:
    - apiGroups:
      - apps
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      - DaemonSet
    - apiGroups:
      - extensions
      kinds:
      - PodSecurityPolicy
      - ReplicaSet
      - Deployment
      - DaemonSet
      - NetworkPolicy
  parameters:
    k8sVersion: 1.16
    kvs:
    - deprecatedAPI: apps/v1beta1
      kinds:
      - Deployment
      - ReplicaSet
      - StatefulSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - ReplicaSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: policy/v1beta1
    - deprecatedAPI: apps/v1beta2
      kinds:
      - ReplicaSet
      - StatefulSet
      - Deployment
      - DaemonSet
      targetAPI: apps/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - NetworkPolicy
      targetAPI: networking.k8s.io/v1

Allowed
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: allowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Disallowed
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: disallowed-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80
verify-1.22
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.22
spec:
  match:
    kinds:
    - apiGroups:
      - admissionregistration.k8s.io
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
    - apiGroups:
      - apiextensions.k8s.io
      kinds:
      - CustomResourceDefinition
    - apiGroups:
      - apiregistration.k8s.io
      kinds:
      - APIService
    - apiGroups:
      - authentication.k8s.io
      kinds:
      - TokenReview
    - apiGroups:
      - authorization.k8s.io
      kinds:
      - SubjectAccessReview
    - apiGroups:
      - certificates.k8s.io
      kinds:
      - CertificateSigningRequest
    - apiGroups:
      - coordination.k8s.io
      kinds:
      - Lease
    - apiGroups:
      - extensions
      - networking.k8s.io
      kinds:
      - Ingress
    - apiGroups:
      - networking.k8s.io
      kinds:
      - IngressClass
    - apiGroups:
      - rbac.authorization.k8s.io
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
    - apiGroups:
      - scheduling.k8s.io
      kinds:
      - PriorityClass
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
  parameters:
    k8sVersion: 1.22
    kvs:
    - deprecatedAPI: admissionregistration.k8s.io/v1beta1
      kinds:
      - MutatingWebhookConfiguration
      - ValidatingWebhookConfiguration
      targetAPI: admissionregistration.k8s.io/v1
    - deprecatedAPI: apiextensions.k8s.io/v1beta1
      kinds:
      - CustomResourceDefinition
      targetAPI: apiextensions.k8s.io/v1
    - deprecatedAPI: apiregistration.k8s.io/v1beta1
      kinds:
      - APIService
      targetAPI: apiregistration.k8s.io/v1
    - deprecatedAPI: authentication.k8s.io/v1beta1
      kinds:
      - TokenReview
      targetAPI: authentication.k8s.io/v1
    - deprecatedAPI: authorization.k8s.io/v1beta1
      kinds:
      - SubjectAccessReview
      targetAPI: authorization.k8s.io/v1
    - deprecatedAPI: certificates.k8s.io/v1beta1
      kinds:
      - CertificateSigningRequest
      targetAPI: certificates.k8s.io/v1
    - deprecatedAPI: coordination.k8s.io/v1beta1
      kinds:
      - Lease
      targetAPI: coordination.k8s.io/v1
    - deprecatedAPI: extensions/v1beta1
      kinds:
      - Ingress
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: networking.k8s.io/v1beta1
      kinds:
      - Ingress
      - IngressClass
      targetAPI: networking.k8s.io/v1
    - deprecatedAPI: rbac.authorization.k8s.io/v1beta1
      kinds:
      - ClusterRole
      - ClusterRoleBinding
      - Role
      - RoleBinding
      targetAPI: rbac.authorization.k8s.io/v1
    - deprecatedAPI: scheduling.k8s.io/v1beta1
      kinds:
      - PriorityClass
      targetAPI: scheduling.k8s.io/v1
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIDriver
      - CSINode
      - StorageClass
      - VolumeAttachment
      targetAPI: storage.k8s.io/v1

Allowed
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: allowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix

Disallowed
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: disallowed-ingress
spec:
  ingressClassName: nginx-example
  rules:
  - http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 80
        path: /testpath
        pathType: Prefix
verify-1.25
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.25
spec:
  match:
    kinds:
    - apiGroups:
      - batch
      kinds:
      - CronJob
    - apiGroups:
      - discovery.k8s.io
      kinds:
      - EndpointSlice
    - apiGroups:
      - events.k8s.io
      kinds:
      - Event
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
    - apiGroups:
      - policy
      kinds:
      - PodDisruptionBudget
      - PodSecurityPolicy
    - apiGroups:
      - node.k8s.io
      kinds:
      - RuntimeClass
  parameters:
    k8sVersion: 1.25
    kvs:
    - deprecatedAPI: batch/v1beta1
      kinds:
      - CronJob
      targetAPI: batch/v1
    - deprecatedAPI: discovery.k8s.io/v1beta1
      kinds:
      - EndpointSlice
      targetAPI: discovery.k8s.io/v1
    - deprecatedAPI: events.k8s.io/v1beta1
      kinds:
      - Event
      targetAPI: events.k8s.io/v1
    - deprecatedAPI: autoscaling/v2beta1
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodDisruptionBudget
      targetAPI: policy/v1
    - deprecatedAPI: policy/v1beta1
      kinds:
      - PodSecurityPolicy
      targetAPI: None
    - deprecatedAPI: node.k8s.io/v1beta1
      kinds:
      - RuntimeClass
      targetAPI: node.k8s.io/v1

Allowed
apiVersion: batch/v1
kind: CronJob
metadata:
  name: allowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'

Disallowed
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: disallowed-cronjob
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - command:
            - /bin/sh
            - -c
            - date; echo Hello from the Kubernetes cluster
            image: busybox:1.28
            imagePullPolicy: IfNotPresent
            name: hello
          restartPolicy: OnFailure
  schedule: '* * * * *'
verify-1.26
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.26
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
    - apiGroups:
      - autoscaling
      kinds:
      - HorizontalPodAutoscaler
  parameters:
    k8sVersion: 1.26
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta1
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3
    - deprecatedAPI: autoscaling/v2beta2
      kinds:
      - HorizontalPodAutoscaler
      targetAPI: autoscaling/v2

Allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

Disallowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta1
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group
verify-1.27
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.27
spec:
  match:
    kinds:
    - apiGroups:
      - storage.k8s.io
      kinds:
      - CSIStorageCapacity
  parameters:
    k8sVersion: 1.27
    kvs:
    - deprecatedAPI: storage.k8s.io/v1beta1
      kinds:
      - CSIStorageCapacity
      targetAPI: storage.k8s.io/v1

Allowed
apiVersion: storage.k8s.io/v1
kind: CSIStorageCapacity
metadata:
  name: allowed-csistoragecapacity
storageClassName: standard

Disallowed
apiVersion: storage.k8s.io/v1beta1
kind: CSIStorageCapacity
metadata:
  name: disallowed-csistoragecapacity
  namespace: default
storageClassName: standard
verify-1.29
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: VerifyDeprecatedAPI
metadata:
  name: verify-1.29
spec:
  match:
    kinds:
    - apiGroups:
      - flowcontrol.apiserver.k8s.io
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
  parameters:
    k8sVersion: 1.29
    kvs:
    - deprecatedAPI: flowcontrol.apiserver.k8s.io/v1beta2
      kinds:
      - FlowSchema
      - PriorityLevelConfiguration
      targetAPI: flowcontrol.apiserver.k8s.io/v1beta3

Allowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta3
kind: FlowSchema
metadata:
  name: allowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

Disallowed
apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
kind: FlowSchema
metadata:
  name: disallowed-flowcontrol
  namespace: default
spec:
  matchingPrecedence: 1000
  priorityLevelConfiguration:
    name: exempt
  rules:
  - nonResourceRules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - '*'
    subjects:
    - group:
        name: system:unauthenticated
      kind: Group

What's next