OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

  • spec (object)

    Required value

    • spec.enforcementAction (string)

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match (object)

      Required value

      • spec.match.labelSelector (object)

        Specifies the label selector to filter Pods with.

        You can get more info in the documentation.

        • spec.match.labelSelector.matchExpressions (array of objects)

          List of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key (string)

            Required value

          • spec.match.labelSelector.matchExpressions.operator (string)

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values (array of strings)

        • spec.match.labelSelector.matchLabels (object)

          List of labels which Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector (object)

        Required value

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames (array of strings)

          Includes all namespaces except the specified set. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector (object)

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)

            List of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)

          • spec.match.namespaceSelector.labelSelector.matchLabels (object)

            List of labels which a namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames (array of strings)

          Includes only the specified set of namespaces. Supports glob patterns.

    • spec.policies (object)

      Required value

      • spec.policies.allowedRepos (array of strings)

        The list of prefixes a container image is allowed to have.

        • Element of the array (string)

          Example:

          registry.deckhouse.io
          
      • spec.policies.checkContainerDuplicates (boolean)

        Checks container names and environment variables for duplicates.

      • spec.policies.checkHostNetworkDNSPolicy (boolean)

        Checks that dnsPolicy ClusterFirstWithHostNet is set for Pods with hostNetwork: true.

      • spec.policies.disallowedImageTags (array of strings)

        Requires container images to have an image tag different from the ones in the specified list.

        Example:

        disallowedImageTags: latest
        
      • spec.policies.imagePullPolicy (string)

        Required image pull policy for containers.

        Allowed values: Always, IfNotPresent

      • spec.policies.maxRevisionHistoryLimit (integer)

        The maximum allowed value of the revision history limit.

      • spec.policies.priorityClassNames (array of strings)

        List of allowed priority class names.

      • spec.policies.replicaLimits (object)

        A range of allowed replicas. Values are inclusive.

        • spec.policies.replicaLimits.maxReplicas (integer)

          The maximum number of replicas allowed, inclusive.

        • spec.policies.replicaLimits.minReplicas (integer)

          The minimum number of replicas allowed, inclusive.

      • spec.policies.requiredAnnotations (object)

        A list of annotations and values the object must specify.

        • spec.policies.requiredAnnotations.annotations (array of objects)

          • spec.policies.requiredAnnotations.annotations.allowedRegex (string)

            If specified, a regular expression that the annotation’s value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredAnnotations.annotations.key (string)

            The required annotation.

        • spec.policies.requiredAnnotations.watchKinds (array of strings)

          The list of Kubernetes object kinds, in the $apiGroup/$kind format, whose annotations are checked.

          • Element of the array (string)

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment
            
            "/Pod"
            
            networking.k8s.io/Ingress
            
      • spec.policies.requiredLabels (object)

        A list of labels and values the object must specify.

        • spec.policies.requiredLabels.labels (array of objects)

          • spec.policies.requiredLabels.labels.allowedRegex (string)

            If specified, a regular expression that the label’s value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredLabels.labels.key (string)

            The required label.

        • spec.policies.requiredLabels.watchKinds (array of strings)

          The list of Kubernetes object kinds, in the $apiGroup/$kind format, whose labels are checked.

          • Element of the array (string)

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment
            
            "/Pod"
            
            networking.k8s.io/Ingress
            
      • spec.policies.requiredProbes (array of strings)

        The list of probes that are required (e.g. readinessProbe).

        Examples:

        requiredProbes: livenessProbe
        
        requiredProbes: readinessProbe
        
        • Element of the array (string)

          Allowed values: livenessProbe, readinessProbe, startupProbe

      • spec.policies.requiredResources (object)

        Requires containers to have the specified resources set.

        • spec.policies.requiredResources.limits (array of strings)

          A list of limits that should be enforced (CPU, memory, or both).

          Default: ["memory"]

          • Element of the array (string)

            Allowed values: cpu, memory

        • spec.policies.requiredResources.requests (array of strings)

          A list of requests that should be enforced (CPU, memory, or both).

          Default: ["cpu","memory"]

          • Element of the array (string)

            Allowed values: cpu, memory
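To show how the OperationPolicy fields above combine on a real object, here is an added example that is not Deckhouse code and not the module's own evaluation logic: a local Python linter that applies a constructed policy to a constructed Deployment, following the semantics the reference states (glob patterns in the namespace selector, allowedRepos as image prefixes, inclusive replicaLimits, the requiredResources defaults, allowedRegex as a regular-expression search, and Deny as the only enforcementAction that blocks). The function names, the sample policy and both sample Deployments are this example's assumptions; the registry path under registry.deckhouse.io is constructed.

```python
import fnmatch
import re

# Constructed sample policy; field names and defaults follow the reference above.
OPERATION_POLICY = {
    "enforcementAction": "Deny",
    "match": {"namespaceSelector": {"matchNames": ["prod-*"], "excludeNames": ["prod-sandbox"]}},
    "policies": {
        "allowedRepos": ["registry.deckhouse.io"],
        "disallowedImageTags": ["latest"],
        "imagePullPolicy": "Always",
        "requiredProbes": ["livenessProbe", "readinessProbe"],
        "requiredResources": {"limits": ["memory"], "requests": ["cpu", "memory"]},
        "replicaLimits": {"minReplicas": 2, "maxReplicas": 10},
        "requiredLabels": {"watchKinds": ["apps/Deployment"],
                           "labels": [{"key": "team", "allowedRegex": "^[a-z]+$"}]},
    },
}

def namespace_matches(selector, namespace):
    """matchNames includes only the listed namespaces and excludeNames removes some of them;
    both take glob patterns per the reference (fnmatch is this example's choice of matcher)."""
    if any(fnmatch.fnmatchcase(namespace, g) for g in selector.get("excludeNames", [])):
        return False
    names = selector.get("matchNames", [])
    return not names or any(fnmatch.fnmatchcase(namespace, g) for g in names)

def image_tag(image):
    """Tag of an image reference, or '' when it is untagged or pinned by digest."""
    last = image.rsplit("/", 1)[-1]
    return "" if "@" in last or ":" not in last else last.split(":", 1)[1]

def kind_ref(obj):
    """$apiGroup/$kind as used by watchKinds; core objects have an empty group ('/Pod')."""
    group = obj["apiVersion"].split("/", 1)[0] if "/" in obj["apiVersion"] else ""
    return f"{group}/{obj['kind']}"

def check_container(p, c):
    # Container-level rules; the requiredResources defaults are the ones the reference gives.
    name, image, v = c["name"], c.get("image", ""), []
    if p.get("allowedRepos") and not any(image.startswith(r) for r in p["allowedRepos"]):
        v.append(f"{name}: image {image} is not under an allowed repo prefix")
    if image_tag(image) in p.get("disallowedImageTags", []):
        v.append(f"{name}: image tag {image_tag(image)!r} is disallowed")
    if p.get("imagePullPolicy") and c.get("imagePullPolicy") != p["imagePullPolicy"]:
        v.append(f"{name}: imagePullPolicy must be {p['imagePullPolicy']}")
    v += [f"{name}: missing {probe}" for probe in p.get("requiredProbes", []) if probe not in c]
    req, res = p.get("requiredResources", {}), c.get("resources", {})
    for section, default in (("limits", ["memory"]), ("requests", ["cpu", "memory"])):
        for r in req.get(section, default):
            if r not in res.get(section, {}):
                v.append(f"{name}: resources.{section}.{r} is required")
    return v

def evaluate(policy, obj):
    """Return the enforcement action, the violations found and the admission decision.
    Only Deny blocks the object; Warn and Dryrun admit it and merely report."""
    action = policy.get("enforcementAction", "Deny")  # default per the reference
    ns = obj["metadata"].get("namespace", "default")
    if not namespace_matches(policy["match"]["namespaceSelector"], ns):
        return {"action": action, "violations": [], "admitted": True}
    p, v = policy["policies"], []
    lim, replicas = p.get("replicaLimits"), obj["spec"].get("replicas", 1)
    if lim and not lim["minReplicas"] <= replicas <= lim["maxReplicas"]:
        v.append(f"replicas={replicas} outside inclusive range {lim['minReplicas']}..{lim['maxReplicas']}")
    rl = p.get("requiredLabels", {})
    if kind_ref(obj) in rl.get("watchKinds", []):
        labels = obj["metadata"].get("labels", {})
        for item in rl.get("labels", []):
            val = labels.get(item["key"])
            if val is None:
                v.append(f"label {item['key']} is required")
            elif "allowedRegex" in item and not re.search(item["allowedRegex"], val):
                v.append(f"label {item['key']}={val!r} does not match {item['allowedRegex']}")
    for c in obj["spec"]["template"]["spec"].get("containers", []):
        v += check_container(p, c)
    return {"action": action, "violations": v, "admitted": not (v and action == "Deny")}

# Constructed Deployment that trips each rule in OPERATION_POLICY (8 violations) ...
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod-web", "labels": {"team": "Platform"}},
    "spec": {"replicas": 1, "template": {"spec": {"containers": [{
        "name": "web", "image": "docker.io/library/nginx:latest", "imagePullPolicy": "IfNotPresent",
        "livenessProbe": {"httpGet": {"path": "/", "port": 80}},
        "resources": {"requests": {"cpu": "100m"}}}]}}},
}
# ... and the same workload brought into compliance (the registry path is constructed).
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod-web", "labels": {"team": "platform"}},
    "spec": {"replicas": 3, "template": {"spec": {"containers": [{
        "name": "web", "image": "registry.deckhouse.io/team/web:1.4.2", "imagePullPolicy": "Always",
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}, "limits": {"memory": "256Mi"}}}]}}},
}
```

Calling `evaluate(OPERATION_POLICY, BAD_DEPLOYMENT)` lists all eight violations and reports the object as denied; with `enforcementAction` switched to `Warn` or `Dryrun` the same violations are listed but the object is admitted, which is the behaviour to expect when rolling a policy out in audit mode first.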

SecurityPolicy

Scope: Cluster
Version: v1alpha1

Describes a security policy for a cluster.

Each SecurityPolicy custom resource describes rules for the objects in the cluster.

  • spec (object)

    Required value

    • spec.enforcementAction (string)

      An enforcement action as a result of the constraint:

      • Deny — Deny action.
      • Dryrun — No action. Used for debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — No action; similar to Dryrun. Provides information about the constraint that would result in a denial if the Deny action is used.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match (object)

      Required value

      Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.

      • spec.match.labelSelector (object)

        Specifies the label selector to filter Pods with.

        You can get more info in the documentation.

        • spec.match.labelSelector.matchExpressions (array of objects)

          The list of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key (string)

            Required value

          • spec.match.labelSelector.matchExpressions.operator (string)

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values (array of strings)

        • spec.match.labelSelector.matchLabels (object)

          The list of the labels that the Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector (object)

        Required value

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames (array of strings)

          Includes all namespaces except the specified set. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector (object)

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)

            The list of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)

          • spec.match.namespaceSelector.labelSelector.matchLabels (object)

            The list of the labels that the namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames (array of strings)

          Includes only the specified set of namespaces. Supports glob patterns.

    • spec.policies (object)

      Required value

      Policies that pods and containers must comply with.

      • spec.policies.allowHostIPC (boolean)

        Allows sharing the host’s IPC namespace with containers.

      • spec.policies.allowHostNetwork (boolean)

        Allows containers to use the host’s network.

      • spec.policies.allowHostPID (boolean)

        Allows sharing the host’s PID namespace with containers.

      • spec.policies.allowPrivilegeEscalation (boolean)

        Allows container processes to gain more privileges than their parent process.

      • spec.policies.allowPrivileged (boolean)

        Allows running containers in privileged mode.

      • spec.policies.allowedAppArmor (array of strings)

        The list of AppArmor profiles the containers are permitted to use.

        Examples:

        allowedAppArmor: runtime/default
        
        allowedAppArmor: unconfined
        
        • Element of the array (string)

          An AppArmor profile.

      • spec.policies.allowedCapabilities (array of strings)

        The list of capabilities that the containers are permitted to use.

        To allow all capabilities, use ALL.

        Examples:

        allowedCapabilities: SETGID
        
        allowedCapabilities: SETUID
        
        allowedCapabilities: NET_BIND_SERVICE
        
        • Element of the array (string)

          A Linux capability.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.allowedClusterRoles (array of strings)

        A list of allowed cluster roles to bind to users.

      • spec.policies.allowedFlexVolumes (array of objects)

        The list of Flex Volume drivers the containers are permitted to use.

        • spec.policies.allowedFlexVolumes.driver (string)

          A driver name.

      • spec.policies.allowedHostPaths (array of objects)

        The list of allowed hostPath prefixes. An empty list means any path can be used.

        Example:

        allowedHostPaths:
        - pathPrefix: "/dev"
          readOnly: true
        
        • spec.policies.allowedHostPaths.pathPrefix (string)

          Required value

          The path prefix to match against the host volume.

          It does not support the * mask. Trailing slashes are trimmed when validating the path prefix with a host path.

          For example, the /foo prefix allows /foo, /foo/ and /foo/bar path, but doesn’t allow /food or /etc/foo path.

        • spec.policies.allowedHostPaths.readOnly (boolean)

          When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.

          Default: false

      • spec.policies.allowedHostPorts (array of objects)

        The list of hostPort ranges allowed by the rule.

        • spec.policies.allowedHostPorts.max (integer)

          Max value for the hostPort.

        • spec.policies.allowedHostPorts.min (integer)

          Min value for the hostPort.

      • spec.policies.allowedProcMount (string)

        The /proc mount type allowed for containers.

        Allowed values: Default, Unmasked

        Example:

        allowedProcMount: Unmasked
        
      • spec.policies.allowedUnsafeSysctls (array of strings)

        The list of explicitly allowed unsafe sysctls.

        To allow all unsafe sysctls, use *.

        Examples:

        allowedUnsafeSysctls: kernel.msg*
        
        allowedUnsafeSysctls: net.core.somaxconn
        
      • spec.policies.allowedVolumes (array of strings)

        The set of the permitted volume plugins.

        Examples:

        allowedVolumes: hostPath
        
        allowedVolumes: persistentVolumeClaim
        
        • Element of the array (string)

          Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume

      • spec.policies.automountServiceAccountToken (boolean)

        Allows pods to run with automountServiceAccountToken enabled.

      • spec.policies.forbiddenSysctls (array of strings)

        The list of forbidden sysctls.

        Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).

        Examples:

        forbiddenSysctls: kernel.msg*
        
        forbiddenSysctls: net.core.somaxconn
        
      • spec.policies.fsGroup (object)

        Specifies which fsGroup values the security context is permitted to use.

        • spec.policies.fsGroup.ranges (array of objects)

          The list of fsGroup ID ranges that are allowed in MustRunAs mode.

          • spec.policies.fsGroup.ranges.max (integer)

            Max ID value.

          • spec.policies.fsGroup.ranges.min (integer)

            Min ID value.

        • spec.policies.fsGroup.rule (string)

          Required value

          Specifies the strategy of the fsGroup selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.readOnlyRootFilesystem (boolean)

        If set to true, only the pods with the read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.

      • spec.policies.requiredDropCapabilities (array of strings)

        The list of capabilities that have to be dropped from the containers.

        To drop all capabilities, use ALL.

        Examples:

        requiredDropCapabilities: SETGID
        
        requiredDropCapabilities: SETUID
        
        requiredDropCapabilities: NET_BIND_SERVICE
        
        • Element of the array (string)

          A Linux capability to drop from the containers’ specs.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.runAsGroup (object)

        Specifies which runAsGroup values the security context is permitted to use.

        • spec.policies.runAsGroup.ranges (array of objects)

          The list of group ID ranges that are allowed in MustRunAs mode.

          • spec.policies.runAsGroup.ranges.max (integer)

            Max ID value.

          • spec.policies.runAsGroup.ranges.min (integer)

            Min ID value.

        • spec.policies.runAsGroup.rule (string)

          Required value

          Specifies the strategy of the group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.runAsUser (object)

        Specifies which runAsUser values the security context is permitted to use.

        • spec.policies.runAsUser.ranges (array of objects)

          The list of user ID ranges that are allowed in MustRunAs mode.

          • spec.policies.runAsUser.ranges.max (integer)

            Max ID value.

          • spec.policies.runAsUser.ranges.min (integer)

            Min ID value.

        • spec.policies.runAsUser.rule (string)

          Required value

          Specifies the strategy of the user ID selection.

          Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny

      • spec.policies.seLinux (array of objects)

        Specifies which SELinux labels the security context is permitted to use.

        • spec.policies.seLinux.level (string)

          A SELinux level label that applies to the container.

        • spec.policies.seLinux.role (string)

          A SELinux role label that applies to the container.

        • spec.policies.seLinux.type (string)

          A SELinux type label that applies to the container.

        • spec.policies.seLinux.user (string)

          A SELinux user label that applies to the container.

      • spec.policies.seccompProfiles (object)

        Specifies the list of allowed profiles that can be set for the Pod or container’s seccomp annotations.

        • spec.policies.seccompProfiles.allowedLocalhostFiles (array of strings)

          Defines the local seccomp profiles (in JSON format) that can be used if Localhost is set in the allowedProfiles parameter.

          An empty list prohibits the use of any local profiles.

        • spec.policies.seccompProfiles.allowedProfiles (array of strings)

          The list of allowed profile values for seccomp on Pods/containers.

      • spec.policies.supplementalGroups (object)

        Specifies which supplemental groups the security context is permitted to use.

        • spec.policies.supplementalGroups.ranges (array of objects)

          The list of supplemental group ID ranges that are allowed in MustRunAs mode.

          • spec.policies.supplementalGroups.ranges.max (integer)

            Max ID value.

          • spec.policies.supplementalGroups.ranges.min (integer)

            Min ID value.

        • spec.policies.supplementalGroups.rule (string)

          Required value

          Specifies the strategy of the supplemental group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny
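The SecurityPolicy fields above carry several rules whose exact semantics matter when a pod is evaluated: the allowedHostPaths prefix rule (trailing slashes trimmed, /foo allows /foo/bar but not /food), ALL in allowedCapabilities and requiredDropCapabilities, forbiddenSysctls taking precedence over allowedUnsafeSysctls, and the runAsUser strategies. The following is an added example, not Deckhouse code and not the module's own evaluation logic: a local Python linter that applies a constructed policy to a constructed Pod using those rules as the reference states them. The function names, the sample policy and the sample Pod are this example's assumptions; boolean allow* fields left unset are treated as false, an unset allowPrivilegeEscalation is treated as true (the Kubernetes default), every Pod sysctl is treated as unsafe, and MustRunAsNonRoot is read as requiring an explicit non-zero UID, all of which are this example's simplifications.

```python
import fnmatch

# Constructed sample policy; field names follow the reference above. Boolean allow* fields
# that are left unset are treated as false by this example (the reference states no default).
SECURITY_POLICY = {
    "enforcementAction": "Deny",
    "policies": {
        "allowedCapabilities": ["NET_BIND_SERVICE"],
        "requiredDropCapabilities": ["ALL"],
        "allowedHostPaths": [{"pathPrefix": "/var/log", "readOnly": True}],
        "allowedHostPorts": [{"min": 8000, "max": 8999}],
        "allowedUnsafeSysctls": ["net.core.*"],
        "forbiddenSysctls": ["net.core.somaxconn"],
        "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]},
    },
}

def host_path_allowed(allowed, path):
    """pathPrefix rule from the reference: trailing slashes are trimmed and the prefix must end
    on a path boundary, so /foo allows /foo, /foo/ and /foo/bar but not /food or /etc/foo.
    An empty list allows any path. Returns (allowed, matching entry or None)."""
    if not allowed:
        return True, None
    p = path.rstrip("/") or "/"
    for entry in allowed:
        base = entry["pathPrefix"].rstrip("/")
        if p == (base or "/") or p.startswith(base + "/"):
            return True, entry
    return False, None

def sysctl_allowed(p, name):
    """forbiddenSysctls takes precedence over allowedUnsafeSysctls; both take glob patterns
    and '*' allows everything. Every Pod sysctl is treated as unsafe here (a simplification)."""
    if any(fnmatch.fnmatchcase(name, g) for g in p.get("forbiddenSysctls", [])):
        return False
    return any(fnmatch.fnmatchcase(name, g) for g in p.get("allowedUnsafeSysctls", []))

def uid_allowed(rule, uid):
    """runAsUser strategies: MustRunAs needs a UID inside one of the ranges, MustRunAsNonRoot
    needs an explicit non-zero UID (this example's reading), RunAsAny accepts anything."""
    strategy = rule.get("rule", "RunAsAny")
    if strategy == "RunAsAny":
        return True
    if strategy == "MustRunAsNonRoot":
        return uid is not None and uid != 0
    return uid is not None and any(r["min"] <= uid <= r["max"] for r in rule.get("ranges", []))

def evaluate(policy, pod):
    """Return the enforcement action, the violations found and the admission decision;
    only Deny blocks the Pod, Warn and Dryrun admit it and merely report."""
    p, spec, v = policy["policies"], pod["spec"], []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) and not p.get("allow" + flag[0].upper() + flag[1:]):
            v.append(f"{flag} is not allowed")
    for s in spec.get("securityContext", {}).get("sysctls", []):
        if not sysctl_allowed(p, s["name"]):
            v.append(f"sysctl {s['name']} is not allowed")
    host_vols = {vol["name"]: vol["hostPath"]["path"] for vol in spec.get("volumes", []) if "hostPath" in vol}
    for c in spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged") and not p.get("allowPrivileged"):
            v.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True) and not p.get("allowPrivilegeEscalation"):
            v.append(f"{name}: allowPrivilegeEscalation must be false")  # unset means true
        caps, allowed = sc.get("capabilities", {}), p.get("allowedCapabilities", [])
        v += [f"{name}: capability {cap} is not allowed" for cap in caps.get("add", [])
              if "ALL" not in allowed and cap not in allowed]
        dropped = caps.get("drop", [])
        v += [f"{name}: capability {cap} must be dropped" for cap in p.get("requiredDropCapabilities", [])
              if "ALL" not in dropped and cap not in dropped]
        uid = sc.get("runAsUser", spec.get("securityContext", {}).get("runAsUser"))
        if not uid_allowed(p.get("runAsUser", {}), uid):
            v.append(f"{name}: runAsUser={uid} violates the {p.get('runAsUser', {}).get('rule')} rule")
        for port in c.get("ports", []):
            hp = port.get("hostPort")  # with no ranges configured, any hostPort is a violation here
            if hp is not None and not any(r["min"] <= hp <= r["max"] for r in p.get("allowedHostPorts", [])):
                v.append(f"{name}: hostPort {hp} is outside the allowed ranges")
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_vols:
                continue
            ok, entry = host_path_allowed(p.get("allowedHostPaths", []), host_vols[m["name"]])
            if not ok:
                v.append(f"{name}: hostPath {host_vols[m['name']]} is not under an allowed prefix")
            elif entry and entry.get("readOnly") and not m.get("readOnly"):
                v.append(f"{name}: hostPath {host_vols[m['name']]} must be mounted read-only")
    action = policy.get("enforcementAction", "Deny")
    return {"action": action, "violations": v, "admitted": not (v and action == "Deny")}

# Constructed Pod that trips each rule in SECURITY_POLICY (10 violations).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent"},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}]},
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/"}},
                    {"name": "etc", "hostPath": {"path": "/etc"}}],
        "containers": [{
            "name": "agent",
            "securityContext": {"privileged": True, "runAsUser": 0, "capabilities": {"add": ["SYS_ADMIN"]}},
            "ports": [{"containerPort": 80, "hostPort": 80}],
            "volumeMounts": [{"name": "logs", "mountPath": "/host/log"},
                             {"name": "etc", "mountPath": "/host/etc", "readOnly": True}],
        }],
    },
}
```

Note the two hostPath mounts: /var/log/ matches the /var/log prefix once its trailing slash is trimmed, but the entry is readOnly and the mount is writable, so it is still reported; /etc is rejected because it is not under any prefix at all, even though that mount is read-only.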