OperationPolicy
Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.
Each OperationPolicy custom resource describes rules for objects in a cluster.

- spec (object)
  Required value
  - spec.enforcementAction (string)
    The enforcement action to control what to do with the result of the constraint:
    - Deny — Deny action.
    - Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
    - Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.
    Default: "Deny"
    Allowed values: Warn, Deny, Dryrun
  - spec.match (object)
    Required value
    - spec.match.labelSelector (object)
      Specifies the label selector to filter Pods with.
      You can get more info in the documentation.
      - spec.match.labelSelector.matchExpressions (array of objects)
        List of label expressions for Pods.
        Example:
          matchExpressions:
            - key: tier
              operator: In
              values:
                - production
                - staging
        - spec.match.labelSelector.matchExpressions.key (string)
          Required value
        - spec.match.labelSelector.matchExpressions.operator (string)
          Required value
          Allowed values: In, NotIn, Exists, DoesNotExist
        - spec.match.labelSelector.matchExpressions.values (array of strings)
      - spec.match.labelSelector.matchLabels (object)
        List of labels which a Pod should have.
        Example:
          matchLabels:
            foo: bar
            baz: who
    - spec.match.namespaceSelector (object)
      Required value
      Specifies the Namespace selector to filter objects with.
      - spec.match.namespaceSelector.excludeNames (array of strings)
        Include all namespaces except a particular set. Supports glob patterns.
      - spec.match.namespaceSelector.labelSelector (object)
        Specifies the label selector to filter namespaces.
        You can get more info in the documentation.
        - spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)
          List of label expressions for namespaces.
          Example:
            matchExpressions:
              - key: tier
                operator: In
                values:
                  - production
                  - staging
          - spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)
            Required value
          - spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)
            Required value
            Allowed values: In, NotIn, Exists, DoesNotExist
          - spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)
        - spec.match.namespaceSelector.labelSelector.matchLabels (object)
          List of labels which a namespace should have.
          Example:
            matchLabels:
              foo: bar
              baz: who
      - spec.match.namespaceSelector.matchNames (array of strings)
        Include only a particular set of namespaces. Supports glob patterns.
  - spec.policies (object)
    Required value
    - spec.policies.allowedRepos (array of strings)
      The list of prefixes a container image is allowed to have.
      - Element of the array (string)
        Example: registry.deckhouse.io
    - spec.policies.checkContainerDuplicates (boolean)
      Check container names and env variables for duplicates.
    - spec.policies.checkHostNetworkDNSPolicy (boolean)
      Check that the ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.
    - spec.policies.disallowedImageTags (array of strings)
      Requires container images to have an image tag different from the ones in the specified list.
      Example:
        disallowedImageTags:
          - latest
    - spec.policies.imagePullPolicy (string)
      Required image pull policy for containers.
      Allowed values: Always, IfNotPresent
    - spec.policies.maxRevisionHistoryLimit (integer)
      A maximum value for a revision history.
    - spec.policies.priorityClassNames (array of strings)
      List of allowed priority class names.
    - spec.policies.replicaLimits (object)
      A range of allowed replicas. Values are inclusive.
      - spec.policies.replicaLimits.maxReplicas (integer)
        The maximum number of replicas allowed, inclusive.
      - spec.policies.replicaLimits.minReplicas (integer)
        The minimum number of replicas allowed, inclusive.
    - spec.policies.requiredAnnotations (object)
      A list of annotations and values the object must specify.
      - spec.policies.requiredAnnotations.annotations (array of objects)
        - spec.policies.requiredAnnotations.annotations.allowedRegex (string)
          If specified, a regular expression the annotation's value must match. The value must contain at least one match for the regular expression.
        - spec.policies.requiredAnnotations.annotations.key (string)
          The required annotation.
      - spec.policies.requiredAnnotations.watchKinds (array of strings)
        The list of Kubernetes objects in the format $apiGroup/$kind to watch the annotations on.
        - Element of the array (string)
          Pattern: ^[a-z]*/[a-zA-Z]+$
          Examples: apps/Deployment, "/Pod", networking.k8s.io/Ingress
    - spec.policies.requiredLabels (object)
      A list of labels and values the object must specify.
      - spec.policies.requiredLabels.labels (array of objects)
        - spec.policies.requiredLabels.labels.allowedRegex (string)
          If specified, a regular expression the label's value must match. The value must contain at least one match for the regular expression.
        - spec.policies.requiredLabels.labels.key (string)
          The required label.
      - spec.policies.requiredLabels.watchKinds (array of strings)
        The list of Kubernetes objects in the format $apiGroup/$kind to watch the labels on.
        - Element of the array (string)
          Pattern: ^[a-z]*/[a-zA-Z]+$
          Examples: apps/Deployment, "/Pod", networking.k8s.io/Ingress
    - spec.policies.requiredProbes (array of strings)
      The list of probes that are required (e.g. readinessProbe).
      Examples:
        requiredProbes:
          - livenessProbe
          - readinessProbe
      - Element of the array (string)
        Allowed values: livenessProbe, readinessProbe, startupProbe
    - spec.policies.requiredResources (object)
      Requires containers to have defined resources set.
      - spec.policies.requiredResources.limits (array of strings)
        A list of limits that should be enforced (CPU, memory, or both).
        Default: ["memory"]
        - Element of the array (string)
          Allowed values: cpu, memory
      - spec.policies.requiredResources.requests (array of strings)
        A list of requests that should be enforced (CPU, memory, or both).
        Default: ["cpu","memory"]
        - Element of the array (string)
          Allowed values: cpu, memory
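As an added example (not from the original page or the Deckhouse project), here is a complete OperationPolicy manifest that uses the fields documented above. The deckhouse.io API group is an assumption (the page states only the version v1alpha1); the resource name, namespace globs, priority class names, label keys and regular expressions are constructed values.

```yaml
# Added example, not from the original page. The deckhouse.io API group is an
# assumption (the page states only the version); names and values are constructed.
apiVersion: deckhouse.io/v1alpha1
kind: OperationPolicy
metadata:
  name: workload-hygiene
spec:
  # Start with Warn: violations are reported (Grafana / kubectl events) but not
  # blocked. Switch to Deny once the existing workloads have been cleaned up.
  enforcementAction: Warn
  match:
    namespaceSelector:
      matchNames:
        - "app-*"            # glob pattern: every namespace starting with app-
      excludeNames:
        - "app-sandbox"      # except this one
    labelSelector:
      matchExpressions:
        - key: tier
          operator: In
          values:
            - production
            - staging
  policies:
    # Images must come from the trusted registry and must not use a mutable tag.
    allowedRepos:
      - registry.deckhouse.io
    disallowedImageTags:
      - latest
    imagePullPolicy: Always
    checkContainerDuplicates: true
    checkHostNetworkDNSPolicy: true
    maxRevisionHistoryLimit: 3
    priorityClassNames:
      - app-critical
      - app-default
    replicaLimits:
      minReplicas: 2         # inclusive
      maxReplicas: 10        # inclusive
    requiredProbes:
      - livenessProbe
      - readinessProbe
    requiredResources:
      requests:
        - cpu
        - memory
      limits:
        - memory
    requiredLabels:
      watchKinds:
        - apps/Deployment
        - "/Pod"             # empty $apiGroup before the slash: the core API group
      labels:
        - key: app.kubernetes.io/name
        - key: owner
          allowedRegex: '^[a-z]+-team$'
    requiredAnnotations:
      watchKinds:
        - networking.k8s.io/Ingress
      annotations:
        - key: ingress.example.com/exposure
          allowedRegex: '^(internal|public)$'
```

Running the policy in Warn first and reading the reported violations before switching to Deny avoids blocking rollouts of workloads that predate the policy; the watchKinds entries limit the label and annotation checks to the listed kinds only.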
SecurityPolicy
Scope: Cluster
Version: v1alpha1

Describes a security policy for a cluster.
Each SecurityPolicy custom resource describes rules for the objects in the cluster.

- spec (object)
  Required value
  - spec.enforcementAction (string)
    An enforcement action as a result of the constraint:
    - Deny — Deny action.
    - Dryrun — No action. Used for debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
    - Warn — No action; similar to Dryrun. Provides information about the constraint that would result in a denial if the Deny action is used.
    Default: "Deny"
    Allowed values: Warn, Deny, Dryrun
  - spec.match (object)
    Required value
    Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.
    - spec.match.labelSelector (object)
      Specifies the label selector to filter Pods with.
      You can get more info in the documentation.
      - spec.match.labelSelector.matchExpressions (array of objects)
        The list of label expressions for Pods.
        Example:
          matchExpressions:
            - key: tier
              operator: In
              values:
                - production
                - staging
        - spec.match.labelSelector.matchExpressions.key (string)
          Required value
        - spec.match.labelSelector.matchExpressions.operator (string)
          Required value
          Allowed values: In, NotIn, Exists, DoesNotExist
        - spec.match.labelSelector.matchExpressions.values (array of strings)
      - spec.match.labelSelector.matchLabels (object)
        The list of the labels that the Pod should have.
        Example:
          matchLabels:
            foo: bar
            baz: who
    - spec.match.namespaceSelector (object)
      Required value
      Specifies the Namespace selector to filter objects with.
      - spec.match.namespaceSelector.excludeNames (array of strings)
        Includes all namespaces except a particular set. Supports glob patterns.
      - spec.match.namespaceSelector.labelSelector (object)
        Specifies the label selector to filter namespaces.
        You can get more info in the documentation.
        - spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)
          The list of label expressions for namespaces.
          Example:
            matchExpressions:
              - key: tier
                operator: In
                values:
                  - production
                  - staging
          - spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)
            Required value
          - spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)
            Required value
            Allowed values: In, NotIn, Exists, DoesNotExist
          - spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)
        - spec.match.namespaceSelector.labelSelector.matchLabels (object)
          The list of the labels that the namespace should have.
          Example:
            matchLabels:
              foo: bar
              baz: who
      - spec.match.namespaceSelector.matchNames (array of strings)
        Includes only a particular set of namespaces. Supports glob patterns.
  - spec.policies (object)
    Required value
    Policies that pods and containers must comply with.
    - spec.policies.allowHostIPC (boolean)
      Allows sharing the host's IPC namespace with containers.
    - spec.policies.allowHostNetwork (boolean)
      Allows containers to use the host's network.
    - spec.policies.allowHostPID (boolean)
      Allows sharing the host's PID namespace with containers.
    - spec.policies.allowPrivilegeEscalation (boolean)
      Allows container processes to gain more privileges than their parent process.
    - spec.policies.allowPrivileged (boolean)
      Allows running containers in privileged mode.
    - spec.policies.allowedAppArmor (array of strings)
      The list of AppArmor profiles the containers are permitted to use.
      Examples:
        allowedAppArmor:
          - runtime/default
          - unconfined
      - Element of the array (string)
        An AppArmor profile.
    - spec.policies.allowedCapabilities (array of strings)
      The list of capabilities that the containers are permitted to use.
      To allow all capabilities, use ALL.
      Examples:
        allowedCapabilities:
          - SETGID
          - SETUID
          - NET_BIND_SERVICE
      - Element of the array (string)
        A Linux capability.
        Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND
    - spec.policies.allowedClusterRoles (array of strings)
      A list of allowed cluster roles to bind to users.
    - spec.policies.allowedFlexVolumes (array of objects)
      The list of Flex Volume drivers the containers are permitted to use.
      - spec.policies.allowedFlexVolumes.driver (string)
        A driver name.
    - spec.policies.allowedHostPaths (array of objects)
      The list of allowed hostPath prefixes. An empty list means any path can be used.
      Example:
        allowedHostPaths:
          - pathPrefix: "/dev"
            readOnly: true
      - spec.policies.allowedHostPaths.pathPrefix (string)
        Required value
        The path prefix to match against the host volume.
        It does not support the * mask. Trailing slashes are trimmed when validating the path prefix against a host path. For example, the /foo prefix allows the /foo, /foo/ and /foo/bar paths, but doesn't allow the /food or /etc/foo path.
      - spec.policies.allowedHostPaths.readOnly (boolean)
        When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.
        Default: false
    - spec.policies.allowedHostPorts (array of objects)
      The list of hostPort ranges allowed by the rule.
      - spec.policies.allowedHostPorts.max (integer)
        Max value for the hostPort.
      - spec.policies.allowedHostPorts.min (integer)
        Min value for the hostPort.
    - spec.policies.allowedProcMount (string)
      The allowed /proc mount type for containers.
      Allowed values: Default, Unmasked
      Example:
        allowedProcMount: Unmasked
    - spec.policies.allowedUnsafeSysctls (array of strings)
      The list of explicitly allowed unsafe sysctls.
      To allow all unsafe sysctls, use *.
      Examples:
        allowedUnsafeSysctls:
          - kernel.msg*
          - net.core.somaxconn
    - spec.policies.allowedVolumes (array of strings)
      The set of the permitted volume plugins.
      Examples:
        allowedVolumes:
          - hostPath
          - persistentVolumeClaim
      - Element of the array (string)
        Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume
    - spec.policies.automountServiceAccountToken (boolean)
      Allows pods to run with automountServiceAccountToken enabled.
    - spec.policies.forbiddenSysctls (array of strings)
      The list of forbidden sysctls.
      Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).
      Examples:
        forbiddenSysctls:
          - kernel.msg*
          - net.core.somaxconn
    - spec.policies.fsGroup (object)
      Specifies which fsGroup values the security context is permitted to use.
      - spec.policies.fsGroup.ranges (array of objects)
        The list of fsGroup ID ranges that are allowed in MustRunAs mode.
        - spec.policies.fsGroup.ranges.max (integer)
          Max ID value.
        - spec.policies.fsGroup.ranges.min (integer)
          Min ID value.
      - spec.policies.fsGroup.rule (string)
        Required value
        Specifies the strategy of the fsGroup selection.
        Allowed values: MustRunAs, MayRunAs, RunAsAny
    - spec.policies.readOnlyRootFilesystem (boolean)
      If set to true, only the pods with a read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.
    - spec.policies.requiredDropCapabilities (array of strings)
      The list of capabilities that have to be dropped from the containers.
      To drop all capabilities, use ALL.
      Examples:
        requiredDropCapabilities:
          - SETGID
          - SETUID
          - NET_BIND_SERVICE
      - Element of the array (string)
        A Linux capability to drop from the containers' specs.
        Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND
    - spec.policies.runAsGroup (object)
      Specifies which runAsGroup values the security context is permitted to use.
      - spec.policies.runAsGroup.ranges (array of objects)
        The list of group ID ranges that are allowed in MustRunAs mode.
        - spec.policies.runAsGroup.ranges.max (integer)
          Max ID value.
        - spec.policies.runAsGroup.ranges.min (integer)
          Min ID value.
      - spec.policies.runAsGroup.rule (string)
        Required value
        Specifies the strategy of the group ID selection.
        Allowed values: MustRunAs, MayRunAs, RunAsAny
    - spec.policies.runAsUser (object)
      Specifies which runAsUser values the security context is permitted to use.
      - spec.policies.runAsUser.ranges (array of objects)
        The list of user ID ranges that are allowed in MustRunAs mode.
        - spec.policies.runAsUser.ranges.max (integer)
          Max ID value.
        - spec.policies.runAsUser.ranges.min (integer)
          Min ID value.
      - spec.policies.runAsUser.rule (string)
        Required value
        Specifies the strategy of the user ID selection.
        Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny
    - spec.policies.seLinux (array of objects)
      Specifies which SELinux labels the security context is permitted to use.
      - spec.policies.seLinux.level (string)
        A SELinux level label that applies to the container.
      - spec.policies.seLinux.role (string)
        A SELinux role label that applies to the container.
      - spec.policies.seLinux.type (string)
        A SELinux type label that applies to the container.
      - spec.policies.seLinux.user (string)
        A SELinux user label that applies to the container.
    - spec.policies.seccompProfiles (object)
      Specifies the list of allowed profiles that can be set for the Pod or container's seccomp annotations.
      - spec.policies.seccompProfiles.allowedLocalhostFiles (array of strings)
        Defines the local seccomp profiles (in JSON format) that can be used if Localhost is set in the allowedProfiles parameter. An empty list prohibits the use of any local profiles.
      - spec.policies.seccompProfiles.allowedProfiles (array of strings)
        The list of allowed profile values for seccomp on Pods/containers.
    - spec.policies.supplementalGroups (object)
      Specifies what supplemental groups are allowed to be used by the security context.
      - spec.policies.supplementalGroups.ranges (array of objects)
        The list of supplemental group ID ranges that are allowed in MustRunAs mode.
        - spec.policies.supplementalGroups.ranges.max (integer)
          Max ID value.
        - spec.policies.supplementalGroups.ranges.min (integer)
          Min ID value.
      - spec.policies.supplementalGroups.rule (string)
        Required value
        Specifies the strategy of the supplemental group ID selection.
        Allowed values: MustRunAs, MayRunAs, RunAsAny
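As an added example (not from the original page or the Deckhouse project), here is a complete SecurityPolicy manifest that applies a restricted baseline to labelled namespaces using the fields documented above. The deckhouse.io API group is an assumption (the page states only the version v1alpha1); the resource name, namespace names, label key, local seccomp profile path and ID ranges are constructed, and RuntimeDefault is assumed to be an accepted allowedProfiles value (the page names only Localhost explicitly).

```yaml
# Added example, not from the original page. The deckhouse.io API group is an
# assumption (the page states only the version); names and values are constructed.
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: restricted-baseline
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      excludeNames:
        - kube-system
        - "platform-*"       # glob: platform namespaces get a separate, looser policy
    labelSelector:
      matchLabels:
        security-profile: restricted
  policies:
    # No host namespaces, no privileged containers, no privilege escalation,
    # no auto-mounted service account token, immutable root filesystem.
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowPrivileged: false
    allowPrivilegeEscalation: false
    automountServiceAccountToken: false
    readOnlyRootFilesystem: true
    # Drop everything, then hand back the single capability a web server needs.
    requiredDropCapabilities:
      - ALL
    allowedCapabilities:
      - NET_BIND_SERVICE
    allowedAppArmor:
      - runtime/default
    allowedProcMount: Default
    seccompProfiles:
      allowedProfiles:
        - RuntimeDefault     # assumed accepted value; the page names only Localhost
        - Localhost
      allowedLocalhostFiles:
        - profiles/web.json  # constructed path; the only local profile permitted
    # hostPath is deliberately absent from allowedVolumes: an empty allowedHostPaths
    # list would allow any host path, so the plugin is excluded outright instead.
    allowedVolumes:
      - configMap
      - secret
      - emptyDir
      - projected
      - downwardAPI
      - persistentVolumeClaim
    # forbiddenSysctls takes precedence over allowedUnsafeSysctls, so a sysctl
    # listed in both stays blocked.
    allowedUnsafeSysctls:
      - net.core.somaxconn
    forbiddenSysctls:
      - "kernel.msg*"
    # Identity: never root, group IDs from a fixed range, optional fs/supplemental groups.
    runAsUser:
      rule: MustRunAsNonRoot
    runAsGroup:
      rule: MustRunAs
      ranges:
        - min: 1000
          max: 65535
    supplementalGroups:
      rule: MayRunAs
      ranges:
        - min: 1000
          max: 65535
    fsGroup:
      rule: MayRunAs
      ranges:
        - min: 1000
          max: 65535
```

Because enforcementAction is Deny, any pod in a matching namespace that violates one of these rules is rejected at admission; applying the same policy with Dryrun first shows, in Grafana or via kubectl events, which existing workloads would be affected before enforcement is switched on.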