OperationPolicy
Scope: Cluster
Version: v1alpha1
Describes an operation policy for a cluster.
Each CustomResource OperationPolicy
describes rules for objects in a cluster.
- spec
Required value
- spec.enforcementAction
The enforcement action to control what to do with the result of the constraint.
Deny
— Deny action.Dryrun
— No action. It is used when debugging. Information about the event can be viewed in Grafana in dashboardSecurity/Admission policy engine
.Warn
— Same asDryrun
. In addition to the event information, it provides some info on why that constraint would have been denied if you had setDeny
instead ofWarn
.
Default:
"Deny"
Allowed values:
Warn
,Deny
,Dryrun
- spec.match
Required value
- spec.match.labelSelector
Specifies the label selector to filter Pods with.
You can get more into here.
- spec.match.labelSelector.matchExpressions
List of label expressions for Pods.
Example:
matchExpressions: - key: tier operator: In values: - production - staging
- spec.match.labelSelector.matchExpressions.key
Required value
- spec.match.labelSelector.matchExpressions.operator
Required value
Allowed values:
In
,NotIn
,Exists
,DoesNotExist
- spec.match.labelSelector.matchExpressions.values
- spec.match.labelSelector.matchLabels
List of labels which Pod should have.
Example:
matchLabels: foo: bar baz: who
- spec.match.namespaceSelector
Required value
Specifies the Namespace selector to filter objects with.
- spec.match.namespaceSelector.excludeNames
Include all namespaces except a particular set. Support glob pattern.
- spec.match.namespaceSelector.labelSelector
Specifies the label selector to filter namespaces.
You can get more info in the documentation.
- spec.match.namespaceSelector.labelSelector.matchExpressions
List of label expressions for namespaces.
Example:
matchExpressions: - key: tier operator: In values: - production - staging
- spec.match.namespaceSelector.labelSelector.matchExpressions.key
Required value
- spec.match.namespaceSelector.labelSelector.matchExpressions.operator
Required value
Allowed values:
In
,NotIn
,Exists
,DoesNotExist
- spec.match.namespaceSelector.labelSelector.matchExpressions.values
- spec.match.namespaceSelector.labelSelector.matchLabels
List of labels which a namespace should have.
Example:
matchLabels: foo: bar baz: who
- spec.match.namespaceSelector.matchNames
Include only a particular set of namespaces. Supports glob pattern.
- spec.policies
Required value
- spec.policies.allowedRepos
The list of prefixes a container image is allowed to have.
- Element of the array
Example:
registry.deckhouse.io
- spec.policies.checkContainerDuplicates
Check container names and env variables for duplicates.
- spec.policies.checkHostNetworkDNSPolicy
Check
ClusterFirstWithHostNet
dnsPolicy is set for Pods withhostNetwork: true
. - array of strings
Requires container images to have an image tag different from the ones in the specified list.
Example:
disallowedImageTags: latest
- spec.policies.imagePullPolicy
Required image pull policy for containers.
Allowed values:
Always
,IfNotPresent
- spec.policies.ingressClassNames
List of allowed ingress class names.
- spec.policies.maxRevisionHistoryLimit
A maximum value for a revision history.
- spec.policies.priorityClassNames
List of allowed priority class names.
- spec.policies.replicaLimits
A range of allowed replicas. Values are inclusive.
- spec.policies.replicaLimits.maxReplicas
The maximum number of replicas allowed, inclusive.
- spec.policies.replicaLimits.minReplicas
The minimum number of replicas allowed, inclusive.
- spec.policies.requiredAnnotations
A list of annotations and values the object must specify.
- spec.policies.requiredAnnotations.annotations
- spec.policies.requiredAnnotations.annotations.allowedRegex
If specified, a regular expression, the annotation’s value must match. The value must contain at least one match for the regular expression.
- spec.policies.requiredAnnotations.annotations.key
The required annotation.
- spec.policies.requiredAnnotations.watchKinds
The list of kubernetes objects in the format
$apiGroup/$kind
to watch the annotations on.- Element of the array
Pattern:
^[a-z]*/[a-zA-Z]+$
Examples:
apps/Deployment
"/Pod"
networking.k8s.io/Ingress
- spec.policies.requiredLabels
A list of labels and values the object must specify.
- spec.policies.requiredLabels.labels
- spec.policies.requiredLabels.labels.allowedRegex
If specified, a regular expression, the label’s value must match. The value must contain at least one match for the regular expression.
- spec.policies.requiredLabels.labels.key
The required label.
- spec.policies.requiredLabels.watchKinds
The list of kubernetes objects in the format
$apiGroup/$kind
to watch the labels on.- Element of the array
Pattern:
^[a-z]*/[a-zA-Z]+$
Examples:
apps/Deployment
"/Pod"
networking.k8s.io/Ingress
- spec.policies.requiredProbes
The list of probes that are required (e.g.
readinessProbe
andlivenessProbe
)Example:
requiredProbes: - readinessProbe - livenessProbe
- Element of the array
Allowed values:
livenessProbe
,readinessProbe
,startupProbe
- spec.policies.requiredResources
Requires containers to have defined resources set.
- spec.policies.requiredResources.limits
A list of limits that should be enforced (CPU, memory, or both).
Default:
["memory"]
- Element of the array
Allowed values:
cpu
,memory
- spec.policies.requiredResources.requests
A list of requests that should be enforced (CPU, memory, or both).
Default:
["cpu","memory"]
- Element of the array
Allowed values:
cpu
,memory
- spec.policies.storageClassNames
List of allowed storage class names.
SecurityPolicy
Scope: Cluster
Version: v1alpha1
Describes a security policy for a cluster.
Each SecurityPolicy
custom resource describes rules for the objects in the cluster.
- spec
Required value
- spec.enforcementAction
An enforcement action as a result of the constraint:
Deny
— Deny action.Dryrun
— No action. Used for debugging. Information about the event can be viewed in Grafana in dashboardSecurity/Admission policy engine
.Warn
— No action; similar toDryrun
. Provides information about the constraint that would result in a denial if theDeny
action is used.
Default:
"Deny"
Allowed values:
Warn
,Deny
,Dryrun
- spec.match
Required value
Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.
- spec.match.labelSelector
Specifies the label selector to filter Pods with.
You can get more into here.
- spec.match.labelSelector.matchExpressions
The list of label expressions for Pods.
Example:
matchExpressions: - key: tier operator: In values: - production - staging
- spec.match.labelSelector.matchExpressions.key
Required value
- spec.match.labelSelector.matchExpressions.operator
Required value
Allowed values:
In
,NotIn
,Exists
,DoesNotExist
- spec.match.labelSelector.matchExpressions.values
- spec.match.labelSelector.matchLabels
The list of the labels that the Pod should have.
Example:
matchLabels: foo: bar baz: who
- spec.match.namespaceSelector
Required value
Specifies the Namespace selector to filter objects with.
- spec.match.namespaceSelector.excludeNames
Includes all namespaces except a particular set. Support glob pattern.
- spec.match.namespaceSelector.labelSelector
Specifies the label selector to filter namespaces.
You can get more info in the documentation.
- spec.match.namespaceSelector.labelSelector.matchExpressions
The list of label expressions for namespaces.
Example:
matchExpressions: - key: tier operator: In values: - production - staging
- spec.match.namespaceSelector.labelSelector.matchExpressions.key
Required value
- spec.match.namespaceSelector.labelSelector.matchExpressions.operator
Required value
Allowed values:
In
,NotIn
,Exists
,DoesNotExist
- spec.match.namespaceSelector.labelSelector.matchExpressions.values
- spec.match.namespaceSelector.labelSelector.matchLabels
The list of the labels that the namespace should have.
Example:
matchLabels: foo: bar baz: who
- spec.match.namespaceSelector.matchNames
Includes only a particular set of namespaces. Supports glob pattern.
- spec.policies
Required value
Policies that pods and containers must comply with.
- spec.policies.allowHostIPC
Allows sharing the host’s IPC namespace with containers.
- spec.policies.allowHostNetwork
Allows containers to use the host’s network.
- spec.policies.allowHostPID
Allows sharing the host’s PID namespace with containers.
- spec.policies.allowPrivilegeEscalation
Allows container processes to gain more privileges than its parent process.
- spec.policies.allowPrivileged
Allows running containers in a privileged mode.
- spec.policies.allowedAppArmor
The list of AppArmor profiles the containers are permitted to use.
Examples:
allowedAppArmor: runtime/default
allowedAppArmor: unconfined
- Element of the array
An AppArmor profile.
- spec.policies.allowedCapabilities
The list of capabilities that the containers are permitted to use.
To allow all capabilities, use
ALL
.Examples:
allowedCapabilities: SETGID
allowedCapabilities: SETUID
allowedCapabilities: NET_BIND_SERVICE
- Element of the array
A linux capability.
Allowed values:
ALL
,SETPCAP
,SYS_MODULE
,SYS_RAWIO
,SYS_PACCT
,SYS_ADMIN
,SYS_NICE
,SYS_RESOURCE
,SYS_TIME
,SYS_TTY_CONFIG
,MKNOD
,AUDIT_WRITE
,AUDIT_CONTROL
,MAC_OVERRIDE
,MAC_ADMIN
,NET_ADMIN
,SYSLOG
,CHOWN
,NET_RAW
,DAC_OVERRIDE
,FOWNER
,DAC_READ_SEARCH
,FSETID
,KILL
,SETGID
,SETUID
,LINUX_IMMUTABLE
,NET_BIND_SERVICE
,NET_BROADCAST
,IPC_LOCK
,IPC_OWNER
,SYS_CHROOT
,SYS_PTRACE
,SYS_BOOT
,LEASE
,SETFCAP
,WAKE_ALARM
,BLOCK_SUSPEND
- spec.policies.allowedClusterRoles
A list of allowed cluster roles to bind to users.
- spec.policies.allowedFlexVolumes
The list of Flex Volume drivers the containers are permitted to use.
- spec.policies.allowedFlexVolumes.driver
A driver name.
- spec.policies.allowedHostPaths
The list of allowed hostpath prefixes. An empty list means any path can be used.
Example:
allowedHostPaths: pathPrefix: "/dev" readOnly: true
- spec.policies.allowedHostPaths.pathPrefix
Required value
The path prefix to match against the host volume.
It does not support the
*
mask. Trailing slashes are trimmed when validating the path prefix with a host path.For example, the
/foo
prefix allows/foo
,/foo/
and/foo/bar
path, but doesn’t allow/food
or/etc/foo
path. - spec.policies.allowedHostPaths.readOnly
When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.
Default:
false
- spec.policies.allowedHostPorts
The list of
hostPort
ranges allowed by the rule.- spec.policies.allowedHostPorts.max
Max value for the
hostPort
. - spec.policies.allowedHostPorts.min
Min value for the
hostPort
.
- spec.policies.allowedProcMount
Allows
/proc
mount type for containers.Allowed values:
Default
,Unmasked
Example:
allowedProcMount: Unmasked.
- spec.policies.allowedUnsafeSysctls
The list of explicitly allowed unsafe sysctls.
To allow all unsafe sysctls, use
*
.Examples:
allowedUnsafeSysctls: kernel.msg*
allowedUnsafeSysctls: net.core.somaxconn
- spec.policies.allowedVolumes
The set of the permitted volume plugins.
Examples:
allowedVolumes: hostPath
allowedVolumes: persistentVolumeClaim
- Element of the array
Allowed values:
*
,none
,awsElasticBlockStore
,azureDisk
,azureFile
,cephFS
,cinder
,configMap
,csi
,downwardAPI
,emptyDir
,fc
,flexVolume
,flocker
,gcePersistentDisk
,gitRepo
,glusterfs
,hostPath
,iscsi
,nfs
,persistentVolumeClaim
,photonPersistentDisk
,portworxVolume
,projected
,quobyte
,rbd
,scaleIO
,secret
,storageos
,vsphereVolume
- spec.policies.automountServiceAccountToken
Allows pods to run with
automountServiceAccountToken
enabled. - spec.policies.forbiddenSysctls
The list of forbidden sysctls.
Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).
Examples:
forbiddenSysctls: kernel.msg*
forbiddenSysctls: net.core.somaxconn
- spec.policies.fsGroup
Specifies which
fsGroup
values the security context is permitted to use.- spec.policies.fsGroup.ranges
The list of
fsGroup
ID ranges that are allowed in `MustRunAs’ mode.- spec.policies.fsGroup.ranges.max
Max ID value.
- spec.policies.fsGroup.ranges.min
Min ID value.
- spec.policies.fsGroup.rule
Required value
Specifies the strategy of the
fsGroup
selection.Allowed values:
MustRunAs
,MayRunAs
,RunAsAny
- spec.policies.readOnlyRootFilesystem
If set to true, only the pods with the read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.
- spec.policies.requiredDropCapabilities
The list of capabilities that have to be dropped from the containers.
To exclude all capabilities, use
ALL
’.Examples:
requiredDropCapabilities: SETGID
requiredDropCapabilities: SETUID
requiredDropCapabilities: NET_BIND_SERVICE
- Element of the array
A linux capability to drop from the containers’ specs.
Allowed values:
ALL
,SETPCAP
,SYS_MODULE
,SYS_RAWIO
,SYS_PACCT
,SYS_ADMIN
,SYS_NICE
,SYS_RESOURCE
,SYS_TIME
,SYS_TTY_CONFIG
,MKNOD
,AUDIT_WRITE
,AUDIT_CONTROL
,MAC_OVERRIDE
,MAC_ADMIN
,NET_ADMIN
,SYSLOG
,CHOWN
,NET_RAW
,DAC_OVERRIDE
,FOWNER
,DAC_READ_SEARCH
,FSETID
,KILL
,SETGID
,SETUID
,LINUX_IMMUTABLE
,NET_BIND_SERVICE
,NET_BROADCAST
,IPC_LOCK
,IPC_OWNER
,SYS_CHROOT
,SYS_PTRACE
,SYS_BOOT
,LEASE
,SETFCAP
,WAKE_ALARM
,BLOCK_SUSPEND
- spec.policies.runAsGroup
Specifies which
runAsGroup
values the security context is permitted to use.- spec.policies.runAsGroup.ranges
The list of group ID ranges that are allowed in `MustRunAs’ mode.
- spec.policies.runAsGroup.ranges.max
Max ID value.
- spec.policies.runAsGroup.ranges.min
Min ID value.
- spec.policies.runAsGroup.rule
Required value
Specifies the strategy of the group ID selection.
Allowed values:
MustRunAs
,MayRunAs
,RunAsAny
- spec.policies.runAsUser
Specifies which
runAsUser
values the security context is permitted to use.- spec.policies.runAsUser.ranges
The list of user ID ranges that are allowed in `MustRunAs’ mode.
- spec.policies.runAsUser.ranges.max
Max ID value.
- spec.policies.runAsUser.ranges.min
Min ID value.
- spec.policies.runAsUser.rule
Required value
Specifies the strategy of the user ID selection.
Allowed values:
MustRunAs
,MustRunAsNonRoot
,RunAsAny
- spec.policies.seLinux
Specifies which SElinux labels the security context is permitted to use.
- spec.policies.seLinux.level
A SELinux level label that applies to the container.
- spec.policies.seLinux.role
A SELinux role label that applies to the container.
- spec.policies.seLinux.type
A SELinux type label that applies to the container.
- spec.policies.seLinux.user
A SELinux user label that applies to the container.
- spec.policies.seccompProfiles
Specifies the list of allowed profiles that can be set for the Pod or container’s seccomp annotations.
- spec.policies.seccompProfiles.allowedLocalhostFiles
Defines the local seccomp profiles (in JSON format) that can be used if
Localhost
is set in theallowedProfiles
parameter.An empty list prohibits the use of any local profiles.
- spec.policies.seccompProfiles.allowedProfiles
The list of allowed profile values for seccomp on Pods/containers.
- spec.policies.supplementalGroups
Specifies what supplemental groups are allowed to be used by the security context.
- spec.policies.supplementalGroups.ranges
The list of supplemental group ID ranges that are allowed in `MustRunAs’ mode.
- spec.policies.supplementalGroups.ranges.max
Max ID value.
- spec.policies.supplementalGroups.ranges.min
Min ID value.
- spec.policies.supplementalGroups.rule
Required value
Specifies the strategy of the supplemental group ID selection.
Allowed values:
MustRunAs
,MayRunAs
,RunAsAny
- spec.policies.verifyImageSignatures
List of policies to verify container images signatures.
Container images must be signed using Cosign.
This feature is available in enterprise edition only.
Example:
verifyImageSignatures: - reference: docker.io/myrepo/* publicKeys: - |- -----BEGIN PUBLIC KEY----- ..... -----END PUBLIC KEY----- - reference: company.registry.com/* dockerCfg: "<Base64_dockerCfg>" publicKeys: - |- -----BEGIN PUBLIC KEY----- ..... -----END PUBLIC KEY-----
- spec.policies.verifyImageSignatures.ca
A custom certificate authority to use when connecting to the container image repository.
- spec.policies.verifyImageSignatures.dockerCfg
A string in Base64 with authentication data for the container image repository.
If the container images are available anonymously, it is not specified.
- spec.policies.verifyImageSignatures.publicKeys
Required value
The list of Cosign compliant public keys.
- spec.policies.verifyImageSignatures.reference
Required value
Absolute address or template for container images.
If it contains the
*
symbol, it is considered a template for container image addresses. The*
symbol can only appear once and only at the end. For example, for the valuecompany.registry.com/*
, any container images from the repositorycompany.registry.com
will be checked with the specified keys and access parameters.If it does not contain the
*
symbol, it is considered an absolute address for a container image. For example, for the valuecompany.registry.com/nginx
, only the nginx image from the repositorycompany.registry.com
will be checked with the specified keys and access parameters.Pattern:
^[a-z0-9\.\-:@\/]*\*?$
Examples:
reference: docker.io/myuser/*
reference: "*"