OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

  • spec
    object

    Required value

    • spec.enforcementAction
      string

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to recording the event, it reports why the request would have been denied had the action been Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match
      object

      Required value

      • spec.match.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more info in the documentation.

        • spec.match.labelSelector.matchExpressions
          array of objects

          List of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key
            string

            Required value

          • spec.match.labelSelector.matchExpressions.operator
            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values
            array of strings
        • spec.match.labelSelector.matchLabels
          object

          List of labels which Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector
        object

        Required value

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames
          array of strings

          Include all namespaces except the listed ones. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions
            array of objects

            List of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values
              array of strings
          • spec.match.namespaceSelector.labelSelector.matchLabels
            object

            List of labels which a namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames
          array of strings

          Include only the listed namespaces. Supports glob patterns.

    • spec.policies
      object

      Required value

      • spec.policies.allowedRepos
        array of strings

        The list of prefixes a container image is allowed to have.

        • Element of the array
          string

          Example:

          registry.deckhouse.io
          
      • spec.policies.checkContainerDuplicates
        boolean

        Check container names and env variables for duplicates.

      • spec.policies.checkHostNetworkDNSPolicy
        boolean

        Check ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.

      • spec.policies.disallowedImageTags
        array of strings

        Requires container images to have an image tag different from the ones in the specified list.

        Example:

        disallowedImageTags: latest
        
      • spec.policies.imagePullPolicy
        string

        Required image pull policy for containers.

        Allowed values: Always, IfNotPresent

      • spec.policies.maxRevisionHistoryLimit
        integer

        A maximum value for a revision history.

      • spec.policies.priorityClassNames
        array of strings

        List of allowed priority class names.

      • spec.policies.replicaLimits
        object

        A range of allowed replicas. Values are inclusive.

        • spec.policies.replicaLimits.maxReplicas
          integer

          The maximum number of replicas allowed, inclusive.

        • spec.policies.replicaLimits.minReplicas
          integer

          The minimum number of replicas allowed, inclusive.

      • spec.policies.requiredAnnotations
        object

        A list of annotations and values the object must specify.

        • spec.policies.requiredAnnotations.annotations
          array of objects
          • spec.policies.requiredAnnotations.annotations.allowedRegex
            string

            If specified, a regular expression that the annotation’s value must match (the value must contain at least one match for the regular expression).

          • spec.policies.requiredAnnotations.annotations.key
            string

            The required annotation.

        • spec.policies.requiredAnnotations.watchKinds
          array of strings

          The list of Kubernetes objects in the format $apiGroup/$kind to watch the annotations on. Kinds from the core API group have an empty apiGroup (e.g. "/Pod").

          • Element of the array
            string

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment
            
            "/Pod"
            
            networking.k8s.io/Ingress
            
      • spec.policies.requiredLabels
        object

        A list of labels and values the object must specify.

        • spec.policies.requiredLabels.labels
          array of objects
          • spec.policies.requiredLabels.labels.allowedRegex
            string

            If specified, a regular expression that the label’s value must match (the value must contain at least one match for the regular expression).

          • spec.policies.requiredLabels.labels.key
            string

            The required label.

        • spec.policies.requiredLabels.watchKinds
          array of strings

          The list of Kubernetes objects in the format $apiGroup/$kind to watch the labels on. Kinds from the core API group have an empty apiGroup (e.g. "/Pod").

          • Element of the array
            string

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment
            
            "/Pod"
            
            networking.k8s.io/Ingress
            
      • spec.policies.requiredProbes
        array of strings

        The list of probes that are required (e.g. readinessProbe)

        Examples:

        requiredProbes: livenessProbe
        
        requiredProbes: readinessProbe
        
        • Element of the array
          string

          Allowed values: livenessProbe, readinessProbe, startupProbe

      • spec.policies.requiredResources
        object

        Requires containers to have defined resources set.

        • spec.policies.requiredResources.limits
          array of strings

          A list of limits that should be enforced (CPU, memory, or both).

          Default: ["memory"]

          • Element of the array
            string

            Allowed values: cpu, memory

        • spec.policies.requiredResources.requests
          array of strings

          A list of requests that should be enforced (CPU, memory, or both).

          Default: ["cpu","memory"]

          • Element of the array
            string

            Allowed values: cpu, memory
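
A complete OperationPolicy that combines the fields above, added here as an example; it is not code from the original page or from the Deckhouse project. The API group deckhouse.io, the policy name, the registry prefix registry.example.com/apps/, the namespace globs, the priority class names and the label/annotation keys are assumptions.

```yaml
# Added example (not from the page or the project). Assumed: the CRDs live in
# the deckhouse.io API group; names, globs, registry prefix and label keys are
# illustrative.
apiVersion: deckhouse.io/v1alpha1
kind: OperationPolicy
metadata:
  name: workload-hygiene
spec:
  enforcementAction: Deny              # roll out as Dryrun first, then Warn, then Deny
  match:
    namespaceSelector:
      excludeNames:                    # every namespace except system ones (glob patterns)
        - "kube-*"
        - "d8-*"
    labelSelector:
      matchExpressions:                # only Pods carrying one of these tier labels
        - key: tier
          operator: In
          values: ["production", "staging"]
  policies:
    allowedRepos:
      - registry.deckhouse.io
      # These are prefixes: the trailing slash keeps registry.example.com/apps/
      # from also matching an image such as registry.example.com/apps-evil/x.
      - registry.example.com/apps/
    disallowedImageTags:
      - latest
    imagePullPolicy: Always
    requiredProbes:
      - livenessProbe
      - readinessProbe
    requiredResources:
      requests: ["cpu", "memory"]
      limits: ["memory"]               # a CPU limit is left optional here
    replicaLimits:
      minReplicas: 2
      maxReplicas: 20
    maxRevisionHistoryLimit: 3
    priorityClassNames:
      - production-high
      - production-low
    checkHostNetworkDNSPolicy: true
    checkContainerDuplicates: true
    requiredLabels:
      watchKinds:
        - "apps/Deployment"
        - "/Pod"                       # core API group: empty apiGroup before the slash
      labels:
        - key: app.kubernetes.io/name
        - key: app.kubernetes.io/version
          allowedRegex: '^[0-9]+\.[0-9]+\.[0-9]+$'   # single quotes keep the backslashes literal
    requiredAnnotations:
      watchKinds:
        - "networking.k8s.io/Ingress"
      annotations:
        - key: owner
          allowedRegex: '^team-[a-z]+$'
```

Note that allowedRepos is prefix-matched, so a bare registry host also admits any image whose reference merely starts with that string; end the prefix with a slash (or a full path) when the intent is to pin a specific project. Apply the policy with enforcementAction set to Dryrun first and review the recorded events before switching to Deny, so that a selector that unexpectedly matches cluster components does not block them.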

SecurityPolicy

Scope: Cluster
Version: v1alpha1

Describes a security policy for a cluster.

Each CustomResource SecurityPolicy describes rules for objects in a cluster.

  • spec
    object

    Required value

    • spec.enforcementAction
      string

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
      • Warn — Same as Dryrun. In addition to recording the event, it reports why the request would have been denied had the action been Deny instead of Warn.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match
      object

      Required value

      • spec.match.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more info in the documentation.

        • spec.match.labelSelector.matchExpressions
          array of objects

          List of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key
            string

            Required value

          • spec.match.labelSelector.matchExpressions.operator
            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values
            array of strings
        • spec.match.labelSelector.matchLabels
          object

          List of labels which Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector
        object

        Required value

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames
          array of strings

          Include all namespaces except the listed ones. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions
            array of objects

            List of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values
              array of strings
          • spec.match.namespaceSelector.labelSelector.matchLabels
            object

            List of labels which a namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames
          array of strings

          Include only the listed namespaces. Supports glob patterns.

    • spec.policies
      object

      Required value

      • spec.policies.allowHostIPC
        boolean

        Allows sharing the host’s IPC namespace with containers.

      • spec.policies.allowHostNetwork
        boolean

        Allows containers to use the host’s network.

      • spec.policies.allowHostPID
        boolean

        Allows sharing the host’s PID namespace with containers.

      • spec.policies.allowPrivilegeEscalation
        boolean

        Allows container processes to gain more privileges than their parent process.

      • spec.policies.allowPrivileged
        boolean

        Allows running containers in a privileged mode.

      • spec.policies.allowedAppArmor
        array of strings

        List of allowed AppArmor profiles for use by containers.

        Examples:

        allowedAppArmor: runtime/default
        
        allowedAppArmor: unconfined
        
        • Element of the array
          string

          AppArmor profile.

      • spec.policies.allowedCapabilities
        array of strings

        List of capabilities that containers are able to use.

        To allow all capabilities you may use ALL.

        Examples:

        allowedCapabilities: SETGID
        
        allowedCapabilities: SETUID
        
        allowedCapabilities: NET_BIND_SERVICE
        
        • Element of the array
          string

          Allowed linux capabilities.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.allowedFlexVolumes
        array of objects

        The list of allowed Flex Volume drivers.

        • spec.policies.allowedFlexVolumes.driver
          string

          A driver name.

      • spec.policies.allowedHostPaths
        array of objects

        The list of allowed hostpath prefixes. An empty list means any path can be used.

        Example:

        allowedHostPaths:
        - pathPrefix: "/dev"
          readOnly: true
        
        • spec.policies.allowedHostPaths.pathPrefix
          string

          Required value

          Path prefix that the host volume must match.

          It does not support the * mask. Trailing slashes are trimmed when validating the path prefix with a host path.

          For example, the /foo prefix allows the /foo, /foo/ and /foo/bar paths, but doesn’t allow the /food or /etc/foo paths.

        • spec.policies.allowedHostPaths.readOnly
          boolean

          When set to true, will allow host volumes matching the pathPrefix only if all the volume mounts are readOnly.

          Default: false

      • spec.policies.allowedHostPorts
        array of objects

        The list of hostPort ranges allowed by the rule.

        • spec.policies.allowedHostPorts.max
          integer

          Max value for the hostPort

        • spec.policies.allowedHostPorts.min
          integer

          Min value for the hostPort

      • spec.policies.allowedProcMount
        string

        The allowed /proc mount type for containers.

        Allowed values: Default, Unmasked

        Example:

        allowedProcMount: Unmasked
        
      • spec.policies.allowedUnsafeSysctls
        array of strings

        The list of explicitly allowed unsafe sysctls.

        To allow all unsafe sysctls you may use *.

        Examples:

        allowedUnsafeSysctls: kernel.msg*
        
        allowedUnsafeSysctls: net.core.somaxconn
        
      • spec.policies.allowedVolumes
        array of strings

        The set of volume plugins allowed to use.

        Examples:

        allowedVolumes: hostPath
        
        allowedVolumes: persistentVolumeClaim
        
        • Element of the array
          string

          Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume

      • spec.policies.forbiddenSysctls
        array of strings

        The list of forbidden sysctls.

        Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).

        Examples:

        forbiddenSysctls: kernel.msg*
        
        forbiddenSysctls: net.core.somaxconn
        
      • spec.policies.fsGroup
        object

        Specifies what fs group is allowed to be used by the security context.

        • spec.policies.fsGroup.ranges
          array of objects

          List of acceptable ranges for the fs group ID to use with MustRunAs.

          • spec.policies.fsGroup.ranges.max
            integer

            Max ID value.

          • spec.policies.fsGroup.ranges.min
            integer

            Min ID value.

        • spec.policies.fsGroup.rule
          string

          Required value

          Specifies the strategy of the fs group selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.readOnlyRootFilesystem
        boolean

        Controls whether containers must run with a read-only root filesystem.

      • spec.policies.requiredDropCapabilities
        array of strings

        The set of capabilities that have to be dropped from containers.

        To drop all capabilities you may use ALL.

        Examples:

        requiredDropCapabilities: SETGID
        
        requiredDropCapabilities: SETUID
        
        requiredDropCapabilities: NET_BIND_SERVICE
        
        • Element of the array
          string

          Linux capabilities to drop from containers’ specs.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.runAsGroup
        object

        Specifies what runAsGroup value is allowed to be used by the security context.

        • spec.policies.runAsGroup.ranges
          array of objects

          List of acceptable ranges for the group ID to use with MustRunAs.

          • spec.policies.runAsGroup.ranges.max
            integer

            Max ID value.

          • spec.policies.runAsGroup.ranges.min
            integer

            Min ID value.

        • spec.policies.runAsGroup.rule
          string

          Required value

          Specifies the strategy of the group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.runAsUser
        object

        Specifies what runAsUser value is allowed to be used by the security context.

        • spec.policies.runAsUser.ranges
          array of objects

          List of acceptable ranges for the user ID to use with MustRunAs.

          • spec.policies.runAsUser.ranges.max
            integer

            Max ID value.

          • spec.policies.runAsUser.ranges.min
            integer

            Min ID value.

        • spec.policies.runAsUser.rule
          string

          Required value

          Specifies the strategy of the user ID selection.

          Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny

      • spec.policies.seLinux
        array of objects

        Specifies what SELinux labels are allowed to be set in the security context.

        • spec.policies.seLinux.level
          string

          Level is SELinux level label that applies to the container.

        • spec.policies.seLinux.role
          string

          Role is SELinux role label that applies to the container.

        • spec.policies.seLinux.type
          string

          Type is SELinux type label that applies to the container.

        • spec.policies.seLinux.user
          string

          User is SELinux user label that applies to the container.

      • spec.policies.seccompProfiles
        object

        This field specifies the list of allowed profiles that may be set for the Pod or container’s seccomp annotations.

        • spec.policies.seccompProfiles.allowedLocalhostFiles
          array of strings

          When the securityContext naming scheme for seccomp is used and Localhost is among the allowed profiles, this array holds the allowed profile JSON files.

          An empty list prohibits the use of any local profiles.

        • spec.policies.seccompProfiles.allowedProfiles
          array of strings

          The list of allowed profile values for seccomp on Pods/containers.

      • spec.policies.supplementalGroups
        object

        Specifies what supplemental groups are allowed to be used by the security context.

        • spec.policies.supplementalGroups.ranges
          array of objects

          List of acceptable ranges for the supplemental group ID to use with MustRunAs.

          • spec.policies.supplementalGroups.ranges.max
            integer

            Max ID value.

          • spec.policies.supplementalGroups.ranges.min
            integer

            Min ID value.

        • spec.policies.supplementalGroups.rule
          string

          Required value

          Specifies the strategy of the supplemental group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny
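
A restricted SecurityPolicy followed by a constructed Pod manifest that it rejects, added here as an example rather than taken from the page or the project. The API group deckhouse.io, the policy and Pod names, the prod-* namespace glob, the seccomp profile value, the ID ranges and the Pod's image are assumptions; the comments on the Pod name the policy field that denies each setting.

```yaml
# Added example (not from the page or the project). Assumed: the CRDs live in
# the deckhouse.io API group; names, globs, ranges and the Pod image are
# illustrative.
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: restricted-workloads
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      matchNames:
        - "prod-*"                     # glob: every namespace whose name starts with prod-
  policies:
    allowHostNetwork: false
    allowHostPID: false
    allowHostIPC: false
    allowPrivileged: false
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    requiredDropCapabilities:
      - ALL                            # drop everything ...
    allowedCapabilities:
      - NET_BIND_SERVICE               # ... then add back only what is needed
    allowedHostPaths:
      - pathPrefix: /var/log/app       # allows /var/log/app and /var/log/app/x,
        readOnly: true                 # not /var/log/application; mounts must be read-only
    allowedHostPorts:
      - min: 8080
        max: 8090
    allowedVolumes:
      - configMap
      - secret
      - emptyDir
      - projected
      - downwardAPI
      - persistentVolumeClaim
      - hostPath                       # still constrained by allowedHostPaths above
    allowedProcMount: Default
    allowedUnsafeSysctls: []
    forbiddenSysctls:
      - "kernel.*"                     # glob; takes precedence over allowedUnsafeSysctls
    runAsUser:
      rule: MustRunAsNonRoot
    runAsGroup:
      rule: MustRunAs
      ranges:
        - min: 1000
          max: 65535
    supplementalGroups:
      rule: MayRunAs
      ranges:
        - min: 1000
          max: 65535
    fsGroup:
      rule: MayRunAs
      ranges:
        - min: 1000
          max: 65535
    seccompProfiles:
      allowedProfiles:
        - RuntimeDefault               # assumed value, as in securityContext.seccompProfile.type
      allowedLocalhostFiles: []        # empty list: no Localhost profiles at all
    allowedAppArmor:
      - runtime/default
---
# Constructed Pod that this policy rejects; each comment names the denying field.
apiVersion: v1
kind: Pod
metadata:
  name: debug-shell
  namespace: prod-api                  # matched by the prod-* glob
spec:
  hostNetwork: true                    # allowHostNetwork: false
  hostPID: true                        # allowHostPID: false
  containers:
    - name: shell
      image: busybox:latest            # registry and tag are OperationPolicy checks, not SecurityPolicy ones
      securityContext:                 # no readOnlyRootFilesystem: true -> readOnlyRootFilesystem policy
        privileged: true               # allowPrivileged: false
        runAsUser: 0                   # runAsUser.rule: MustRunAsNonRoot
        capabilities:
          add: ["SYS_ADMIN"]           # not in allowedCapabilities, and ALL must be dropped
      volumeMounts:
        - name: root
          mountPath: /host             # read-write mount of a hostPath volume
  volumes:
    - name: root
      hostPath:
        path: /                        # not under the only allowed prefix /var/log/app
```

Apply the SecurityPolicy first, then submit the Pod with `kubectl apply --dry-run=server -f pod.yaml`: a server-side dry run still passes through validating admission, so a Deny policy reports the violations without creating anything, whereas Dryrun or Warn admit the request (Warn returning the reason as a warning). Introduce a new policy as Dryrun, inspect the recorded events, and only then switch it to Deny, since a selector that also matches system namespaces would otherwise block the cluster's own workloads.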