How to extend Pod Security Standards policies?

To extend the Pod Security Standards policy by adding your own checks to the existing ones, you need to define the check in a Gatekeeper ConstraintTemplate and then bind it to the policy with a Constraint of the kind that template declares.
Example template for checking the container image repository address:

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        openAPIV3Schema:
          type: object
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
```

Two points to keep in mind when adapting this template. `startswith` is a plain string-prefix comparison, so list repositories with their trailing slash (for instance `registry.example.com/` rather than `registry.example.com`), otherwise a look-alike host such as `registry.example.com.attacker.net` would pass. And the two rules walk only `spec.containers` and `spec.initContainers`, so images in `spec.ephemeralContainers` are not checked by this template.
Example of binding the check to the policy:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: prod-repo
spec:
  match:
    kinds:
```
The example demonstrates how to configure the repository address check on the `image` field of the containers.

More about templates and the policy language can be found in the Gatekeeper documentation.

More examples of checks for extending the policy can be found in the Gatekeeper Library.
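The following Python script is an added example, not Deckhouse or Gatekeeper code: it re-implements the two Rego `violation` rules of the template above so their behaviour can be exercised offline, without a cluster, against constructed AdmissionReview-style inputs. The registry name `registry.example.com/`, the image references and the Pod objects are constructed test data, not values from this page. It shows the behaviour a reviewer should know about: initContainers are checked, an allow-list entry without a trailing slash admits a look-alike host, unqualified image names are not normalised to `docker.io/library/...`, and ephemeral containers are never inspected.

```python
"""Offline model of the K8sAllowedRepos check (added example, not Deckhouse/Gatekeeper code)."""


def violations(admission_input: dict) -> list[str]:
    """Return one violation message per offending container.

    `admission_input` mirrors the Rego `input` document: the admitted object
    under review.object and the Constraint's parameters under parameters.
    Like the page's Rego, only spec.containers and spec.initContainers are
    inspected; spec.ephemeralContainers is ignored.
    """
    spec = admission_input["review"]["object"].get("spec", {})
    repos = admission_input["parameters"]["repos"]
    msgs = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        image = container["image"]
        # satisfied := [good | repo = repos[_]; good = startswith(image, repo)]; not any(satisfied)
        if not any(image.startswith(repo) for repo in repos):
            msgs.append(
                f"container <{container['name']}> has an invalid image repo "
                f"<{image}>, allowed repos are {repos}"
            )
    return msgs


def make_input(repos, containers=(), init_containers=(), ephemeral_containers=()):
    """Build the `input` document for one Pod (constructed sample data)."""

    def spec_entries(prefix, images):
        return [{"name": f"{prefix}{i}", "image": img} for i, img in enumerate(images)]

    pod = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "demo"},
        "spec": {
            "containers": spec_entries("c", containers),
            "initContainers": spec_entries("init", init_containers),
            "ephemeralContainers": spec_entries("debug", ephemeral_containers),
        },
    }
    return {"review": {"object": pod}, "parameters": {"repos": list(repos)}}


# Hypothetical internal registry used for the demonstration (assumption, not from the page).
ALLOWED = ["registry.example.com/"]


def demo() -> dict:
    """Run the check over the edge cases a reviewer should know about."""
    return {
        # A fully qualified image from the allowed registry passes.
        "allowed": violations(make_input(ALLOWED, ["registry.example.com/app:1.0"])),
        # initContainers are checked too (second rule in the template).
        "init_container": violations(
            make_input(ALLOWED, ["registry.example.com/app:1.0"], init_containers=["busybox:1.36"])
        ),
        # startswith is a plain string prefix: without the trailing slash a
        # look-alike host slips through; with it, the same image is rejected.
        "lookalike_no_slash": violations(
            make_input(["registry.example.com"], ["registry.example.com.attacker.net/app:1.0"])
        ),
        "lookalike_with_slash": violations(
            make_input(ALLOWED, ["registry.example.com.attacker.net/app:1.0"])
        ),
        # Unqualified names are not normalised to docker.io/library/..., so a
        # bare "nginx" is rejected by a registry allow-list (usually desired).
        "unqualified": violations(make_input(ALLOWED, ["nginx"])),
        # Ephemeral containers (kubectl debug) are never inspected by this template.
        "ephemeral_unchecked": violations(
            make_input(ALLOWED, ["registry.example.com/app:1.0"],
                       ephemeral_containers=["docker.io/library/busybox"])
        ),
    }


if __name__ == "__main__":
    for case, msgs in demo().items():
        print(f"{case}: {'DENY ' + msgs[0] if msgs else 'allow'}")
```

The `lookalike_no_slash` case is the one to remember when filling in `parameters.repos`: the entry must end with the separator that terminates the registry host, otherwise the prefix match is weaker than it looks.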
What if several policies (operational or security) apply to the same object?

In that case the object's specification has to satisfy all the policies that apply to it.
For example, consider the following two security policies:

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foo
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          name: test
  policies:
    readOnlyRootFilesystem: true
    requiredDropCapabilities:
```
Then, to satisfy the requirements of the above security policies, the container specification must include:

```yaml
securityContext:
  capabilities:
    drop:
```
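The following Python script is an added example, not Deckhouse code: it models how the requirements of several SecurityPolicy objects that select the same namespace combine, using only the two fields shown on the page (`readOnlyRootFilesystem` and `requiredDropCapabilities`) and the `namespaceSelector.labelSelector.matchLabels` match. The policy names `foo`, `bar` and `other`, the namespace labels and the capability names `NET_RAW`, `SYS_ADMIN` and `MKNOD` are constructed for the demonstration; the treatment of non-Deny enforcement actions and of `drop: ["ALL"]` is an assumption of this model, not a statement about the module's own templates.

```python
"""Effective requirements when several SecurityPolicy objects select one namespace
(added example, not Deckhouse code)."""


def selects_namespace(policy: dict, ns_labels: dict) -> bool:
    """True if every matchLabels entry of the policy's namespaceSelector is present."""
    selector = policy["spec"]["match"]["namespaceSelector"]["labelSelector"]
    return all(ns_labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_requirements(policies: list[dict], ns_labels: dict) -> dict:
    """Combine every Deny policy that applies: requirements are ANDed, never relaxed."""
    req = {"readOnlyRootFilesystem": False, "requiredDropCapabilities": set()}
    for policy in policies:
        # Assumption of this model: only Deny blocks admission; other actions only report.
        if policy["spec"].get("enforcementAction") != "Deny":
            continue
        if not selects_namespace(policy, ns_labels):
            continue
        rules = policy["spec"]["policies"]
        req["readOnlyRootFilesystem"] |= bool(rules.get("readOnlyRootFilesystem", False))
        req["requiredDropCapabilities"] |= set(rules.get("requiredDropCapabilities", []))
    return req


def check_security_context(security_context: dict, req: dict) -> list[str]:
    """Return the reasons a container securityContext fails the combined requirements."""
    problems = []
    if req["readOnlyRootFilesystem"] and not security_context.get("readOnlyRootFilesystem", False):
        problems.append("readOnlyRootFilesystem must be true")
    dropped = set(security_context.get("capabilities", {}).get("drop", []))
    missing = req["requiredDropCapabilities"] - dropped
    # Assumption: dropping ALL covers any required list (as in the Gatekeeper library's
    # capabilities template); verify against the module's own template before relying on it.
    if missing and "ALL" not in dropped:
        problems.append(f"capabilities.drop is missing {sorted(missing)}")
    return problems


def security_policy(name: str, match_labels: dict, **rules) -> dict:
    """Construct a SecurityPolicy object in the shape shown on the page."""
    return {
        "apiVersion": "deckhouse.io/v1alpha1",
        "kind": "SecurityPolicy",
        "metadata": {"name": name},
        "spec": {
            "enforcementAction": "Deny",
            "match": {"namespaceSelector": {"labelSelector": {"matchLabels": match_labels}}},
            "policies": rules,
        },
    }


# Constructed policies: two select the namespace labelled name=test, one does not.
POLICIES = [
    security_policy("foo", {"name": "test"}, readOnlyRootFilesystem=True,
                    requiredDropCapabilities=["NET_RAW"]),
    security_policy("bar", {"name": "test"}, requiredDropCapabilities=["SYS_ADMIN"]),
    security_policy("other", {"name": "prod"}, requiredDropCapabilities=["MKNOD"]),
]

TEST_NAMESPACE_LABELS = {"name": "test"}


def demo() -> dict:
    """Evaluate three container securityContexts against the combined requirements."""
    req = effective_requirements(POLICIES, TEST_NAMESPACE_LABELS)
    return {
        "requirements": req,
        # Satisfies foo alone: bar's SYS_ADMIN is still required, so it is rejected.
        "partial": check_security_context(
            {"readOnlyRootFilesystem": True, "capabilities": {"drop": ["NET_RAW"]}}, req),
        # Satisfies the union of both policies.
        "complete": check_security_context(
            {"readOnlyRootFilesystem": True, "capabilities": {"drop": ["NET_RAW", "SYS_ADMIN"]}}, req),
        "drop_all": check_security_context(
            {"readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}, req),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point the model makes explicit is that policies never override each other: a container in the `name=test` namespace must drop the union of the capabilities required by `foo` and `bar` and also set `readOnlyRootFilesystem`, while `other` contributes nothing because its selector does not match.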