The admission-policy-engine module: custom resources

Required value

• spec.enforcementActionstring

  The enforcement action to control what to do with the result of the constraint.

  • Deny — Deny action.
  • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
  • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

  Default: "Deny"

  Allowed values: Warn, Deny, Dryrun

• spec.matchobject

  Required value

  • spec.match.labelSelectorobject

    Specifies the label selector to filter Pods with.

    You can get more into here.

    • spec.match.labelSelector.matchExpressionsarray of objects

      List of label expressions for Pods.

      Example:

      matchExpressions:
      - key: tier
        operator: In
        values:
        - production
        - staging
      

      • spec.match.labelSelector.matchExpressions.keystring

        Required value

      • spec.match.labelSelector.matchExpressions.operatorstring

        Required value

        Allowed values: In, NotIn, Exists, DoesNotExist

      • spec.match.labelSelector.matchExpressions.valuesarray of strings
    • spec.match.labelSelector.matchLabelsobject

      List of labels which Pod should have.

      Example:

      matchLabels:
        foo: bar
        baz: who
      

  • spec.match.namespaceSelectorobject

    Required value

    Specifies the Namespace selector to filter objects with.

    • spec.match.namespaceSelector.excludeNamesarray of strings

      Include all namespaces except a particular set. Support glob pattern.

    • spec.match.namespaceSelector.labelSelectorobject

      Specifies the label selector to filter namespaces.

      You can get more info in the documentation.

      • spec.match.namespaceSelector.labelSelector.matchExpressionsarray of objects

        List of label expressions for namespaces.

        Example:

        matchExpressions:
        - key: tier
          operator: In
          values:
          - production
          - staging
        

        • spec.match.namespaceSelector.labelSelector.matchExpressions.keystring

          Required value

        • spec.match.namespaceSelector.labelSelector.matchExpressions.operatorstring

          Required value

          Allowed values: In, NotIn, Exists, DoesNotExist

        • spec.match.namespaceSelector.labelSelector.matchExpressions.valuesarray of strings
      • spec.match.namespaceSelector.labelSelector.matchLabelsobject

        List of labels which a namespace should have.

        Example:

        matchLabels:
          foo: bar
          baz: who
        

    • spec.match.namespaceSelector.matchNamesarray of strings

      Include only a particular set of namespaces. Supports glob pattern.

• spec.policiesobject

  Required value

  • spec.policies.allowedReposarray of strings

    The list of prefixes a container image is allowed to have.

    • Element of the arraystring

      Example:

      - registry.deckhouse.io
      

  • spec.policies.checkContainerDuplicatesboolean

    Check container names and env variables for duplicates.

  • spec.policies.checkHostNetworkDNSPolicyboolean

    Check ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.

  • spec.policies.disallowedImageTagsarray of strings

    Requires container images to have an image tag different from the ones in the specified list.

    Example:

    disallowedImageTags:
    - latest
    

  • spec.policies.imagePullPolicystring

    Required image pull policy for containers.

    Allowed values: Always, IfNotPresent

  • spec.policies.maxRevisionHistoryLimitinteger

    A maximum value for a revision history.

  • spec.policies.priorityClassNamesarray of strings

    List of allowed priority class names.

  • spec.policies.requiredAnnotationsobject

    A list of annotations and values the object must specify.

    • spec.policies.requiredAnnotations.annotationsarray of objects
      • spec.policies.requiredAnnotations.annotations.allowedRegexstring

        If specified, a regular expression, the annotation’s value must match. The value must contain at least one match for the regular expression.

      • spec.policies.requiredAnnotations.annotations.keystring

        The required annotation.

    • spec.policies.requiredAnnotations.watchKindsarray of strings

      The list of kubernetes objects in the format $apiGroup/$kind to watch the annotations on.

      • Element of the arraystring

        Pattern: ^[a-z]*/[a-zA-Z]+$

        Example:

        - apps/Deployment
        - "/Pod"
        - networking.k8s.io/Ingress
        

  • spec.policies.requiredLabelsobject

    A list of labels and values the object must specify.

    • spec.policies.requiredLabels.labelsarray of objects
      • spec.policies.requiredLabels.labels.allowedRegexstring

        If specified, a regular expression, the label’s value must match. The value must contain at least one match for the regular expression.

      • spec.policies.requiredLabels.labels.keystring

        The required label.

    • spec.policies.requiredLabels.watchKindsarray of strings

      The list of kubernetes objects in the format $apiGroup/$kind to watch the labels on.

      • Element of the arraystring

        Pattern: ^[a-z]*/[a-zA-Z]+$

        Example:

        - apps/Deployment
        - "/Pod"
        - networking.k8s.io/Ingress
        

  • spec.policies.requiredProbesarray of strings

    The list of probes that are required (e.g. readinessProbe)

    Example:

    requiredProbes:
    - livenessProbe
    - readinessProbe
    

    • Element of the arraystring

      Allowed values: livenessProbe, readinessProbe, startupProbe

  • spec.policies.requiredResourcesobject

    Requires containers to have defined resources set.

    • spec.policies.requiredResources.limitsarray of strings

      A list of limits that should be enforced (CPU, memory, or both).

      Default: ["memory"]

      • Element of the arraystring

        Allowed values: cpu, memory

    • spec.policies.requiredResources.requestsarray of strings

      A list of requests that should be enforced (CPU, memory, or both).

      Default: ["cpu","memory"]

      • Element of the arraystring

        Allowed values: cpu, memory

Required value

• spec.enforcementActionstring

  The enforcement action to control what to do with the result of the constraint.

  • Deny — Deny action.
  • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
  • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

  Default: "Deny"

  Allowed values: Warn, Deny, Dryrun

• spec.matchobject

  Required value

  • spec.match.labelSelectorobject

    Specifies the label selector to filter Pods with.

    You can get more into here.

    • spec.match.labelSelector.matchExpressionsarray of objects

      List of label expressions for Pods.

      Example:

      matchExpressions:
      - key: tier
        operator: In
        values:
        - production
        - staging
      

      • spec.match.labelSelector.matchExpressions.keystring

        Required value

      • spec.match.labelSelector.matchExpressions.operatorstring

        Required value

        Allowed values: In, NotIn, Exists, DoesNotExist

      • spec.match.labelSelector.matchExpressions.valuesarray of strings
    • spec.match.labelSelector.matchLabelsobject

      List of labels which Pod should have.

      Example:

      matchLabels:
        foo: bar
        baz: who
      

  • spec.match.namespaceSelectorobject

    Required value

    Specifies the Namespace selector to filter objects with.

    • spec.match.namespaceSelector.excludeNamesarray of strings

      Include all namespaces except a particular set. Support glob pattern.

    • spec.match.namespaceSelector.labelSelectorobject

      Specifies the label selector to filter namespaces.

      You can get more info in the documentation.

      • spec.match.namespaceSelector.labelSelector.matchExpressionsarray of objects

        List of label expressions for namespaces.

        Example:

        matchExpressions:
        - key: tier
          operator: In
          values:
          - production
          - staging
        

        • spec.match.namespaceSelector.labelSelector.matchExpressions.keystring

          Required value

        • spec.match.namespaceSelector.labelSelector.matchExpressions.operatorstring

          Required value

          Allowed values: In, NotIn, Exists, DoesNotExist

        • spec.match.namespaceSelector.labelSelector.matchExpressions.valuesarray of strings
      • spec.match.namespaceSelector.labelSelector.matchLabelsobject

        List of labels which a namespace should have.

        Example:

        matchLabels:
          foo: bar
          baz: who
        

    • spec.match.namespaceSelector.matchNamesarray of strings

      Include only a particular set of namespaces. Supports glob pattern.

• spec.policiesobject

  Required value

  • spec.policies.allowHostIPCboolean

    Allows sharing the host’s IPC namespace with containers.

  • spec.policies.allowHostNetworkboolean

    Allows containers to use the host’s network.

  • spec.policies.allowHostPIDboolean

    Allows sharing the host’s PID namespace with containers.

  • spec.policies.allowPrivilegeEscalationboolean

    Allows container processes to gain more privileges than its parent process.

  • spec.policies.allowPrivilegedboolean

    Allows running containers in a privileged mode.

  • spec.policies.allowedAppArmorarray of strings

    List of allowed AppArmor profiles for use by containers.

    Example:

    allowedAppArmor:
    - runtime/default
    - unconfined
    

    • Element of the arraystring

      AppArmor profile.

  • spec.policies.allowedCapabilitiesarray of strings

    List of capabilities that containers are able to use.

    To allow all capabilities you may use ALL.

    Example:

    allowedCapabilities:
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
    

    • Element of the arraystring

      Allowed linux capabilities.

      Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

  • spec.policies.allowedFlexVolumesarray of objects

    Whitelist of allowed Flex Volume drivers.

    • spec.policies.allowedFlexVolumes.driverstring

      A driver name.

  • spec.policies.allowedHostPathsarray of objects

    The list of allowed hostpath prefixes. An empty list means any path can be used.

    Example:

    allowedHostPaths:
    - pathPrefix: "/dev"
      readOnly: true
    

    • spec.policies.allowedHostPaths.pathPrefixstring

      Required value

      Path prefix that the host volume must match.

      It does not support the * mask. Trailing slashes are trimmed when validating the path prefix with a host path.

      For example, the /foo prefix allows /foo, /foo/ and /foo/bar path, but doesn’t allow /food or /etc/foo path.

    • spec.policies.allowedHostPaths.readOnlyboolean

      When set to true, will allow host volumes matching the pathPrefix only if all the volume mounts are readOnly.

      Default: false

  • spec.policies.allowedHostPortsarray of objects

    The list of hostPort ranges allowed by the rule.

    • spec.policies.allowedHostPorts.maxinteger

      Max value for the hostPort

    • spec.policies.allowedHostPorts.mininteger

      Min value for the hostPort

  • spec.policies.allowedProcMountstring

    The allowed /proc mount type for containers.

    Allowed values: Default, Unmasked

    Example:

    allowedProcMount: Unmasked.
    

  • spec.policies.allowedUnsafeSysctlsarray of strings

    The list of explicitly allowed unsafe sysctls.

    To allow all unsafe sysctls you may use *.

    Example:

    allowedUnsafeSysctls:
    - kernel.msg*
    - net.core.somaxconn
    

  • spec.policies.allowedVolumesarray of strings

    The set of volume plugins allowed to use.

    Example:

    allowedVolumes:
    - hostPath
    - persistentVolumeClaim
    

    • Element of the arraystring

      Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume

  • spec.policies.forbiddenSysctlsarray of strings

    The list of forbidden sysctls.

    Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).

    Example:

    forbiddenSysctls:
    - kernel.msg*
    - net.core.somaxconn
    

  • spec.policies.fsGroupobject

    Specifies what fs group is allowed to be used by the security context.

    • spec.policies.fsGroup.rangesarray of objects

      List of acceptable ranges for the fs group ID to use with MustRunAs.

      • spec.policies.fsGroup.ranges.maxinteger

        Max ID value.

      • spec.policies.fsGroup.ranges.mininteger

        Min ID value.

    • spec.policies.fsGroup.rulestring

      Required value

      Specifes the strategy of the fs group selection.

      Allowed values: MustRunAs, MayRunAs, RunAsAny

  • spec.policies.readOnlyRootFilesystemboolean

    Defines if it’s possible to run containers with non-read only file system.

  • spec.policies.requiredDropCapabilitiesarray of strings

    The set of capabilities that have to be dropped from containers.

    To exclude all capabilities you may use ALL’.

    Example:

    requiredDropCapabilities:
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
    

    • Element of the arraystring

      Linux capabilities to drop from containers’ specs.

      Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

  • spec.policies.runAsGroupobject

    Specifies what runAsGroup value is allowed to be used by the security context.

    • spec.policies.runAsGroup.rangesarray of objects

      List of acceptable ranges for the group ID to use with MustRunAs.

      • spec.policies.runAsGroup.ranges.maxinteger

        Max ID value.

      • spec.policies.runAsGroup.ranges.mininteger

        Min ID value.

    • spec.policies.runAsGroup.rulestring

      Required value

      Specifies the strategy of the group ID selection.

      Allowed values: MustRunAs, MayRunAs, RunAsAny

  • spec.policies.runAsUserobject

    Specifies what runAsUser value is allowed to be used by the security context.

    • spec.policies.runAsUser.rangesarray of objects

      List of acceptable ranges for the user ID to use with MustRunAs.

      • spec.policies.runAsUser.ranges.maxinteger

        Max ID value.

      • spec.policies.runAsUser.ranges.mininteger

        Min ID value.

    • spec.policies.runAsUser.rulestring

      Required value

      Specifies the strategy of the user ID selection.

      Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny

  • spec.policies.seLinuxarray of objects

    Specifies what SElinux labels are allowed to be set in the security context.

    • spec.policies.seLinux.levelstring

      Level is SELinux level label that applies to the container.

    • spec.policies.seLinux.rolestring

      Role is SELinux role label that applies to the container.

    • spec.policies.seLinux.typestring

      Type is SELinux type label that applies to the container.

    • spec.policies.seLinux.userstring

      User is SELinux user label that applies to the container.

  • spec.policies.seccompProfilesobject

    This field specifies the list of allowed profiles that may be set for the Pod or container’s seccomp annotations.

    • spec.policies.seccompProfiles.allowedLocalhostFilesarray of strings

      When using securityContext naming scheme for seccomp and including Localhost this array holds the allowed profile JSON files.

      An empty list prohibits the use of any local profiles.

    • spec.policies.seccompProfiles.allowedProfilesarray of strings

      The list of allowed profile values for seccomp on Pods/containers.

  • spec.policies.supplementalGroupsobject

    Specifies what supplemental groups are allowed to be used by the security context.

    • spec.policies.supplementalGroups.rangesarray of objects

      List of acceptable ranges for the supplemental group ID to use with MustRunAs.

      • spec.policies.supplementalGroups.ranges.maxinteger

        Max ID value.

      • spec.policies.supplementalGroups.ranges.mininteger

        Min ID value.

    • spec.policies.supplementalGroups.rulestring

      Required value

      Specifies the strategy of the supplemental group ID selection.

      Allowed values: MustRunAs, MayRunAs, RunAsAny