OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

  • spec
    object

    Required value

    • spec.enforcementAction
      string

      The enforcement action to control what to do with the result of the constraint.

      • Deny — Deny action.
      • Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana in dashboard Security/Admission policy engine.
      • Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.

      Default: Deny

      Allowed values: Warn, Deny, Dryrun

    • spec.match
      object

      Required value

      • spec.match.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more into here.

        • spec.match.labelSelector.matchExpressions
          array of objects

          List of label expressions for Pods.

          Example:

          matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
          • spec.match.labelSelector.matchExpressions.key
            string

            Required value

          • spec.match.labelSelector.matchExpressions.operator
            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values
            array of strings
        • spec.match.labelSelector.matchLabels
          object

          List of labels which Pod should have.

          Example:

          matchLabels:
  foo: bar
  baz: who
      • spec.match.namespaceSelector
        object

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames
          array of strings

          Include all namespaces except a particular set. Support glob pattern.

        • spec.match.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions
            array of objects

            List of label expressions for namespaces.

            Example:

            matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values
              array of strings
          • spec.match.namespaceSelector.labelSelector.matchLabels
            object

            List of labels which a namespace should have.

            Example:

            matchLabels:
  foo: bar
  baz: who
        • spec.match.namespaceSelector.matchNames
          array of strings

          Include only a particular set of namespaces. Supports glob pattern.

    • spec.policies
      object

      Required value

      • spec.policies.allowedRepos
        array of strings

        The list of prefixes a container image is allowed to have.

        • Element of the array
          string

          Example:

          registry.deckhouse.io
      • spec.policies.checkContainerDuplicates
        boolean

        Check container names and env variables for duplicates.

      • spec.policies.checkHostNetworkDNSPolicy
        boolean

        Check ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.

      • spec.policies.disallowedImageTags
        array of strings

        Requires container images to have an image tag different from the ones in the specified list.

        Example:

        disallowedImageTags: latest
      • spec.policies.disallowedTolerations
        array of objects

        Deny Pods that have tolerations from the ones in the specified list.

        See more in the Kubernetes documentation.

        • spec.policies.disallowedTolerations.effect
          string

          Allowed values: NoSchedule, PreferNoSchedule, NoExecute

        • spec.policies.disallowedTolerations.key
          string
        • spec.policies.disallowedTolerations.operator
          string

          Allowed values: Exists, Equal

        • spec.policies.disallowedTolerations.value
          string
      • spec.policies.imagePullPolicy
        string

        Required image pull policy for containers.

        Allowed values: Always, IfNotPresent

      • spec.policies.ingressClassNames
        array of strings

        List of allowed ingress class names.

      • spec.policies.maxRevisionHistoryLimit
        integer

        A maximum value for a revision history.

      • spec.policies.priorityClassNames
        array of strings

        List of allowed priority class names.

      • spec.policies.replicaLimits
        object

        A range of allowed replicas. Values are inclusive.

        • spec.policies.replicaLimits.maxReplicas
          integer

          The maximum number of replicas allowed, inclusive.

        • spec.policies.replicaLimits.minReplicas
          integer

          The minimum number of replicas allowed, inclusive.

      • spec.policies.requiredAnnotations
        object

        A list of annotations and values the object must specify.

        • spec.policies.requiredAnnotations.annotations
          array of objects
          • spec.policies.requiredAnnotations.annotations.allowedRegex
            string

            If specified, a regular expression, the annotation’s value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredAnnotations.annotations.key
            string

            The required annotation.

        • spec.policies.requiredAnnotations.watchKinds
          array of strings

          The list of kubernetes objects in the format $apiGroup/$kind to watch the annotations on.

          • Element of the array
            string

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment

            "/Pod"

            networking.k8s.io/Ingress
      • spec.policies.requiredLabels
        object

        A list of labels and values the object must specify.

        • spec.policies.requiredLabels.labels
          array of objects
          • spec.policies.requiredLabels.labels.allowedRegex
            string

            If specified, a regular expression, the label’s value must match. The value must contain at least one match for the regular expression.

          • spec.policies.requiredLabels.labels.key
            string

            The required label.

        • spec.policies.requiredLabels.watchKinds
          array of strings

          The list of kubernetes objects in the format $apiGroup/$kind to watch the labels on.

          • Element of the array
            string

            Pattern: ^[a-z]*/[a-zA-Z]+$

            Examples:

            apps/Deployment

            "/Pod"

            networking.k8s.io/Ingress
      • spec.policies.requiredProbes
        array of strings

        The list of probes that are required (e.g. readinessProbe and livenessProbe)

        Example:

        requiredProbes:
- readinessProbe
- livenessProbe
        • Element of the array
          string

          Allowed values: livenessProbe, readinessProbe, startupProbe

      • spec.policies.requiredResources
        object

        Requires containers to have defined resources set.

        • spec.policies.requiredResources.limits
          array of strings

          A list of limits that should be enforced (CPU, memory, or both).

          • Element of the array
            string

            Allowed values: cpu, memory

        • spec.policies.requiredResources.requests
          array of strings

          A list of requests that should be enforced (CPU, memory, or both).

          • Element of the array
            string

            Allowed values: cpu, memory

      • spec.policies.storageClassNames
        array of strings

        List of allowed storage class names.

SecurityPolicy

Scope: Cluster
Version: v1alpha1

Describes a security policy for a cluster.

Each SecurityPolicy custom resource describes rules for the objects in the cluster.

  • spec
    object

    Required value

    • spec.enforcementAction
      string

      An enforcement action as a result of the constraint:

      • Deny — Deny action.
      • Dryrun — No action. Used for debugging. Information about the event can be viewed in Grafana in dashboard Security/Admission policy engine.
      • Warn — No action; similar to Dryrun. Provides information about the constraint that would result in a denial if the Deny action is used.

      Default: Deny

      Allowed values: Warn, Deny, Dryrun

    • spec.match
      object

      Required value

      Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.

      • spec.match.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more into here.

        • spec.match.labelSelector.matchExpressions
          array of objects

          The list of label expressions for Pods.

          Example:

          matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
          • spec.match.labelSelector.matchExpressions.key
            string

            Required value

          • spec.match.labelSelector.matchExpressions.operator
            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values
            array of strings
        • spec.match.labelSelector.matchLabels
          object

          The list of the labels that the Pod should have.

          Example:

          matchLabels:
  foo: bar
  baz: who
      • spec.match.namespaceSelector
        object

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames
          array of strings

          Includes all namespaces except a particular set. Support glob pattern.

        • spec.match.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions
            array of objects

            The list of label expressions for namespaces.

            Example:

            matchExpressions:
- key: tier
  operator: In
  values:
  - production
  - staging
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values
              array of strings
          • spec.match.namespaceSelector.labelSelector.matchLabels
            object

            The list of the labels that the namespace should have.

            Example:

            matchLabels:
  foo: bar
  baz: who
        • spec.match.namespaceSelector.matchNames
          array of strings

          Includes only a particular set of namespaces. Supports glob pattern.

    • spec.policies
      object

      Required value

      Policies that pods and containers must comply with.

      • spec.policies.allowHostIPC
        boolean

        Allows sharing the host’s IPC namespace with containers.

      • spec.policies.allowHostNetwork
        boolean

        Allows containers to use the host’s network.

      • spec.policies.allowHostPID
        boolean

        Allows sharing the host’s PID namespace with containers.

      • spec.policies.allowPrivilegeEscalation
        boolean

        Allows container processes to gain more privileges than its parent process.

        By default (if not specified) — false. This means that if the field is omitted or explicitly set to false, the container is denied any privilege escalation. If you want to allow elevated privileges, set this parameter to true.

      • spec.policies.allowPrivileged
        boolean

        Allows running containers in a privileged mode.

        By default (if not specified) — false. This means that if the field is omitted or explicitly set to false, the container is denied any privilege escalation. If you want to allow elevated privileges, set this parameter to true.

      • spec.policies.allowRbacWildcards
        boolean

        Allows using wildcards (*) in namespaced Role and RoleBinding resources.

        ClusterRole and ClusterRoleBinding are not validated by SecurityPolicy.

        By default (if not specified) — true. This means that if the field is omitted or explicitly set to true, using wildcards is allowed. If you want to deny wildcards, set this parameter to false.

        Default: true

      • spec.policies.allowedAppArmor
        array of strings

        The list of AppArmor profiles the containers are permitted to use.

        Example:

        allowedAppArmor:
- runtime/default
- unconfined
        • Element of the array
          string

          An AppArmor profile.

      • spec.policies.allowedCapabilities
        array of strings

        The list of capabilities that the containers are permitted to use.

        To allow all capabilities, use ALL.

        Example:

        allowedCapabilities:
- SETGID
- SETUID
- NET_BIND_SERVICE
        • Element of the array
          string

          A linux capability.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.allowedClusterRoles
        array of strings

        A list of allowed cluster roles to bind to users.

      • spec.policies.allowedFlexVolumes
        array of objects

        The list of Flex Volume drivers the containers are permitted to use.

        • spec.policies.allowedFlexVolumes.driver
          string

          A driver name.

      • spec.policies.allowedHostPaths
        array of objects

        The list of allowed hostpath prefixes. An empty list means any path can be used.

        Example:

        allowedHostPaths:
- pathPrefix: "/dev"
  readOnly: true
        • spec.policies.allowedHostPaths.pathPrefix
          string

          Required value

          The path prefix to match against the host volume.

          It does not support the * mask. Trailing slashes are trimmed when validating the path prefix with a host path.

          For example, the /foo prefix allows /foo, /foo/ and /foo/bar path, but doesn’t allow /food or /etc/foo path.

        • spec.policies.allowedHostPaths.readOnly
          boolean

          When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.

          Default: false

      • spec.policies.allowedHostPorts
        array of objects

        The list of hostPort ranges allowed by the rule.

        • spec.policies.allowedHostPorts.max
          integer

          Max value for the hostPort.

        • spec.policies.allowedHostPorts.min
          integer

          Min value for the hostPort.

      • spec.policies.allowedProcMount
        string

        Allows /proc mount type for containers.

        Allowed values: Default, Unmasked

        Example:

        allowedProcMount: Unmasked.
      • spec.policies.allowedServiceTypes
        array of strings

        The list of allowed service types.

        Example:

        allowedServiceTypes:
- LoadBalancer
- ClusterIP
        • Element of the array
          string

          Allowed values: ClusterIP, NodePort, LoadBalancer, ExternalName

      • spec.policies.allowedUnsafeSysctls
        array of strings

        The list of explicitly allowed unsafe sysctls.

        To allow all unsafe sysctls, use *.

        Example:

        allowedUnsafeSysctls:
- kernel.msg*
- net.core.somaxconn
      • spec.policies.allowedVolumes
        array of strings

        The set of the permitted volume plugins.

        Example:

        allowedVolumes:
- hostPath
- persistentVolumeClaim
        • Element of the array
          string

          Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, ephemeral, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume

      • spec.policies.automountServiceAccountToken
        boolean

        Allows pods to run with automountServiceAccountToken enabled.

      • spec.policies.blockWildcardDomains
        boolean

        Block creation of Ingress objects with * in DNS domains.

      • spec.policies.forbiddenSysctls
        array of strings

        The list of forbidden sysctls.

        Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).

        Example:

        forbiddenSysctls:
- kernel.msg*
- net.core.somaxconn
      • spec.policies.fsGroup
        object

        Specifies which fsGroup values the security context is permitted to use.

        • spec.policies.fsGroup.ranges
          array of objects

          The list of fsGroup ID ranges that are allowed in `MustRunAs’ mode.

          • spec.policies.fsGroup.ranges.max
            integer

            Max ID value.

          • spec.policies.fsGroup.ranges.min
            integer

            Min ID value.

        • spec.policies.fsGroup.rule
          string

          Required value

          Specifies the strategy of the fsGroup selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.readOnlyRootFilesystem
        boolean

        If set to true, only the pods with the read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.

      • spec.policies.requiredDropCapabilities
        array of strings

        The list of capabilities that have to be dropped from the containers.

        To exclude all capabilities, use ALL’.

        Example:

        requiredDropCapabilities:
- SETGID
- SETUID
- NET_BIND_SERVICE
        • Element of the array
          string

          A linux capability to drop from the containers’ specs.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.runAsGroup
        object

        Specifies which runAsGroup values the security context is permitted to use.

        • spec.policies.runAsGroup.ranges
          array of objects

          The list of group ID ranges that are allowed in `MustRunAs’ mode.

          • spec.policies.runAsGroup.ranges.max
            integer

            Max ID value.

          • spec.policies.runAsGroup.ranges.min
            integer

            Min ID value.

        • spec.policies.runAsGroup.rule
          string

          Required value

          Specifies the strategy of the group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.runAsUser
        object

        Specifies which runAsUser values the security context is permitted to use.

        • spec.policies.runAsUser.ranges
          array of objects

          The list of user ID ranges that are allowed in `MustRunAs’ mode.

          • spec.policies.runAsUser.ranges.max
            integer

            Max ID value.

          • spec.policies.runAsUser.ranges.min
            integer

            Min ID value.

        • spec.policies.runAsUser.rule
          string

          Required value

          Specifies the strategy of the user ID selection.

          Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny

      • spec.policies.seLinux
        array of objects

        Specifies which SElinux labels the security context is permitted to use.

        • spec.policies.seLinux.level
          string

          A SELinux level label that applies to the container.

        • spec.policies.seLinux.role
          string

          A SELinux role label that applies to the container.

        • spec.policies.seLinux.type
          string

          A SELinux type label that applies to the container.

        • spec.policies.seLinux.user
          string

          A SELinux user label that applies to the container.

      • spec.policies.seccompProfiles
        object

        Specifies the list of allowed profiles that can be set for the Pod or container’s seccomp annotations.

        • spec.policies.seccompProfiles.allowedLocalhostFiles
          array of strings

          Defines the local seccomp profiles (in JSON format) that can be used if Localhost is set in the allowedProfiles parameter.

          An empty list prohibits the use of any local profiles.

        • spec.policies.seccompProfiles.allowedProfiles
          array of strings

          The list of allowed profile values for seccomp on Pods/containers.

          Both formats are supported:

          • Via annotations: runtime/default, docker/default, unconfined, localhost/some-profile.json. localhost/* allows any local profile.
          • Via securityContext: RuntimeDefault, Unconfined, Localhost. For Localhost, specify the allowed profiles using the allowedLocalhostFiles parameter.

          Profile types:

          • Unconfined — no restrictions (not recommended for security reasons).
          • RuntimeDefault — the default profile provided by the container runtime (e.g., Docker, CRI-O).
          • Localhost — a custom profile defined on the host (flexible and tailored to the application).

          Using * allows all profiles. It’s not necessary to specify both formats — they are automatically mapped to each other.

      • spec.policies.supplementalGroups
        object

        Specifies what supplemental groups are allowed to be used by the security context.

        • spec.policies.supplementalGroups.ranges
          array of objects

          The list of supplemental group ID ranges that are allowed in `MustRunAs’ mode.

          • spec.policies.supplementalGroups.ranges.max
            integer

            Max ID value.

          • spec.policies.supplementalGroups.ranges.min
            integer

            Min ID value.

        • spec.policies.supplementalGroups.rule
          string

          Required value

          Specifies the strategy of the supplemental group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.verifyImageSignatures
        array of objects

        Available in editions: SE+, EE

        List of policies to verify container images signatures.

        Container images must be signed using Cosign.

        Example:

        verifyImageSignatures:
- reference: docker.io/myrepo/*
  publicKeys:
  - |-
    -----BEGIN PUBLIC KEY-----
    .....
    -----END PUBLIC KEY-----
- reference: company.registry.com/*
  dockerCfg: "<Base64_dockerCfg>"
  publicKeys:
  - |-
    -----BEGIN PUBLIC KEY-----
    .....
    -----END PUBLIC KEY-----
        • spec.policies.verifyImageSignatures.ca
          string

          A custom certificate authority to use when connecting to the container image repository.

        • spec.policies.verifyImageSignatures.dockerCfg
          string

          A string in Base64 with authentication data for the container image repository.

          If the container images are available anonymously, it is not specified.

        • spec.policies.verifyImageSignatures.publicKeys
          array of strings

          Required value

          The list of Cosign compliant public keys.

        • spec.policies.verifyImageSignatures.reference
          string

          Required value

          Absolute address or template for container images.

          If it contains the * symbol, it is considered a template for container image addresses. The * symbol can only appear once and only at the end. For example, for the value company.registry.com/*, any container images from the repository company.registry.com will be checked with the specified keys and access parameters.

          If it does not contain the * symbol, it is considered an absolute address for a container image. For example, for the value company.registry.com/nginx, only the nginx image from the repository company.registry.com will be checked with the specified keys and access parameters.

          Pattern: ^[a-z0-9\.\-:@\/]*\*?$

          Examples:

          reference: docker.io/myuser/*

          reference: "*"