OperationPolicy
Scope: Cluster
Version: v1alpha1
Describes an operation policy for a cluster.
Each CustomResource OperationPolicy describes rules for objects in a cluster.
- spec (object)
  Required value
- spec.enforcementAction (string)
  The enforcement action to control what to do with the result of the constraint:
  - Deny: deny the admission request.
  - Dryrun: no action; used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
  - Warn: same as Dryrun, but in addition to the event information it returns a warning explaining why the constraint would have denied the request had enforcementAction been Deny instead of Warn.
  Default: "Deny"
  Allowed values: Warn, Deny, Dryrun
- spec.match (object)
  Required value
- spec.match.labelSelector (object)
  Specifies the label selector to filter Pods with.
  See the Kubernetes documentation on label selectors for details.
- spec.match.labelSelector.matchExpressions (array of objects)
  List of label expressions for Pods.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
- spec.match.labelSelector.matchExpressions.key (string)
  Required value
- spec.match.labelSelector.matchExpressions.operator (string)
  Required value
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.labelSelector.matchExpressions.values (array of strings)
  Required for the In and NotIn operators; must be empty for Exists and DoesNotExist.
- spec.match.labelSelector.matchLabels (object)
  List of labels which a Pod should have.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.match.namespaceSelector (object)
  Required value
  Specifies the Namespace selector to filter objects with.
- spec.match.namespaceSelector.excludeNames (array of strings)
  Include all namespaces except a particular set. Supports glob patterns.
- spec.match.namespaceSelector.labelSelector (object)
  Specifies the label selector to filter namespaces.
  See the Kubernetes documentation on label selectors for details.
- spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)
  List of label expressions for namespaces.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
- spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)
  Required value
- spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)
  Required value
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)
  Required for the In and NotIn operators; must be empty for Exists and DoesNotExist.
- spec.match.namespaceSelector.labelSelector.matchLabels (object)
  List of labels which a namespace should have.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.match.namespaceSelector.matchNames (array of strings)
  Include only a particular set of namespaces. Supports glob patterns.
- spec.policies (object)
  Required value
- spec.policies.allowedRepos (array of strings)
  The list of prefixes a container image is allowed to have. Because matching is by string prefix, end an entry with a slash (registry.deckhouse.io/) if it must not also admit a longer hostname that merely starts with the same characters.
  Example:
    allowedRepos:
    - registry.deckhouse.io
- spec.policies.checkContainerDuplicates (boolean)
  Check container names and env variables for duplicates.
- spec.policies.checkHostNetworkDNSPolicy (boolean)
  Check that dnsPolicy: ClusterFirstWithHostNet is set for Pods with hostNetwork: true.
- spec.policies.disallowedImageTags (array of strings)
  Requires container images to have an image tag different from the ones in the specified list.
  Example:
    disallowedImageTags:
    - latest
- spec.policies.imagePullPolicy (string)
  Required image pull policy for containers.
  Allowed values: Always, IfNotPresent
- spec.policies.maxRevisionHistoryLimit (integer)
  Maximum allowed value of the revisionHistoryLimit field.
- spec.policies.priorityClassNames (array of strings)
  List of allowed priority class names.
- spec.policies.requiredAnnotations (object)
  A list of annotations and values the object must specify.
- spec.policies.requiredAnnotations.annotations (array of objects)
- spec.policies.requiredAnnotations.annotations.allowedRegex (string)
  If specified, a regular expression the annotation's value must match: the value must contain at least one match for it.
- spec.policies.requiredAnnotations.annotations.key (string)
  The required annotation.
- spec.policies.requiredAnnotations.watchKinds (array of strings)
  The list of Kubernetes object kinds, in the format $apiGroup/$kind, to watch the annotations on. Kinds of the core API group have an empty group, hence "/Pod".
  Element of the array (string)
  Pattern: ^[a-z]*/[a-zA-Z]+$
  Example:
    watchKinds:
    - apps/Deployment
    - "/Pod"
    - networking.k8s.io/Ingress
  Note that the pattern as printed here does not admit the dots in networking.k8s.io/Ingress; check the pattern in the CRD installed in your cluster before relying on a dotted API group.
- spec.policies.requiredLabels (object)
  A list of labels and values the object must specify.
- spec.policies.requiredLabels.labels (array of objects)
- spec.policies.requiredLabels.labels.allowedRegex (string)
  If specified, a regular expression the label's value must match: the value must contain at least one match for it.
- spec.policies.requiredLabels.labels.key (string)
  The required label.
- spec.policies.requiredLabels.watchKinds (array of strings)
  The list of Kubernetes object kinds, in the format $apiGroup/$kind, to watch the labels on (same format, and the same pattern caveat, as requiredAnnotations.watchKinds).
  Element of the array (string)
  Pattern: ^[a-z]*/[a-zA-Z]+$
  Example:
    watchKinds:
    - apps/Deployment
    - "/Pod"
    - networking.k8s.io/Ingress
- spec.policies.requiredProbes (array of strings)
  The list of probes that are required (e.g. readinessProbe).
  Example:
    requiredProbes:
    - livenessProbe
    - readinessProbe
  Allowed values (per element): livenessProbe, readinessProbe, startupProbe
- spec.policies.requiredResources (object)
  Requires containers to have the specified resources set.
- spec.policies.requiredResources.limits (array of strings)
  A list of limits that should be enforced (CPU, memory, or both).
  Default: ["memory"]
  Allowed values (per element): cpu, memory
- spec.policies.requiredResources.requests (array of strings)
  A list of requests that should be enforced (CPU, memory, or both).
  Default: ["cpu","memory"]
  Allowed values (per element): cpu, memory
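The following Python is an added example, not code from this page or from the module itself. It models, for one Pod, the selection and policy semantics described above: glob-based namespace selection, the label selector, prefix matching of allowedRepos, disallowedImageTags, imagePullPolicy, requiredProbes, requiredResources, requiredLabels with allowedRegex, and the difference between Deny and Warn/Dryrun. The policy and the two Pods are constructed for the illustration, and the evaluator is a simplified model of the checks rather than the module's implementation: checkContainerDuplicates, checkHostNetworkDNSPolicy, maxRevisionHistoryLimit, priorityClassNames and watchKinds are left out.

```python
import fnmatch
import re

# Constructed sample OperationPolicy, as the Python equivalent of the CRD fields
# documented above (an illustration, not a manifest from the project).
POLICY = {
    "enforcementAction": "Deny",
    "match": {
        "namespaceSelector": {"matchNames": ["prod-*"], "excludeNames": ["prod-sandbox"]},
        "labelSelector": {"matchLabels": {"team": "payments"},
                          "matchExpressions": [{"key": "tier", "operator": "In", "values": ["production", "staging"]}]},
    },
    "policies": {
        "allowedRepos": ["registry.deckhouse.io/", "registry.example.com/payments/"],
        "disallowedImageTags": ["latest"],
        "imagePullPolicy": "Always",
        "requiredProbes": ["livenessProbe", "readinessProbe"],
        "requiredResources": {"requests": ["cpu", "memory"], "limits": ["memory"]},
        "requiredLabels": {"labels": [{"key": "app.kubernetes.io/name", "allowedRegex": "^[a-z][a-z0-9-]*$"}]},
    },
}

def namespace_selected(selector, namespace):
    """matchNames includes, excludeNames excludes; both take glob patterns."""
    names = selector.get("matchNames")
    if names and not any(fnmatch.fnmatchcase(namespace, p) for p in names):
        return False
    return not any(fnmatch.fnmatchcase(namespace, p) for p in selector.get("excludeNames", []))

def labels_selected(selector, labels):
    """Kubernetes label-selector semantics: every matchLabels entry and every expression must hold."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for e in selector.get("matchExpressions", []):
        key, values, present = e["key"], e.get("values", []), e["key"] in labels
        ok = {"In": present and labels[key] in values, "NotIn": not present or labels[key] not in values,
              "Exists": present, "DoesNotExist": not present}[e["operator"]]
        if not ok:
            return False
    return True

def image_tag(image):
    """Tag of an image reference; '' when untagged or pinned by digest (a registry ':port' is not a tag)."""
    last = image.rsplit("/", 1)[-1]
    return "" if "@" in image or ":" not in last else last.split(":", 1)[1]

def check_policies(policies, pod):
    """Return the violations of the OperationPolicy rules for one Pod."""
    v = []
    for rule in policies.get("requiredLabels", {}).get("labels", []):
        value = pod["metadata"].get("labels", {}).get(rule["key"])
        if value is None:
            v.append(f"missing required label {rule['key']}")
        elif "allowedRegex" in rule and not re.search(rule["allowedRegex"], value):
            v.append(f"label {rule['key']}={value!r} does not match {rule['allowedRegex']}")
    for c in pod["spec"].get("containers", []):
        name, image = c["name"], c["image"]
        if policies.get("allowedRepos") and not any(image.startswith(r) for r in policies["allowedRepos"]):
            v.append(f"{name}: image {image} is not under an allowed repo prefix")
        if image_tag(image) in policies.get("disallowedImageTags", []):
            v.append(f"{name}: image tag {image_tag(image)!r} is disallowed")
        if policies.get("imagePullPolicy") and c.get("imagePullPolicy") != policies["imagePullPolicy"]:
            v.append(f"{name}: imagePullPolicy must be {policies['imagePullPolicy']}")
        v += [f"{name}: missing {p}" for p in policies.get("requiredProbes", []) if p not in c]
        for kind in ("requests", "limits"):
            for r in policies.get("requiredResources", {}).get(kind, []):
                if r not in c.get("resources", {}).get(kind, {}):
                    v.append(f"{name}: resources.{kind}.{r} is not set")
    return v

def evaluate(policy, namespace, pod):
    """Admission decision (allowed, violations): Warn and Dryrun report but never deny."""
    m = policy["match"]
    if not namespace_selected(m["namespaceSelector"], namespace):
        return True, []
    if not labels_selected(m.get("labelSelector", {}), pod["metadata"].get("labels", {})):
        return True, []
    violations = check_policies(policy["policies"], pod)
    return (not violations or policy.get("enforcementAction", "Deny") != "Deny"), violations

# Constructed Pods: BAD_POD breaks most of the rules, GOOD_POD satisfies all of them.
LABELS = {"team": "payments", "tier": "production"}
BAD_POD = {"metadata": {"labels": {**LABELS, "app.kubernetes.io/name": "Checkout"}},
           "spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest",
                                    "imagePullPolicy": "IfNotPresent", "resources": {"requests": {"cpu": "100m"}}}]}}
GOOD_POD = {"metadata": {"labels": {**LABELS, "app.kubernetes.io/name": "checkout"}},
            "spec": {"containers": [{"name": "app", "image": "registry.example.com/payments/checkout:1.4.2",
                                     "imagePullPolicy": "Always",
                                     "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                                     "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
                                     "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                                   "limits": {"memory": "256Mi"}}}]}}

if __name__ == "__main__":
    for ns, pod in (("prod-payments", BAD_POD), ("prod-payments", GOOD_POD), ("prod-sandbox", BAD_POD)):
        allowed, violations = evaluate(POLICY, ns, pod)
        print(ns, "allowed" if allowed else "denied", *violations, sep="\n  ")
```

Running it denies BAD_POD in prod-payments with eight violations, admits GOOD_POD, and admits BAD_POD untouched in prod-sandbox because excludeNames removes that namespace from the policy's scope; switching enforcementAction to Warn keeps the same violation list but flips the decision to allowed.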
SecurityPolicy
Scope: Cluster
Version: v1alpha1
Describes a security policy for a cluster.
Each CustomResource SecurityPolicy describes rules for objects in a cluster.
- spec (object)
  Required value
- spec.enforcementAction (string)
  The enforcement action to control what to do with the result of the constraint:
  - Deny: deny the admission request.
  - Dryrun: no action; used when debugging. Information about the event can be viewed in Grafana or in the console via kubectl.
  - Warn: same as Dryrun, but in addition to the event information it returns a warning explaining why the constraint would have denied the request had enforcementAction been Deny instead of Warn.
  Default: "Deny"
  Allowed values: Warn, Deny, Dryrun
- spec.match (object)
  Required value
- spec.match.labelSelector (object)
  Specifies the label selector to filter Pods with.
  See the Kubernetes documentation on label selectors for details.
- spec.match.labelSelector.matchExpressions (array of objects)
  List of label expressions for Pods.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
- spec.match.labelSelector.matchExpressions.key (string)
  Required value
- spec.match.labelSelector.matchExpressions.operator (string)
  Required value
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.labelSelector.matchExpressions.values (array of strings)
  Required for the In and NotIn operators; must be empty for Exists and DoesNotExist.
- spec.match.labelSelector.matchLabels (object)
  List of labels which a Pod should have.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.match.namespaceSelector (object)
  Required value
  Specifies the Namespace selector to filter objects with.
- spec.match.namespaceSelector.excludeNames (array of strings)
  Include all namespaces except a particular set. Supports glob patterns.
- spec.match.namespaceSelector.labelSelector (object)
  Specifies the label selector to filter namespaces.
  See the Kubernetes documentation on label selectors for details.
- spec.match.namespaceSelector.labelSelector.matchExpressions (array of objects)
  List of label expressions for namespaces.
  Example:
    matchExpressions:
    - key: tier
      operator: In
      values:
      - production
      - staging
- spec.match.namespaceSelector.labelSelector.matchExpressions.key (string)
  Required value
- spec.match.namespaceSelector.labelSelector.matchExpressions.operator (string)
  Required value
  Allowed values: In, NotIn, Exists, DoesNotExist
- spec.match.namespaceSelector.labelSelector.matchExpressions.values (array of strings)
  Required for the In and NotIn operators; must be empty for Exists and DoesNotExist.
- spec.match.namespaceSelector.labelSelector.matchLabels (object)
  List of labels which a namespace should have.
  Example:
    matchLabels:
      foo: bar
      baz: who
- spec.match.namespaceSelector.matchNames (array of strings)
  Include only a particular set of namespaces. Supports glob patterns.
- spec.policies (object)
  Required value
- spec.policies.allowHostIPC (boolean)
  Allows sharing the host's IPC namespace with containers.
- spec.policies.allowHostNetwork (boolean)
  Allows containers to use the host's network.
- spec.policies.allowHostPID (boolean)
  Allows sharing the host's PID namespace with containers.
- spec.policies.allowPrivilegeEscalation (boolean)
  Allows container processes to gain more privileges than their parent process.
- spec.policies.allowPrivileged (boolean)
  Allows running containers in privileged mode.
- spec.policies.allowedAppArmor (array of strings)
  List of allowed AppArmor profiles for use by containers.
  Example:
    allowedAppArmor:
    - runtime/default
    - unconfined
  Element of the array (string): an AppArmor profile.
- spec.policies.allowedCapabilities (array of strings)
  List of capabilities that containers are allowed to add. To allow all capabilities you may use ALL.
  Example:
    allowedCapabilities:
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
  Element of the array (string): an allowed Linux capability.
  Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND
- spec.policies.allowedFlexVolumes (array of objects)
  List of allowed FlexVolume drivers.
- spec.policies.allowedFlexVolumes.driver (string)
  A driver name.
- spec.policies.allowedHostPaths (array of objects)
  The list of allowed hostPath prefixes. An empty list means any path can be used.
  Example:
    allowedHostPaths:
    - pathPrefix: "/dev"
      readOnly: true
- spec.policies.allowedHostPaths.pathPrefix (string)
  Required value
  Path prefix that the host volume must match. It does not support the * mask. Trailing slashes are trimmed when validating the path prefix against a host path. For example, the /foo prefix allows /foo, /foo/ and /foo/bar, but does not allow /food or /etc/foo.
- spec.policies.allowedHostPaths.readOnly (boolean)
  When set to true, allows host volumes matching pathPrefix only if all the volume mounts are readOnly.
  Default: false
- spec.policies.allowedHostPorts (array of objects)
  The list of hostPort ranges allowed by the rule.
- spec.policies.allowedHostPorts.max (integer)
  Max value for the hostPort.
- spec.policies.allowedHostPorts.min (integer)
  Min value for the hostPort.
- spec.policies.allowedProcMount (string)
  The allowed /proc mount type for containers.
  Allowed values: Default, Unmasked
  Example:
    allowedProcMount: Unmasked
- spec.policies.allowedUnsafeSysctls (array of strings)
  The list of explicitly allowed unsafe sysctls. To allow all unsafe sysctls you may use *.
  Example:
    allowedUnsafeSysctls:
    - kernel.msg*
    - net.core.somaxconn
- spec.policies.allowedVolumes (array of strings)
  The set of volume plugins that may be used.
  Example:
    allowedVolumes:
    - hostPath
    - persistentVolumeClaim
  Allowed values (per element): *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume
- spec.policies.forbiddenSysctls (array of strings)
  The list of forbidden sysctls. Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).
  Example:
    forbiddenSysctls:
    - kernel.msg*
    - net.core.somaxconn
- spec.policies.fsGroup (object)
  Specifies what fsGroup values are allowed to be used by the security context.
- spec.policies.fsGroup.ranges (array of objects)
  List of acceptable ranges for the fsGroup ID to use with MustRunAs.
- spec.policies.fsGroup.ranges.max (integer)
  Max ID value.
- spec.policies.fsGroup.ranges.min (integer)
  Min ID value.
- spec.policies.fsGroup.rule (string)
  Required value
  Specifies the strategy of the fsGroup selection.
  Allowed values: MustRunAs, MayRunAs, RunAsAny
- spec.policies.readOnlyRootFilesystem (boolean)
  When set to true, containers must run with a read-only root filesystem (securityContext.readOnlyRootFilesystem: true); when false, a writable root filesystem is allowed.
- spec.policies.requiredDropCapabilities (array of strings)
  The set of capabilities that have to be dropped from containers. To drop all capabilities you may use ALL.
  Example:
    requiredDropCapabilities:
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
  Element of the array (string): a Linux capability to drop from the containers' specs.
  Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND
- spec.policies.runAsGroup (object)
  Specifies what runAsGroup values are allowed to be used by the security context.
- spec.policies.runAsGroup.ranges (array of objects)
  List of acceptable ranges for the group ID to use with MustRunAs.
- spec.policies.runAsGroup.ranges.max (integer)
  Max ID value.
- spec.policies.runAsGroup.ranges.min (integer)
  Min ID value.
- spec.policies.runAsGroup.rule (string)
  Required value
  Specifies the strategy of the group ID selection.
  Allowed values: MustRunAs, MayRunAs, RunAsAny
- spec.policies.runAsUser (object)
  Specifies what runAsUser values are allowed to be used by the security context.
- spec.policies.runAsUser.ranges (array of objects)
  List of acceptable ranges for the user ID to use with MustRunAs.
- spec.policies.runAsUser.ranges.max (integer)
  Max ID value.
- spec.policies.runAsUser.ranges.min (integer)
  Min ID value.
- spec.policies.runAsUser.rule (string)
  Required value
  Specifies the strategy of the user ID selection.
  Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny
- spec.policies.seLinux (array of objects)
  Specifies what SELinux labels are allowed to be set in the security context.
- spec.policies.seLinux.level (string)
  Level is the SELinux level label that applies to the container.
- spec.policies.seLinux.role (string)
  Role is the SELinux role label that applies to the container.
- spec.policies.seLinux.type (string)
  Type is the SELinux type label that applies to the container.
- spec.policies.seLinux.user (string)
  User is the SELinux user label that applies to the container.
- spec.policies.seccompProfiles (object)
  Specifies the list of allowed seccomp profiles that may be set for a Pod or container, in the securityContext or in the seccomp annotations.
- spec.policies.seccompProfiles.allowedLocalhostFiles (array of strings)
  When the securityContext naming scheme is used for seccomp and allowedProfiles includes Localhost, this array holds the allowed profile JSON files. An empty list prohibits the use of any local profiles.
- spec.policies.seccompProfiles.allowedProfiles (array of strings)
  The list of allowed profile values for seccomp on Pods/containers.
- spec.policies.supplementalGroups (object)
  Specifies what supplemental groups are allowed to be used by the security context.
- spec.policies.supplementalGroups.ranges (array of objects)
  List of acceptable ranges for the supplemental group ID to use with MustRunAs.
- spec.policies.supplementalGroups.ranges.max (integer)
  Max ID value.
- spec.policies.supplementalGroups.ranges.min (integer)
  Min ID value.
- spec.policies.supplementalGroups.rule (string)
  Required value
  Specifies the strategy of the supplemental group ID selection.
  Allowed values: MustRunAs, MayRunAs, RunAsAny
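The following Python is an added example, not code from this page or from the module itself. It models the SecurityPolicy rules with the semantics described above for a Pod that spec.match has already selected: the component-wise hostPath prefix rule with its readOnly variant, hostPort ranges, allowedCapabilities and requiredDropCapabilities with ALL, forbiddenSysctls taking precedence over allowedUnsafeSysctls, the runAsUser strategies, and the hostNetwork, privileged and privilege-escalation booleans. The policy block and the two Pods are constructed for the illustration. Two points are this example's own assumptions rather than statements from the page: an empty allowedHostPorts list is treated as "no hostPort at all", and a container whose allowPrivilegeEscalation is unset is treated as allowing escalation (Kubernetes does not set no_new_privs in that case). Only the kubelet's unsafe sysctls are modelled, and MustRunAsNonRoot is checked on the numeric runAsUser only.

```python
import fnmatch

# Constructed SecurityPolicy.policies block, as the Python equivalent of the CRD fields
# documented above (an illustration, not a manifest from the project). The Pod is
# assumed to have already been selected by spec.match.
POLICIES = {
    "allowPrivileged": False,
    "allowPrivilegeEscalation": False,
    "allowHostNetwork": False,
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "requiredDropCapabilities": ["ALL"],
    "allowedHostPaths": [{"pathPrefix": "/var/log/", "readOnly": True}, {"pathPrefix": "/dev"}],
    "allowedHostPorts": [{"min": 30000, "max": 32767}],
    "allowedUnsafeSysctls": ["kernel.msg*", "net.core.somaxconn"],
    "forbiddenSysctls": ["kernel.msgmax"],
    "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1000, "max": 65535}]},
}

def host_path_allowed(prefix, path):
    """Component-wise prefix match: /foo allows /foo, /foo/ and /foo/bar but not /food or /etc/foo."""
    prefix, path = prefix.rstrip("/") or "/", path.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def sysctl_allowed(policies, name):
    """forbiddenSysctls takes precedence over allowedUnsafeSysctls; both take glob patterns."""
    if any(fnmatch.fnmatchcase(name, p) for p in policies.get("forbiddenSysctls", [])):
        return False
    return any(fnmatch.fnmatchcase(name, p) for p in policies.get("allowedUnsafeSysctls", []))

def id_allowed(strategy, uid):
    """MustRunAs: set and inside a range; MayRunAs: unset or inside a range; MustRunAsNonRoot: set and non-zero."""
    rule, in_range = strategy["rule"], lambda u: any(r["min"] <= u <= r["max"] for r in strategy.get("ranges", []))
    if rule == "RunAsAny":
        return True
    if rule == "MustRunAsNonRoot":
        return uid is not None and uid != 0
    if rule == "MayRunAs":
        return uid is None or in_range(uid)
    return uid is not None and in_range(uid)

def check_security(policies, pod):
    """Return the violations of the SecurityPolicy rules for one Pod."""
    v, spec = [], pod["spec"]
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostNetwork") and not policies.get("allowHostNetwork", False):
        v.append("hostNetwork is not allowed")
    for s in pod_sc.get("sysctls", []):
        if not sysctl_allowed(policies, s["name"]):
            v.append(f"sysctl {s['name']} is not allowed")
    for vol in spec.get("volumes", []):
        if "hostPath" not in vol or not policies.get("allowedHostPaths"):
            continue  # an empty allowedHostPaths list admits any path
        writable = any(m["name"] == vol["name"] and not m.get("readOnly", False)
                       for c in spec["containers"] for m in c.get("volumeMounts", []))
        matching = [e for e in policies["allowedHostPaths"] if host_path_allowed(e["pathPrefix"], vol["hostPath"]["path"])]
        if not any(not e.get("readOnly", False) or not writable for e in matching):
            v.append(f"hostPath {vol['hostPath']['path']}: no allowed prefix, or readOnly prefix with a writable mount")
    for c in spec["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged") and not policies.get("allowPrivileged", False):
            v.append(f"{name}: privileged containers are not allowed")
        # assumption of this example: an unset allowPrivilegeEscalation leaves no_new_privs off, so it counts as allowed
        if sc.get("allowPrivilegeEscalation", True) and not policies.get("allowPrivilegeEscalation", False):
            v.append(f"{name}: allowPrivilegeEscalation must be false")
        caps, allowed = sc.get("capabilities", {}), policies.get("allowedCapabilities", [])
        v += [f"{name}: capability {cap} is not allowed" for cap in caps.get("add", [])
              if "ALL" not in allowed and cap not in allowed]
        v += [f"{name}: capability {cap} must be dropped" for cap in policies.get("requiredDropCapabilities", [])
              if cap not in caps.get("drop", []) and "ALL" not in caps.get("drop", [])]
        for p in c.get("ports", []):  # assumption of this example: an empty allowedHostPorts means no hostPort at all
            if "hostPort" in p and not any(r["min"] <= p["hostPort"] <= r["max"] for r in policies.get("allowedHostPorts", [])):
                v.append(f"{name}: hostPort {p['hostPort']} is outside the allowed ranges")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))  # the container setting overrides the Pod one
        if "runAsUser" in policies and not id_allowed(policies["runAsUser"], uid):
            v.append(f"{name}: runAsUser {uid} violates rule {policies['runAsUser']['rule']}")
    return v

# Constructed Pods: BAD_POD trips every rule above, GOOD_POD passes all of them.
BAD_POD = {"spec": {
    "hostNetwork": True,
    "securityContext": {"sysctls": [{"name": "kernel.msgmax", "value": "65536"}]},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}}],
    "containers": [{"name": "app", "ports": [{"containerPort": 80, "hostPort": 80}],
                    "volumeMounts": [{"name": "logs", "mountPath": "/logs"}],
                    "securityContext": {"privileged": True, "runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
GOOD_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "sysctls": [{"name": "kernel.msgmnb", "value": "65536"}]},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}}],
    "containers": [{"name": "app", "ports": [{"containerPort": 8080, "hostPort": 30080}],
                    "volumeMounts": [{"name": "logs", "mountPath": "/logs", "readOnly": True}],
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                        "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, *check_security(POLICIES, pod), sep="\n  ")
```

BAD_POD produces nine violations; the hostPath one is worth noting, since /var/log/app does fall under the allowed /var/log/ prefix but that prefix is readOnly and the mount is writable, which is exactly the case the readOnly flag exists for. kernel.msgmax is rejected even though it matches the kernel.msg* allow entry, because forbiddenSysctls wins.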