The admission-policy-engine module: FAQ

How to extend Pod Security Standards policies?

Pod Security Standards respond to the security.deckhouse.io/pod-policy: restricted or security.deckhouse.io/pod-policy: baseline label.

To extend a Pod Security Standards policy by adding your own checks to the existing ones, you need to:

  • Create a constraint template for the check (a ConstraintTemplate resource).
  • Bind it to the restricted or baseline policy.

Example of a ConstraintTemplate that checks the repository address of a container image:

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        openAPIV3Schema:
          type: object
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package d8.pod_security_standards.extended

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
```

Example of binding the check to the restricted policy:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: prod-repo
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchLabels:
        security.deckhouse.io/pod-policy: restricted
  parameters:
    repos:
      - "mycompany.registry.com"
```

The example configures a check of the repository address in the image field for all Pods created in namespaces that carry the security.deckhouse.io/pod-policy: restricted label. If the address in the image field of a Pod being created does not start with mycompany.registry.com, the Pod is not created.
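The following added example (not part of the Deckhouse module or of Gatekeeper) re-implements the two Rego `violation` rules from the ConstraintTemplate above in Python, so the check can be exercised offline against a constructed admission review. It also shows what the plain `startswith` prefix means in practice: a registry hostname that merely begins with `mycompany.registry.com` passes unless the allowed prefix ends with a `/`.

```python
"""Python mirror of the K8sAllowedRepos Rego rules (added example).

The review object below is constructed sample input shaped like
input.review.object as Gatekeeper presents a Pod to the policy.
"""


def allowed_repo_violations(review, repos):
    """Mirror of both violation rules: every container and initContainer
    image must start with at least one of the allowed repo prefixes.
    Returns the list of violation messages in the Rego message format."""
    spec = review["object"]["spec"]
    msgs = []
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        satisfied = [container["image"].startswith(repo) for repo in repos]
        if not any(satisfied):
            msgs.append(
                "container <%s> has an invalid image repo <%s>, allowed repos are %s"
                % (container["name"], container["image"], repos)
            )
    return msgs


# Constructed sample Pod; the registry names are placeholders.
SAMPLE_REVIEW = {
    "object": {
        "kind": "Pod",
        "spec": {
            "initContainers": [
                {"name": "init", "image": "mycompany.registry.com/tools/init:1.0"},
            ],
            "containers": [
                {"name": "app", "image": "mycompany.registry.com/team/app:2.3"},
                # Different hostname that only begins with the allowed prefix.
                {"name": "sidecar", "image": "mycompany.registry.com.example.org/sidecar:1"},
                {"name": "debug", "image": "docker.io/library/busybox:latest"},
            ],
        },
    }
}

if __name__ == "__main__":
    # Prefix exactly as in the constraint above: only "debug" is reported,
    # the look-alike "sidecar" host is accepted.
    for msg in allowed_repo_violations(SAMPLE_REVIEW, ["mycompany.registry.com"]):
        print(msg)
    # Prefix with a trailing slash: "sidecar" is reported as well.
    for msg in allowed_repo_violations(SAMPLE_REVIEW, ["mycompany.registry.com/"]):
        print(msg)
```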

More information about templates and the policy language can be found in the Gatekeeper documentation.

More examples of checks for extending a policy can be found in the Gatekeeper Library.

What if multiple policies (operational or security) apply to the same object?

In that case the object's specification has to fulfill all the requirements imposed by every policy that applies to it.

For example, consider the following two security policies:

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foo
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          name: test
  policies:
    readOnlyRootFilesystem: true
    requiredDropCapabilities:
      - MKNOD
---
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: bar
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          name: test
  policies:
    requiredDropCapabilities:
      - NET_BIND_SERVICE
```

Then, to fulfill the requirements of both security policies, the container specification must contain the following settings:

```yaml
securityContext:
  capabilities:
    drop:
      - MKNOD
      - NET_BIND_SERVICE
  readOnlyRootFilesystem: true
```