The admission-policy-engine module: custom resources

OperationPolicy

Scope: Cluster
Version: v1alpha1

Describes an operation policy for a cluster.

Each CustomResource OperationPolicy describes rules for objects in a cluster.

spec
object
Required value
- spec.enforcementAction
  string
  The enforcement action to control what to do with the result of the constraint.
  - Deny — Deny action.
  - Dryrun — No action. It is used when debugging. Information about the event can be viewed in Grafana in dashboard Security/Admission policy engine.
  - Warn — Same as Dryrun. In addition to the event information, it provides some info on why that constraint would have been denied if you had set Deny instead of Warn.
  Default: "Deny"
  Allowed values: Warn, Deny, Dryrun
- spec.match
  object
  Required value
  - spec.match.labelSelector
    object
    Specifies the label selector to filter Pods with.
    
    You can get more into here.
    - spec.match.labelSelector.matchExpressions
      array of objects
      List of label expressions for Pods.
      
      Example:
      matchExpressions: - key: tier operator: In values: - production - staging
      - spec.match.labelSelector.matchExpressions.key
        string
        Required value
      - spec.match.labelSelector.matchExpressions.operator
        string
        Required value
        Allowed values: In, NotIn, Exists, DoesNotExist
      - spec.match.labelSelector.matchExpressions.values
        array of strings
    - spec.match.labelSelector.matchLabels
      object
      List of labels which Pod should have.
      
      Example:
      matchLabels: foo: bar baz: who
  - spec.match.namespaceSelector
    object
    Required value
    Specifies the Namespace selector to filter objects with.
    - spec.match.namespaceSelector.excludeNames
      array of strings
      Include all namespaces except a particular set. Support glob pattern.
    - spec.match.namespaceSelector.labelSelector
      object
      Specifies the label selector to filter namespaces.
      
      You can get more info in the documentation.
      - spec.match.namespaceSelector.labelSelector.matchExpressions
        array of objects
        List of label expressions for namespaces.
        
        Example:
        matchExpressions: - key: tier operator: In values: - production - staging
        
        spec.match.namespaceSelector.labelSelector.matchExpressions.key
        string
        Required value
        
        spec.match.namespaceSelector.labelSelector.matchExpressions.operator
        string
        Required value
        Allowed values: In, NotIn, Exists, DoesNotExist
        
        spec.match.namespaceSelector.labelSelector.matchExpressions.values
        array of strings
      - spec.match.namespaceSelector.labelSelector.matchLabels
        object
        List of labels which a namespace should have.
        
        Example:
        matchLabels: foo: bar baz: who
    - spec.match.namespaceSelector.matchNames
      array of strings
      Include only a particular set of namespaces. Supports glob pattern.
- spec.policies
  object
  Required value
  - spec.policies.allowedRepos
    array of strings
    The list of prefixes a container image is allowed to have.
    - Element of the array
      string
      Example:
      registry.deckhouse.io
  - spec.policies.checkContainerDuplicates
    boolean
    Check container names and env variables for duplicates.
  - spec.policies.checkHostNetworkDNSPolicy
    boolean
    Check ClusterFirstWithHostNet dnsPolicy is set for Pods with hostNetwork: true.
  - spec.policies.disallowedImageTags
    array of strings
    Requires container images to have an image tag different from the ones in the specified list.
    
    Example:
    disallowedImageTags: latest
  - spec.policies.imagePullPolicy
    string
    Required image pull policy for containers.
    
    Allowed values: Always, IfNotPresent
  - spec.policies.ingressClassNames
    array of strings
    List of allowed ingress class names.
  - spec.policies.maxRevisionHistoryLimit
    integer
    A maximum value for a revision history.
  - spec.policies.priorityClassNames
    array of strings
    List of allowed priority class names.
  - spec.policies.replicaLimits
    object
    A range of allowed replicas. Values are inclusive.
    - spec.policies.replicaLimits.maxReplicas
      integer
      The maximum number of replicas allowed, inclusive.
    - spec.policies.replicaLimits.minReplicas
      integer
      The minimum number of replicas allowed, inclusive.
  - spec.policies.requiredAnnotations
    object
    A list of annotations and values the object must specify.
    - spec.policies.requiredAnnotations.annotations
      array of objects
      - spec.policies.requiredAnnotations.annotations.allowedRegex
        string
        If specified, a regular expression, the annotation’s value must match. The value must contain at least one match for the regular expression.
      - spec.policies.requiredAnnotations.annotations.key
        string
        The required annotation.
    - spec.policies.requiredAnnotations.watchKinds
      array of strings
      The list of kubernetes objects in the format $apiGroup/$kind to watch the annotations on.
      - Element of the array
        string
        Pattern: ^[a-z]*/[a-zA-Z]+$
        Examples:
        
        apps/Deployment
        
        "/Pod"
        
        networking.k8s.io/Ingress
  - spec.policies.requiredLabels
    object
    A list of labels and values the object must specify.
    - spec.policies.requiredLabels.labels
      array of objects
      - spec.policies.requiredLabels.labels.allowedRegex
        string
        If specified, a regular expression, the label’s value must match. The value must contain at least one match for the regular expression.
      - spec.policies.requiredLabels.labels.key
        string
        The required label.
    - spec.policies.requiredLabels.watchKinds
      array of strings
      The list of kubernetes objects in the format $apiGroup/$kind to watch the labels on.
      - Element of the array
        string
        Pattern: ^[a-z]*/[a-zA-Z]+$
        Examples:
        
        apps/Deployment
        
        "/Pod"
        
        networking.k8s.io/Ingress
  - spec.policies.requiredProbes
    array of strings
    The list of probes that are required (e.g. readinessProbe and livenessProbe)
    
    Example:
    requiredProbes: - readinessProbe - livenessProbe
    - Element of the array
      string
      Allowed values: livenessProbe, readinessProbe, startupProbe
  - spec.policies.requiredResources
    object
    Requires containers to have defined resources set.
    - spec.policies.requiredResources.limits
      array of strings
      A list of limits that should be enforced (CPU, memory, or both).
      
      Default: ["memory"]
      - Element of the array
        string
        Allowed values: cpu, memory
    - spec.policies.requiredResources.requests
      array of strings
      A list of requests that should be enforced (CPU, memory, or both).
      
      Default: ["cpu","memory"]
      - Element of the array
        string
        Allowed values: cpu, memory
  - spec.policies.storageClassNames
    array of strings
    List of allowed storage class names.

SecurityPolicy

Scope: Cluster
Version: v1alpha1

Describes a security policy for a cluster.

Each SecurityPolicy custom resource describes rules for the objects in the cluster.

spec
object
Required value
- spec.enforcementAction
  string
  An enforcement action as a result of the constraint:
  - Deny — Deny action.
  - Dryrun — No action. Used for debugging. Information about the event can be viewed in Grafana in dashboard Security/Admission policy engine.
  - Warn — No action; similar to Dryrun. Provides information about the constraint that would result in a denial if the Deny action is used.
  Default: "Deny"
  Allowed values: Warn, Deny, Dryrun
- spec.match
  object
  Required value
  Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.
  - spec.match.labelSelector
    object
    Specifies the label selector to filter Pods with.
    
    You can get more into here.
    - spec.match.labelSelector.matchExpressions
      array of objects
      The list of label expressions for Pods.
      
      Example:
      matchExpressions: - key: tier operator: In values: - production - staging
      - spec.match.labelSelector.matchExpressions.key
        string
        Required value
      - spec.match.labelSelector.matchExpressions.operator
        string
        Required value
        Allowed values: In, NotIn, Exists, DoesNotExist
      - spec.match.labelSelector.matchExpressions.values
        array of strings
    - spec.match.labelSelector.matchLabels
      object
      The list of the labels that the Pod should have.
      
      Example:
      matchLabels: foo: bar baz: who
  - spec.match.namespaceSelector
    object
    Required value
    Specifies the Namespace selector to filter objects with.
    - spec.match.namespaceSelector.excludeNames
      array of strings
      Includes all namespaces except a particular set. Support glob pattern.
    - spec.match.namespaceSelector.labelSelector
      object
      Specifies the label selector to filter namespaces.
      
      You can get more info in the documentation.
      - spec.match.namespaceSelector.labelSelector.matchExpressions
        array of objects
        The list of label expressions for namespaces.
        
        Example:
        matchExpressions: - key: tier operator: In values: - production - staging
        
        spec.match.namespaceSelector.labelSelector.matchExpressions.key
        string
        Required value
        
        spec.match.namespaceSelector.labelSelector.matchExpressions.operator
        string
        Required value
        Allowed values: In, NotIn, Exists, DoesNotExist
        
        spec.match.namespaceSelector.labelSelector.matchExpressions.values
        array of strings
      - spec.match.namespaceSelector.labelSelector.matchLabels
        object
        The list of the labels that the namespace should have.
        
        Example:
        matchLabels: foo: bar baz: who
    - spec.match.namespaceSelector.matchNames
      array of strings
      Includes only a particular set of namespaces. Supports glob pattern.
- spec.policies
  object
  Required value
  Policies that pods and containers must comply with.
  - spec.policies.allowHostIPC
    boolean
    Allows sharing the host’s IPC namespace with containers.
  - spec.policies.allowHostNetwork
    boolean
    Allows containers to use the host’s network.
  - spec.policies.allowHostPID
    boolean
    Allows sharing the host’s PID namespace with containers.
  - spec.policies.allowPrivilegeEscalation
    boolean
    Allows container processes to gain more privileges than its parent process.
  - spec.policies.allowPrivileged
    boolean
    Allows running containers in a privileged mode.
  - spec.policies.allowedAppArmor
    array of strings
    The list of AppArmor profiles the containers are permitted to use.
    
    Example:
    allowedAppArmor: - runtime/default - unconfined
    - Element of the array
      string
      An AppArmor profile.
  - spec.policies.allowedCapabilities
    array of strings
    The list of capabilities that the containers are permitted to use.
    
    To allow all capabilities, use ALL.
    
    Example:
    allowedCapabilities: - SETGID - SETUID - NET_BIND_SERVICE
    - Element of the array
      string
      A linux capability.
      
      Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND
  - spec.policies.allowedClusterRoles
    array of strings
    A list of allowed cluster roles to bind to users.
  - spec.policies.allowedFlexVolumes
    array of objects
    The list of Flex Volume drivers the containers are permitted to use.
    - spec.policies.allowedFlexVolumes.driver
      string
      A driver name.
  - spec.policies.allowedHostPaths
    array of objects
    The list of allowed hostpath prefixes. An empty list means any path can be used.
    
    Example:
    allowedHostPaths: - pathPrefix: "/dev" readOnly: true
    - spec.policies.allowedHostPaths.pathPrefix
      string
      Required value
      The path prefix to match against the host volume.
      
      It does not support the * mask. Trailing slashes are trimmed when validating the path prefix with a host path.
      
      For example, the /foo prefix allows /foo, /foo/ and /foo/bar path, but doesn’t allow /food or /etc/foo path.
    - spec.policies.allowedHostPaths.readOnly
      boolean
      When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.
      
      Default: false
  - spec.policies.allowedHostPorts
    array of objects
    The list of hostPort ranges allowed by the rule.
    - spec.policies.allowedHostPorts.max
      integer
      Max value for the hostPort.
    - spec.policies.allowedHostPorts.min
      integer
      Min value for the hostPort.
  - spec.policies.allowedProcMount
    string
    Allows /proc mount type for containers.
    
    Allowed values: Default, Unmasked
    Example:
    allowedProcMount: Unmasked.
  - spec.policies.allowedUnsafeSysctls
    array of strings
    The list of explicitly allowed unsafe sysctls.
    
    To allow all unsafe sysctls, use *.
    
    Example:
    allowedUnsafeSysctls: - kernel.msg* - net.core.somaxconn
  - spec.policies.allowedVolumes
    array of strings
    The set of the permitted volume plugins.
    
    Example:
    allowedVolumes: - hostPath - persistentVolumeClaim
    - Element of the array
      string
      Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume
  - spec.policies.automountServiceAccountToken
    boolean
    Allows pods to run with automountServiceAccountToken enabled.
  - spec.policies.forbiddenSysctls
    array of strings
    The list of forbidden sysctls.
    
    Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).
    
    Example:
    forbiddenSysctls: - kernel.msg* - net.core.somaxconn
  - spec.policies.fsGroup
    object
    Specifies which fsGroup values the security context is permitted to use.
    - spec.policies.fsGroup.ranges
      array of objects
      The list of fsGroup ID ranges that are allowed in `MustRunAs’ mode.
      - spec.policies.fsGroup.ranges.max
        integer
        Max ID value.
      - spec.policies.fsGroup.ranges.min
        integer
        Min ID value.
    - spec.policies.fsGroup.rule
      string
      Required value
      Specifies the strategy of the fsGroup selection.
      
      Allowed values: MustRunAs, MayRunAs, RunAsAny
  - spec.policies.readOnlyRootFilesystem
    boolean
    If set to true, only the pods with the read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.
  - spec.policies.requiredDropCapabilities
    array of strings
    The list of capabilities that have to be dropped from the containers.
    
    To exclude all capabilities, use ALL’.
    
    Example:
    requiredDropCapabilities: - SETGID - SETUID - NET_BIND_SERVICE
    - Element of the array
      string
      A linux capability to drop from the containers’ specs.
      
      Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND
  - spec.policies.runAsGroup
    object
    Specifies which runAsGroup values the security context is permitted to use.
    - spec.policies.runAsGroup.ranges
      array of objects
      The list of group ID ranges that are allowed in `MustRunAs’ mode.
      - spec.policies.runAsGroup.ranges.max
        integer
        Max ID value.
      - spec.policies.runAsGroup.ranges.min
        integer
        Min ID value.
    - spec.policies.runAsGroup.rule
      string
      Required value
      Specifies the strategy of the group ID selection.
      
      Allowed values: MustRunAs, MayRunAs, RunAsAny
  - spec.policies.runAsUser
    object
    Specifies which runAsUser values the security context is permitted to use.
    - spec.policies.runAsUser.ranges
      array of objects
      The list of user ID ranges that are allowed in `MustRunAs’ mode.
      - spec.policies.runAsUser.ranges.max
        integer
        Max ID value.
      - spec.policies.runAsUser.ranges.min
        integer
        Min ID value.
    - spec.policies.runAsUser.rule
      string
      Required value
      Specifies the strategy of the user ID selection.
      
      Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny
  - spec.policies.seLinux
    array of objects
    Specifies which SElinux labels the security context is permitted to use.
    - spec.policies.seLinux.level
      string
      A SELinux level label that applies to the container.
    - spec.policies.seLinux.role
      string
      A SELinux role label that applies to the container.
    - spec.policies.seLinux.type
      string
      A SELinux type label that applies to the container.
    - spec.policies.seLinux.user
      string
      A SELinux user label that applies to the container.
  - spec.policies.seccompProfiles
    object
    Specifies the list of allowed profiles that can be set for the Pod or container’s seccomp annotations.
    - spec.policies.seccompProfiles.allowedLocalhostFiles
      array of strings
      Defines the local seccomp profiles (in JSON format) that can be used if Localhost is set in the allowedProfiles parameter.
      
      An empty list prohibits the use of any local profiles.
    - spec.policies.seccompProfiles.allowedProfiles
      array of strings
      The list of allowed profile values for seccomp on Pods/containers.
  - spec.policies.supplementalGroups
    object
    Specifies what supplemental groups are allowed to be used by the security context.
    - spec.policies.supplementalGroups.ranges
      array of objects
      The list of supplemental group ID ranges that are allowed in `MustRunAs’ mode.
      - spec.policies.supplementalGroups.ranges.max
        integer
        Max ID value.
      - spec.policies.supplementalGroups.ranges.min
        integer
        Min ID value.
    - spec.policies.supplementalGroups.rule
      string
      Required value
      Specifies the strategy of the supplemental group ID selection.
      
      Allowed values: MustRunAs, MayRunAs, RunAsAny
  - spec.policies.verifyImageSignatures
    array of objects
    List of policies to verify container images signatures.
    
    Container images must be signed using Cosign.
    
    This feature is available in enterprise edition only.
    Example:
    verifyImageSignatures: - reference: docker.io/myrepo/* publicKeys: - |- -----BEGIN PUBLIC KEY----- ..... -----END PUBLIC KEY----- - reference: company.registry.com/* dockerCfg: "<Base64_dockerCfg>" publicKeys: - |- -----BEGIN PUBLIC KEY----- ..... -----END PUBLIC KEY-----
    - spec.policies.verifyImageSignatures.ca
      string
      A custom certificate authority to use when connecting to the container image repository.
    - spec.policies.verifyImageSignatures.dockerCfg
      string
      A string in Base64 with authentication data for the container image repository.
      
      If the container images are available anonymously, it is not specified.
    - spec.policies.verifyImageSignatures.publicKeys
      array of strings
      Required value
      The list of Cosign compliant public keys.
    - spec.policies.verifyImageSignatures.reference
      string
      Required value
      Absolute address or template for container images.
      
      If it contains the * symbol, it is considered a template for container image addresses. The * symbol can only appear once and only at the end. For example, for the value company.registry.com/*, any container images from the repository company.registry.com will be checked with the specified keys and access parameters.
      
      If it does not contain the * symbol, it is considered an absolute address for a container image. For example, for the value company.registry.com/nginx, only the nginx image from the repository company.registry.com will be checked with the specified keys and access parameters.
      
      Pattern: ^[a-z0-9\.\-:@\/]*\*?$
      Examples:
      
      reference: docker.io/myuser/*
      
      reference: "*"

The admission-policy-engine module: custom resources

OperationPolicy

SecurityPolicy

Request trial access

Thank you

Error

Request callback

Thank you

Something went wrong

Book your sessions

Thank you

Error

Request demo

Thank you

Error

Get the PCI SSC Compliance Report

Thank you

Error