SecurityPolicy

Scope: Cluster
Version: v1alpha1

Describes a security policy for a cluster.

Each SecurityPolicy custom resource describes rules for the objects in the cluster.

  • spec
    object

    Required value

    • spec.enforcementAction
      string

      An enforcement action as a result of the constraint:

      • Deny — Deny action.
      • Dryrun — No action. Used for debugging. Information about the event can be viewed in Grafana in the Security/Admission policy engine dashboard.
      • Warn — No action; similar to Dryrun. Provides information about the constraint that would result in a denial if the Deny action is used.

      Default: "Deny"

      Allowed values: Warn, Deny, Dryrun

    • spec.match
      object

      Required value

      Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.

      • spec.match.labelSelector
        object

        Specifies the label selector to filter Pods with.

        You can get more info in the documentation.

        • spec.match.labelSelector.matchExpressions
          array of objects

          The list of label expressions for Pods.

          Example:

          matchExpressions:
          - key: tier
            operator: In
            values:
            - production
            - staging
          
          • spec.match.labelSelector.matchExpressions.key
            string

            Required value

          • spec.match.labelSelector.matchExpressions.operator
            string

            Required value

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.match.labelSelector.matchExpressions.values
            array of strings
        • spec.match.labelSelector.matchLabels
          object

          The list of the labels that the Pod should have.

          Example:

          matchLabels:
            foo: bar
            baz: who
          
      • spec.match.namespaceSelector
        object

        Specifies the Namespace selector to filter objects with.

        • spec.match.namespaceSelector.excludeNames
          array of strings

          Includes all namespaces except the listed ones. Supports glob patterns.

        • spec.match.namespaceSelector.labelSelector
          object

          Specifies the label selector to filter namespaces.

          You can get more info in the documentation.

          • spec.match.namespaceSelector.labelSelector.matchExpressions
            array of objects

            The list of label expressions for namespaces.

            Example:

            matchExpressions:
            - key: tier
              operator: In
              values:
              - production
              - staging
            
            • spec.match.namespaceSelector.labelSelector.matchExpressions.key
              string

              Required value

            • spec.match.namespaceSelector.labelSelector.matchExpressions.operator
              string

              Required value

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.match.namespaceSelector.labelSelector.matchExpressions.values
              array of strings
          • spec.match.namespaceSelector.labelSelector.matchLabels
            object

            The list of the labels that the namespace should have.

            Example:

            matchLabels:
              foo: bar
              baz: who
            
        • spec.match.namespaceSelector.matchNames
          array of strings

          Includes only the listed namespaces. Supports glob patterns.
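The following is an added example, not the module's own code, showing how the three parts of spec.match.namespaceSelector select namespaces: matchNames and excludeNames as glob patterns, and labelSelector with matchLabels plus the four matchExpressions operators. It assumes the parts are ANDed together (the reference documents each part but not how they combine); the selector and namespaces are constructed sample data.

```python
"""Illustrative evaluator for a SecurityPolicy namespaceSelector (added example)."""
from fnmatch import fnmatchcase


def _eval_expression(labels, expr):
    """Evaluate one matchExpressions entry with the documented operators."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def label_selector_matches(labels, selector):
    """matchLabels and matchExpressions are ANDed, as in Kubernetes label selectors."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(_eval_expression(labels, e) for e in selector.get("matchExpressions", []))


def namespace_selected(ns_name, ns_labels, ns_selector):
    """True when the namespace falls under the policy (assumption: parts are ANDed)."""
    match_names = ns_selector.get("matchNames")
    if match_names and not any(fnmatchcase(ns_name, g) for g in match_names):
        return False
    if any(fnmatchcase(ns_name, g) for g in ns_selector.get("excludeNames", [])):
        return False
    return label_selector_matches(ns_labels, ns_selector.get("labelSelector", {}))


# Constructed sample selector: team namespaces, minus the sandbox, in production,
# and not carrying an (assumed, illustrative) exemption label
SELECTOR = {
    "matchNames": ["team-*"],
    "excludeNames": ["team-sandbox"],
    "labelSelector": {
        "matchLabels": {"environment": "production"},
        "matchExpressions": [
            {"key": "tier", "operator": "In", "values": ["production", "staging"]},
            {"key": "example.com/psp-exempt", "operator": "DoesNotExist"},
        ],
    },
}

# Constructed sample namespaces with their labels
NAMESPACES = {
    "team-payments": {"environment": "production", "tier": "production"},
    "team-sandbox": {"environment": "production", "tier": "production"},
    "team-legacy": {"environment": "production", "tier": "staging", "example.com/psp-exempt": "true"},
    "kube-system": {"environment": "production", "tier": "production"},
    "team-web": {"environment": "production"},
}


def selected_namespaces(selector=SELECTOR, namespaces=NAMESPACES):
    """Names of the namespaces the selector picks, sorted."""
    return sorted(n for n, labels in namespaces.items() if namespace_selected(n, labels, selector))


if __name__ == "__main__":
    print(selected_namespaces())  # ['team-payments']
```

Only team-payments survives: team-sandbox is excluded by name, kube-system fails matchNames, team-legacy carries the label that DoesNotExist forbids, and team-web has no tier label, so the In expression fails. An empty namespaceSelector selects every namespace.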

    • spec.policies
      object

      Required value

      Policies that pods and containers must comply with.

      • spec.policies.allowHostIPC
        boolean

        Allows sharing the host’s IPC namespace with containers.

      • spec.policies.allowHostNetwork
        boolean

        Allows containers to use the host’s network.

      • spec.policies.allowHostPID
        boolean

        Allows sharing the host’s PID namespace with containers.

      • spec.policies.allowPrivilegeEscalation
        boolean

        Allows container processes to gain more privileges than their parent process.

      • spec.policies.allowPrivileged
        boolean

        Allows running containers in a privileged mode.

      • spec.policies.allowedAppArmor
        array of strings

        The list of AppArmor profiles the containers are permitted to use.

        Example:

        allowedAppArmor:
        - runtime/default
        - unconfined
        
        • Element of the array
          string

          An AppArmor profile.

      • spec.policies.allowedCapabilities
        array of strings

        The list of capabilities that the containers are permitted to use.

        To allow all capabilities, use ALL.

        Example:

        allowedCapabilities:
        - SETGID
        - SETUID
        - NET_BIND_SERVICE
        
        • Element of the array
          string

          A Linux capability.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.allowedClusterRoles
        array of strings

        A list of allowed cluster roles to bind to users.

      • spec.policies.allowedFlexVolumes
        array of objects

        The list of Flex Volume drivers the containers are permitted to use.

        • spec.policies.allowedFlexVolumes.driver
          string

          A driver name.

      • spec.policies.allowedHostPaths
        array of objects

        The list of allowed hostpath prefixes. An empty list means any path can be used.

        Example:

        allowedHostPaths:
        - pathPrefix: "/dev"
          readOnly: true
        
        • spec.policies.allowedHostPaths.pathPrefix
          string

          Required value

          The path prefix to match against the host volume.

          It does not support the * mask. Trailing slashes are trimmed when validating the path prefix with a host path.

          For example, the /foo prefix allows /foo, /foo/ and /foo/bar path, but doesn’t allow /food or /etc/foo path.

        • spec.policies.allowedHostPaths.readOnly
          boolean

          When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.

          Default: false
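The following is an added example, not the module's own code, that implements the allowedHostPaths semantics described above: prefixes match on whole path components (no * mask), trailing slashes are trimmed, an empty list allows any path, and an entry with readOnly: true covers a hostPath volume only if every mount of that volume is read-only. The policy and pod are constructed sample data.

```python
"""Illustrative check for SecurityPolicy allowedHostPaths (added example)."""
from posixpath import normpath


def _trim(path):
    """Trim trailing slashes so "/foo/" and "/foo" compare equal; keep "/" itself."""
    return normpath(path).rstrip("/") or "/"


def prefix_matches(path_prefix, host_path):
    """/foo allows /foo, /foo/ and /foo/bar, but not /food or /etc/foo."""
    prefix, path = _trim(path_prefix), _trim(host_path)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def _mounts_of(pod, volume_name):
    """All volumeMounts across containers and initContainers that use the volume."""
    containers = pod["spec"].get("containers", []) + pod["spec"].get("initContainers", [])
    for c in containers:
        for m in c.get("volumeMounts", []):
            if m["name"] == volume_name:
                yield m


def host_path_violations(pod, allowed_host_paths):
    """One message per hostPath volume that no allowedHostPaths entry covers."""
    if not allowed_host_paths:  # empty list: any path may be used
        return []
    violations = []
    for vol in pod["spec"].get("volumes", []):
        if "hostPath" not in vol:
            continue
        path = vol["hostPath"]["path"]
        all_ro = all(m.get("readOnly", False) for m in _mounts_of(pod, vol["name"]))
        covered = any(
            prefix_matches(rule["pathPrefix"], path)
            and (not rule.get("readOnly", False) or all_ro)
            for rule in allowed_host_paths
        )
        if not covered:
            violations.append(f"hostPath volume {vol['name']!r} ({path}) is not allowed")
    return violations


# Constructed policy: /dev only read-only, /var/log/app read-write
ALLOWED_HOST_PATHS = [
    {"pathPrefix": "/dev", "readOnly": True},
    {"pathPrefix": "/var/log/app/"},
]

# Constructed pod with four hostPath volumes
POD = {
    "spec": {
        "containers": [{
            "name": "app",
            "volumeMounts": [
                {"name": "dev", "mountPath": "/dev", "readOnly": True},
                {"name": "logs", "mountPath": "/logs"},
                {"name": "root", "mountPath": "/host", "readOnly": True},
                {"name": "devrw", "mountPath": "/shm"},
            ],
        }],
        "volumes": [
            {"name": "dev", "hostPath": {"path": "/dev/"}},
            {"name": "logs", "hostPath": {"path": "/var/log/app/web"}},
            {"name": "root", "hostPath": {"path": "/"}},
            {"name": "devrw", "hostPath": {"path": "/dev/shm"}},
        ],
    }
}

if __name__ == "__main__":
    for v in host_path_violations(POD, ALLOWED_HOST_PATHS):
        print(v)
```

The dev and logs volumes pass; root fails because "/" is not under any listed prefix even though it is mounted read-only, and devrw fails because /dev is only allowed read-only while that mount is read-write.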

      • spec.policies.allowedHostPorts
        array of objects

        The list of hostPort ranges allowed by the rule.

        • spec.policies.allowedHostPorts.max
          integer

          Max value for the hostPort.

        • spec.policies.allowedHostPorts.min
          integer

          Min value for the hostPort.

      • spec.policies.allowedProcMount
        string

        Allows /proc mount type for containers.

        Allowed values: Default, Unmasked

        Example:

        allowedProcMount: Unmasked
        
      • spec.policies.allowedUnsafeSysctls
        array of strings

        The list of explicitly allowed unsafe sysctls.

        To allow all unsafe sysctls, use *.

        Example:

        allowedUnsafeSysctls:
        - kernel.msg*
        - net.core.somaxconn
        
      • spec.policies.allowedVolumes
        array of strings

        The set of the permitted volume plugins.

        Example:

        allowedVolumes:
        - hostPath
        - persistentVolumeClaim
        
        • Element of the array
          string

          Allowed values: *, none, awsElasticBlockStore, azureDisk, azureFile, cephFS, cinder, configMap, csi, downwardAPI, emptyDir, ephemeral, fc, flexVolume, flocker, gcePersistentDisk, gitRepo, glusterfs, hostPath, iscsi, nfs, persistentVolumeClaim, photonPersistentDisk, portworxVolume, projected, quobyte, rbd, scaleIO, secret, storageos, vsphereVolume

      • spec.policies.automountServiceAccountToken
        boolean

        Allows pods to run with automountServiceAccountToken enabled.

      • spec.policies.forbiddenSysctls
        array of strings

        The list of forbidden sysctls.

        Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).

        Example:

        forbiddenSysctls:
        - kernel.msg*
        - net.core.somaxconn
        
      • spec.policies.fsGroup
        object

        Specifies which fsGroup values the security context is permitted to use.

        • spec.policies.fsGroup.ranges
          array of objects

          The list of fsGroup ID ranges that are allowed in MustRunAs mode.

          • spec.policies.fsGroup.ranges.max
            integer

            Max ID value.

          • spec.policies.fsGroup.ranges.min
            integer

            Min ID value.

        • spec.policies.fsGroup.rule
          string

          Required value

          Specifies the strategy of the fsGroup selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.readOnlyRootFilesystem
        boolean

        If set to true, only the pods with the read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.

      • spec.policies.requiredDropCapabilities
        array of strings

        The list of capabilities that have to be dropped from the containers.

        To drop all capabilities, use ALL.

        Example:

        requiredDropCapabilities:
        - SETGID
        - SETUID
        - NET_BIND_SERVICE
        
        • Element of the array
          string

          A Linux capability to drop from the containers’ specs.

          Allowed values: ALL, SETPCAP, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_ADMIN, SYS_NICE, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, NET_ADMIN, SYSLOG, CHOWN, NET_RAW, DAC_OVERRIDE, FOWNER, DAC_READ_SEARCH, FSETID, KILL, SETGID, SETUID, LINUX_IMMUTABLE, NET_BIND_SERVICE, NET_BROADCAST, IPC_LOCK, IPC_OWNER, SYS_CHROOT, SYS_PTRACE, SYS_BOOT, LEASE, SETFCAP, WAKE_ALARM, BLOCK_SUSPEND

      • spec.policies.runAsGroup
        object

        Specifies which runAsGroup values the security context is permitted to use.

        • spec.policies.runAsGroup.ranges
          array of objects

          The list of group ID ranges that are allowed in MustRunAs mode.

          • spec.policies.runAsGroup.ranges.max
            integer

            Max ID value.

          • spec.policies.runAsGroup.ranges.min
            integer

            Min ID value.

        • spec.policies.runAsGroup.rule
          string

          Required value

          Specifies the strategy of the group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.runAsUser
        object

        Specifies which runAsUser values the security context is permitted to use.

        • spec.policies.runAsUser.ranges
          array of objects

          The list of user ID ranges that are allowed in MustRunAs mode.

          • spec.policies.runAsUser.ranges.max
            integer

            Max ID value.

          • spec.policies.runAsUser.ranges.min
            integer

            Min ID value.

        • spec.policies.runAsUser.rule
          string

          Required value

          Specifies the strategy of the user ID selection.

          Allowed values: MustRunAs, MustRunAsNonRoot, RunAsAny

      • spec.policies.seLinux
        array of objects

        Specifies which SELinux labels the security context is permitted to use.

        • spec.policies.seLinux.level
          string

          A SELinux level label that applies to the container.

        • spec.policies.seLinux.role
          string

          A SELinux role label that applies to the container.

        • spec.policies.seLinux.type
          string

          A SELinux type label that applies to the container.

        • spec.policies.seLinux.user
          string

          A SELinux user label that applies to the container.

      • spec.policies.seccompProfiles
        object

        Specifies the list of allowed profiles that can be set for the Pod or container’s seccomp annotations.

        • spec.policies.seccompProfiles.allowedLocalhostFiles
          array of strings

          Defines the local seccomp profiles (in JSON format) that can be used if Localhost is set in the allowedProfiles parameter.

          An empty list prohibits the use of any local profiles.

        • spec.policies.seccompProfiles.allowedProfiles
          array of strings

          The list of allowed profile values for seccomp on Pods/containers.

      • spec.policies.supplementalGroups
        object

        Specifies what supplemental groups are allowed to be used by the security context.

        • spec.policies.supplementalGroups.ranges
          array of objects

          The list of supplemental group ID ranges that are allowed in MustRunAs mode.

          • spec.policies.supplementalGroups.ranges.max
            integer

            Max ID value.

          • spec.policies.supplementalGroups.ranges.min
            integer

            Min ID value.

        • spec.policies.supplementalGroups.rule
          string

          Required value

          Specifies the strategy of the supplemental group ID selection.

          Allowed values: MustRunAs, MayRunAs, RunAsAny

      • spec.policies.verifyImageSignatures
        array of objects

        The list of policies for verifying container image signatures.

        Container images must be signed using Cosign.

        This feature is available in enterprise edition only.

        Example:

        verifyImageSignatures:
        - reference: docker.io/myrepo/*
          publicKeys:
          - |-
            -----BEGIN PUBLIC KEY-----
            .....
            -----END PUBLIC KEY-----
        - reference: company.registry.com/*
          dockerCfg: "<Base64_dockerCfg>"
          publicKeys:
          - |-
            -----BEGIN PUBLIC KEY-----
            .....
            -----END PUBLIC KEY-----
        
        • spec.policies.verifyImageSignatures.ca
          string

          A custom certificate authority to use when connecting to the container image repository.

        • spec.policies.verifyImageSignatures.dockerCfg
          string

          A string in Base64 with authentication data for the container image repository.

          Leave it unset if the container images are available anonymously.

        • spec.policies.verifyImageSignatures.publicKeys
          array of strings

          Required value

          The list of Cosign compliant public keys.

        • spec.policies.verifyImageSignatures.reference
          string

          Required value

          Absolute address or template for container images.

          If it contains the * symbol, it is considered a template for container image addresses. The * symbol can only appear once and only at the end. For example, for the value company.registry.com/*, any container images from the repository company.registry.com will be checked with the specified keys and access parameters.

          If it does not contain the * symbol, it is considered an absolute address for a container image. For example, for the value company.registry.com/nginx, only the nginx image from the repository company.registry.com will be checked with the specified keys and access parameters.

          Pattern: ^[a-z0-9\.\-:@\/]*\*?$

          Examples:

          reference: docker.io/myuser/*
          
          reference: "*"
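The following is an added example, not the module's own code, that applies the reference rules above: a reference is validated against the documented pattern, a trailing * makes it a template covering every image under the prefix, and a reference without * is an absolute address. It assumes that an absolute address is compared with the image's repository part, ignoring :tag and @digest (the reference says "only the nginx image" but does not spell out tag handling). The policy entries are constructed and the key material is a placeholder.

```python
"""Illustrative matcher for SecurityPolicy verifyImageSignatures.reference (added example)."""
import re

# Pattern quoted in the reference: lowercase registry/path characters, optional single trailing *
REFERENCE_PATTERN = re.compile(r"^[a-z0-9\.\-:@\/]*\*?$")


def is_valid_reference(reference):
    """True when the reference obeys the documented pattern (* at most once, only at the end)."""
    return REFERENCE_PATTERN.match(reference) is not None


def _repository(image):
    """Drop @digest and :tag but keep a registry port (registry:5000/app:1.0 -> registry:5000/app)."""
    image = image.split("@", 1)[0]
    head, _, last = image.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def reference_matches(reference, image):
    """Template (ends with *) matches any image under its prefix; otherwise the repository must be equal."""
    if not is_valid_reference(reference):
        raise ValueError(f"invalid reference {reference!r}")
    if reference.endswith("*"):
        return image.startswith(reference[:-1])
    return _repository(image) == reference  # assumption: tag/digest do not count


def entries_for_image(image, verify_image_signatures):
    """All verifyImageSignatures entries whose reference covers the image."""
    return [e for e in verify_image_signatures if reference_matches(e["reference"], image)]


# Constructed policy; the public key is a placeholder, not a real Cosign key
VERIFY_IMAGE_SIGNATURES = [
    {
        "reference": "docker.io/myrepo/*",
        "publicKeys": ["-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----"],
    },
    {
        "reference": "company.registry.com/nginx",
        "dockerCfg": "<Base64_dockerCfg>",
        "publicKeys": ["-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----"],
    },
]


def references_for_image(image, policy=VERIFY_IMAGE_SIGNATURES):
    """References the image would be verified against; [] means no entry applies."""
    return [e["reference"] for e in entries_for_image(image, policy)]


if __name__ == "__main__":
    for img in ("docker.io/myrepo/app:1.0", "company.registry.com/nginx:1.25",
                "company.registry.com/nginx-exporter:1.0"):
        print(img, "->", references_for_image(img))
```

The third image is not covered: "company.registry.com/nginx" is an absolute address, so it does not extend to nginx-exporter, and the only template on the policy is for docker.io/myrepo. A bare "*" reference matches every image, and a reference such as docker.io/*/nginx is rejected by the pattern because * is not at the end.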