SecurityPolicy
Scope: Cluster
Version: v1alpha1
Describes a security policy for a cluster.
Each SecurityPolicy custom resource describes rules for the objects in the cluster.
- objectspec
Required value
- stringspec.enforcementAction
An enforcement action as a result of the constraint:
Deny— Deny action.Dryrun— No action. Used for debugging. Information about the event can be viewed in Grafana in dashboardSecurity/Admission policy engine.Warn— No action; similar toDryrun. Provides information about the constraint that would result in a denial if theDenyaction is used.
Default:
"Deny"Allowed values:
Warn,Deny,Dryrun - objectspec.match
Required value
Container filtering rules. Use selectors to specify the pods and containers to which you want to apply the policy.
- objectspec.match.labelSelector
Specifies the label selector to filter Pods with.
You can get more into here.
- array of objectsspec.match.labelSelector.matchExpressions
The list of label expressions for Pods.
Example:
matchExpressions: - key: tier operator: In values: - production - staging- stringspec.match.labelSelector.matchExpressions.key
Required value
- stringspec.match.labelSelector.matchExpressions.operator
Required value
Allowed values:
In,NotIn,Exists,DoesNotExist - array of stringsspec.match.labelSelector.matchExpressions.values
- objectspec.match.labelSelector.matchLabels
The list of the labels that the Pod should have.
Example:
matchLabels: foo: bar baz: who
- objectspec.match.namespaceSelector
Specifies the Namespace selector to filter objects with.
- array of stringsspec.match.namespaceSelector.excludeNames
Includes all namespaces except a particular set. Support glob pattern.
- objectspec.match.namespaceSelector.labelSelector
Specifies the label selector to filter namespaces.
You can get more info in the documentation.
- array of objectsspec.match.namespaceSelector.labelSelector.matchExpressions
The list of label expressions for namespaces.
Example:
matchExpressions: - key: tier operator: In values: - production - staging- stringspec.match.namespaceSelector.labelSelector.matchExpressions.key
Required value
- stringspec.match.namespaceSelector.labelSelector.matchExpressions.operator
Required value
Allowed values:
In,NotIn,Exists,DoesNotExist - array of stringsspec.match.namespaceSelector.labelSelector.matchExpressions.values
- objectspec.match.namespaceSelector.labelSelector.matchLabels
The list of the labels that the namespace should have.
Example:
matchLabels: foo: bar baz: who
- array of stringsspec.match.namespaceSelector.matchNames
Includes only a particular set of namespaces. Supports glob pattern.
- objectspec.policies
Required value
Policies that pods and containers must comply with.
- booleanspec.policies.allowHostIPC
Allows sharing the host’s IPC namespace with containers.
- booleanspec.policies.allowHostNetwork
Allows containers to use the host’s network.
- booleanspec.policies.allowHostPID
Allows sharing the host’s PID namespace with containers.
- booleanspec.policies.allowPrivilegeEscalation
Allows container processes to gain more privileges than its parent process.
- booleanspec.policies.allowPrivileged
Allows running containers in a privileged mode.
- array of stringsspec.policies.allowedAppArmor
The list of AppArmor profiles the containers are permitted to use.
Example:
allowedAppArmor: - runtime/default - unconfined- stringElement of the array
An AppArmor profile.
- array of stringsspec.policies.allowedCapabilities
The list of capabilities that the containers are permitted to use.
To allow all capabilities, use
ALL.Example:
allowedCapabilities: - SETGID - SETUID - NET_BIND_SERVICE- stringElement of the array
A linux capability.
Allowed values:
ALL,SETPCAP,SYS_MODULE,SYS_RAWIO,SYS_PACCT,SYS_ADMIN,SYS_NICE,SYS_RESOURCE,SYS_TIME,SYS_TTY_CONFIG,MKNOD,AUDIT_WRITE,AUDIT_CONTROL,MAC_OVERRIDE,MAC_ADMIN,NET_ADMIN,SYSLOG,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,DAC_READ_SEARCH,FSETID,KILL,SETGID,SETUID,LINUX_IMMUTABLE,NET_BIND_SERVICE,NET_BROADCAST,IPC_LOCK,IPC_OWNER,SYS_CHROOT,SYS_PTRACE,SYS_BOOT,LEASE,SETFCAP,WAKE_ALARM,BLOCK_SUSPEND
- array of stringsspec.policies.allowedClusterRoles
A list of allowed cluster roles to bind to users.
- array of objectsspec.policies.allowedFlexVolumes
The list of Flex Volume drivers the containers are permitted to use.
- stringspec.policies.allowedFlexVolumes.driver
A driver name.
- array of objectsspec.policies.allowedHostPaths
The list of allowed hostpath prefixes. An empty list means any path can be used.
Example:
allowedHostPaths: - pathPrefix: "/dev" readOnly: true- stringspec.policies.allowedHostPaths.pathPrefix
Required value
The path prefix to match against the host volume.
It does not support the
*mask. Trailing slashes are trimmed when validating the path prefix with a host path.For example, the
/fooprefix allows/foo,/foo/and/foo/barpath, but doesn’t allow/foodor/etc/foopath. - booleanspec.policies.allowedHostPaths.readOnly
When set to true, allows host volumes to be matched against the pathPrefix only if all the volume mounts are read-only.
Default:
false
- array of objectsspec.policies.allowedHostPorts
The list of
hostPortranges allowed by the rule.- integerspec.policies.allowedHostPorts.max
Max value for the
hostPort. - integerspec.policies.allowedHostPorts.min
Min value for the
hostPort.
- stringspec.policies.allowedProcMount
Allows
/procmount type for containers.Allowed values:
Default,UnmaskedExample:
allowedProcMount: Unmasked. - array of stringsspec.policies.allowedUnsafeSysctls
The list of explicitly allowed unsafe sysctls.
To allow all unsafe sysctls, use
*.Example:
allowedUnsafeSysctls: - kernel.msg* - net.core.somaxconn - array of stringsspec.policies.allowedVolumes
The set of the permitted volume plugins.
Example:
allowedVolumes: - hostPath - persistentVolumeClaim- stringElement of the array
Allowed values:
*,none,awsElasticBlockStore,azureDisk,azureFile,cephFS,cinder,configMap,csi,downwardAPI,emptyDir,ephemeral,fc,flexVolume,flocker,gcePersistentDisk,gitRepo,glusterfs,hostPath,iscsi,nfs,persistentVolumeClaim,photonPersistentDisk,portworxVolume,projected,quobyte,rbd,scaleIO,secret,storageos,vsphereVolume
- booleanspec.policies.automountServiceAccountToken
Allows pods to run with
automountServiceAccountTokenenabled. - array of stringsspec.policies.forbiddenSysctls
The list of forbidden sysctls.
Takes precedence over allowed unsafe sysctls (allowedUnsafeSysctls).
Example:
forbiddenSysctls: - kernel.msg* - net.core.somaxconn - objectspec.policies.fsGroup
Specifies which
fsGroupvalues the security context is permitted to use.- array of objectsspec.policies.fsGroup.ranges
The list of
fsGroupID ranges that are allowed in `MustRunAs’ mode.- integerspec.policies.fsGroup.ranges.max
Max ID value.
- integerspec.policies.fsGroup.ranges.min
Min ID value.
- stringspec.policies.fsGroup.rule
Required value
Specifies the strategy of the
fsGroupselection.Allowed values:
MustRunAs,MayRunAs,RunAsAny
- booleanspec.policies.readOnlyRootFilesystem
If set to true, only the pods with the read-only root filesystem across all containers will be permitted to run. See the Kubernetes documentation for more details.
- array of stringsspec.policies.requiredDropCapabilities
The list of capabilities that have to be dropped from the containers.
To exclude all capabilities, use
ALL’.Example:
requiredDropCapabilities: - SETGID - SETUID - NET_BIND_SERVICE- stringElement of the array
A linux capability to drop from the containers’ specs.
Allowed values:
ALL,SETPCAP,SYS_MODULE,SYS_RAWIO,SYS_PACCT,SYS_ADMIN,SYS_NICE,SYS_RESOURCE,SYS_TIME,SYS_TTY_CONFIG,MKNOD,AUDIT_WRITE,AUDIT_CONTROL,MAC_OVERRIDE,MAC_ADMIN,NET_ADMIN,SYSLOG,CHOWN,NET_RAW,DAC_OVERRIDE,FOWNER,DAC_READ_SEARCH,FSETID,KILL,SETGID,SETUID,LINUX_IMMUTABLE,NET_BIND_SERVICE,NET_BROADCAST,IPC_LOCK,IPC_OWNER,SYS_CHROOT,SYS_PTRACE,SYS_BOOT,LEASE,SETFCAP,WAKE_ALARM,BLOCK_SUSPEND
- objectspec.policies.runAsGroup
Specifies which
runAsGroupvalues the security context is permitted to use.- array of objectsspec.policies.runAsGroup.ranges
The list of group ID ranges that are allowed in `MustRunAs’ mode.
- integerspec.policies.runAsGroup.ranges.max
Max ID value.
- integerspec.policies.runAsGroup.ranges.min
Min ID value.
- stringspec.policies.runAsGroup.rule
Required value
Specifies the strategy of the group ID selection.
Allowed values:
MustRunAs,MayRunAs,RunAsAny
- objectspec.policies.runAsUser
Specifies which
runAsUservalues the security context is permitted to use.- array of objectsspec.policies.runAsUser.ranges
The list of user ID ranges that are allowed in `MustRunAs’ mode.
- integerspec.policies.runAsUser.ranges.max
Max ID value.
- integerspec.policies.runAsUser.ranges.min
Min ID value.
- stringspec.policies.runAsUser.rule
Required value
Specifies the strategy of the user ID selection.
Allowed values:
MustRunAs,MustRunAsNonRoot,RunAsAny
- array of objectsspec.policies.seLinux
Specifies which SElinux labels the security context is permitted to use.
- stringspec.policies.seLinux.level
A SELinux level label that applies to the container.
- stringspec.policies.seLinux.role
A SELinux role label that applies to the container.
- stringspec.policies.seLinux.type
A SELinux type label that applies to the container.
- stringspec.policies.seLinux.user
A SELinux user label that applies to the container.
- objectspec.policies.seccompProfiles
Specifies the list of allowed profiles that can be set for the Pod or container’s seccomp annotations.
- array of stringsspec.policies.seccompProfiles.allowedLocalhostFiles
Defines the local seccomp profiles (in JSON format) that can be used if
Localhostis set in theallowedProfilesparameter.An empty list prohibits the use of any local profiles.
- array of stringsspec.policies.seccompProfiles.allowedProfiles
The list of allowed profile values for seccomp on Pods/containers.
- objectspec.policies.supplementalGroups
Specifies what supplemental groups are allowed to be used by the security context.
- array of objectsspec.policies.supplementalGroups.ranges
The list of supplemental group ID ranges that are allowed in `MustRunAs’ mode.
- integerspec.policies.supplementalGroups.ranges.max
Max ID value.
- integerspec.policies.supplementalGroups.ranges.min
Min ID value.
- stringspec.policies.supplementalGroups.rule
Required value
Specifies the strategy of the supplemental group ID selection.
Allowed values:
MustRunAs,MayRunAs,RunAsAny
- array of objectsspec.policies.verifyImageSignatures
List of policies to verify container images signatures.
Container images must be signed using Cosign.
This feature is available in enterprise edition only.
Example:
verifyImageSignatures: - reference: docker.io/myrepo/* publicKeys: - |- -----BEGIN PUBLIC KEY----- ..... -----END PUBLIC KEY----- - reference: company.registry.com/* dockerCfg: "<Base64_dockerCfg>" publicKeys: - |- -----BEGIN PUBLIC KEY----- ..... -----END PUBLIC KEY------ stringspec.policies.verifyImageSignatures.ca
A custom certificate authority to use when connecting to the container image repository.
- stringspec.policies.verifyImageSignatures.dockerCfg
A string in Base64 with authentication data for the container image repository.
If the container images are available anonymously, it is not specified.
- array of stringsspec.policies.verifyImageSignatures.publicKeys
Required value
The list of Cosign compliant public keys.
- stringspec.policies.verifyImageSignatures.reference
Required value
Absolute address or template for container images.
If it contains the
*symbol, it is considered a template for container image addresses. The*symbol can only appear once and only at the end. For example, for the valuecompany.registry.com/*, any container images from the repositorycompany.registry.comwill be checked with the specified keys and access parameters.If it does not contain the
*symbol, it is considered an absolute address for a container image. For example, for the valuecompany.registry.com/nginx, only the nginx image from the repositorycompany.registry.comwill be checked with the specified keys and access parameters.Pattern:
^[a-z0-9\.\-:@\/]*\*?$Examples:
reference: docker.io/myuser/*reference: "*"