The admission-policy-engine module: FAQ

How to extend Pod Security Standards policies?


Pod Security Standards are enforced for a namespace carrying the security.deckhouse.io/pod-policy: restricted or security.deckhouse.io/pod-policy: baseline label.


To extend the Pod Security Standards policy by adding your checks to existing checks, you need to:

  • Create a constraint template for the check (a ConstraintTemplate resource).
  • Bind it to the restricted or baseline policy.


Example of the ConstraintTemplate for checking a repository URL of a container image:


```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        openAPIV3Schema:
          type: object
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package d8.pod_security_standards.extended

        # Every regular container image must start with one of the allowed repos.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        # The same check for init containers.
        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
```

Example of binding a check to the restricted policy:


```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: prod-repo
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchLabels:
        security.deckhouse.io/pod-policy: restricted
  parameters:
    repos:
      - "mycompany.registry.com"
```

The example configures a check of the repository address in the image field for all Pods created in namespaces carrying the security.deckhouse.io/pod-policy: restricted label. A Pod is rejected if the address in the image field of any of its containers does not start with mycompany.registry.com.
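To see exactly what the two Rego rules above accept and reject, here is an added Python model of the K8sAllowedRepos check (not code from the Deckhouse docs or from Gatekeeper), run over a constructed AdmissionReview-shaped Pod. The pod_review helper and the sample images are assumptions made up for the example.

```python
from typing import Dict, List, Sequence, Tuple


def pod_review(containers: Sequence[Tuple[str, str]],
               init_containers: Sequence[Tuple[str, str]] = ()) -> Dict:
    """Build a constructed input shaped like Gatekeeper's input.review.object for a Pod."""
    return {
        "review": {
            "object": {
                "kind": "Pod",
                "spec": {
                    "containers": [{"name": n, "image": i} for n, i in containers],
                    "initContainers": [{"name": n, "image": i} for n, i in init_containers],
                },
            }
        }
    }


def allowed_repo_violations(review: Dict, repos: Sequence[str]) -> List[str]:
    """Mirror of the template's two `violation` rules: each container and
    initContainer image must start with at least one allowed repo prefix."""
    spec = review["review"]["object"]["spec"]
    msgs = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        # Same as the Rego comprehension: one `good` per allowed repo, then `not any(satisfied)`.
        satisfied = [container["image"].startswith(repo) for repo in repos]
        if not any(satisfied):
            msgs.append(
                "container <%s> has an invalid image repo <%s>, allowed repos are %s"
                % (container["name"], container["image"], list(repos))
            )
    return msgs


# Constructed sample: an init container and the app container come from the
# allowed registry, while a sidecar is pulled from Docker Hub.
SAMPLE_REVIEW = pod_review(
    containers=[("app", "mycompany.registry.com/team/app:2.3"),
                ("sidecar", "docker.io/library/nginx:1.25")],
    init_containers=[("init", "mycompany.registry.com/tools/init:1.0")],
)

if __name__ == "__main__":
    for msg in allowed_repo_violations(SAMPLE_REVIEW, ["mycompany.registry.com"]):
        print(msg)
```

Because startswith is a plain string-prefix test, a host name that merely begins with the configured value also passes; listing repos with a trailing slash (mycompany.registry.com/) limits matches to paths under that registry.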


More information about templates and the policy language can be found in the Gatekeeper documentation.


Find more examples of checks for policy extension in the Gatekeeper Library.


What if there are multiple policies (operational or security) that are applied to the same object?


In that case the object's specification has to fulfil all the requirements imposed by every policy that applies to it.


For example, consider the following two security policies:


```yaml
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foo
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          name: test
  policies:
    readOnlyRootFilesystem: true
    requiredDropCapabilities:
      - MKNOD
---
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: bar
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          name: test
  policies:
    requiredDropCapabilities:
      - NET_BIND_SERVICE
```

Then, in order to fulfill the requirements of the above security policies, the following settings must be set in a container specification:


```yaml
securityContext:
  capabilities:
    drop:
      - MKNOD
      - NET_BIND_SERVICE
  readOnlyRootFilesystem: true
```
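The following added Python snippet (not Deckhouse code) models how the foo and bar policies above combine: the required drop list is the union of both lists and readOnlyRootFilesystem becomes mandatory as soon as one policy demands it. The POLICY_FOO and POLICY_BAR dictionaries are constructed copies of the two specs, and the container_violations function is an assumed name for the check.

```python
from typing import Dict, List, Sequence

# Constructed copies of the `policies` sections of the two SecurityPolicy objects above.
POLICY_FOO = {"name": "foo", "policies": {"readOnlyRootFilesystem": True,
                                          "requiredDropCapabilities": ["MKNOD"]}}
POLICY_BAR = {"name": "bar", "policies": {"requiredDropCapabilities": ["NET_BIND_SERVICE"]}}


def combined_requirements(policies: Sequence[Dict]) -> Dict:
    """All matching policies must hold, so the drop list is their union and
    readOnlyRootFilesystem is required if any single policy asks for it."""
    drop = set()
    read_only = False
    for policy in policies:
        p = policy["policies"]
        drop.update(p.get("requiredDropCapabilities", []))
        read_only = read_only or p.get("readOnlyRootFilesystem", False)
    return {"requiredDropCapabilities": sorted(drop), "readOnlyRootFilesystem": read_only}


def container_violations(security_context: Dict, policies: Sequence[Dict]) -> List[str]:
    """Report every combined requirement that a container securityContext misses."""
    reqs = combined_requirements(policies)
    dropped = set(security_context.get("capabilities", {}).get("drop", []))
    msgs = [f"capability {cap} must be dropped"
            for cap in reqs["requiredDropCapabilities"] if cap not in dropped]
    if reqs["readOnlyRootFilesystem"] and not security_context.get("readOnlyRootFilesystem", False):
        msgs.append("readOnlyRootFilesystem must be true")
    return msgs


# The securityContext from the page, which satisfies both policies at once.
COMPLIANT = {"capabilities": {"drop": ["MKNOD", "NET_BIND_SERVICE"]},
             "readOnlyRootFilesystem": True}

if __name__ == "__main__":
    print(combined_requirements([POLICY_FOO, POLICY_BAR]))
    print(container_violations(COMPLIANT, [POLICY_FOO, POLICY_BAR]))
    print(container_violations({"capabilities": {"drop": ["MKNOD"]}}, [POLICY_FOO, POLICY_BAR]))
```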