How to extend Pod Security Standards policies?

To extend a Pod Security Standards policy with your own checks in addition to the existing ones, you need to describe the check as a Gatekeeper ConstraintTemplate and then bind it to the policy. Both steps are shown in the examples below.

Example of a template for checking the container image repository address:

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sallowedrepos
spec:
  crd:
    spec:
      names:
        kind: K8sAllowedRepos
      validation:
        openAPIV3Schema:
          type: object
          properties:
            repos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedrepos

        # Regular containers: the image must start with one of the allowed prefixes.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        # Init containers are checked the same way.
        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
```
Example of binding the check to the policy:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
  name: prod-repo
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - "<allowed-registry-prefix>/"   # placeholder: the registry prefix images must start with
```

The example demonstrates how to configure a check of the repository address in the container `image` field.
More information about templates and the policy language can be found in the Gatekeeper documentation.
More examples of checks for extending policies can be found in the Gatekeeper Library.
What if multiple policies (operational or security) apply to the same object?
In that case the object's specification has to fulfil all the requirements imposed by those policies.
For example, consider the following two security policies:

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foo
spec:
  enforcementAction: Deny
  match:
    namespaceSelector:
      labelSelector:
        matchLabels:
          name: test
  policies:
    readOnlyRootFilesystem: true
    requiredDropCapabilities:
```

Then, in order to fulfil the requirements of the above security policies, the following settings must be present in the container specification:

```yaml
securityContext:
  capabilities:
    drop:
```
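To make the two points above concrete (the image-prefix check from the template, and the rule that an object must satisfy every policy that matches it), here is an added Python model of the evaluation; it is not Gatekeeper's Rego or Deckhouse code, and the policy names, capability names and registry prefix are constructed placeholders.

```python
"""Python model of how the checks on this page combine on one Pod (added example,
not Gatekeeper's Rego or Deckhouse code; see the lead-in for what it assumes)."""

# Constructed sample data: capability names and the registry prefix are placeholders.
SECURITY_POLICIES = [
    {"name": "foo", "readOnlyRootFilesystem": True, "requiredDropCapabilities": ["CAP_A"]},
    {"name": "bar", "requiredDropCapabilities": ["CAP_B"]},
]
ALLOWED_REPOS = ["registry.example.internal/"]  # trailing "/" so a look-alike host does not match

def all_containers(pod):
    # Regular and init containers, as the two Rego rules above cover both.
    spec = pod["spec"]
    return spec.get("containers", []) + spec.get("initContainers", [])

def check_allowed_repos(pod, repos):
    """Same logic as the Rego rule: each image must start with one allowed prefix."""
    return [
        f"container <{c['name']}> has an invalid image repo <{c['image']}>, allowed repos are {repos}"
        for c in all_containers(pod)
        if not any(c["image"].startswith(r) for r in repos)
    ]

def check_security_policies(pod, policies):
    """Each matching SecurityPolicy is evaluated on its own; the Pod must pass all of them."""
    msgs = []
    for c in all_containers(pod):
        sc = c.get("securityContext", {})
        dropped = set(sc.get("capabilities", {}).get("drop", []))
        for p in policies:
            if p.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem"):
                msgs.append(f"{p['name']}: container <{c['name']}> must set readOnlyRootFilesystem: true")
            missing = set(p.get("requiredDropCapabilities", [])) - dropped
            if missing:
                msgs.append(f"{p['name']}: container <{c['name']}> must drop {sorted(missing)}")
    return msgs

def admit(pod, policies=SECURITY_POLICIES, repos=ALLOWED_REPOS):
    """Empty list means admitted; any message means the request is denied (enforcementAction: Deny)."""
    return check_allowed_repos(pod, repos) + check_security_policies(pod, policies)

def sample_pod(image, drop, read_only):
    """Constructed one-container Pod spec in the shape the checks above read."""
    return {"spec": {"containers": [{"name": "app", "image": image, "securityContext": {
        "readOnlyRootFilesystem": read_only, "capabilities": {"drop": drop}}}]}}
```

A Pod that drops only the capabilities required by `foo` is still denied by `bar`; the union of all matching policies is what has to be satisfied.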