Resource definition that complies with the policy instance

The ServiceAccount is not updated, so this resource complies with the policy instance.

# Note: The gator tests currently require exactly one object per example file.
# Since this is an update-triggered policy, at least two objects are technically
# required to demonstrate it. Due to the gator requirement, we only have one
# object below. The policy should allow changing everything but the
# serviceAccountName field.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: policy-test
  namespace: kube-system
  labels:
    app: policy-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: policy-test-deploy
  template:
    metadata:
      labels:
        app: policy-test-deploy
    spec:
      # Changing anything except this field should be allowed by the policy.
      serviceAccountName: policy-test-sa-1
      containers:
      - name: policy-test
        image: ubuntu
        command:
        - /bin/bash
        - -c
        - sleep 99999
Policy instance example

The following policy instance shows the resource types the policy definition applies to. The parameters section defines the list of allowed groups, allowedGroups, and the list of allowed users, allowedUsers.

# IMPORTANT: Before deploying this policy, make sure you allow-list any groups
# or users that need to deploy workloads to kube-system, such as cluster-
# lifecycle controllers, addon managers, etc. Such controllers may need to
# update service account names during automated rollouts (e.g. of refactored
# configurations). You can allow-list them with the allowedGroups and
# allowedUsers properties of the NoUpdateServiceAccount Constraint.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: NoUpdateServiceAccount
metadata:
  name: no-update-kube-system-service-account
spec:
  match:
    namespaces: ["kube-system"]
    kinds:
    - apiGroups: [""]
      kinds:
      # You can optionally add "Pod" here, but it is unnecessary because
      # Pod service account immutability is enforced by the Kubernetes API.
      - "ReplicationController"
    - apiGroups: ["apps"]
      kinds:
      - "ReplicaSet"
      - "Deployment"
      - "StatefulSet"
      - "DaemonSet"
    - apiGroups: ["batch"]
      kinds:
      # You can optionally add "Job" here, but it is unnecessary because
      # Job service account immutability is enforced by the Kubernetes API.
      - "CronJob"
  parameters:
    allowedGroups: []
    allowedUsers: []
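Because an update-triggered policy needs both the old and the new object, the single-object gator example above cannot show the decision itself. The following Python script is an added example, not code from the original page or from the Gatekeeper library: it walks through an admission UPDATE of the Deployment above with the semantics the page describes (deny when the pod template's serviceAccountName changes on a matched kind in kube-system, unless the requester is in allowedUsers or allowedGroups). The decision function, the template paths per kind, the allow-listed group `cluster-lifecycle` and the two requesters are constructed assumptions for the demonstration; the page's own constraint ships with empty allow lists.

```python
import copy

# Location of the pod template's serviceAccountName for each kind the
# constraint above matches. CronJob nests a Job template; the rest carry a
# pod template directly under spec.
TEMPLATE_PATHS = {
    "ReplicationController": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def service_account_name(obj):
    """Return the workload's pod-template serviceAccountName, or None if the
    field is absent (the workload object itself does not record the
    'default' account Kubernetes will assign to its pods)."""
    node = obj
    for key in TEMPLATE_PATHS[obj["kind"]]:
        node = node.get(key) or {}
    return node.get("serviceAccountName")


def is_allowlisted(user_info, allowed_users, allowed_groups):
    """True if the requester matches allowedUsers or any of allowedGroups."""
    if user_info.get("username") in allowed_users:
        return True
    return any(g in allowed_groups for g in user_info.get("groups", []))


def review_update(old_obj, new_obj, user_info, parameters,
                  namespaces=("kube-system",)):
    """Decide an UPDATE the way the constraint above is described: deny when
    serviceAccountName changed on a matched kind in a matched namespace and
    the requester is not allow-listed. Returns (allowed, reason)."""
    if new_obj["kind"] not in TEMPLATE_PATHS:
        return True, "kind not matched by the constraint"
    if new_obj["metadata"].get("namespace") not in namespaces:
        return True, "namespace not matched by the constraint"
    before = service_account_name(old_obj)
    after = service_account_name(new_obj)
    if before == after:
        return True, "serviceAccountName unchanged"
    if is_allowlisted(user_info, parameters.get("allowedUsers", []),
                      parameters.get("allowedGroups", [])):
        return True, "serviceAccountName changed by an allow-listed requester"
    return False, (f"{new_obj['kind']} {new_obj['metadata']['name']}: "
                   f"serviceAccountName changed from {before!r} to {after!r}")


# Constructed sample data: the Deployment from the example above (trimmed),
# a constraint that allow-lists one hypothetical group, and two requesters.
OLD_DEPLOYMENT = {
    "kind": "Deployment", "apiVersion": "apps/v1",
    "metadata": {"name": "policy-test", "namespace": "kube-system"},
    "spec": {"replicas": 1, "template": {"spec": {
        "serviceAccountName": "policy-test-sa-1",
        "containers": [{"name": "policy-test", "image": "ubuntu"}]}}},
}
PARAMS = {"allowedGroups": ["cluster-lifecycle"], "allowedUsers": []}
DEVELOPER = {"username": "dev@example.com", "groups": ["developers"]}
LIFECYCLE = {"username": "lifecycle-controller",
             "groups": ["cluster-lifecycle"]}


def scale_only():
    """Only replicas changes: allowed regardless of who asks."""
    new = copy.deepcopy(OLD_DEPLOYMENT)
    new["spec"]["replicas"] = 3
    return review_update(OLD_DEPLOYMENT, new, DEVELOPER, PARAMS)


def swap_service_account(user_info):
    """serviceAccountName changes: allowed only for allow-listed requesters."""
    new = copy.deepcopy(OLD_DEPLOYMENT)
    new["spec"]["template"]["spec"]["serviceAccountName"] = "policy-test-sa-2"
    return review_update(OLD_DEPLOYMENT, new, user_info, PARAMS)


if __name__ == "__main__":
    print(scale_only())
    print(swap_service_account(DEVELOPER))
    print(swap_service_account(LIFECYCLE))
```

Running the script prints an allow for the scale-only edit, a deny for the developer's service-account swap, and an allow for the same swap by the allow-listed lifecycle group, which is the behaviour the IMPORTANT note above asks you to plan for before enabling the constraint.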
Resource definition that does not comply with the policy instance

The Pod has a livenessProbe, but no probeType is defined for it, so the Pod does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - name: nginx-1
    image: nginx:1.7.9
    ports:
    - containerPort: 80
    livenessProbe:
    # tcpSocket:
    #   port: 80
    # initialDelaySeconds: 5
    # periodSeconds: 10
    volumeMounts:
    - mountPath: /tmp/cache
      name: cache-volume
  - name: tomcat
    image: tomcat
    ports:
    - containerPort: 8080
    readinessProbe:
      tcpSocket:
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
  volumes:
  - name: cache-volume
    emptyDir: {}
Policy instance example

The following policy instance shows the resource types the policy definition applies to. The parameters section lists the required probes and the permitted probeTypes.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
  name: must-have-probes
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  parameters:
    probes: ["readinessProbe", "livenessProbe"]
    probeTypes: ["tcpSocket", "httpGet", "exec"]
Resource definition that complies with the policy instance

The Pod has both a livenessProbe and a readinessProbe, and the probeType of each is tcpSocket, so the Pod complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: test-pod1
spec:
  containers:
  - name: tomcat
    image: tomcat
    ports:
    - containerPort: 8080
    livenessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 5
      periodSeconds: 10
    readinessProbe:
      tcpSocket:
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
  volumes:
  - name: cache-volume
    emptyDir: {}
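To make the two verdicts above reproducible without a cluster, the following Python script is an added example (not code from the original page or from the Gatekeeper library) that applies the must-have-probes parameters to the non-compliant and compliant Pods above, represented as the dictionaries a YAML parser would produce. The check logic is an assumption that follows the page's description: every container must carry each probe named in `probes`, and each probe must use at least one handler from `probeTypes`. The third Pod, with a hypothetical grpc liveness handler, is constructed here to show the other way a probe can fail the check.

```python
PARAMETERS = {  # copied from the must-have-probes constraint above
    "probes": ["readinessProbe", "livenessProbe"],
    "probeTypes": ["tcpSocket", "httpGet", "exec"],
}


def required_probe_violations(pod, parameters=PARAMETERS):
    """Return the list of violations for `pod`; an empty list means compliant.
    A probe counts only if it is present, non-empty and uses one of the
    handler types named in probeTypes."""
    violations = []
    for container in pod.get("spec", {}).get("containers", []):
        name = container.get("name", "<unnamed>")
        for probe in parameters["probes"]:
            handler = container.get(probe)
            if not handler:  # key missing, or present with a null/empty body
                violations.append(f"container {name} has no {probe}")
                continue
            if not any(t in handler for t in parameters["probeTypes"]):
                violations.append(
                    f"container {name}: {probe} uses none of "
                    f"{parameters['probeTypes']}")
    return violations


TCP_8080 = {"tcpSocket": {"port": 8080},
            "initialDelaySeconds": 5, "periodSeconds": 10}

# The non-compliant Pod from above, as the YAML parser sees it: the
# commented-out livenessProbe body leaves the key with a null value.
NON_COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pod1"},
    "spec": {"containers": [
        {"name": "nginx-1", "image": "nginx:1.7.9",
         "ports": [{"containerPort": 80}], "livenessProbe": None,
         "volumeMounts": [{"mountPath": "/tmp/cache", "name": "cache-volume"}]},
        {"name": "tomcat", "image": "tomcat",
         "ports": [{"containerPort": 8080}], "readinessProbe": TCP_8080},
    ], "volumes": [{"name": "cache-volume", "emptyDir": {}}]},
}

# The compliant Pod from above: both probes present, both tcpSocket.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "test-pod1"},
    "spec": {"containers": [
        {"name": "tomcat", "image": "tomcat",
         "ports": [{"containerPort": 8080}],
         "livenessProbe": {"tcpSocket": {"port": 80},
                           "initialDelaySeconds": 5, "periodSeconds": 10},
         "readinessProbe": TCP_8080},
    ], "volumes": [{"name": "cache-volume", "emptyDir": {}}]},
}

# Constructed extra case (not on the page): both probes exist, but the
# livenessProbe uses a grpc handler, which this constraint does not accept.
GRPC_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "grpc-pod"},
    "spec": {"containers": [
        {"name": "api", "image": "example/api:1.0",
         "livenessProbe": {"grpc": {"port": 8080}},
         "readinessProbe": TCP_8080},
    ]},
}


if __name__ == "__main__":
    for pod in (NON_COMPLIANT_POD, COMPLIANT_POD, GRPC_POD):
        print(pod["metadata"]["name"], required_probe_violations(pod))
```

The non-compliant Pod yields three violations rather than one: nginx-1 lacks a readinessProbe as well as a usable livenessProbe, and tomcat has no livenessProbe at all, which is worth knowing when reading a Gatekeeper audit report for this constraint.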