Requires container images to begin with a string from the specified list.
可选策略
General
k8spspautomountserviceaccounttokenpod
Controls the ability of any Pod to enable automountServiceAccountToken.
可选策略
General
k8sblockendpointeditdefaultrole
Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints.
可选策略
General
k8sblockloadbalancer
Disallows all Services with type LoadBalancer.
可选策略
General
k8sblocknodeport
Disallows all Services with type NodePort.
可选策略
General
k8sblockwildcardingress
Users should not be able to create Ingresses with a blank or wildcard (*) hostname since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services.
可选策略
General
k8scontainerlimits
Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
可选策略
General
k8scontainerrequests
Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values.
可选策略
General
k8scontainerratios
Sets a maximum ratio for container resource limits to requests.
可选策略
General
k8srequiredresources
Requires containers to have defined resources set.
可选策略
General
k8sdisallowanonymous
Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group.
可选策略
General
k8sdisallowedtags
Requires container images to have an image tag different from the ones in the specified list.
可选策略
General
k8sexternalips
Restricts Service externalIPs to an allowed list of IP addresses.
可选策略
General
k8simagedigests
Requires container images to contain a digest.
可选策略
General
noupdateserviceaccount
Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode.
可选策略
General
k8sreplicalimits
Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
可选策略
General
k8srequiredannotations
Requires resources to contain specified annotations, with values matching provided regular expressions.
可选策略
General
k8srequiredlabels
Requires resources to contain specified labels, with values matching provided regular expressions.
可选策略
General
k8srequiredprobes
Requires Pods to have readiness and/or liveness probes.
可选策略
Pod Security Policy
k8spspallowprivilegeescalationcontainer
Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spspapparmor
Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spspcapabilities
Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spspflexvolumes
Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in PodSecurityPolicy.
可选策略
Pod Security Policy
k8spspforbiddensysctls
Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden.
可选策略
Pod Security Policy
k8spspfsgroup
Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spsphostfilesystem
Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spsphostnamespace
Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spsphostnetworkingports
Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spspprivilegedcontainer
Controls the ability of any container to enable privileged mode.
可选策略
Pod Security Policy
k8spspprocmount
Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy.
可选策略
Pod Security Policy
k8spspreadonlyrootfilesystem
Requires the use of a read-only root file system by pod containers.
可选策略
Pod Security Policy
k8spspseccomp
Controls the seccomp profile used by containers.
可选策略
Pod Security Policy
k8spspselinuxv2
Defines an allow-list of seLinuxOptions configurations for pod containers.
可选策略
Pod Security Policy
k8spspallowedusers
Controls the user and group IDs of the container and some volumes.
可选策略
Pod Security Policy
k8spspvolumetypes
Restricts mountable volume types to those specified by the user.
是
否
本页内容是否解决了您的问题?