
Policy Management

Last updated: 2024-05-08 09:58:32

    Overview

    Native Kubernetes has a cascading deletion mechanism: when a resource is deleted, the resources that depend on it are deleted automatically. For example, deleting a namespace also deletes all the resources it contains, such as pods, services, and ConfigMaps, which may disrupt your business.
    To address this, TKE provides a policy management module implemented with Gatekeeper, which is based on the Open Policy Agent (OPA). It lets you define and enforce consistent policies across multiple clusters so that your system stays secure and reliable.

    Policy Description

    Policy Classification

    Cluster deletion protection: A cluster that still contains working nodes cannot be deleted.
    Cluster resource deletion protection: A cluster-scoped or namespace-scoped Kubernetes resource whose deletion would cascade to other system resources cannot be deleted.

    Support Boundary

    Cluster deletion protection policy: Supports all versions of TKE standard clusters and TKE serverless clusters; registered clusters and edge clusters are not supported.
    Cluster resource deletion protection policy: Supports Kubernetes 1.16 and later for both TKE standard clusters and TKE serverless clusters; registered clusters and edge clusters are not supported.

    Policy Type

    Baseline policy: It is mandatory and cannot be disabled.
    Preferred policy: It is enabled by default, but can be disabled by the user.
    Optional policy: It is disabled by default, but can be enabled by the user.

    Policy Library

    TKE Policy

    | Classification | Policy Name | Policy Description | Policy Type |
    | --- | --- | --- | --- |
    | Cluster policy | If there are nodes in the cluster, the cluster cannot be deleted. | If there are regular nodes, native nodes, or registered nodes in the cluster, the nodes must be removed before the cluster can be deleted. | Baseline policy |
    | Namespace policy | If there are workloads, services and routes, or storage objects under the namespace, the namespace cannot be deleted. | If there are pods, services, ingresses, or PVCs in the namespace, clear these resources before deleting the namespace. | Preferred policy |
    | Configuration-related policy | Disallow deletion if a CRD has associated CR resources. | If a CRD has CR resources defined, the CR resources must be deleted before the CRD can be deleted. | Preferred policy |
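The namespace policy in the table above is built into TKE and its implementation is not shown on this page. The ConstraintTemplate and Constraint below are an added example (not TKE's or Gatekeeper's own code) of how the same rule can be expressed for Gatekeeper: a DELETE on a Namespace is denied while Gatekeeper's synced inventory still holds Pods, Services, Ingresses or PersistentVolumeClaims in it. The template name, constraint name and message text are assumptions; the example also assumes the Gatekeeper webhook has been configured to receive DELETE operations and that those four kinds are synced into data.inventory through a Gatekeeper Config resource.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sblocknonemptynamespacedeletion   # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sBlockNonEmptyNamespaceDeletion
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sblocknonemptynamespacedeletion

        # Resource kinds, keyed by groupVersion, whose presence blocks
        # deletion: the kinds the TKE namespace policy lists.
        blocking := {
          "v1": {"Pod", "Service", "PersistentVolumeClaim"},
          "networking.k8s.io/v1": {"Ingress"}
        }

        violation[{"msg": msg}] {
          # Only DELETE requests for Namespace objects are of interest.
          input.review.operation == "DELETE"
          input.review.kind.kind == "Namespace"
          ns := input.review.name

          # Iterate over every (groupVersion, kind) pair in the block list.
          some gv, kind
          blocking[gv][kind]

          # data.inventory is populated from the kinds synced by a
          # Gatekeeper Config resource (assumed to be in place).
          n := count(data.inventory.namespace[ns][gv][kind])
          n > 0

          msg := sprintf("namespace %s still contains %d %s object(s); delete them before deleting the namespace", [ns, n, kind])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNonEmptyNamespaceDeletion
metadata:
  name: block-nonempty-namespace-deletion   # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
```

With this constraint in place, a namespace deletion that would cascade is rejected with a message naming the kind and count of remaining objects, and the denial appears in Gatekeeper's audit and admission logs.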

    OPA Standard Library Policy

    | Type | Policy Name | Policy Description | Policy Type |
    | --- | --- | --- | --- |
    | General | k8sallowedrepos | Requires container images to begin with a string from the specified list. | Optional policy |
    | General | k8spspautomountserviceaccounttokenpod | Controls the ability of any Pod to enable automountServiceAccountToken. | Optional policy |
    | General | k8sblockendpointeditdefaultrole | Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. | Optional policy |
    | General | k8sblockloadbalancer | Disallows all Services with type LoadBalancer. | Optional policy |
    | General | k8sblocknodeport | Disallows all Services with type NodePort. | Optional policy |
    | General | k8sblockwildcardingress | Users should not be able to create Ingresses with a blank or wildcard (*) hostname, since that would enable them to intercept traffic for other services in the cluster even if they don't have access to those services. | Optional policy |
    | General | k8scontainerlimits | Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. | Optional policy |
    | General | k8scontainerrequests | Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values. | Optional policy |
    | General | k8scontainerratios | Sets a maximum ratio for container resource limits to requests. | Optional policy |
    | General | k8srequiredresources | Requires containers to have defined resources set. | Optional policy |
    | General | k8sdisallowanonymous | Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group. | Optional policy |
    | General | k8sdisallowedtags | Requires container images to have an image tag different from the ones in the specified list. | Optional policy |
    | General | k8sexternalips | Restricts Service externalIPs to an allowed list of IP addresses. | Optional policy |
    | General | k8simagedigests | Requires container images to contain a digest. | Optional policy |
    | General | noupdateserviceaccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | Optional policy |
    | General | k8sreplicalimits | Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. | Optional policy |
    | General | k8srequiredannotations | Requires resources to contain specified annotations, with values matching provided regular expressions. | Optional policy |
    | General | k8srequiredlabels | Requires resources to contain specified labels, with values matching provided regular expressions. | Optional policy |
    | General | k8srequiredprobes | Requires Pods to have readiness and/or liveness probes. | Optional policy |
    | Pod Security Policy | k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspapparmor | Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspcapabilities | Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspflexvolumes | Controls the allow-list of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspforbiddensysctls | Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden. | Optional policy |
    | Pod Security Policy | k8spspfsgroup | Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spsphostfilesystem | Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spsphostnamespace | Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spsphostnetworkingports | Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspprivilegedcontainer | Controls the ability of any container to enable privileged mode. | Optional policy |
    | Pod Security Policy | k8spspprocmount | Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | Optional policy |
    | Pod Security Policy | k8spspreadonlyrootfilesystem | Requires the use of a read-only root file system by pod containers. | Optional policy |
    | Pod Security Policy | k8spspseccomp | Controls the seccomp profile used by containers. | Optional policy |
    | Pod Security Policy | k8spspselinuxv2 | Defines an allow-list of seLinuxOptions configurations for pod containers. | Optional policy |
    | Pod Security Policy | k8spspallowedusers | Controls the user and group IDs of the container and some volumes. | Optional policy |
    | Pod Security Policy | k8spspvolumetypes | Restricts mountable volume types to those specified by the user. | Optional policy |

    Operation Description

    Enabling/Disabling Policy

    1. Log in to the TKE console, and select Cluster in the left sidebar.
    2. On the cluster management page, select the target cluster ID to enter the basic information page for the cluster.
    3. Select Policy Management from the left navigation bar to enter the policy management page, select a policy, and click Enable/Disable. Disabling a policy requires a second confirmation, while enabling it does not. See below:
    

    Verifying Policy Effect

    Taking the cluster deletion policy as an example, create a TKE standard cluster and verify whether a deletion request will be intercepted when there are nodes in the cluster.
    1. Create a TKE standard cluster with nodes. For detailed steps, see Create Cluster.
    2. Initiate a cluster deletion request, either through the console or through the API.
    Delete via console:
    1. Delete the cluster. For detailed steps, see Delete Cluster.
    2. A window prompt indicates that the nodes must be removed before you can proceed with cluster deletion. See below:
    
    Delete through API:
    1. Delete the cluster through the API. For how to call the API, see the API document Delete Cluster.
    2. The API call fails, and the returned error message includes the list of nodes that still exist in the cluster. See below:
    
    3. On the Policy Management page, click the number of related events to view the interception event information. See below:
    