| Classification | Policy Name | Policy Description | Policy Type |
| --- | --- | --- | --- |
| Cluster policy | If there are nodes in the cluster, the cluster cannot be deleted. | If the cluster still contains regular nodes, native nodes, or registered nodes, those nodes must be removed before the cluster can be deleted. | Baseline policy |
| Namespace policy | If there are workloads, services and routes, or storage objects under the namespace, the namespace cannot be deleted. | If the namespace still contains pods, services, ingresses, or PVCs, those resources must be cleared before the namespace can be deleted. | Preferred policy |
| Configuration-related policy | Disallow deletion of a CRD that still has associated CR resources. | If CR resources defined by a CRD still exist, those CRs must be deleted before the CRD can be deleted. | Preferred policy |
| Type | Policy Name | Policy Description | Policy Type |
| --- | --- | --- | --- |
| General | k8sallowedrepos | Requires container images to begin with a string from the specified list. | Optional Policy |
| General | k8spspautomountserviceaccounttokenpod | Controls the ability of any Pod to enable automountServiceAccountToken. | Optional Policy |
| General | k8sblockendpointeditdefaultrole | Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. | Optional Policy |
| General | k8sblockloadbalancer | Disallows all Services with type LoadBalancer. | Optional Policy |
| General | k8sblocknodeport | Disallows all Services with type NodePort. | Optional Policy |
| General | k8sblockwildcardingress | Users should not be able to create Ingresses with a blank or wildcard (*) hostname, since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services. | Optional Policy |
| General | k8scontainerlimits | Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. | Optional Policy |
| General | k8scontainerrequests | Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values. | Optional Policy |
| General | k8scontainerratios | Sets a maximum ratio of container resource limits to requests. | Optional Policy |
| General | k8srequiredresources | Requires containers to have the specified resources defined. | Optional Policy |
| General | k8sdisallowanonymous | Disallows binding ClusterRole and Role resources to the system:anonymous user and the system:unauthenticated group. | Optional Policy |
| General | k8sdisallowedtags | Requires container images to have an image tag different from the ones in the specified list. | Optional Policy |
| General | k8sexternalips | Restricts Service externalIPs to an allowed list of IP addresses. | Optional Policy |
| General | k8simagedigests | Requires container images to be referenced by digest. | Optional Policy |
| General | noupdateserviceaccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | Optional Policy |
| General | k8sreplicalimits | Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within the defined ranges. | Optional Policy |
| General | k8srequiredannotations | Requires resources to contain the specified annotations, with values matching the provided regular expressions. | Optional Policy |
| General | k8srequiredlabels | Requires resources to contain the specified labels, with values matching the provided regular expressions. | Optional Policy |
| General | k8srequiredprobes | Requires Pods to have readiness and/or liveness probes. | Optional Policy |
| Pod Security Policy | k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spspapparmor | Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spspcapabilities | Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spspflexvolumes | Controls the allow-list of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spspforbiddensysctls | Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered forbidden. | Optional Policy |
| Pod Security Policy | k8spspfsgroup | Controls allocation of the FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spsphostfilesystem | Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spsphostnamespace | Disallows sharing of the host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spsphostnetworkingports | Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spspprivilegedcontainer | Controls the ability of any container to enable privileged mode. | Optional Policy |
| Pod Security Policy | k8spspprocmount | Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | Optional Policy |
| Pod Security Policy | k8spspreadonlyrootfilesystem | Requires the use of a read-only root filesystem by pod containers. | Optional Policy |
| Pod Security Policy | k8spspseccomp | Controls the seccomp profile used by containers. | Optional Policy |
| Pod Security Policy | k8spspselinuxv2 | Defines an allow-list of seLinuxOptions configurations for pod containers. | Optional Policy |
| Pod Security Policy | k8spspallowedusers | Controls the user and group IDs of the container and some volumes. | Optional Policy |
| Pod Security Policy | k8spspvolumetypes | Restricts mountable volume types to those specified by the user. | Optional Policy |