Tencent Kubernetes Engine
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Vulnerability Fix Description
- Release Notes
- Kubernetes Version Maintenance
- Runtime Version Maintenance Description
- Product Introduction
- Quick Start
- TKE General Cluster Guide
- Purchase a TKE General Cluster
- Permission Management
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Cluster Management
- Images
- Worker node introduction
- Normal Node Management
- Native Node Management
- Purchasing Native Nodes
- Supernode management
- Purchasing a Super Node
- Registered Node Management
- Memory Compression Instructions
- GPU Share
- qGPU Online/Offline Hybrid Deployment
- Kubernetes Object Management
- Workload
- Configuration
- Auto Scaling
- Service Management
- Ingress Management
- CLB Type Ingress
- API Gateway Type Ingress
- Storage Management
- Use File to Store CFS
- Use Cloud Disk CBS
- Add-On Management
- CBS-CSI Description
- Network Management
- GlobalRouter Mode
- VPC-CNI Mode
- Static IP Address Mode Instructions
- Cilium-Overlay Mode
- OPS Center
- Audit Management
- Event Management
- Monitoring Management
- Log Management
- Using CRD to Configure Log Collection
- Backup Center
- TKE Serverless Cluster Guide
- Purchasing a TKE Serverless Cluster
- TKE Serverless Cluster Management
- Super Node Management
- Kubernetes Object Management
- OPS Center
- Log Collection
- Using a CRD to Configure Log Collection
- Audit Management
- Event Management
- TKE Registered Cluster Guide
- Registered Cluster Management
- Ops Guide
- TKE Insight
- TKE Scheduling
- Job Scheduling
- Native Node Dedicated Scheduler
- Cloud Native Service Guide
- Cloud Service for etcd
- Version Maintenance
- Cluster Troubleshooting
- Practical Tutorial
- Cluster
- Serverless Cluster
- Mastering Deep Learning in Serverless Cluster
- Scheduling
- Security
- Service Deployment
- Proper Use of Node Resources
- Network
- DNS
- Self-Built Nginx Ingress Practice Tutorial
- Logs
- Monitoring
- OPS
- DevOps
- Construction and Deployment of Jenkins Public Network Framework Appications based on TKE
- Auto Scaling
- KEDA
- Containerization
- Microservice
- Cost Management
- Hybrid Cloud
- Fault Handling
- Pod Status Exception and Handling
- Pod exception troubleshooter
- API Documentation
- Making API Requests
- Elastic Cluster APIs
- Resource Reserved Coupon APIs
- Cluster APIs
- Third-party Node APIs
- Network APIs
- Node APIs
- Node Pool APIs
- TKE Edge Cluster APIs
- Cloud Native Monitoring APIs
- Super Node APIs
- TKE API 2022-05-01
- Making API Requests
- Node Pool APIs
- FAQs
- TKE General Cluster
- TKE Serverless Cluster
- About OPS
- Service Agreement
- User Guide(Old)
Policy Management
Last updated: 2024-05-08 09:58:32
Overview
Native Kubernetes has a cascade deletion mechanism. If a resource is deleted, other related resources will be automatically deleted. For example, when a namespace is deleted, all the related resources such as pods, services, and ConfigMaps under this namespace will be deleted accordingly, which may cause business disruption.
To solve this problem, TKE provides the policy management module implemented by the Gatekeeper based on the Open Policy Agent (OPA). This function helps you define and execute consistent policies in multiple clusters to gain a serious safe and reliable system.
Policy Description
Policy Classification
Cluster deletion protection: It is not allowed to delete a cluster that still contains working nodes.
Cluster resource deletion protection: It is not allowed to delete the cluster scoped or namespace scoped Kubernetes resource that may cause cascading deletion for other system resources.
Support Boundary
Cluster deletion protection policy: It supports all versions of TKE standard clusters and TKE serverless clusters, but does not support registered clusters and edge clusters.
Cluster resource deletion protection policy: It support kubernetes version 1.16 and later for both TKE standard clusters and TKE serverless clusters, but does not support registered clusters and edge clusters.
Policy Type
Baseline policy: It is mandatory and cannot be disabled.
Preferred policy: It is enabled by default, but can be disabled by the user.
Optional policy: It is disabled by default, but can be enabled by the user.
Policy Library
TKE Policy
Classification | Policy Name | Policy Description | Policy Type |
Cluster policy | If there are nodes in the cluster, the cluster cannot be deleted. | If there are regular nodes, native nodes, or registered nodes in the cluster, the nodes must be eliminated before the cluster can be deleted. | Baseline policy |
Namespace policy | If there are workloads, services and routes, or storage objects under the namespace, the namespace cannot be deleted. | If there are pods, services, ingresses, and PVCs within the namespace, clear the aforementioned resources before deleting the namespace. | Preferred policy |
Configuration-related policy | Disallow deletion if a CRD has associated CR resources | If a CRD defines CR resources, the CR resources must be deleted first before the CRD can be deleted. | Preferred policy |
OPA Standard Library Policy
Type | Policy Name | Policy Description | Policy Type |
General | k8sallowedrepos | Requires container images to begin with a string from the specified list. | Optional Policy |
General | k8spspautomountserviceaccounttokenpod | Controls the ability of any Pod to enable automountServiceAccountToken. | Optional Policy |
General | k8sblockendpointeditdefaultrole | Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. | Optional Policy |
General | k8sblockloadbalancer | Disallows all Services with type LoadBalancer. | Optional Policy |
General | k8sblocknodeport | Disallows all Services with type NodePort. | Optional Policy |
General | k8sblockwildcardingress | Users should not be able to create Ingresses with a blank or wildcard (*) hostname since that would enable them to intercept traffic for other services in the cluster, even if they don't have access to those services. | Optional Policy |
General | k8scontainerlimits | Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. | Optional Policy |
General | k8scontainerrequests | Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values. | Optional Policy |
General | k8scontainerratios | Sets a maximum ratio for container resource limits to requests. | Optional Policy |
General | k8srequiredresources | Requires containers to have defined resources set. | Optional Policy |
General | k8sdisallowanonymous | Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group. | Optional Policy |
General | k8sdisallowedtags | Requires container images to have an image tag different from the ones in the specified list. | Optional Policy |
General | k8sexternalips | Restricts Service externalIPs to an allowed list of IP addresses. | Optional Policy |
General | k8simagedigests | Requires container images to contain a digest. | Optional Policy |
General | noupdateserviceaccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | Optional Policy |
General | k8sreplicalimits | Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. | Optional Policy |
General | k8srequiredannotations | Requires resources to contain specified annotations, with values matching provided regular expressions. | Optional Policy |
General | k8srequiredlabels | Requires resources to contain specified labels, with values matching provided regular expressions. | Optional Policy |
General | k8srequiredprobes | Requires Pods to have readiness and/or liveness probes. | Optional Policy |
Pod Security Policy | k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spspapparmor | Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spspcapabilities | Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spspflexvolumes | Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spspforbiddensysctls | Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden. | Optional Policy |
Pod Security Policy | k8spspfsgroup | Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spsphostfilesystem | Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spsphostnamespace | Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spsphostnetworkingports | Controls usage of host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spspprivilegedcontainer | Controls the ability of any container to enable privileged mode. | Optional Policy |
Pod Security Policy | k8spspprocmount | Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | Optional Policy |
Pod Security Policy | k8spspreadonlyrootfilesystem | Requires the use of a read-only root file system by pod containers. | Optional Policy |
Pod Security Policy | k8spspseccomp | Controls the seccomp profile used by containers. | Optional Policy |
Pod Security Policy | k8spspselinuxv2 | Defines an allow-list of seLinuxOptions configurations for pod containers. | Optional Policy |
Pod Security Policy | k8spspallowedusers | Controls the user and group IDs of the container and some volumes. | Optional Policy |
Pod Security Policy | k8spspvolumetypes | Restricts mountable volume types to those specified by the user. | Optional Policy |
Operation Description
Enabling/Disabling Policy
1. Log in to the TKE console, and select Cluster in the left sidebar.
2. On the cluster management page, select the target cluster ID to enter the basic information page for the cluster.
3. Select Policy Management from the left navigation bar to enter the policy management page, select a policy, and click Enable/Disable. Disabling a policy requires a second confirmation, while enabling it does not. See below:
Verifying Policy Effect
Taking the cluster deletion policy as an example, create a TKE standard cluster and verify whether a deletion request will be intercepted when there are nodes in the cluster.
1. Create a TKE standard cluster with nodes. For detailed steps, see Create Cluster.
2. Initiate a cluster deletion request.
1. Delete the cluster. For detailed steps, see Delete Cluster.
2. A window prompt indicates that nodes must be removed before you proceed with cluster deletion. See below:
1. Delete the cluster through API. For how to call the API, see the API document Delete Cluster.
2. Calling the API to delete the cluster failed. The error message returned includes a list of existing nodes in the cluster. See below:
3. On the Policy Management page, click the number of related events to view the interception event information. See below:
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No