| Type | Policy Name | Policy Description | Policy Category |
| --- | --- | --- | --- |
| Cluster policy | A cluster that still has nodes cannot be deleted. | If the cluster contains regular nodes, native nodes, or registered nodes, take the nodes offline first and then delete the cluster. | Baseline policy |
| Namespace policy | A namespace that still contains workloads, Services and Ingresses, or storage objects cannot be deleted. | If the namespace contains Pods, Services, Ingresses, or PVCs, remove those resources first and then delete the Namespace. | Preferred policy |
| Configuration policy | A CRD that still has associated CR resources cannot be deleted. | A CRD defines CR resources; delete the CR resources first and then delete the CRD. | Preferred policy |
| Type | Policy Name | Policy Description | Policy Category |
| --- | --- | --- | --- |
| General | k8sallowedrepos | Requires container images to begin with a string from the specified list. | Optional policy |
| General | k8spspautomountserviceaccounttokenpod | Controls the ability of any Pod to enable automountServiceAccountToken. | Optional policy |
| General | k8sblockendpointeditdefaultrole | Many Kubernetes installations by default have a system:aggregate-to-edit ClusterRole which does not properly restrict access to editing Endpoints. This ConstraintTemplate forbids the system:aggregate-to-edit ClusterRole from granting permission to create/patch/update Endpoints. | Optional policy |
| General | k8sblockloadbalancer | Disallows all Services with type LoadBalancer. | Optional policy |
| General | k8sblocknodeport | Disallows all Services with type NodePort. | Optional policy |
| General | k8sblockwildcardingress | Users should not be able to create Ingresses with a blank or wildcard (*) hostname, since that would enable them to intercept traffic for other services in the cluster even if they don't have access to those services. | Optional policy |
| General | k8scontainerlimits | Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values. | Optional policy |
| General | k8scontainerrequests | Requires containers to have memory and CPU requests set and constrains requests to be within the specified maximum values. | Optional policy |
| General | k8scontainerratios | Sets a maximum ratio for container resource limits to requests. | Optional policy |
| General | k8srequiredresources | Requires containers to have defined resources set. | Optional policy |
| General | k8sdisallowanonymous | Disallows associating ClusterRole and Role resources to the system:anonymous user and system:unauthenticated group. | Optional policy |
| General | k8sdisallowedtags | Requires container images to have an image tag different from the ones in the specified list. | Optional policy |
| General | k8sexternalips | Restricts Service externalIPs to an allowed list of IP addresses. | Optional policy |
| General | k8simagedigests | Requires container images to contain a digest. | Optional policy |
| General | noupdateserviceaccount | Blocks updating the service account on resources that abstract over Pods. This policy is ignored in audit mode. | Optional policy |
| General | k8sreplicalimits | Requires that objects with the field spec.replicas (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. | Optional policy |
| General | k8srequiredannotations | Requires resources to contain specified annotations, with values matching provided regular expressions. | Optional policy |
| General | k8srequiredlabels | Requires resources to contain specified labels, with values matching provided regular expressions. | Optional policy |
| General | k8srequiredprobes | Requires Pods to have readiness and/or liveness probes. | Optional policy |
| Pod Security Policy | k8spspallowprivilegeescalationcontainer | Controls restricting escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spspapparmor | Configures an allow-list of AppArmor profiles for use by containers. This corresponds to specific annotations applied to a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spspcapabilities | Controls Linux capabilities on containers. Corresponds to the allowedCapabilities and requiredDropCapabilities fields in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spspflexvolumes | Controls the allowlist of FlexVolume drivers. Corresponds to the allowedFlexVolumes field in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spspforbiddensysctls | Controls the sysctl profile used by containers. Corresponds to the allowedUnsafeSysctls and forbiddenSysctls fields in a PodSecurityPolicy. When specified, any sysctl not in the allowedSysctls parameter is considered to be forbidden. | Optional policy |
| Pod Security Policy | k8spspfsgroup | Controls allocating an FSGroup that owns the Pod's volumes. Corresponds to the fsGroup field in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spsphostfilesystem | Controls usage of the host filesystem. Corresponds to the allowedHostPaths field in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spsphostnamespace | Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spsphostnetworkingports | Controls usage of the host network namespace by pod containers. Specific ports must be specified. Corresponds to the hostNetwork and hostPorts fields in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spspprivilegedcontainer | Controls the ability of any container to enable privileged mode. | Optional policy |
| Pod Security Policy | k8spspprocmount | Controls the allowed procMount types for the container. Corresponds to the allowedProcMountTypes field in a PodSecurityPolicy. | Optional policy |
| Pod Security Policy | k8spspreadonlyrootfilesystem | Requires the use of a read-only root file system by pod containers. | Optional policy |
| Pod Security Policy | k8spspseccomp | Controls the seccomp profile used by containers. | Optional policy |
| Pod Security Policy | k8spspselinuxv2 | Defines an allow-list of seLinuxOptions configurations for pod containers. | Optional policy |
| Pod Security Policy | k8spspallowedusers | Controls the user and group IDs of the container and some volumes. | Optional policy |
| Pod Security Policy | k8spspvolumetypes | Restricts mountable volume types to those specified by the user. | Optional policy |