Last updated: 2020-03-24
View a description of the policy samples that are included in your Red Hat Advanced Cluster Management for Kubernetes installation.
- Memory usage policy
- Namespace policy
- Network policy
- Pod nginx policy
- Pod security policy
- Role policy
- Rolebinding policy
Note: You must create a placement policy and placement binding policy to apply your policies to your cluster. For more information, see Red Hat Advanced Cluster Management for Kubernetes policy example.
Apply the limit range policy to limit your memory usage. Your memory usage policy might resemble the following YAML file:

```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-limitrange
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: v1
        kind: LimitRange # limit memory usage
        metadata:
          name: mem-limit-range
        spec:
          limits:
            - default:
                memory: 512Mi
              defaultRequest:
                memory: 256Mi
              type: Container
```

Complete the following steps to apply the memory usage policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Governance and risk.
- Click Create policy.
- Select Limitrange from the Specifications field.
Apply the namespace policy to define specific rules for your namespace. Your namespace policy might resemble the following YAML file:

```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-namespace-1
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  object-templates:
    - complianceType: musthave
      objectDefinition:
        kind: Namespace # must have namespace 'prod'
        apiVersion: v1
        metadata:
          name: prod
```

Complete the following steps to apply the namespace policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Governance and risk.
- Click Create policy.
- Select Namespace from the Specifications field.
Apply the network policy to define which network requests to deny. For more information about network policies, see Network Policy in the Kubernetes documentation.
Your network policy might resemble the following YAML file:

```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-networkpolicy
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  object-templates:
    - complianceType: musthave
      objectDefinition:
        kind: NetworkPolicy # deny network request
        apiVersion: networking.k8s.io/v1
        metadata:
          name: deny-from-other-namespaces
        spec:
          podSelector:
            matchLabels:
          ingress:
            - from:
                - podSelector: {} # accept ingress from all pods within this namespace only
```

Complete the following steps to apply the network policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Govern risk.
- Click Create policy.
- Select Networkpolicy from the Specifications field.
Apply the pod policy to define the container rules for your pods. An nginx pod must exist in your cluster. Your pod nginx policy might resemble the following YAML file:
```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-pod
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: v1
        kind: Pod # nginx pod must exist
        metadata:
          name: nginx-pod
        spec:
          containers:
            - image: nginx:1.7.9
              name: nginx
              ports:
                - containerPort: 80
```

Complete the following steps to apply the pod policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Govern risk.
- Click Create policy.
- Select Pod from the Specifications field.
Apply a pod security policy to secure pods and containers. For more information, see Pod Security Policies in the Kubernetes documentation.
Your pod security policy might resemble the following YAML file:
```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-podsecuritypolicy
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  object-templates:
    - complianceType: musthave
      objectDefinition:
        apiVersion: policy/v1beta1
        kind: PodSecurityPolicy # no privileged pods
        metadata:
          name: restricted-mcm
          annotations:
            seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
        spec:
          privileged: false # no privileged pods
          allowPrivilegeEscalation: false
          allowedCapabilities:
            - '*'
          volumes:
            - '*'
          hostNetwork: true
          hostPorts:
            - min: 1000 # ports < 1000 are reserved
              max: 65535
          hostIPC: false
          hostPID: false
          runAsUser:
            rule: 'RunAsAny'
          seLinux:
            rule: 'RunAsAny'
          supplementalGroups:
            rule: 'RunAsAny'
          fsGroup:
            rule: 'RunAsAny'
```

Complete the following steps to apply the pod security policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Govern risk.
- Click Create policy.
- Select Podsecuritypolicy from the Specifications field.
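As an added example (not Red Hat's or Kubernetes' code), the following Python models the admission decision that the fields of the sample PodSecurityPolicy above imply, and runs it against two constructed pod specs; the PSP values are copied from the sample, the pod specs are invented for the demonstration.

```python
# Added example (not Red Hat's or Kubernetes' code): a minimal model of the
# checks PodSecurityPolicy admission makes for the fields used in the sample
# above, run against two constructed pod specs.
PSP_SPEC = {  # values copied from the sample's PodSecurityPolicy spec
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "allowedCapabilities": ["*"],
    "hostNetwork": True,
    "hostPorts": [{"min": 1000, "max": 65535}],
    "hostIPC": False,
    "hostPID": False,
}

def psp_violations(psp, pod_spec):
    """Return the reasons pod_spec would be rejected by psp ([] means admitted)."""
    reasons = []
    for field in ("hostNetwork", "hostIPC", "hostPID"):
        if pod_spec.get(field) and not psp.get(field):
            reasons.append(f"{field} not allowed")
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged") and not psp["privileged"]:
            reasons.append(f"{name}: privileged container")
        # an unset allowPrivilegeEscalation is defaulted to false by this PSP, so only an explicit true fails
        if sc.get("allowPrivilegeEscalation") is True and not psp["allowPrivilegeEscalation"]:
            reasons.append(f"{name}: allowPrivilegeEscalation not allowed")
        allowed = psp.get("allowedCapabilities", [])
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in allowed and cap not in allowed:
                reasons.append(f"{name}: capability {cap} not allowed")
        for p in c.get("ports", []):
            hp = p.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"]
                                          for r in psp.get("hostPorts", [])):
                reasons.append(f"{name}: hostPort {hp} outside allowed ranges")
    return reasons

HOST_NET_POD = {  # constructed: joins the host network and adds CAP_NET_ADMIN
    "hostNetwork": True,
    "containers": [{"name": "probe",
                    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
                    "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
}
PRIV_POD = {  # constructed: privileged container on a reserved host port, sharing host PID
    "hostPID": True,
    "containers": [{"name": "agent", "securityContext": {"privileged": True},
                    "ports": [{"containerPort": 80, "hostPort": 80}]}],
}
```

`psp_violations(PSP_SPEC, HOST_NET_POD)` returns `[]`: because the sample allows `hostNetwork: true` and any capability, a host-networked pod with added capabilities is admitted, so tighten those two fields if that is not what you intend. `PRIV_POD` is rejected on three counts: host PID, the privileged container and the reserved host port.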
Apply a role policy to set rules and permissions for specific roles in your cluster. For more information on roles, see Role-based access control (RBAC). Your role policy might resemble the following YAML file:
```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-role
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  role-templates:
    - apiVersion: roletemplate.mcm.ibm.com/v1alpha1 # role must follow defined permissions
      metadata:
        namespace: "" # will be inferred
        name: operator-role-policy
      selector:
        matchLabels:
          dev: "true"
      complianceType: musthave # at this level, the role must exist with the rules listed below
      rules:
        - complianceType: musthave # at this level, if the role exists, this rule is a musthave
          policyRule:
            apiGroups: ["extensions", "apps"]
            resources: ["deployments"]
            verbs: ["get", "list", "watch", "create", "delete", "patch"]
        - complianceType: "mustnothave" # at this level, if the role exists, this rule is a mustnothave
          policyRule:
            apiGroups: [""] # the core API group is "" in RBAC, not "core"
            resources: ["secrets"]
            verbs: ["get", "list", "watch", "delete", "create", "update", "patch"]
```

Complete the following steps to apply the role policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Govern risk.
- Click Create policy.
- Select Role from the Specifications field.
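As an added example (not the product's role-template controller), the Python below checks a Role's RBAC rules against the two rules of the role template above: the musthave rule is read strictly, so every apiGroup/resource/verb combination it lists must be granted, the mustnothave rule fails if any of its combinations is granted, and `*` is treated as a wildcard the way RBAC does. The mustnothave rule targets the core API group, which RBAC names `""`; the three Role rule sets are constructed for the demonstration.

```python
# Added example (not the product's controller): checks a Role's RBAC rules
# against the two rules of the role template above. "*" is a wildcard, as in
# RBAC; the musthave rule requires every apiGroup/resource/verb combination.
MUSTHAVE = {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
            "verbs": ["get", "list", "watch", "create", "delete", "patch"]}
MUSTNOTHAVE = {"apiGroups": [""], "resources": ["secrets"],  # "" is the core group
               "verbs": ["get", "list", "watch", "delete", "create", "update", "patch"]}

def _covers(values, wanted):
    return "*" in values or wanted in values

def granted(role_rules, group, resource, verb):
    """True if any rule in role_rules allows verb on resource in group."""
    return any(_covers(r.get("apiGroups", []), group)
               and _covers(r.get("resources", []), resource)
               and _covers(r.get("verbs", []), verb) for r in role_rules)

def triples(policy_rule):
    """Expand a policyRule into its (group, resource, verb) combinations."""
    return [(g, res, v) for g in policy_rule["apiGroups"]
            for res in policy_rule["resources"] for v in policy_rule["verbs"]]

def check_role(role_rules):
    """Return (musthave triples the role lacks, mustnothave triples it grants);
    the role is compliant only when both lists are empty."""
    missing = [t for t in triples(MUSTHAVE) if not granted(role_rules, *t)]
    forbidden = [t for t in triples(MUSTNOTHAVE) if granted(role_rules, *t)]
    return missing, forbidden

# Constructed Role rule sets, not taken from the page.
OPERATOR_ROLE = [  # grants exactly the deployment verbs, plus read-only pods
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "delete", "patch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
]
READONLY_ROLE = [  # lacks create/delete/patch and the extensions group entirely
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch"]},
]
WILDCARD_ROLE = [  # a catch-all role that also reaches secrets
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]
```

`check_role(WILDCARD_ROLE)` reports no missing permissions but all seven forbidden secret verbs, which is the case the mustnothave rule exists to catch: a role that satisfies the musthave rule by being over-broad is still noncompliant.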
Apply a role binding policy to require that a role binding, which binds a role to subjects in a namespace, exists in your cluster. Your role binding policy might resemble the following YAML file:
```yaml
apiVersion: policy.mcm.ibm.com/v1alpha1
kind: Policy
metadata:
  name: policy-rolebinding
  namespace: mcm
spec:
  complianceType: musthave
  remediationAction: inform
  namespaces:
    exclude: ["kube-*"]
    include: ["default"]
  object-templates:
    - complianceType: musthave
      objectDefinition:
        kind: RoleBinding # role binding must exist
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: operate-pods-rolebinding
        subjects:
          - kind: User
            name: admin # Name is case sensitive
            apiGroup: rbac.authorization.k8s.io
        roleRef:
          kind: Role # this must be Role or ClusterRole
          name: operator # this must match the name of the Role or ClusterRole you wish to bind to
          apiGroup: rbac.authorization.k8s.io
```

Complete the following steps to apply the role binding policy from the console:
- Log in to your Red Hat Advanced Cluster Management for Kubernetes console.
- From the navigation menu, click Govern risk.
- Click Create policy.
- Select Rolebinding from the Specifications field.
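The memory usage, namespace, network, pod and role binding samples on this page all share one shape: a `namespaces` include/exclude selector and a list of `object-templates`, each marked `musthave` or `mustnothave`. As an added example (not the product's controller), the Python below evaluates that shape against a snapshot of cluster objects, using the role binding sample's selector and objectDefinition; it assumes the include/exclude patterns are matched as shell-style globs, and the cluster snapshot is constructed.

```python
from fnmatch import fnmatch
# Added example (not the product's controller): evaluates object-templates
# against a snapshot of cluster objects, using the role binding sample above.
# Namespace include/exclude patterns are matched as globs (an assumption).
POLICY = {"spec": {
    "namespaces": {"exclude": ["kube-*"], "include": ["default"]},
    "object-templates": [{"complianceType": "musthave", "objectDefinition": {
        "kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "operate-pods-rolebinding"},
        "subjects": [{"kind": "User", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "Role", "name": "operator", "apiGroup": "rbac.authorization.k8s.io"}}}]}}

def selected_namespaces(policy, namespaces):
    """Namespaces matching an include pattern and no exclude pattern."""
    sel = policy["spec"]["namespaces"]
    return [ns for ns in namespaces
            if any(fnmatch(ns, p) for p in sel.get("include", []))
            and not any(fnmatch(ns, p) for p in sel.get("exclude", []))]

def matches(template, obj):
    """Every field of template is present in obj with the same value; extra fields in obj are ignored."""
    if isinstance(template, dict):
        return isinstance(obj, dict) and all(
            k in obj and matches(v, obj[k]) for k, v in template.items())
    if isinstance(template, list):
        return isinstance(obj, list) and all(
            any(matches(t, o) for o in obj) for t in template)
    return template == obj

def evaluate(policy, cluster):
    """cluster: {namespace: [objects]} -> {namespace: {object name: compliant}}."""
    report = {}
    for ns in selected_namespaces(policy, cluster):
        report[ns] = {}
        for tmpl in policy["spec"]["object-templates"]:
            want = tmpl["objectDefinition"]
            found = any(matches(want, o) for o in cluster[ns])
            musthave = tmpl["complianceType"] == "musthave"
            report[ns][want["metadata"]["name"]] = found if musthave else not found
    return report

# Constructed snapshot: the binding exists by name but has drifted to
# cluster-admin, so the musthave template must report noncompliance.
DRIFTED = {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
           "metadata": {"name": "operate-pods-rolebinding", "namespace": "default"},
           "subjects": [{"kind": "User", "name": "admin", "apiGroup": "rbac.authorization.k8s.io"}],
           "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}}
CLUSTER = {"default": [DRIFTED], "kube-system": [], "prod": []}
```

`evaluate(POLICY, CLUSTER)` reports `default` as noncompliant even though an object with the right name exists, because `musthave` compares every field of the objectDefinition, not just the name; `kube-system` and `prod` are never evaluated because the selector excludes `kube-*` and only includes `default`.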
See Red Hat Advanced Cluster Management for Kubernetes Governance and risk for more information about policies.