title: Desktop Pod Security Policies | abcdesktop.io description: Configure abcdesktop.io desktop pod security policies: network interface management, NFS volume options, and Kubernetes security context settings. keywords: security policy, network, NFS, ReadOnly, Kubernetes, desktop pod, abcdesktop, security tags: - desktop - security - policies
desktop.policies
The desktop.policies configuration defines rules for attaching additional volumes and network interfaces to user pods. Each rule matches a label value.
If a user is assigned the label 'hello', then volumes['hello'] and network['hello'] are applied to that user's pod.
volumesdefines additional volumes to be mounted in the pod-
for example, mounting an NFS share for all members of a group
-
networkdefines additional network interfaces and command hooks for a pod - Add a new network interface to a pod
- Run commands to update DNS entries for a pod (on creation or deletion)
volumes
volumes is a dictionary of label-keyed lists. Each entry describes the mountPath to be mounted inside the pod and the volume type.
Supported volume types are nfs, hostPath, pvc, and cifs.
desktop.policies: {
'rules': {
'volumes':
{ 'shipcrew': [
{ 'type': 'hostPath',
'name': 'mntmyproject',
'path': '/mnt/sharedhost',
'mountPath': '/mnt/testmyproject'
}
] } } }
If the user is assigned the
shipcrewlabel, the mount point/mnt/testmyprojectis added as ahostPathvolume mapped to/mnt/sharedhostin the pod.
volume type nfs
desktop.policies: {
'rules': {
'volumes': {
'nfsisostore': [
{ 'type': 'nfs',
'name': 'isostore',
'server': '192.168.7.112',
'path': '/volume1/isostore',
'mountPath': '/mnt/iso'
} ]
} } }
If the user is assigned the
nfsisostorelabel, the mount point/mnt/isois added to the pod as an NFS mount targeting192.168.7.112:/volume1/isostore.
Requirements
type:nfsname(string) is the name of the volumemountPath(string) is the mountPath of the volumeserver(string) is the NFS server hostname or IP addresspath(string) is the NFS export path on the server
Options
readOnly(boolean) whether the mount should be read-only
volume type hostPath
desktop.policies: {
'rules': {
'volumes': {
'shipcrew': [
{
'type': 'hostPath',
'name': 'mntmyproject',
'path': '/mnt/sharedhost',
'mountPath': '/mnt/testmyproject'
} ]
} } }
Requirements
type:hostPathname(string) is the name of the volumemountPath(string) is the mountPath of the volumepath(string) is the absolute path on the host node
If the user is assigned the
shipcrewlabel, the mount point/mnt/testmyprojectis added to the pod as ahostPathvolume mapped to/mnt/sharedhost.
volume type pvc
desktop.policies: {
'rules': {
'volumes': {
'nfspvc': [ {
'type': 'pvc',
'name': 'pvcstore',
'claimName': 'pvc-store',
'mountPath': '/mnt/newpvcstore'
} ]
} } }
Requirements
type:pvcname(string) is the name of the volumemountPath(string) is the mountPath of the volumeclaimName(string) is the PersistentVolumeClaim name
If the user is assigned the
nfspvclabel, the mount point/mnt/newpvcstoreis added to the pod using the PVC namedpvc-store.
network
desktop.policies: {
'rules': {
'network': {
'shipcrew': {
'webhook': {
'create': 'curl "http://{{ livedns_fqdn }}:8080/update?secret={{ livedns_secret }}&domain=desktop.yourdomain.net&hostname={{ name }}&addr={{ net2 }}"',
'destroy': 'curl "http://{{ livedns_fqdn }}:8080/update?secret={{ livedns_secret }}&domain=desktop.yourdomain.net&hostname={{ name }}&addr={{ net2 }}"'
},
'annotations' : {
'k8s.v1.cni.cncf.io/networks': '[ {"name":"macvlan-conf-7"} ]'
}
}
If the user is assigned the
shipcrewlabel:
- The webhook
createcommand is executed when the pod is created. - The webhook
destroycommand is executed when the pod is deleted. - The
annotationsdictionary is merged into the pod's metadata annotations.
For all fields, template entries in the form {{ VAR }} are replaced with the corresponding runtime value.
- desktop.webhookdict is a dictionary with key/value for
webhookconfiguration
desktop.webhookdict: {
'fw_ip': '1.2.3.4',
'api_key': 'CAFECAFE',
'livedns_secret': 'ThisISMyDesktop',
'livedns_fqdn': 'ns01desktop.yourdomain.net' }
The desktop interfaces are generated during the provisioning process
{
'eth0': {'mac': '56:c7:eb:dc:c0:b8', 'ips': '10.244.0.239' },
'net1': {'mac': '2a:94:43:e0:f4:46', 'ips': '192.168.9.137' },
'net2': {'mac': '1e:50:5f:b7:85:f6', 'ips': '194.3.2.1' }
}
Only the
ipsfield replace the value ofeth0ornet1ornet2. The number of interface is not limited.
For example, the command line
curl "http://{{ livedns_fqdn }}:8080/update?secret={{ livedns_secret }}&domain=desktop.yourdomain.net&hostname={{ name }}&addr={{ net2 }}"
becomes
curl "http://ns01desktop.yourdomain.net:8080/update?secret=ThisISMyDesktop&domain=desktop.yourdomain.net&hostname=pod_fry3241&addr=194.3.2.1"