Question
Context: A PodSecurityPolicy shall prevent the creation of privileged Pods in a specific namespace.
Task: Create a new PodSecurityPolicy named prevent-psp-policy, which prevents the creation of privileged Pods. Create a new ClusterRole named restrict-access-role, which uses the newly created PodSecurityPolicy prevent-psp-policy. Create a new ServiceAccount named psp-denial-sa in the existing namespace development. Finally, create a new ClusterRoleBinding named deny-access-bind, which binds the newly created ClusterRole restrict-access-role to the newly created ServiceAccount psp-denial-sa.
- Create a new PodSecurityPolicy named prevent-psp-policy that prevents the creation of privileged containers.
- Create a new ClusterRole named restrict-access-role that uses prevent-psp-policy.
- Create a new ServiceAccount named psp-denial-sa in the existing namespace development.
- Create a new ClusterRoleBinding named deny-access-bind that binds restrict-access-role to psp-denial-sa.
Environment setup
1. Enable PSP
vim /etc/kubernetes/manifests/kube-apiserver.yaml    # add PodSecurityPolicy to the --enable-admission-plugins list
systemctl restart kubelet
2. Create the namespace
kubectl create ns development
namespace/development created
Solution
Task 1
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: prevent-psp-policy
spec:
  privileged: false  # Do not allow privileged Pods!
  # The rest only fills in the required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'
Task 2
Command
kubectl create clusterrole restrict-access-role --verb=use --resource=psp --resource-name=prevent-psp-policy
Or use a YAML file
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restrict-access-role
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - prevent-psp-policy
Task 3
kubectl create sa psp-denial-sa -n development
Task 4
# A ClusterRoleBinding is cluster-scoped, so the -n development flag has no effect here; the namespace that matters is the development: prefix in --serviceaccount.
kubectl create clusterrolebinding deny-access-bind --clusterrole=restrict-access-role --serviceaccount=development:psp-denial-sa -n development
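The four tasks above create the objects but never show that the policy actually bites. The manifest below is an added example, not part of the original write-up: it gives the declarative form of Task 3 and Task 4 (the page only shows the kubectl one-liners) and adds two constructed test Pods in the development namespace, one privileged and one not, to confirm the admission decision. It assumes the PSP from Task 1 and the ClusterRole from Task 2 already exist and that the PodSecurityPolicy admission plugin is enabled as in the environment setup; the Pod names psp-test-privileged and psp-test-ok are placeholders chosen here.

```yaml
# Declarative equivalents of Task 3 and Task 4 (added example, not from the page).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: psp-denial-sa
  namespace: development
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deny-access-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: restrict-access-role
subjects:
- kind: ServiceAccount
  name: psp-denial-sa
  namespace: development
---
# Constructed test Pod 1: privileged. Expected outcome: the API server refuses
# to create it with a PodSecurityPolicy "unable to admit pod" error, because
# prevent-psp-policy sets privileged: false and no PSP allows privileged Pods.
apiVersion: v1
kind: Pod
metadata:
  name: psp-test-privileged
  namespace: development
spec:
  serviceAccountName: psp-denial-sa
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
    securityContext:
      privileged: true
---
# Constructed test Pod 2: unprivileged. Expected outcome: admitted, and
# kubectl describe pod shows the annotation
# kubernetes.io/psp: prevent-psp-policy, i.e. the Pod was validated
# against the policy the service account is allowed to use.
apiVersion: v1
kind: Pod
metadata:
  name: psp-test-ok
  namespace: development
spec:
  serviceAccountName: psp-denial-sa
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
```

Apply it with kubectl apply -f and compare the two results. Before that, kubectl auth can-i use podsecuritypolicies/prevent-psp-policy --as=system:serviceaccount:development:psp-denial-sa should answer yes, which checks the RBAC half (Task 2 and Task 4) on its own. One caveat when reading the result: PSP admission succeeds if any PSP usable by the requesting user or by the Pod's service account accepts the Pod, so in a cluster that also carries a permissive PSP bound to all authenticated users, the privileged test Pod may still be admitted; in the bare exam environment, where prevent-psp-policy is the only PSP, it is rejected regardless of who submits it.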
Result screenshot
You can see a Warning in the output: PSP no longer exists after version 1.25, so this exam question may change later.
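Since PodSecurityPolicy was removed in Kubernetes 1.25, the built-in replacement for "no privileged Pods in this namespace" is Pod Security Admission, configured with labels on the namespace. The manifest below is an added example, not from the original page, showing the equivalent of Task 1 for a 1.25+ cluster; it assumes the development namespace from the environment setup, and the warn/audit levels are a choice made here, not something the exam text asks for.

```yaml
# Pod Security Admission equivalent of prevent-psp-policy (added example).
# The baseline profile forbids privileged containers, hostPID/hostNetwork,
# and similar escapes; enforce rejects violating Pods at admission time.
# warn and audit are set one level stricter so that Pods which would fail
# the restricted profile produce a client warning and an audit annotation
# without being blocked.
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
# For an existing namespace the same thing as a one-liner:
#   kubectl label --overwrite ns development pod-security.kubernetes.io/enforce=baseline
# A privileged Pod submitted afterwards is rejected with a message that it
# violates PodSecurity "baseline:latest"; the psp-test-ok Pod above is admitted.
```

Two differences from the PSP version matter in practice. Pod Security Admission is scoped by namespace, not by who creates the Pod, so there is no ClusterRole, ServiceAccount or ClusterRoleBinding to wire up (Tasks 2 to 4 have no equivalent), and it cannot be bypassed by a subject that happens to be able to "use" a looser policy. Conversely, it only offers the three fixed profiles; anything finer, such as allowing one specific capability, needs an external admission controller.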