kubernetes pod podsecurityPolicies
tags: 资源对象,pod
文章目录
1. 简介
Pod Security Policies(PSP)是集群级的 Pod 安全策略,自动为集群内的 Pod 和 Volume 设置 Security Context。
使用 PSP 需要 API Server 开启 extensions/v1beta1/podsecuritypolicy,并且配置 PodSecurityPolicy admission 控制器。
注意: PodSecurityPolicy 自 Kubernetes v1.21 起已弃用,并将在 v1.25 中删除。我们建议迁移到Pod Security Admission或 3rd party admission 插件。有关迁移指南,请参阅从 PodSecurityPolicy 迁移到内置 PodSecurity 准入控制器。有关弃用的更多信息,请参阅PodSecurityPolicy 弃用:过去、现在和未来。
2. API 版本对照表
| Kubernetes 版本 | Extension 版本 |
| v1.5-v1.15 | extensions/v1beta1 |
| v1.10+ | policy/v1beta1 |
3. 支持的控制项
4. 实例
4.1 控制是否允许超出父进程特权
allowPrivilegeEscalation:控制进程是否可以获得超出其父进程的特权。 此布尔值直接控制是否为容器进程设置 no_new_privs标志。 当容器满足一下条件之一时,allowPrivilegeEscalation 总是为 true: 以特权模式运行,或者 具有 CAP_SYS_ADMIN 权能 readOnlyRootFilesystem:以只读方式加载容器的根文件系统。
root@master:~/cks/securitytext# vim /etc/kubernetes/manifests/kube-apiserver.yaml --- - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy --- root@master:~/cks/securitytext# cat psp.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: default spec: allowPrivilegeEscalation: false privileged: false # Don't allow privileged pods! # The rest fills in some required fields. seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny volumes: - '*' root@master:~/cks/securitytext# k create -f psp.yaml podsecuritypolicy.policy/default created root@master:~/cks/securitytext# k create deploy nginx --image=nginx deployment.apps/nginx created root@master:~/cks/securitytext# k get deploy nginx -w NAME READY UP-TO-DATE AVAILABLE AGE nginx 0/1 0 0 22s ^Croot@master:~/cks/securitytext# k run nginx --image=nginx pod/nginx created root@master:~/cks/securitytext# k get pod nginx NAME READY STATUS RESTARTS AGE nginx 1/1 Running 0 44s root@master:~/cks/securitytext# k create role psp-access --verb=use --resource=podsecuritypolicies role.rbac.authorization.k8s.io/psp-access created root@master:~/cks/securitytext# k create rolebinding psp-access --role=psp-access --serviceaccount=default:default rolebinding.rbac.authorization.k8s.io/psp-access created root@master:~/cks/securitytext# k get deploy nginx NAME READY UP-TO-DATE AVAILABLE AGE nginx 0/1 0 0 3m26s root@master:~/cks/securitytext# k delete deploy nginx deployment.apps "nginx" deleted root@master:~/cks/securitytext# k create deploy nginx --image=nginx deployment.apps/nginx created ^Croot@master:~/cks/securitytext# k get deploy nginx NAME READY UP-TO-DATE AVAILABLE AGE nginx 1/1 1 1 20s
allowPrivilegeEscalation设置为rue
root@master:~/cks/securitytext# vim pod.yaml apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: run: pod name: pod spec: # securityContext: # runAsUser: 1000 # runAsGroup: 3000 containers: - command: - sh - -c - sleep 1d image: busybox name: pod resources: {} securityContext: allowPrivilegeEscalation: true dnsPolicy: ClusterFirst restartPolicy: Always status: {} root@master:~/cks/securitytext# k -f pod.yaml create Error from server (Forbidden): error when creating "pod.yaml": pods "pod" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed]
4.2 限制端口
限制容器的 host 端口范围为 8000-8080
apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*'
4.3 限制只允许使用 lvm 和 cifs 等 flexVolume 插件
apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: allow-flex-volumes spec: fsGroup: rule: RunAsAny runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - flexVolume allowedFlexVolumes: - driver: example/lvm - driver: example/cifs
参考:
