Reading the k8s Pod security policy

Liusy01 2021-01-20 22:47:20


Reading guide

When a Pod's containers need to obtain resource information from the cluster, a Role and a ServiceAccount must be configured to authorize them. To control more precisely how Pods use resources, Kubernetes introduced the PodSecurityPolicy resource object in version 1.4 to manage Pod security policies.

Pod privileged mode

A process inside a privileged container gets almost the same privileges as a process outside the container. With privileged mode it is easier to write network and volume plugins as separate Pods instead of compiling them into the kubelet.

PodSecurityPolicy

Official definition

A Pod Security Policy is a cluster-level resource that controls the security-related aspects of a Pod specification. A PodSecurityPolicy object defines a set of conditions that a Pod must satisfy at runtime, together with default values for the related fields; only a Pod that meets these conditions is accepted by the system.

A Pod security policy lets administrators control several aspects of Pod security. It consists of settings and policies that control which security features a Pod may use. These settings fall into three categories:

(1) Boolean-based controls: fields of this type default to the most restrictive value.

(2) Controls based on a set of allowed values: the field's value is compared against the set and accepted only if it is a member of it.

(3) Policy-based controls: the value is generated through a mechanism provided by the policy, and that mechanism ensures the value falls within the allowed set.

Enabling it

To enable PodSecurityPolicy, set the following parameter in the kube-apiserver startup arguments:

--enable-admission-plugins=PodSecurityPolicy

Once the PodSecurityPolicy admission controller is enabled, k8s does not allow any Pod to be created by default; a PodSecurityPolicy and an RBAC authorization policy must be created before Pods can be created successfully.

Note: edit the kube-apiserver configuration file /etc/kubernetes/manifests/kube-apiserver.yaml. Because kube-apiserver runs as a static Pod, the change takes effect directly after saving.

By default the parameter is:

--enable-admission-plugins=NodeRestriction

With the plugin enabled and no policy in place, creating a Pod fails with an error.

Creating a PodSecurityPolicy

The following PodSecurityPolicy disallows creating privileged Pods:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-non-privileged
spec:
  privileged: false  # privileged Pods are not allowed
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

List it after creation with:

kubectl get psp
or
kubectl get podsecuritypolicy

Creating the Pod again now succeeds.

The PodSecurityPolicy above disallows privileged Pods. For example, the following YAML file pod-privileged.yaml sets privileged mode on the Pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
    securityContext:
      privileged: true

Creating it reports the following error:

unable to validate against any pod security policy

PodSecurityPolicy configuration details

The following fields can be set in a PodSecurityPolicy object to control the security policies a Pod runs under.

(1) Privileged mode

privileged: whether Pods may run in privileged mode.

(2) Host resources

1. hostPID: whether Pods may share the host's process namespace.

2. hostIPC: whether Pods may share the host's IPC namespace.

3. hostNetwork: whether Pods may share the host's network namespace.

4. hostPorts: whether Pods may use host port numbers. The allowed port ranges are set through hostPortRange entries, each giving the minimum and maximum port number as [min, max].

5. volumes: the Volume types Pods may use; "*" allows any Volume type. It is recommended to allow Pods at least the following types: configMap, emptyDir, downwardAPI, persistentVolumeClaim, secret, projected.

6. allowedHostPaths: the host paths Pods may use through hostPath volumes. The pathPrefix field sets the path prefix and readOnly sets whether the mount must be read-only. For example, to allow Pods to access only host paths prefixed with "/foo" (which includes "/foo", "/foo/", "/foo/bar" and so on):

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: all-hostpath-volumes
spec:
  volumes:
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/foo"
    readOnly: true

7. fsGroup: the range of group IDs allowed to access certain volumes; the rule field can be set to MustRunAs, MayRunAs or RunAsAny.

MustRunAs: a group ID range (for example 1~65535) must be set, and the value of the Pod's securityContext.fsGroup must fall within that range.

MayRunAs: a group ID range (for example 1~65535) must be set, but the Pod is not required to set securityContext.fsGroup.

RunAsAny: no restriction on the group ID range; any group can access the volumes.

8. readOnlyRootFilesystem: requires the container's root filesystem to be read-only.

9. allowedFlexVolumes: for flexVolume storage volumes, the driver types that are allowed, for example:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedflexvolumes
spec:
  volumes:
  - flexVolume
  allowedFlexVolumes:
  - driver: example/lvm
  - driver: example/cifs

(3) User and group settings

1. runAsUser: the range of user IDs the container may run as; rule can be set to MustRunAs, MustRunAsNonRoot or RunAsAny.

MustRunAs: a user ID range must be set, and the value of the Pod's securityContext.runAsUser must fall within that range.

MustRunAsNonRoot: the container must run as a non-root user; the Pod's securityContext.runAsUser must be set to a non-zero user ID, or the image's USER field must set the user ID. It is recommended to also set allowPrivilegeEscalation=false to avoid unnecessary privilege elevation.

RunAsAny: no restriction on the user ID range; any user may run the container.

2. runAsGroup: the range of group IDs the container may run as; can be set to MustRunAs, MustRunAsNonRoot or RunAsAny.

MustRunAs: a group ID range must be set, and the value of the Pod's securityContext.runAsGroup must fall within that range.

MustRunAsNonRoot: the container must run as a non-root group; the Pod's securityContext.runAsUser must be set to a non-zero user ID, or the image's USER field must set the user ID. It is recommended to also set allowPrivilegeEscalation=false to avoid unnecessary privileged operations.

RunAsAny: no restriction on the group ID range; any group may run the container.

3. supplementalGroups: the range of additional group IDs the container may be given; the rule field can be set to MustRunAs, MayRunAs or RunAsAny.

MustRunAs: a group ID range must be set, and the values of the Pod's securityContext.supplementalGroups must fall within that range.

MayRunAs: a group ID range must be set, but the Pod is not required to set securityContext.supplementalGroups.

RunAsAny: no restriction on the group ID range; any supplementalGroups value is accepted.

(4) Privilege escalation settings

1. allowPrivilegeEscalation: whether a child process in the container may gain more privileges than its parent; usually set together with running as a non-root user (MustRunAsNonRoot).

2. defaultAllowPrivilegeEscalation: the default value of allowPrivilegeEscalation. When it is set to disallow, administrators can still explicitly set allowPrivilegeEscalation to state whether privilege escalation is allowed.

(5) Linux capability settings

1. allowedCapabilities: the Linux capabilities containers may request; "*" allows all Linux capabilities (such as NET_ADMIN, SYS_TIME and so on).

2. requiredDropCapabilities: the Linux capabilities containers are not allowed to use and must drop.

3. defaultAddCapabilities: the Linux capabilities added to containers by default, for example SYS_TIME.

(6) SELinux settings

seLinux: SELinux parameters; the rule field can be set to MustRunAs or RunAsAny.

MustRunAs: seLinuxOptions must be set; the system validates the Pod's securityContext.seLinuxOptions against it.

RunAsAny: no restriction on seLinuxOptions.

(7) Other Linux settings

1. allowedProcMountTypes: the list of allowed ProcMountTypes; allowedProcMountTypes or DefaultProcMount can be set.

2. AppArmor: access-control profiles for the programs executed in the container.

3. seccomp: the profile of system calls the container is allowed to make.

4. sysctl: the kernel parameters that may be tuned.

(8) Two commonly used PodSecurityPolicy configurations

1. A basic unrestricted policy that allows Pods with arbitrary security settings to be created.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
spec:
  privileged: true  # privileged Pods are allowed
  allowPrivilegeEscalation: true  # child processes may gain privileges; set to false together with MustRunAsNonRoot
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

2. A policy that requires Pods to run as a non-privileged user, prohibits privilege escalation, disallows the host network, host ports, host IPC and so on, and restricts the usable Volume types.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false
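To see how the fields above combine at admission time, here is an added example (written for this article; it is not code from the original post or from Kubernetes) that re-implements the checks described above in plain Python over dict-shaped manifests, applying the container-over-Pod securityContext precedence along the way. It covers privileged, the host namespaces, hostPorts ranges, volumes and allowedHostPaths (including the readOnly requirement on the mounts), the runAsUser rules, allowPrivilegeEscalation, capabilities and readOnlyRootFilesystem. It only validates and does not apply the defaults a real PodSecurityPolicy would mutate into the Pod; the manifests it tests are constructed to mirror the YAML in this article.

```python
"""Offline check of a Pod spec against a PodSecurityPolicy (added example, not Kubernetes code)."""

def _effective(pod_sc, ctr_sc, key):
    """A container-level securityContext field overrides the Pod-level one."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def _host_path_entry(path, allowed):
    """Return the allowedHostPaths entry whose pathPrefix covers `path`, or None.
    Prefixes match whole path segments: "/foo" covers /foo and /foo/bar, not /food."""
    norm = path.rstrip("/") or "/"
    for entry in allowed:
        prefix = entry["pathPrefix"].rstrip("/") or "/"
        if prefix == "/" or norm == prefix or norm.startswith(prefix + "/"):
            return entry
    return None

def _user_rule_ok(rule_spec, uid):
    """runAsUser rules from the article: MustRunAs, MustRunAsNonRoot, RunAsAny."""
    rule = rule_spec.get("rule", "RunAsAny")
    if rule == "RunAsAny":
        return True
    if rule == "MustRunAsNonRoot":
        # None means "whatever USER the image sets", which an offline check cannot inspect
        return uid is not None and uid != 0
    if rule == "MustRunAs":
        return uid is not None and any(r["min"] <= uid <= r["max"] for r in rule_spec.get("ranges", []))
    return False

def validate_pod(pod, psp):
    """Return the list of ways `pod` violates `psp`; an empty list means the Pod is admitted."""
    spec, p, v = pod["spec"], psp["spec"], []
    containers = spec.get("containers", [])
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) and not p.get(flag, False):
            v.append(f"{flag} is not allowed")
    allowed_vols = p.get("volumes", [])
    for vol in spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # the key other than "name" is the volume type
        if "*" not in allowed_vols and vtype not in allowed_vols:
            v.append(f"volume {vol['name']}: type {vtype} is not allowed")
        elif vtype == "hostPath" and p.get("allowedHostPaths"):
            path = vol["hostPath"]["path"]
            entry = _host_path_entry(path, p["allowedHostPaths"])
            if entry is None:
                v.append(f"volume {vol['name']}: hostPath {path} is outside allowedHostPaths")
            elif entry.get("readOnly") and any(m["name"] == vol["name"] and not m.get("readOnly")
                                               for c in containers for m in c.get("volumeMounts", [])):
                v.append(f"volume {vol['name']}: must be mounted read-only")
    pod_sc = spec.get("securityContext", {})
    allowed_caps = set(p.get("allowedCapabilities", [])) | set(p.get("defaultAddCapabilities", []))
    required_drop = set(p.get("requiredDropCapabilities", []))
    user_rule = p.get("runAsUser", {})
    for c in containers:
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged") and not p.get("privileged", False):
            v.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is True and p.get("allowPrivilegeEscalation", True) is False:
            v.append(f"{name}: allowPrivilegeEscalation=true is not allowed")
        if p.get("readOnlyRootFilesystem") and sc.get("readOnlyRootFilesystem") is not True:
            v.append(f"{name}: root filesystem must be read-only")
        if not _user_rule_ok(user_rule, _effective(pod_sc, sc, "runAsUser")):
            v.append(f"{name}: runAsUser violates rule {user_rule.get('rule', 'RunAsAny')}")
        adds = set(sc.get("capabilities", {}).get("add", []))
        if "*" not in allowed_caps:
            v.extend(f"{name}: capability {cap} is not allowed" for cap in sorted(adds - allowed_caps))
        if adds and ("ALL" in required_drop or adds & required_drop):
            v.append(f"{name}: adds a capability that requiredDropCapabilities forbids")
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"] for r in p.get("hostPorts", [])):
                v.append(f"{name}: hostPort {hp} is outside the allowed hostPorts ranges")
    return v

# Constructed manifests mirroring the article's YAML (dicts instead of files, so no YAML library is needed).
RESTRICTED_PSP = {"spec": {
    "privileged": False, "allowPrivilegeEscalation": False, "requiredDropCapabilities": ["ALL"],
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"],
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"}, "readOnlyRootFilesystem": False}}
HOSTPATH_PSP = {"spec": {"volumes": ["hostPath"],
                         "allowedHostPaths": [{"pathPrefix": "/foo", "readOnly": True}]}}
PRIVILEGED_POD = {"spec": {"containers": [
    {"name": "nginx", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}
COMPLIANT_POD = {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
    "volumes": [{"name": "data", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "nginx",
                    "securityContext": {"allowPrivilegeEscalation": False}}]}}
HOSTPATH_POD = {"spec": {
    "volumes": [{"name": "ok", "hostPath": {"path": "/foo/bar"}},
                {"name": "bad", "hostPath": {"path": "/food"}}],
    "containers": [{"name": "app", "image": "busybox", "volumeMounts": [
        {"name": "ok", "mountPath": "/mnt"}, {"name": "bad", "mountPath": "/mnt2"}]}]}}

if __name__ == "__main__":
    for label, pod, psp in (("privileged Pod vs restricted", PRIVILEGED_POD, RESTRICTED_PSP),
                            ("compliant Pod vs restricted", COMPLIANT_POD, RESTRICTED_PSP),
                            ("hostPath Pod vs hostPath PSP", HOSTPATH_POD, HOSTPATH_PSP)):
        print(label, "->", validate_pod(pod, psp) or "admitted")
```

Because MustRunAsNonRoot can be satisfied by the image's USER, which an offline check cannot see, a Pod that leaves runAsUser unset is reported as a violation here; in a real cluster the admission controller sets runAsNonRoot and the kubelet verifies the image user when the container starts. The hostPath check shows why pathPrefix matching is segment-based: "/food" is rejected even though it starts with the characters "/foo".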

Kubernetes recommends using the RBAC authorization mechanism to grant Pods the right to use a security policy; usually the authorization is granted to the Pod's ServiceAccount.

For example, you can create the following ClusterRole (a Role also works) and allow it to use PodSecurityPolicies:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-name
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - # list of PodSecurityPolicies that may be used

Then create a ClusterRoleBinding to bind it to users and ServiceAccounts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-name
roleRef:
  kind: ClusterRole
  name: role-name
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: serviceaccount
  namespace:  # the ServiceAccount's namespace
- kind: User
  name: username
  apiGroup: rbac.authorization.k8s.io

You can also create a RoleBinding to authorize the Pods in the same Namespace as the RoleBinding; it is usually bound to a system-level Group, for example:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-name
  namespace: namespace  # the RoleBinding's namespace
roleRef:
  kind: Role
  name:  # the Role to bind
  apiGroup: rbac.authorization.k8s.io
subjects:
# authorize all ServiceAccounts in this Namespace
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
# authorize all authenticated users in this Namespace
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
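The `use` verb is what ties a policy to a subject, and the namespace scope of a RoleBinding decides where that grant applies. Here is an added example (not code from the article or from Kubernetes) that evaluates, in plain Python, which PodSecurityPolicies a ServiceAccount or User may use given ClusterRole rules with resourceNames, a ClusterRoleBinding to the system:serviceaccounts group (the pattern shown above) and a namespace-scoped RoleBinding. The role and binding names, the node-agent ServiceAccount and the user alice are constructed for the example. In a real cluster the admission controller authorizes both the requesting user and the Pod's ServiceAccount; this function evaluates one subject at a time.

```python
"""Which PodSecurityPolicies may a subject `use`? Simplified RBAC evaluation (added example)."""

def subject_groups(subject):
    """Groups Kubernetes attaches to an authenticated subject, plus any listed explicitly."""
    groups = {"system:authenticated"} | set(subject.get("groups", []))
    if subject["kind"] == "ServiceAccount":
        groups |= {"system:serviceaccounts", f"system:serviceaccounts:{subject['namespace']}"}
    return groups

def _subject_matches(entry, subject, groups):
    """Does one entry of a binding's `subjects:` list cover this subject?"""
    if entry["kind"] == "Group":
        return entry["name"] in groups
    if entry["kind"] != subject["kind"] or entry["name"] != subject["name"]:
        return False
    # ServiceAccount subjects are namespaced; User subjects are not.
    return entry["kind"] != "ServiceAccount" or entry.get("namespace") == subject["namespace"]

def _rule_allows_use(rule, psp_name):
    """One PolicyRule grants `use` on the named PSP ("*" wildcards honoured, as RBAC does)."""
    def hit(field, wanted):
        values = rule.get(field, [])
        return "*" in values or wanted in values
    if not (hit("apiGroups", "policy") and hit("resources", "podsecuritypolicies") and hit("verbs", "use")):
        return False
    names = rule.get("resourceNames", [])
    return not names or psp_name in names  # an empty resourceNames list means every PSP

def usable_psps(subject, pod_namespace, roles, bindings, psp_names):
    """Names of the PSPs `subject` may use for Pods created in `pod_namespace`."""
    groups = subject_groups(subject)
    usable = set()
    for b in bindings:
        # A RoleBinding grants only inside its own namespace; a ClusterRoleBinding grants everywhere.
        if b["kind"] == "RoleBinding" and b["namespace"] != pod_namespace:
            continue
        if not any(_subject_matches(s, subject, groups) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        key = (ref["kind"], ref["name"], b["namespace"] if ref["kind"] == "Role" else None)
        rules = roles.get(key, [])
        usable |= {n for n in psp_names if any(_rule_allows_use(r, n) for r in rules)}
    return usable

# Constructed objects mirroring the article's RBAC YAML (roles are keyed by kind, name, namespace).
PSP_NAMES = ["privileged", "restricted"]
USE_RULE = {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"], "verbs": ["use"]}
ROLES = {
    ("ClusterRole", "psp-restricted", None): [dict(USE_RULE, resourceNames=["restricted"])],
    ("ClusterRole", "psp-privileged", None): [dict(USE_RULE, resourceNames=["privileged"])],
}
BINDINGS = [
    # Every ServiceAccount in the cluster may use "restricted" (the Group pattern from the article).
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "psp-restricted"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
    # Only node-agent, and only for Pods in kube-system, may use "privileged".
    {"kind": "RoleBinding", "namespace": "kube-system",
     "roleRef": {"kind": "ClusterRole", "name": "psp-privileged"},
     "subjects": [{"kind": "ServiceAccount", "name": "node-agent", "namespace": "kube-system"}]},
]
SA_DEFAULT = {"kind": "ServiceAccount", "name": "default", "namespace": "default"}
SA_AGENT = {"kind": "ServiceAccount", "name": "node-agent", "namespace": "kube-system"}
ALICE = {"kind": "User", "name": "alice"}

if __name__ == "__main__":
    for who, ns in ((SA_DEFAULT, "default"), (SA_AGENT, "kube-system"), (SA_AGENT, "default"), (ALICE, "default")):
        print(who["kind"], who["name"], "in", ns, "->", sorted(usable_psps(who, ns, ROLES, BINDINGS, PSP_NAMES)))
```

The same node-agent ServiceAccount gets "privileged" only when the Pod is created in kube-system, because the RoleBinding is scoped to that namespace; a user such as alice, who is neither a ServiceAccount nor listed in any binding, can use no policy at all and her Pods would be rejected.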

Security settings for Pods

Security policies for Pods and containers are set in the securityContext field of the Pod or of the Container. If the same security field is set at both the Pod level and the Container level, the container uses the Container-level setting.

The security settings that can be set at the Pod level are:

◎ runAsUser: the user ID the programs in the container run as.

◎ runAsGroup: the group ID the programs in the container run as.

◎ runAsNonRoot: whether the programs must run as a non-root user.

◎ fsGroup: the group ID that owns mounted volumes and the files created in them.

◎ seLinuxOptions: SELinux settings.

◎ supplementalGroups: additional group IDs the container may use.

◎ sysctls: the kernel parameters that may be tuned.

The security settings that can be set at the Container level are:

◎ runAsUser: the user ID the programs in the container run as.

◎ runAsGroup: the group ID the programs in the container run as.

◎ runAsNonRoot: whether the programs must run as a non-root user.

◎ privileged: whether the container runs in privileged mode.

◎ allowPrivilegeEscalation: whether privilege escalation is allowed.

◎ readOnlyRootFilesystem: whether the root filesystem is read-only.

◎ capabilities: the list of Linux capabilities.

◎ seLinuxOptions: SELinux settings.

For example, Pod-level security settings apply to all containers in the Pod:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: nginx
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

◎ runAsUser=1000: all containers run their programs as user ID 1000, and every newly created file also gets user ID 1000.

◎ runAsGroup=3000: all containers run their programs as group ID 3000, and every newly created file also gets group ID 3000.

◎ fsGroup=2000: the mounted volume "/data/demo" and the files created in it belong to group ID 2000.

Container-level security settings apply to one particular container:

apiVersion: v1
kind: Pod
metadata:
  name: scd-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: scd-2
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false

Setting the Linux capabilities available to a Container: the capabilities allowed for the container below include NET_ADMIN and SYS_TIME.

apiVersion: v1
kind: Pod
metadata:
  name: scd-3
spec:
  containers:
  - name: scd-3
    image: nginx
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

===============================

I am Liusy, a programmer who likes to keep fit.

For more useful content and the latest news, please follow the official account: Ancient false gods

If this helped you, a follow is my biggest support!!!

Copyright notice
This article was written by [Liusy01]; please include the original link when reposting. Thank you.
https://javamana.com/2021/01/20210120224641655x.html
