Reading the Pod security policy of k8s

itread01 2021-01-21 01:46:14


Introduction

For a container in a Pod to obtain cluster resource information, roles and a ServiceAccount must be configured to authorize it. To control how a Pod may use resources, Kubernetes introduced the PodSecurityPolicy resource object in version 1.4 to manage Pod security policies.

Pod privilege model

A program inside a container gets almost the same privileges as a program outside the container. With privileged mode it is easier to write network and volume plug-ins as independent Pods instead of compiling them into the kubelet.

PodSecurityPolicy

Official definition

A Pod Security Policy is a cluster-level resource that controls the security-sensitive aspects of a Pod specification. A PodSecurityPolicy object defines a set of conditions a Pod must satisfy in order to run, together with default values for the related fields; a Pod is accepted by the system only when it meets these conditions.

A Pod security policy gives administrators control over the security-relevant settings of a Pod.

A Pod security policy consists of settings and strategies that control the security features a Pod can access. These settings fall into three categories:

(1) Boolean-valued controls: fields of this type default to the most restrictive value.

(2) Controls based on a set of allowed values: the field's value is compared against the set to confirm that it is allowed.

(3) Strategy-based controls: the value is generated by a mechanism provided by the policy, which guarantees that the value falls within the allowed set.

Enabling PodSecurityPolicy

To enable PodSecurityPolicy, add the following argument to the startup arguments of kube-apiserver:

--enable-admission-plugins=PodSecurityPolicy

Once the PodSecurityPolicy admission controller is enabled, k8s does not allow any Pod to be created by default; a PodSecurityPolicy and an RBAC authorization policy must be created before Pods can be created successfully.

Note: edit the kube-apiserver configuration file /etc/kubernetes/manifests/kube-apiserver.yaml; because kube-apiserver runs as a static Pod, the change takes effect automatically.

The system presets this argument as:

--enable-admission-plugins=NodeRestriction

After the plugin is enabled, creating a Pod fails with a validation error.

Creating a PodSecurityPolicy

The following PodSecurityPolicy does not allow privileged Pods to be created:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-non-privileged
spec:
  privileged: false  # privileged Pods are not allowed
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Check it after creation with kubectl get psp or kubectl get podSecurityPolicy.

Creating the Pod again now succeeds.

The PodSecurityPolicy above disallows privileged Pods. For example, the following YAML file pod-privileged.yaml sets privileged mode on the Pod:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 80
    securityContext:
      privileged: true

Creating it reports the following error:

unable to validate against any pod security policy

PodSecurityPolicy configuration details

The following fields can be set in a PodSecurityPolicy object to control the security policies applied when a Pod runs.

(1) Privileged mode

privileged: whether the Pod is allowed to run in privileged mode.

(2) Host resources

1. hostPID: whether the Pod may share the host's process namespace.

2. hostIPC: whether the Pod may share the host's IPC namespace.

3. hostNetwork: whether the Pod may share the host's network namespace.

4. hostPorts: whether the Pod may use host port numbers; the allowed port range can be set with the hostPortRange field as [min, max], giving the minimum and maximum port numbers.

5. volumes: the volume types the Pod may use; "*" allows any volume type. It is recommended to allow at least the following types: configMap, emptyDir, downwardAPI, persistentVolumeClaim, secret, projected.

6. allowedHostPaths: the host paths the Pod may mount with hostPath volumes. The pathPrefix field sets the allowed path prefix, and readOnly controls whether the mount must be read-only. For example, the following policy only allows the Pod to access host paths beginning with "/foo", which includes "/foo", "/foo/", "/foo/bar", and so on:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: all-hostpath-volumes
spec:
  volumes:
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/foo"
    readOnly: true

7. fsGroup: the range of group IDs allowed to access certain volumes; the rule field can be set to MustRunAs, MayRunAs or RunAsAny.

MustRunAs: a group ID range must be set, for example 1~65535, and the value of the Pod's securityContext.fsGroup must fall within that range.

MayRunAs: a group ID range must be set, for example 1~65535, but the Pod is not required to set securityContext.fsGroup.

RunAsAny: no restriction on the group ID range; any group can access the volume.

8. readOnlyRootFilesystem: requires the container's root filesystem to be read-only.

9. allowedFlexVolumes: for flexVolume-type volumes, the allowed driver types, for example:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedflexvolumes
spec:
  volumes:
  - flexVolume
  allowedFlexVolumes:
  - driver: example/lvm
  - driver: example/cifs

(3) Users and groups

1. runAsUser: the range of user IDs the container may run as; rule can be set to MustRunAs, MustRunAsNonRoot or RunAsAny.

MustRunAs: a user ID range must be set, and the value of the Pod's securityContext.runAsUser must fall within that range.

MustRunAsNonRoot: the container must run as a non-root user; the Pod's securityContext.runAsUser must be set to a non-zero user ID, or the image's USER field must set the user ID. Setting allowPrivilegeEscalation=false is recommended to avoid unnecessary privilege escalation.

RunAsAny: no restriction on the user ID range; any user can run the container.

2. runAsGroup: the range of group IDs the container may run as; can be set to MustRunAs, MustRunAsNonRoot or RunAsAny.

MustRunAs: a group ID range must be set, and the value of the Pod's securityContext.runAsGroup must fall within that range.

MustRunAsNonRoot: the container must run as a non-root group; the Pod's securityContext.runAsUser must be set to a non-zero user ID, or the image's USER field must set the user ID. Setting allowPrivilegeEscalation=false is recommended to avoid unnecessary privilege escalation.

RunAsAny: no restriction on the group ID range; users in any group can run the container.

3. supplementalGroups: the range of supplemental group IDs the container may add; the rule field can be set to MustRunAs, MayRunAs or RunAsAny.

MustRunAs: a group ID range must be set, and the values of the Pod's securityContext.supplementalGroups must fall within that range.

MayRunAs: a group ID range must be set, but the Pod is not required to set securityContext.supplementalGroups.

RunAsAny: no restriction on the group ID range; any supplementalGroups value may be used.

(4) Privilege escalation

1. allowPrivilegeEscalation: whether a child process in the container may gain more privileges than its parent; usually set together with a non-root user requirement (MustRunAsNonRoot).

2. defaultAllowPrivilegeEscalation: the default value of allowPrivilegeEscalation. Even when it is set to disallow, an administrator can still explicitly set allowPrivilegeEscalation to specify whether escalation is allowed.

(5) Linux capabilities

1. allowedCapabilities: the list of Linux capabilities the container may use; "*" allows all Linux capabilities (such as NET_ADMIN, SYS_TIME, etc.).

2. requiredDropCapabilities: the list of Linux capabilities the container is not allowed to use.

3. defaultAddCapabilities: the list of Linux capabilities added to containers by default, for example SYS_TIME.

(6) SELinux

seLinux: SELinux settings; the rule field can be set to MustRunAs or RunAsAny.

MustRunAs: seLinuxOptions must be set, and the system validates the Pod's securityContext.seLinuxOptions against it.

RunAsAny: no restriction on seLinuxOptions.

(7) Other Linux settings

1. allowedProcMountTypes: the list of allowed proc mount types; allowedProcMountTypes or defaultProcMount can be set.

2. AppArmor: access control profiles for the container's executables.

3. Seccomp: the profile of system calls the container is allowed to make.

4. Sysctl: the kernel parameters that may be adjusted.

(8) Two common PodSecurityPolicy configurations

1. A policy with essentially no restrictions, allowing Pods with arbitrary security settings to be created:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
spec:
  privileged: true  # privileged Pods are allowed
  allowPrivilegeEscalation: true  # whether child processes may gain privileges; pairs with MustRunAsNonRoot
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

2. A policy requiring the Pod to run as an unprivileged user, forbidding privilege escalation, disallowing the host network, host ports, host IPC and similar resources, restricting the usable volume types, and so on:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  volumes:
  - 'configMap'
  - 'emptyDir'
  - 'projected'
  - 'secret'
  - 'downwardAPI'
  - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: false
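To make the checks above concrete, here is an added example (not code from the original post or from Kubernetes) that re-implements the core PodSecurityPolicy validation in Python and runs it against the page's psp-non-privileged policy, a condensed form of the restricted policy, and the privileged nginx Pod. The policy and Pod objects are plain dicts mirroring the YAML; the code only validates and does not apply the defaulting step of the real admission plugin, so unset IDs are treated as left to defaulting or to the image USER check, and container-level securityContext fields override Pod-level ones.

```python
def _check_id(name, rule, value, out):
    """Apply a MustRunAs / MayRunAs / MustRunAsNonRoot / RunAsAny rule to one ID."""
    kind = rule.get("rule", "RunAsAny")
    if value is None or kind == "RunAsAny":
        return  # unset IDs: the real plugin defaults them from the ranges or defers to the image USER
    if kind == "MustRunAsNonRoot":
        if value == 0:
            out.append(f"{name}: must not run as UID 0")
    elif not any(r["min"] <= value <= r["max"] for r in rule.get("ranges", [])):
        out.append(f"{name}: {value} is outside the allowed ranges")

def validate(psp, pod):
    """Return the reasons the Pod fails the policy; an empty list means it is admitted."""
    p, s, out = psp["spec"], pod["spec"], []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if s.get(ns) and not p.get(ns):
            out.append(f"{ns} is not allowed")
    allowed_vols = p.get("volumes", [])
    for vol in s.get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # the key other than name is the volume type
        if "*" not in allowed_vols and vtype not in allowed_vols:
            out.append(f"volume type {vtype} is not allowed")
    psc = s.get("securityContext", {})
    _check_id("fsGroup", p.get("fsGroup", {}), psc.get("fsGroup"), out)
    for gid in psc.get("supplementalGroups", []):
        _check_id("supplementalGroups", p.get("supplementalGroups", {}), gid, out)
    for c in s.get("containers", []):
        # container-level securityContext overrides the Pod-level one, field by field
        n, sc = c["name"], {**psc, **c.get("securityContext", {})}
        if sc.get("privileged") and not p.get("privileged"):
            out.append(f"{n}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") and p.get("allowPrivilegeEscalation") is False:
            out.append(f"{n}: allowPrivilegeEscalation must be false")
        _check_id(f"{n}.runAsUser", p.get("runAsUser", {}), sc.get("runAsUser"), out)
        caps, allowed = sc.get("capabilities", {}), p.get("allowedCapabilities", [])
        for cap in caps.get("add", []):
            if "*" not in allowed and cap not in allowed:
                out.append(f"{n}: capability {cap} is not allowed")
        for cap in p.get("requiredDropCapabilities", []):
            if cap not in caps.get("drop", []):
                out.append(f"{n}: capability {cap} must be dropped")
    return out

# Constructed samples mirroring the page's psp-non-privileged policy, a condensed
# form of its restricted policy, and the privileged nginx Pod.
PSP_NON_PRIVILEGED = {"spec": {"privileged": False, "volumes": ["*"]}}
PSP_RESTRICTED = {"spec": {"privileged": False, "allowPrivilegeEscalation": False,
    "requiredDropCapabilities": ["ALL"], "volumes": ["configMap", "emptyDir", "secret"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]}}}
POD_PRIVILEGED = {"spec": {"containers": [{"name": "nginx", "image": "nginx:latest",
    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    print(validate(PSP_RESTRICTED, POD_PRIVILEGED))
```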

Kubernetes recommends using the RBAC authorization mechanism to grant Pod security policies; usually the Pod's ServiceAccount should be the subject that is authorized.

For example, you can create the following ClusterRole (a Role also works) that grants the use verb on the permitted PodSecurityPolicies:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-name
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames:
  - # list of the PodSecurityPolicies permitted to be used

Then create a ClusterRoleBinding to bind it to users and ServiceAccounts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: bind-name
roleRef:
  kind: ClusterRole
  name: role-name
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: serviceaccount
  namespace:
- kind: User
  name: username
  apiGroup: rbac.authorization.k8s.io

You can also create a RoleBinding to authorize the Pods in the same Namespace as the RoleBinding; it is usually combined with a system-level Group, for example:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bind-name
  namespace: namespace  # the Namespace this RoleBinding belongs to
roleRef:
  kind: Role
  name:
  apiGroup: rbac.authorization.k8s.io
subjects:
# authorize all ServiceAccounts in the Namespace
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
# authorize all authenticated users in the Namespace
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
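As an added example (not from the original post), the following Python models how the use check behind PodSecurityPolicy resolves through RBAC: it takes constructed ClusterRole/Role and binding objects modelled on the YAML above (the resourceNames the page leaves blank are filled with the page's two policy names, an assumption) and returns which policies a subject may use for Pods in a given Namespace, including the implicit system:serviceaccounts groups and the Namespace scoping of a RoleBinding.

```python
# Constructed Role/Binding objects modelled on the page's examples; the resourceNames
# the page leaves blank are filled here with the two policy names shown above.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "role-name"},
     "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "verbs": ["use"], "resourceNames": ["restricted"]}]},
    {"kind": "Role", "metadata": {"name": "psp-privileged", "namespace": "kube-system"},
     "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                "verbs": ["use"], "resourceNames": ["privileged"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "bind-name"},
     "roleRef": {"kind": "ClusterRole", "name": "role-name"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
    {"kind": "RoleBinding", "metadata": {"name": "bind-privileged", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "psp-privileged"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"}]},
]

def identities(kind, name, namespace=None):
    """The subject itself plus the implicit groups a binding may name for it."""
    ids = {(kind, name, namespace), ("Group", "system:authenticated", None)}
    if kind == "ServiceAccount":
        ids |= {("Group", "system:serviceaccounts", None),
                ("Group", f"system:serviceaccounts:{namespace}", None)}
    return ids

def _grants_psp_use(rule):
    def match(items, want):
        return "*" in items or want in items
    return (match(rule.get("apiGroups", []), "policy")
            and match(rule.get("resources", []), "podsecuritypolicies")
            and match(rule.get("verbs", []), "use"))

def usable_psps(kind, name, namespace, pod_namespace, roles=ROLES, bindings=BINDINGS):
    """PSP names the subject may 'use' for Pods in pod_namespace ('*' means all)."""
    ids, allowed = identities(kind, name, namespace), set()
    for b in bindings:
        bns = b["metadata"].get("namespace")
        if bns is not None and bns != pod_namespace:  # a RoleBinding only counts in its own Namespace
            continue
        if not ids & {(s["kind"], s["name"], s.get("namespace")) for s in b["subjects"]}:
            continue
        ref = b["roleRef"]
        for r in roles:  # a RoleBinding may reference a ClusterRole or a Role in the same Namespace
            if r["kind"] != ref["kind"] or r["metadata"]["name"] != ref["name"]:
                continue
            if r["kind"] == "Role" and r["metadata"].get("namespace") != bns:
                continue
            for rule in r["rules"]:
                if _grants_psp_use(rule):
                    allowed |= set(rule.get("resourceNames") or ["*"])
    return allowed
```

The real admission plugin runs this resolution for both the user creating the Pod and the Pod's ServiceAccount, then admits the Pod against the first usable policy that validates it.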

Pod security settings in detail

Pod and container security settings are defined in the securityContext field of the Pod or Container. If the same security field is set at both the Pod and Container level, the container uses the Container-level setting.

At the Pod level the following security settings can be set:

◎ runAsUser: the user ID that runs the program in the container.

◎ runAsGroup: the group ID that runs the program in the container.

◎ runAsNonRoot: whether the program must run as a non-root user.

◎ fsGroup: the group ID applied to mounted volumes and the files created in them.

◎ seLinuxOptions: SELinux-related settings.

◎ supplementalGroups: additional group IDs the container is allowed to use.

◎ sysctls: the kernel parameters that may be adjusted.

At the Container level the following security settings can be set:

◎ runAsUser: the user ID that runs the program in the container.

◎ runAsGroup: the group ID that runs the program in the container.

◎ runAsNonRoot: whether the program must run as a non-root user.

◎ privileged: whether to run in privileged mode.

◎ allowPrivilegeEscalation: whether privilege escalation is allowed.

◎ readOnlyRootFilesystem: whether the root filesystem is read-only.

◎ capabilities: the list of Linux capabilities.

◎ seLinuxOptions: SELinux-related settings.

For example, Pod-level security settings apply to all containers in the Pod:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: nginx
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

◎ runAsUser=1000: all containers run their processes as user ID 1000, and newly created files are also owned by user ID 1000.

◎ runAsGroup=3000: all containers run their processes as group ID 3000, and newly created files are also owned by group ID 3000.

◎ fsGroup=2000: the mounted volume "/data/demo" and the files created in it belong to group ID 2000.

Container-level security settings apply to a specific container:

apiVersion: v1
kind: Pod
metadata:
  name: scd-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: scd-2
    image: nginx:latest
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsUser: 2000
      allowPrivilegeEscalation: false

Linux capabilities can also be set for a Container; here the container is granted the NET_ADMIN and SYS_TIME capabilities:

apiVersion: v1
kind: Pod
metadata:
  name: scd-3
spec:
  containers:
  - name: scd-3
    image: nginx
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

 


Copyright notice
This article was written by [itread01]; please include the original link when reposting. Thanks.
https://javamana.com/2021/01/20210121014355152m.html
