当前位置：网站首页>kubernetes pod podsecurityPolicies（PSP）

kubernetes pod podsecurityPolicies（PSP）

2022-08-02 21:28:00 【ghostwritten】

kubernetes pod podsecurityPolicies

tags: 资源对象，pod

文章目录

kubernetes pod podsecurityPolicies

美剧《开发者》（Devs）颠覆感藏在最后。

1. 简介

Pod Security Policies（PSP）是集群级的 Pod 安全策略，自动为集群内的 Pod 和 Volume 设置 Security Context。

使用 PSP 需要 API Server 开启 extensions/v1beta1/podsecuritypolicy，并且配置 PodSecurityPolicy admission 控制器。

注意： PodSecurityPolicy 自 Kubernetes v1.21 起已弃用，并将在 v1.25 中删除。我们建议迁移到Pod Security Admission或 3rd party admission 插件。有关迁移指南，请参阅从 PodSecurityPolicy 迁移到内置 PodSecurity 准入控制器。有关弃用的更多信息，请参阅PodSecurityPolicy 弃用：过去、现在和未来。

2. API 版本对照表

Kubernetes 版本	Extension 版本
v1.5-v1.15	extensions/v1beta1
v1.10+	policy/v1beta1

3. 支持的控制项

控制项	说明
privileged	运行特权容器
defaultAddCapabilities	可添加到容器的 Capabilities
requiredDropCapabilities	会从容器中删除的 Capabilities
allowedCapabilities	允许使用的 Capabilities 列表
volumes	控制容器可以使用哪些 volume
hostNetwork	允许使用 host 网络
hostPorts	允许的 host 端口列表
hostPID	使用 host PID namespace
hostIPC	使用 host IPC namespace
seLinux	SELinux Context
runAsUser	user ID
supplementalGroups	允许的补充用户组
fsGroup	volume FSGroup
readOnlyRootFilesystem	只读根文件系统
allowedHostPaths	允许 hostPath 插件使用的路径列表
allowedFlexVolumes	允许使用的 flexVolume 插件列表
allowPrivilegeEscalation	允许容器进程设置 no_new_privs
defaultAllowPrivilegeEscalation	默认是否允许特权升级

4. 实例

4.1 控制是否允许超出父进程特权

allowPrivilegeEscalation：控制进程是否可以获得超出其父进程的特权。此布尔值直接控制是否为容器进程设置 no_new_privs标志。当容器满足一下条件之一时，allowPrivilegeEscalation 总是为 true：以特权模式运行，或者具有 CAP_SYS_ADMIN 权能 readOnlyRootFilesystem：以只读方式加载容器的根文件系统。
在这里插入图片描述

[email protected]:~/cks/securitytext# vim /etc/kubernetes/manifests/kube-apiserver.yaml
---
    - --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
---


[email protected]:~/cks/securitytext# cat psp.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  allowPrivilegeEscalation: false
  privileged: false  # Don't allow privileged pods!
  # The rest fills in some required fields.
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'


[email protected]:~/cks/securitytext# k create -f psp.yaml 
podsecuritypolicy.policy/default created


[email protected]:~/cks/securitytext# k create deploy nginx --image=nginx
deployment.apps/nginx created
[email protected]:~/cks/securitytext# k get deploy nginx -w
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   0/1     0            0           22s
^[email protected]:~/cks/securitytext#  k run nginx --image=nginx
pod/nginx created
[email protected]:~/cks/securitytext# k get pod nginx
NAME    READY   STATUS              RESTARTS   AGE
nginx   1/1     Running             0          44s

[email protected]:~/cks/securitytext#  k create role psp-access --verb=use --resource=podsecuritypolicies
role.rbac.authorization.k8s.io/psp-access created
[email protected]:~/cks/securitytext# k create rolebinding psp-access --role=psp-access --serviceaccount=default:default
rolebinding.rbac.authorization.k8s.io/psp-access created
[email protected]:~/cks/securitytext# k get deploy nginx
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   0/1     0            0           3m26s
[email protected]:~/cks/securitytext# k delete deploy nginx
deployment.apps "nginx" deleted
[email protected]:~/cks/securitytext# k create deploy nginx --image=nginx
deployment.apps/nginx created
^[email protected]:~/cks/securitytext# k get deploy nginx
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   1/1     1            1           20s

allowPrivilegeEscalation设置为rue

[email protected]:~/cks/securitytext# vim pod.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: pod
  name: pod
spec:
# securityContext:
# runAsUser: 1000
# runAsGroup: 3000
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: busybox
    name: pod
    resources: {
    }
    securityContext:
      allowPrivilegeEscalation: true
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {
    }

[email protected]:~/cks/securitytext# k -f pod.yaml create
Error from server (Forbidden): error when creating "pod.yaml": pods "pod" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.containers[0].securityContext.allowPrivilegeEscalation: Invalid value: true: Allowing privilege escalation for containers is not allowed]

4.2 限制端口

限制容器的 host 端口范围为 8000-8080

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
  - min: 8000
    max: 8080
  volumes:
  - '*'

4.3 限制只允许使用 lvm 和 cifs 等 flexVolume 插件

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allow-flex-volumes
spec:
  fsGroup:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
    - flexVolume
  allowedFlexVolumes:
    - driver: example/lvm
    - driver: example/cifs

参考：