当前位置：网站首页>OpenShift 4 - Customize RHACS security policies to prevent production clusters from using high-risk registry

OpenShift 4 - Customize RHACS security policies to prevent production clusters from using high-risk registry

2022-07-31 14:26:00 【dawnsky.liu】

《OpenShift 4.x HOL教程汇总》
说明：本文已经在OpenShift 4.10 / RHACS 3.71环境中验证

ACS Security policy scenarios

在 RHACS Security policy of the rich,Can help users to realize from the mirror to the container、From the network to the host operating system and so on various aspects of the security check.Users can also be customized personalized strategy to implement features security inspection requirements.

This example will create a custom security strategy,The strategy for “生产集群” ,It does not allow deployment in a production environment from security risk docker.io 的容器镜像.
在这里插入图片描述

创建 ACS 安全策略

进入 RHACS 的 Platform Configuration -> Policy Management 菜单,然后点击 Create Policy 按钮.
在 Create policy 页面中的 Policy details Offer the following configuration steps,然后点击 Next.
Name：Image Policy - Production
Severity：Medium
Categories：Production
Description：In a production environment from docker.io 的镜像
Rationale：In a production environment using from docker.io A mirror image of the safety risk is higher
Guidance：Cannot be used in a production environment from docker.io 的镜像
在 Create policy 页面中的 Policy behavior Offer the following configuration steps,然后点击 Next.
Lifecycle stages：Deploy
Response method：Inform and enforce
Deploy：Enforce on Deploy
在 Create policy 页面中的 Policy criteria Steps will be on the right side of the Image registry 拖拽到 Drop a policy field inside,And then fill in the below docker.io.进行点击 Next.
在 Create policy 页面中的 Policy scope Steps in the open Add inclusion scope,在 Cluster Choose the need to protect OpenShift 集群.然后点击 Next.
在最后一步中 Save 即可.

Deployment tests the mirror

在 OpenShift 控制台中使用 “导入 YAML” Function to create the following Deployment,其中使用了 docker.io/openshift/hello-openshift 镜像.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: hello-openshift
  labels:
    app: hello-openshift
    app.kubernetes.io/name: hello-openshift
    app.kubernetes.io/part-of: hello-openshift-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        - name: hello-openshift
          image: docker.io/openshift/hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8888
              protocol: TCP

Confirm the following error message is.
将镜像换成 quay.io/dawnskyliu/hello-openshift 后重新创建 Deployment,Confirm can successfully create.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: hello-openshift
  labels:
    app: hello-openshift
    app.kubernetes.io/name: hello-openshift
    app.kubernetes.io/part-of: hello-openshift-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        - name: hello-openshift
          image: quay.io/dawnskyliu/hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8888
              protocol: TCP