当前位置:网站首页>OpenShift 4 - Customize RHACS security policies to prevent production clusters from using high-risk registry

OpenShift 4 - Customize RHACS security policies to prevent production clusters from using high-risk registry

2022-07-31 14:26:00 dawnsky.liu

OpenShift 4.x HOL教程汇总
说明:本文已经在OpenShift 4.10 / RHACS 3.71环境中验证

文章目录

ACS Security policy scenarios

在 RHACS Security policy of the rich,Can help users to realize from the mirror to the container、From the network to the host operating system and so on various aspects of the security check.Users can also be customized personalized strategy to implement features security inspection requirements.

This example will create a custom security strategy,The strategy for “生产集群” ,It does not allow deployment in a production environment from security risk docker.io 的容器镜像.
在这里插入图片描述

创建 ACS 安全策略

  1. 进入 RHACS 的 Platform Configuration -> Policy Management 菜单,然后点击 Create Policy 按钮.
  2. 在 Create policy 页面中的 Policy details Offer the following configuration steps,然后点击 Next.
    Name:Image Policy - Production
    Severity:Medium
    Categories:Production
    Description:In a production environment from docker.io 的镜像
    Rationale:In a production environment using from docker.io A mirror image of the safety risk is higher
    Guidance:Cannot be used in a production environment from docker.io 的镜像
  3. 在 Create policy 页面中的 Policy behavior Offer the following configuration steps,然后点击 Next.
    Lifecycle stages:Deploy
    Response method:Inform and enforce
    Deploy:Enforce on Deploy
    在这里插入图片描述
  4. 在 Create policy 页面中的 Policy criteria Steps will be on the right side of the Image registry 拖拽到 Drop a policy field inside,And then fill in the below docker.io.进行点击 Next.
    在这里插入图片描述
  5. 在 Create policy 页面中的 Policy scope Steps in the open Add inclusion scope,在 Cluster Choose the need to protect OpenShift 集群.然后点击 Next.
    在这里插入图片描述
  6. 在最后一步中 Save 即可.

Deployment tests the mirror

  1. 在 OpenShift 控制台中使用 “导入 YAML” Function to create the following Deployment,其中使用了 docker.io/openshift/hello-openshift 镜像.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: hello-openshift
  labels:
    app: hello-openshift
    app.kubernetes.io/name: hello-openshift
    app.kubernetes.io/part-of: hello-openshift-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        - name: hello-openshift
          image: docker.io/openshift/hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8888
              protocol: TCP
  1. Confirm the following error message is.
    在这里插入图片描述
  2. 将镜像换成 quay.io/dawnskyliu/hello-openshift 后重新创建 Deployment,Confirm can successfully create.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: hello-openshift
  labels:
    app: hello-openshift
    app.kubernetes.io/name: hello-openshift
    app.kubernetes.io/part-of: hello-openshift-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        - name: hello-openshift
          image: quay.io/dawnskyliu/hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8888
              protocol: TCP

参考

https://docs.openshift.com/acs/3.71/operating/manage-security-policies.html

原网站

版权声明
本文为[dawnsky.liu]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/212/202207311413209230.html

边栏推荐

猜你喜欢

随机推荐