《OpenShift 4.x HOL教程汇总》
说明：本文已经在OpenShift 4.10 / RHACS 3.71环境中验证

ACS Security policy scenarios

在 RHACS Security policy of the rich,Can help users to realize from the mirror to the container、From the network to the host operating system and so on various aspects of the security check.Users can also be customized personalized strategy to implement features security inspection requirements.

This example will create a custom security strategy,The strategy for “生产集群” ,It does not allow deployment in a production environment from security risk docker.io 的容器镜像.

创建 ACS 安全策略

1. 进入 RHACS 的 Platform Configuration -> Policy Management 菜单,然后点击 Create Policy 按钮.
2. 在 Create policy 页面中的 Policy details Offer the following configuration steps,然后点击 Next.
   Name：Image Policy - Production
   Severity：Medium
   Categories：Production
   Description：In a production environment from docker.io 的镜像
   Rationale：In a production environment using from docker.io A mirror image of the safety risk is higher
   Guidance：Cannot be used in a production environment from docker.io 的镜像
3. 在 Create policy 页面中的 Policy behavior Offer the following configuration steps,然后点击 Next.
   Lifecycle stages：Deploy
   Response method：Inform and enforce
   Deploy：Enforce on Deploy
   
4. 在 Create policy 页面中的 Policy criteria Steps will be on the right side of the Image registry 拖拽到 Drop a policy field inside,And then fill in the below docker.io.进行点击 Next.
   
5. 在 Create policy 页面中的 Policy scope Steps in the open Add inclusion scope,在 Cluster Choose the need to protect OpenShift 集群.然后点击 Next.
   
6. 在最后一步中 Save 即可.

Deployment tests the mirror

1. 在 OpenShift 控制台中使用 “导入 YAML” Function to create the following Deployment,其中使用了 docker.io/openshift/hello-openshift 镜像.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: hello-openshift
  labels:
    app: hello-openshift
    app.kubernetes.io/name: hello-openshift
    app.kubernetes.io/part-of: hello-openshift-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        - name: hello-openshift
          image: docker.io/openshift/hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8888
              protocol: TCP

2. Confirm the following error message is.
   
3. 将镜像换成 quay.io/dawnskyliu/hello-openshift 后重新创建 Deployment,Confirm can successfully create.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: hello-openshift
  labels:
    app: hello-openshift
    app.kubernetes.io/name: hello-openshift
    app.kubernetes.io/part-of: hello-openshift-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        - name: hello-openshift
          image: quay.io/dawnskyliu/hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8888
              protocol: TCP

参考

https://docs.openshift.com/acs/3.71/operating/manage-security-policies.html