The Pod Security Policy admission controller in Kubernetes validates requests to create or update Pods in the cluster against the rules you define. If a request to create or update a Pod does not satisfy those rules, the request is rejected and an error is returned. This topic describes how to use Pod Security Policies in Container Service for Kubernetes (ACK).
Default Pod Security Policy in ACK
In ACK, the Pod Security Policy admission controller is enabled by default in standard dedicated clusters and standard managed clusters running Kubernetes 1.16.6, together with a Pod Security Policy named ack.privileged. This policy admits Pods of any type, so its effect is the same as a cluster in which the Pod Security Policy admission controller is not enabled.
Command to view the default Pod Security Policy:
$ kubectl get psp ack.privileged
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP READONLYROOTFS VOLUMES
ack.privileged true * RunAsAny RunAsAny RunAsAny RunAsAny false *
Command to view the detailed rules of the Pod Security Policy:
$ kubectl describe psp ack.privileged
Name:  ack.privileged

Settings:
  Allow Privileged:                       true
  Allow Privilege Escalation:             true
  Default Add Capabilities:               <none>
  Required Drop Capabilities:             <none>
  Allowed Capabilities:                   *
  Allowed Volume Types:                   *
  Allow Host Network:                     true
  Allow Host Ports:                       0-65535
  Allow Host PID:                         true
  Allow Host IPC:                         true
  Read Only Root Filesystem:              false
  SELinux Context Strategy: RunAsAny
    User:                                 <none>
    Role:                                 <none>
    Type:                                 <none>
    Level:                                <none>
  Run As User Strategy: RunAsAny
    Ranges:                               <none>
  FSGroup Strategy: RunAsAny
    Ranges:                               <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:                               <none>
Full YAML of the Pod Security Policy and its corresponding ClusterRole and ClusterRoleBinding:
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ack.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - ack.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
Delete the ClusterRoleBinding of the default ACK Pod Security Policy
Warning: Before you delete the ClusterRoleBinding of the default ACK Pod Security Policy, you must first configure your custom Pod Security Policy and its corresponding RBAC binding. Otherwise, no user, controller, or service account will be able to create or update Pods.
After you have configured your custom Pod Security Policy and its corresponding RBAC binding, you enable the custom policy by deleting the ClusterRoleBinding of the default ACK Pod Security Policy ack.privileged. A Pod is admitted whenever the requester is authorized to use any policy that permits it, so removing the binding that grants every authenticated user the privileged policy leaves only your custom policy in effect.
Important: Do not delete or modify the Pod Security Policy named ack.privileged or the ClusterRole named ack:podsecuritypolicy:privileged. ACK clusters depend on these two resources to run normally.
Command to delete the ClusterRoleBinding of the default ACK Pod Security Policy ack.privileged:
$ cat <<EOF | kubectl delete -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
EOF
Configure or restore the default ACK Pod Security Policy
Command to configure or restore the default ACK Pod Security Policy and its RBAC bindings:
$ cat <<EOF | kubectl apply -f -
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ack.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - ack.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:authenticated
EOF