
Container Service for Kubernetes: [Deprecated] Use Pod security policies

Updated: Dec 09, 2025

The Kubernetes Pod Security Policy admission controller validates requests to create or update pods in a cluster against the rules you define. If a create or update request does not satisfy those rules, the request is rejected and an error is returned. This topic describes how to use Pod security policies in Container Service for Kubernetes (ACK).

Prerequisites

You have completed the following operations:

Note

This topic applies only to clusters whose Kubernetes version is earlier than 1.26.

Default Pod security policy in ACK

In ACK, standard dedicated clusters and standard managed clusters of Kubernetes 1.16.6 enable the Pod Security Policy admission controller by default and ship with a Pod security policy named ack.privileged. This policy admits pods of any kind, which has the same effect as not enabling the Pod Security Policy admission controller at all.

Command to view the default Pod security policy

$ kubectl get psp ack.privileged
NAME             PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
ack.privileged   true   *      RunAsAny   RunAsAny    RunAsAny   RunAsAny   false            *

Command to view the detailed rules of the Pod security policy

$ kubectl describe psp ack.privileged
Name:  ack.privileged

Settings:
  Allow Privileged:                       true
  Allow Privilege Escalation:             true
  Default Add Capabilities:               <none>
  Required Drop Capabilities:             <none>
  Allowed Capabilities:                   *
  Allowed Volume Types:                   *
  Allow Host Network:                     true
  Allow Host Ports:                       0-65535
  Allow Host PID:                         true
  Allow Host IPC:                         true
  Read Only Root Filesystem:              false
  SELinux Context Strategy: RunAsAny
    User:                                 <none>
    Role:                                 <none>
    Type:                                 <none>
    Level:                                <none>
  Run As User Strategy: RunAsAny
    Ranges:                               <none>
  FSGroup Strategy: RunAsAny
    Ranges:                               <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:                               <none>

Full YAML of the Pod security policy and its ClusterRole and ClusterRoleBinding:

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ack.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - ack.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated

Delete the ClusterRoleBinding of the ACK default Pod security policy

Warning

Before you delete the ClusterRoleBinding of the ACK default Pod security policy, you must first configure your custom Pod security policy and its RBAC binding. Otherwise, no user, controller, or service account will be able to create or update pods.

After you have configured your custom Pod security policy and its RBAC binding, you can enable the custom policy by deleting the ClusterRoleBinding of the ACK default Pod security policy ack.privileged.

Important

Do not delete or modify the Pod security policy named ack.privileged or the ClusterRole named ack:podsecuritypolicy:privileged. An ACK cluster depends on both resources to run normally.

Command to delete the ClusterRoleBinding of the ACK default Pod security policy ack.privileged:

$ cat <<EOF | kubectl delete -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
EOF
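The following Python model shows why the warning above matters. It is an added example written for this topic, not ACK or Kubernetes code: it reproduces the two layers behind a PodSecurityPolicy verdict (which policies the requester may `use` through RBAC, then whether the pod satisfies at least one of them). The ack.privileged policy and the ack:podsecuritypolicy:authenticated binding are taken from the YAML above; psp.restricted, its binding, and the sample pods are hypothetical and constructed here.

```python
"""Model of the two layers behind a PodSecurityPolicy admission verdict:
(1) which policies the requester is authorized to `use` through RBAC, and
(2) whether the pod satisfies the rules of at least one of those policies.
Added example for this topic; not ACK or Kubernetes code. ack.privileged and
its binding are taken from the page; psp.restricted is hypothetical."""

from dataclasses import dataclass

# Policy specs reduced to the fields this model checks (constructed).
POLICIES = {
    # Copied from the ack.privileged spec above: everything is allowed.
    "ack.privileged": {
        "privileged": True, "allowPrivilegeEscalation": True,
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "allowedCapabilities": ["*"], "volumes": ["*"],
    },
    # Hypothetical custom policy of the kind that must be bound before the
    # default ClusterRoleBinding is deleted.
    "psp.restricted": {
        "privileged": False, "allowPrivilegeEscalation": False,
        "hostNetwork": False, "hostPID": False, "hostIPC": False,
        "allowedCapabilities": [], "volumes": ["configMap", "secret", "emptyDir"],
    },
}


@dataclass(frozen=True)
class Binding:
    """A ClusterRoleBinding to a ClusterRole that grants `use` on one policy."""
    name: str
    policy: str
    group: str


def usable_policies(bindings, groups):
    """Policies the requester (user or the pod's service account) may use."""
    return sorted({b.policy for b in bindings if b.group in groups})


def violations(psp, pod):
    """Rule violations of `pod` against `psp`; an empty list means it validates."""
    errs = []
    spec = pod["spec"]
    for host_field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_field) and not psp.get(host_field):
            errs.append(f"spec.{host_field}: Forbidden: {host_field} is not allowed")
    allowed_caps = psp.get("allowedCapabilities", [])
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp.get("privileged"):
            errs.append(f"container {c['name']}: privileged: Forbidden")
        if sc.get("allowPrivilegeEscalation") and not psp.get("allowPrivilegeEscalation"):
            errs.append(f"container {c['name']}: allowPrivilegeEscalation: Forbidden")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in allowed_caps and cap not in allowed_caps:
                errs.append(f"container {c['name']}: capability {cap} may not be added")
    allowed_vols = psp.get("volumes", [])
    for v in spec.get("volumes", []):
        vtype = next(k for k in v if k != "name")   # e.g. configMap, hostPath
        if "*" not in allowed_vols and vtype not in allowed_vols:
            errs.append(f"volume {v['name']}: {vtype} volumes are not allowed")
    return errs


def admit(pod, policies, bindings, groups):
    """Admission verdict: (admitted, validating policy name or error message)."""
    candidates = usable_policies(bindings, groups)
    if not candidates:
        # No authorized policy at all: the error message from the FAQ section.
        return False, "no providers available to validate pod request"
    for name in candidates:          # simplification: try policies in name order
        if not violations(policies[name], pod):
            return True, name
    return False, "unable to validate against any pod security policy"


# Constructed sample pods.
PRIVILEGED_POD = {"metadata": {"name": "priv"}, "spec": {
    "hostNetwork": True,
    "containers": [{"name": "c", "image": "nginx",
                    "securityContext": {"privileged": True}}]}}
PLAIN_POD = {"metadata": {"name": "plain"}, "spec": {
    "containers": [{"name": "c", "image": "nginx"}],
    "volumes": [{"name": "cfg", "configMap": {"name": "app"}}]}}

GROUPS = {"system:authenticated"}
DEFAULT_BINDINGS = [Binding("ack:podsecuritypolicy:authenticated",
                            "ack.privileged", "system:authenticated")]
CUSTOM_BINDINGS = [Binding("psp:restricted:authenticated",   # hypothetical name
                           "psp.restricted", "system:authenticated")]


def demo():
    """Walk through the cluster states this topic describes."""
    return {
        # Default ACK state: ack.privileged admits even a privileged pod.
        "default": admit(PRIVILEGED_POD, POLICIES, DEFAULT_BINDINGS, GROUPS),
        # Default binding deleted with no custom binding: nobody can create pods.
        "binding_deleted": admit(PLAIN_POD, POLICIES, [], GROUPS),
        # Restricted policy bound instead: privileged pod rejected, plain pod admitted.
        "restricted_privileged": admit(PRIVILEGED_POD, POLICIES, CUSTOM_BINDINGS, GROUPS),
        "restricted_plain": admit(PLAIN_POD, POLICIES, CUSTOM_BINDINGS, GROUPS),
    }


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:22s} -> {verdict}")
```

The "binding_deleted" case is the state the warning describes: the policy objects still exist, but with no binding that grants `use` on any of them, every request fails with "no providers available to validate pod request". Verify that a custom binding is in place (kubectl get clusterrolebinding, and kubectl auth can-i use podsecuritypolicy/<name> --as-group=system:authenticated) before deleting the default one.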

Configure or restore the ACK default Pod security policy

Command to configure or restore the ACK default Pod security policy and its RBAC bindings:

cat <<EOF | kubectl apply -f -
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: ack.privileged
  annotations:
    kubernetes.io/description: 'privileged allows full unrestricted access to
      pod features, as if the PodSecurityPolicy controller was not enabled.'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  readOnlyRootFilesystem: false

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack:podsecuritypolicy:privileged
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
rules:
- apiGroups:
  - policy
  resourceNames:
  - ack.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack:podsecuritypolicy:authenticated
  annotations:
    kubernetes.io/description: 'Allow all authenticated users to create privileged pods.'
  labels:
    kubernetes.io/cluster-service: "true"
    ack.alicloud.com/component: pod-security-policy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ack:podsecuritypolicy:privileged
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
EOF

FAQ

Pod creation fails with an error message that contains no providers available to validate pod request

Symptom

Pod creation fails, and the error message contains no providers available to validate pod request or unable to validate against any pod security policy.

Solution

The Pod security policy preinstalled in the cluster was deleted by mistake; restore the corresponding resources manually. For details, see Configure or restore the ACK default Pod security policy.

Pod creation fails with an error message that contains PodSecurityPolicy: unable to admit pod: pod.spec.securityContext.sysctls[0]: Forbidden: unsafe sysctl

Symptom

Pod creation fails, and the error message contains PodSecurityPolicy: unable to admit pod: [pod.spec.securityContext.sysctls[0]: Forbidden: unsafe sysctl "***" is not allowed]

Solution

For security reasons, the cluster does not allow pods that use "unsafe" sysctls by default. To grant this permission to specific applications, create a new Pod security policy.

Warning

Do not modify or delete the following core security resources preinstalled in the cluster. An ACK cluster depends on them to run normally. Unauthorized changes may break cluster functionality, and such changes may be reset automatically by the system.

  • The Pod security policy named ack.privileged.

  • Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings whose names start with ack:podsecuritypolicy:.

Configure the additional sysctl policy you need by adding a new Pod security policy.

  1. Create a file named unsafe-sysctl-psp.yaml with the following content.

    Adjust the value of allowedUnsafeSysctls as needed.

    ---
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: psp.allow-unsafe-sysctls
    spec:
      allowedUnsafeSysctls:
      - '*'
      privileged: true
      allowPrivilegeEscalation: true
      allowedCapabilities:
      - '*'
      volumes:
      - '*'
      hostNetwork: true
      hostPorts:
      - min: 0
        max: 65535
      hostIPC: true
      hostPID: true
      runAsUser:
        rule: 'RunAsAny'
      seLinux:
        rule: 'RunAsAny'
      supplementalGroups:
        rule: 'RunAsAny'
      fsGroup:
        rule: 'RunAsAny'
      readOnlyRootFilesystem: false
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: podsecuritypolicy:allow-unsafe-sysctls
    rules:
    - apiGroups:
      - policy
      resourceNames:
      - psp.allow-unsafe-sysctls
      resources:
      - podsecuritypolicies
      verbs:
      - use
    
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: podsecuritypolicy:allow-unsafe-sysctls:authenticated
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: podsecuritypolicy:allow-unsafe-sysctls
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: system:authenticated
    
  2. Create the resources in the cluster.

    kubectl create -f unsafe-sysctl-psp.yaml

    Expected output:

    podsecuritypolicy.policy/psp.allow-unsafe-sysctls created
    clusterrole.rbac.authorization.k8s.io/podsecuritypolicy:allow-unsafe-sysctls created
    clusterrolebinding.rbac.authorization.k8s.io/podsecuritypolicy:allow-unsafe-sysctls:authenticated created

  3. Customize the kubelet parameters of the node pool to allow unsafe sysctls. For details, see Customize kubelet parameters.

  4. Deploy a test pod that uses unsafe sysctls.

    Adjust the sysctls entries as needed. If only some nodes in the cluster (for example, the nodes of a specific node pool) have a kubelet configured to allow unsafe sysctls, also add a nodeSelector to the pod so that it is scheduled onto exactly those target nodes.

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Pod
    metadata:
      name: sysctl-example
    spec:
    #  nodeSelector:
    #    alibabacloud.com/nodepool-id: npd912756***  # replace with the target node pool ID
      securityContext:
        sysctls:
        - name: net.ipv4.tcp_syncookies
          value: "1"
        - name: net.core.somaxconn
          value: "1024"
        - name: net.ipv4.tcp_max_syn_backlog
          value: "65536"
      containers:
      - name: test
        image: nginx
    EOF

    Expected output:

    pod/sysctl-example created

    If the pod reports a SysctlForbidden event at runtime, the kubelet on the node that runs the pod is not configured to allow unsafe sysctls. Check and adjust the pod's nodeSelector so that the pod is scheduled onto a node whose kubelet parameters are configured correctly.
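A pod that sets securityContext.sysctls has to pass two separate checks, and the procedure above configures both: the Pod security policy (step 1) and the kubelet allow-list (step 3). The following Python model, added for this topic and not ACK or Kubernetes code, shows how each layer decides, using the three sysctls of the sysctl-example pod above. psp.allow-unsafe-sysctls is the policy from step 1; the other policies and the kubelet allow-lists are hypothetical and constructed here.

```python
"""Model of the two checks a pod that sets securityContext.sysctls must pass:
(1) PodSecurityPolicy admission, driven by the policy's allowedUnsafeSysctls
and forbiddenSysctls entries, and (2) the kubelet's own allow-list, whose
failure is the SysctlForbidden event mentioned in step 4. Added example for
this topic, not ACK or Kubernetes code; policies other than
psp.allow-unsafe-sysctls are hypothetical."""

# Sysctls Kubernetes classifies as "safe" (namespaced and isolated between
# pods); every other sysctl is "unsafe" and must be allowed at both layers.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",            # safe since Kubernetes 1.18
    "net.ipv4.ip_unprivileged_port_start",  # safe since Kubernetes 1.22
}


def matches(name, patterns):
    """Pattern rule shared by PSP and the kubelet: an entry ending in '*'
    matches by prefix (e.g. net.core.*); anything else must match exactly."""
    for p in patterns:
        if p.endswith("*"):
            if name.startswith(p[:-1]):
                return True
        elif name == p:
            return True
    return False


def psp_sysctl_errors(psp, sysctls):
    """Errors the PSP admission controller reports for the pod's sysctls."""
    errs = []
    for i, s in enumerate(sysctls):
        name = s["name"]
        path = f"pod.spec.securityContext.sysctls[{i}]"
        if matches(name, psp.get("forbiddenSysctls", [])):
            errs.append(f'{path}: Forbidden: sysctl "{name}" is not allowed')
        elif name not in SAFE_SYSCTLS and not matches(name, psp.get("allowedUnsafeSysctls", [])):
            errs.append(f'{path}: Forbidden: unsafe sysctl "{name}" is not allowed')
    return errs


def kubelet_admits(allowed_unsafe, sysctls):
    """Node-level check: the kubelet applies an unsafe sysctl only if it is on
    its own allow-list (the node pool parameter from step 3); otherwise the
    pod is rejected on that node with reason SysctlForbidden."""
    for s in sysctls:
        name = s["name"]
        if name not in SAFE_SYSCTLS and not matches(name, allowed_unsafe):
            return False, f'SysctlForbidden: unsafe sysctl "{name}" not allowed on this node'
    return True, "admitted"


# Sysctls of the sysctl-example pod above (constructed copy).
TEST_POD_SYSCTLS = [
    {"name": "net.ipv4.tcp_syncookies", "value": "1"},           # safe
    {"name": "net.core.somaxconn", "value": "1024"},             # unsafe
    {"name": "net.ipv4.tcp_max_syn_backlog", "value": "65536"},  # unsafe
]

DEFAULT_PSP = {}                                 # ack.privileged: no allowedUnsafeSysctls
ALLOW_ALL_PSP = {"allowedUnsafeSysctls": ["*"]}  # psp.allow-unsafe-sysctls from step 1
SCOPED_PSP = {"allowedUnsafeSysctls": ["net.core.*"],  # hypothetical narrower policy
              "forbiddenSysctls": ["kernel.*"]}


def demo():
    """Run the test pod's sysctls through each policy and each kubelet setting."""
    return {
        "default_psp": psp_sysctl_errors(DEFAULT_PSP, TEST_POD_SYSCTLS),
        "allow_all_psp": psp_sysctl_errors(ALLOW_ALL_PSP, TEST_POD_SYSCTLS),
        "scoped_psp": psp_sysctl_errors(SCOPED_PSP, TEST_POD_SYSCTLS),
        "kubelet_unconfigured": kubelet_admits([], TEST_POD_SYSCTLS),
        "kubelet_configured": kubelet_admits(
            ["net.core.somaxconn", "net.ipv4.tcp_max_syn_backlog"], TEST_POD_SYSCTLS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

The "default_psp" case reproduces the FAQ error: net.ipv4.tcp_syncookies is on the safe list and passes, but the two unsafe sysctls are rejected until a policy allows them. The "kubelet_unconfigured" case is the SysctlForbidden situation from step 4, which the admission controller cannot see because it happens on the node after scheduling. A pattern such as net.core.* in allowedUnsafeSysctls, combined with a binding to the specific service account that needs it instead of system:authenticated, keeps the grant narrower than the '*' policy in step 1.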