• Kubernetes: securing nodes and the network inside the cluster


    • Run the container as a fixed user: spec.containers.securityContext.runAsUser: uid
    • Forbid the root user inside the container: spec.containers.securityContext.runAsNonRoot: true
    • Run the container in privileged mode: spec.containers.securityContext.privileged: true
    • Grant the container a specific kernel capability: spec.containers.securityContext.capabilities.add: SYS_TIME (allows changing the system clock)
    • Drop a kernel capability from the container: spec.containers.securityContext.capabilities.drop: SYS_TIME
    • Block writes to the container's root filesystem: spec.containers.securityContext.readOnlyRootFilesystem: true

    The security-context restrictions set on a container can also be applied at the pod level (spec.securityContext), where they hold for every container in the pod.

    • Sharing a volume between different users: spec.securityContext.fsGroup and spec.securityContext.supplementalGroups

    Combining RBAC with PodSecurityPolicy

    Define the PodSecurityPolicy objects

    • default
    
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: default
      namespace: default
    spec:
      hostIPC: false
      hostPID: false
      hostNetwork: false
      hostPorts:
      - min: 10000
        max: 11000
      - min: 13000
        max: 14000
      privileged: false   # the default policy forbids privileged containers, which is what produces the Forbidden error below
      readOnlyRootFilesystem: false
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      seLinux:
        rule: RunAsAny
      volumes:
      - '*'
    
    • privileged
    
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: privileged
      namespace: default
    spec:
      hostIPC: false
      hostPID: false
      hostNetwork: false
      hostPorts:
      - min: 10000
        max: 11000
      - min: 13000
        max: 14000
      privileged: true
      readOnlyRootFilesystem: false
      runAsUser:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      seLinux:
        rule: RunAsAny
      volumes:
      - '*'
    

    Define the ClusterRoles (the verb "use" on a PodSecurityPolicy is what lets a subject be validated against that policy)

    kubectl create clusterrole psp-default --verb=use --resources=podsecuritypolicy --resource-name=default
    
    kubectl create clusterrole psp-privileged --verb=use --resources=podsecuritypolicy --resource-name=privileged
    

    Define the ClusterRoleBindings

    # a binding name is required; the names psp-default and psp-privileged are chosen here, and the flag is --group (not --Groups)
    kubectl create clusterrolebinding psp-default --clusterrole=psp-default --group=system:authenticated
    
    kubectl create clusterrolebinding psp-privileged --clusterrole=psp-privileged --user=admin
    

    Create a Pod with privileged=true as user admin1 (admin1 is only covered by psp-default through the system:authenticated group, so the default policy is the only one it can use):

    kubectl create -f centos_1.yaml
    Error from server (Forbidden): error when creating "centos_1.yaml": pods "centos5" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
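The admission decision behind that error, as an added example that is not part of the original post: each policy the requesting user may "use" is tried in turn, and the pod is rejected only if none validates it. The policy dicts and pod specs are constructed here; the hypothetical default policy is stricter than the post's (it also requires a non-root user).

```python
def violations(pod, psp):
    """Return the reasons one pod spec fails one PodSecurityPolicy spec."""
    errs = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(key) and not psp.get(key):
            errs.append(f"spec.{key}: Invalid value: true: not allowed")
    allowed_caps = set(psp.get("allowedCapabilities", []))
    for i, c in enumerate(pod.get("containers", [])):
        sc = c.get("securityContext", {})
        path = f"spec.containers[{i}].securityContext"
        if sc.get("privileged") and not psp.get("privileged"):
            errs.append(f"{path}.privileged: Invalid value: true: "
                        "Privileged containers are not allowed")
        # an unspecified runAsUser is treated as root (conservative assumption)
        if (psp.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot"
                and sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot")):
            errs.append(f"{path}.runAsUser: Invalid value: 0: must run as non-root")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in allowed_caps and cap not in allowed_caps:
                errs.append(f"{path}.capabilities.add: Invalid value: {cap}: "
                            "capability may not be added")
        for p in c.get("ports", []):
            hp = p.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"]
                                          for r in psp.get("hostPorts", [])):
                errs.append(f"spec.containers[{i}].hostPort: Invalid value: {hp}: "
                            "Host port is not allowed to be used")
    return errs

def admit(pod, usable_psps):
    """Admission decision: the pod is allowed if any policy the requesting
    user may 'use' (via RBAC) validates it; otherwise every failure is reported."""
    failures = {}
    for name, psp in usable_psps.items():
        errs = violations(pod, psp)
        if not errs:
            return True, f"validated against PodSecurityPolicy {name}"
        failures[name] = errs
    return False, f"unable to validate against any pod security policy: {failures}"

# Constructed policies: 'default' forbids privileged containers and root users;
# 'privileged' is the permissive policy from the post, with any capability allowed.
HOST_PORTS = [{"min": 10000, "max": 11000}, {"min": 13000, "max": 14000}]
DEFAULT_PSP = {"hostNetwork": False, "hostPID": False, "hostIPC": False,
               "privileged": False, "hostPorts": HOST_PORTS,
               "runAsUser": {"rule": "MustRunAsNonRoot"}}
PRIVILEGED_PSP = {**DEFAULT_PSP, "privileged": True, "allowedCapabilities": ["*"],
                  "runAsUser": {"rule": "RunAsAny"}}
```

A user bound only to psp-default (like admin1 above) is checked against DEFAULT_PSP alone; a user who can also use psp-privileged gets the second policy as a fallback.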
    
  • Original article: https://www.cnblogs.com/zhangjxblog/p/12167676.html
Copyright © 2020-2023  润新知