PODSECURITYPOLICY
Pod 安全策略(PodSecurityPolicy)是集群级别的资源,它能够控制 Pod 运行时与安全相关的行为,以及 Pod 能够访问哪些资源。PodSecurityPolicy 对象定义了一组条件,Pod 必须满足这些条件才能被系统接受并运行。
允许的控制
开启 PodSecurityPolicy:
配置apiserver增加admission plugin PodSecurityPolicy即可
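# kube-apiserver argument (presumably one entry of the apiserver's args list).
# PodSecurityPolicy objects are only enforced while this admission plugin is
# enabled. Caveat: once enabled, a pod is admitted only if its creator or
# service account is authorised (RBAC "use" verb) for a PSP that its spec
# satisfies -- not shown on this page -- otherwise every pod creation is
# rejected. PodSecurityPolicy (policy/v1beta1) is deprecated since Kubernetes
# 1.21 and removed in 1.25; newer clusters use Pod Security Admission instead.
- --enable-admission-plugins=NodeRestriction,PodSecurityPolicy
# Other admission plugins that can be appended to the same comma-separated
# value. Listed as comments: bare names at this indent are not valid YAML
# inside an args sequence.
#   NamespaceLifecycle
#   LimitRanger
#   ServiceAccount
#   DefaultStorageClass
#   DefaultTolerationSeconds
#   MutatingAdmissionWebhook
#   ValidatingAdmissionWebhook
#   ResourceQuota
#   PodSecurityPolicy
#   NodeRestriction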
PRIVILEGED
[root@master01 privileged]# cat ./*
---
# Pod that asks for a privileged container. It is admitted only under a
# PSP whose spec.privileged is true (the "privileged" policy below).
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        # Privileged containers get the host's devices and all capabilities;
        # this is effectively root on the node.
        privileged: true
---
# Fully permissive policy: privileged containers, privilege escalation, every
# capability, every volume type, all host namespaces, the whole host port
# range and any UID / SELinux context / group. It is equivalent to running
# with no PSP at all and should only be bound (via RBAC) to trusted system
# workloads, never to ordinary namespaces.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    # Pods may request any seccomp profile.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
    - '*'
  volumes:
    - '*'
  hostNetwork: true
  hostPorts:
    - min: 0
      max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
RunAsUser
[root@master01 runAsUser]# cat ./*
---
# Variant 1 of the "runasuser" policy: containers must not run as UID 0.
# MustRunAsNonRoot is met by a non-zero runAsUser in the securityContext or
# (checked by the kubelet at start) by a non-root USER in the image; an image
# that starts as root with no runAsUser set is rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # NOTE: the three policies in this directory share this name, so if they
  # are applied together only the last one applied remains in the cluster.
  name: runasuser
spec:
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      # Range starts at 1, so the root group (GID 0) is excluded.
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  # Only the "safe" ephemeral/projected volume types; no hostPath.
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Variant 2 of the "runasuser" policy: any UID in 1..65535 is allowed. A pod
# that sets no runAsUser is mutated to the range minimum (1) rather than
# rejected; a pod that asks for UID 0 is rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Same name as the other two runasuser variants in this directory.
  name: runasuser
spec:
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
---
# Test pod with no securityContext at all. Whether it is admitted depends on
# which "runasuser" variant is active: the stock nginx image starts as root,
# so MustRunAsNonRoot rejects it unless runAsUser is added.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Variant 3 of the "runasuser" policy: no UID restriction (root allowed).
# Only the volume-type list still constrains pods.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Same name as the other two runasuser variants in this directory.
  name: runasuser
spec:
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
SELinux
[root@master01 selinux]# cat ./*
---
# Pod requesting an explicit SELinux MCS level. Under the "selinux" policy
# below (MustRunAs with level s0:c2,c3) this level does not match, so the
# pod is expected to be rejected; drop the override to let the policy
# default it.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
    - name: nginx
      image: nginx
---
# Pins the SELinux context: pods get level s0:c2,c3 when they set none, and
# any other explicit level is rejected. Host namespaces are closed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: selinux
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: MustRunAs
    seLinuxOptions:
      level: "s0:c2,c3"
  supplementalGroups:
    rule: MustRunAs
    ranges:
      # min 0 still permits the root group; use min 1 to exclude GID 0.
      - min: 0
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 0
        max: 65535
  readOnlyRootFilesystem: false
supplementalGroups
[root@master01 supplementalGroups]# cat ./*
---
# Variant 1 of "supplementalgroups": supplemental GIDs are restricted to
# 10..65535, which keeps system groups 0-9 (root, wheel, ...) out of the
# container's group list. Pods that set none get the range minimum.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Shares its name with the RunAsAny variant in this directory.
  name: supplementalgroups
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: RunAsAny
---
# Plain test pod; no supplementalGroups set, so the active policy decides
# (MustRunAs defaults them, RunAsAny leaves them empty).
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Variant 2 of "supplementalgroups": no group restriction at all.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Shares its name with the MustRunAs variant in this directory.
  name: supplementalgroups
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
FSGroup
[root@master01 fsGroup]# cat ./*
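---
# Variant 1 of "fsgroups": the fsGroup applied to volumes must be in
# 20..65535 and supplemental GIDs in 10..65535, so system groups below those
# bounds cannot be used for volume ownership.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Shares its name with the RunAsAny variant in this directory.
  name: fsgroups
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 10
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 20
        # Fixed: the original read "max:65535" (no space after the colon),
        # which YAML parses as the plain scalar string "max:65535" instead
        # of a max key, so the range was invalid.
        max: 65535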
---
# Plain test pod without fsGroup; under the MustRunAs variant the policy
# fills in the range minimum.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Variant 2 of "fsgroups": no group restriction.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Shares its name with the MustRunAs variant in this directory.
  name: fsgroups
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
RUNASGROUP
[root@master01 runAsGroup]# cat ./*
---
# Variant 1 of "runasgroup": the primary GID must be in 10..65535, so the
# root group (0) and other low system groups are excluded. The UID itself is
# unrestricted here, so this does not by itself prevent running as root.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Shares its name with the RunAsAny variant in this directory.
  name: runasgroup
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 10
        max: 65535
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# Plain test pod without runAsGroup; the MustRunAs variant defaults it to
# the range minimum.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Variant 2 of "runasgroup": no primary-GID restriction.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # Shares its name with the MustRunAs variant in this directory.
  name: runasgroup
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
HOSTPORTS
[root@master01 HostPorts]# cat ./*
---
# Only host ports 65532..65535 may be requested; any other hostPort in a
# container's ports list is rejected (the test pod below asks for 8080).
# An empty hostPorts list would forbid host ports entirely.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostports
spec:
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
    - min: 65532
      max: 65535
---
# Pod that binds container port 80 to host port 8080. 8080 is outside the
# 65532..65535 window of the "hostports" policy, so this is the rejection
# case for that policy.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
          hostPort: 8080
ALLOWEDHOSTPATHS
[root@master01 allowedHostPaths]# cat ./*
---
# hostPath volumes are allowed (volumes: '*') but only under /foo, and only
# read-only: a pod must mount such a volume with readOnly: true. Any other
# host path -- e.g. the /data used by the test pod -- is rejected. Note that
# volumes: '*' also permits every other volume type.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedhostpaths
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  allowedHostPaths:
    # pathPrefix matching is by path component; "/foo" covers /foo and
    # /foo/... but not /foobar.
    - pathPrefix: "/foo"
      readOnly: true
---
# Pod serving the host directory /data as nginx's document root. /data is
# not under the policy's allowed prefix (/foo) and the mount is writable,
# so the "allowedhostpaths" policy is expected to reject it.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
      volumeMounts:
        - name: html
          mountPath: /usr/share/nginx/html
  volumes:
    - name: html
      hostPath:
        path: /data
        # DirectoryOrCreate lets the pod create the directory on the node.
        type: DirectoryOrCreate
HOSTIPC
[root@master01 hostIPC]# cat ./*
---
# Forbids sharing the host IPC namespace (hostIPC: true in a pod spec is
# rejected). Everything else, including hostPath via volumes: '*', remains
# open, so this policy isolates only the IPC control.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostipc
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostIPC: false
---
# Pod requesting the host IPC namespace; the "hostipc" policy (hostIPC:
# false) is expected to reject it.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostIPC: true
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
      volumeMounts:
        - name: html
          mountPath: /usr/share/nginx/html
  volumes:
    - name: html
      hostPath:
        path: /data
        type: DirectoryOrCreate
HOSTPID
[root@master01 hostPID]# cat ./*
---
# Forbids sharing the host PID namespace. hostPID lets a container see (and,
# with enough privileges, signal or ptrace) every process on the node, so
# this is one of the controls worth keeping at false by default.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostpid
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPID: false
---
# Pod requesting the host PID namespace; rejected by the "hostpid" policy.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostPID: true
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
HOSTNETWORK
[root@master01 hostNetwork]# cat ./*
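---
# Forbids the host network namespace (hostNetwork: true is rejected) while
# still permitting host-port mappings anywhere in the valid port range.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hostnetwork
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostNetwork: false
  hostPorts:
    - min: 0
      # Fixed: the original had max: 65536, which is outside the 16-bit
      # port range (0..65535) and is not a valid upper bound.
      max: 65535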
---
# Pod requesting the host network namespace; rejected by the "hostnetwork"
# policy. With hostNetwork the container binds directly on the node's
# interfaces and bypasses pod-level network policy.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  hostNetwork: true
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
ALLOWPRIVILEGEESCALATION
[root@master01 allowPrivilegeEscalation]# cat ./*
---
# Forbids privilege escalation: a container that sets
# allowPrivilegeEscalation: true is rejected, and containers that leave it
# unset get false (no_new_privs), which blocks setuid binaries and file
# capabilities from raising privileges after start.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowprivilegeescalation
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  allowPrivilegeEscalation: false
---
# Pod whose container explicitly asks for privilege escalation; the
# "allowprivilegeescalation" policy is expected to reject it.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
      securityContext:
        allowPrivilegeEscalation: true
REQUIREDDROPCAPABILITIES
[root@master01 requiredDropCapabilities]# cat ./*
---
# Plain test pod. Under the "requireddropcapabilities" policy the CHOWN
# capability is dropped from its container by admission; the stock nginx
# image chowns its cache/log directories at startup, so it may fail at
# runtime rather than at admission -- worth checking when testing.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Every container admitted under this policy has CHOWN removed from its
# capability set; a container that lists CHOWN under capabilities.add is
# rejected. Hardening baselines usually drop ALL and re-add what is needed.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  requiredDropCapabilities:
    - CHOWN
ALLOWEDCAPABILITIES
[root@master01 allowedCapabilities]# cat ./*
---
# allowedCapabilities example: containers may add NET_ADMIN (and nothing
# else beyond the runtime default set). The test pod also adds SYS_TIME,
# which is not listed here, so it is expected to be rejected.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # NOTE(review): the name looks copy-pasted from the
  # requiredDropCapabilities example; it collides with that policy if both
  # are applied. Kept as-is since RBAC bindings reference it.
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  allowedCapabilities:
    # NET_ADMIN allows reconfiguring the pod's network stack (routes,
    # iptables, interfaces); grant only to network-infrastructure workloads.
    - NET_ADMIN
---
# Pod that runs as non-root and explicitly adds NET_ADMIN and SYS_TIME.
# Against a policy that allows only NET_ADMIN the SYS_TIME request is the
# part that gets it rejected.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - SYS_TIME
DEFAULTADDCAPABILITIES
[root@master01 defaultAddCapabilities]# cat ./*
---
# defaultAddCapabilities example: every container admitted under this policy
# is given NET_ADMIN and SYS_TIME even if it did not ask for them. Because
# these are added to the default set they are also implicitly allowed, so
# the test pod's explicit add of the same two capabilities passes.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  # NOTE(review): name appears copy-pasted from the requiredDropCapabilities
  # example and collides with it if both are applied; kept unchanged.
  name: requireddropcapabilities
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  defaultAddCapabilities:
    # Silently widening every container's capabilities is rarely desirable;
    # this is a demo of the mechanism, not a recommended setting.
    - NET_ADMIN
    - SYS_TIME
---
# Non-root pod adding NET_ADMIN and SYS_TIME; matches the capabilities the
# defaultAddCapabilities policy injects, so it is admitted there.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-6
spec:
  securityContext:
    runAsNonRoot: true
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - SYS_TIME
READONLYROOTFILESYSTEM
[root@master01 readOnlyRootFilesystem]# cat ./*
---
# Plain test pod. Under the "readonlyrootfilesystem" policy its container is
# mutated to readOnlyRootFilesystem: true; nginx typically needs writable
# /var/cache/nginx and /var/run, so expect a runtime failure unless emptyDir
# volumes are mounted there.
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx
---
# Requires a read-only root filesystem: containers that leave the field
# unset get readOnlyRootFilesystem: true, and one that sets it to false is
# rejected. This stops tampering with the image's own files at runtime;
# writable scratch space must come from explicit volumes.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: readonlyrootfilesystem
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
ALLOWEDUNSAFESYSCTLS
[root@master01 allowedUnsafeSysctls]# cat ./*
---
# Permits pods to set the unsafe sysctl net.ipv4.ip_forward. "Unsafe"
# sysctls are not namespaced-safe, so the node's kubelet must also list it
# in --allowed-unsafe-sysctls or the pod fails at scheduling/start even
# though this policy admits it.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: allowedunsafesysctls
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  allowedUnsafeSysctls:
    - net.ipv4.ip_forward
---
# Pod that enables IP forwarding in its network namespace via a sysctl.
# Admitted by the "allowedunsafesysctls" policy, rejected by
# "forbiddensysctls".
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ip_forward
        # Quoted on purpose: sysctl values are strings.
        value: "1"
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"
FORBIDDENSYSCTLS
[root@master01 forbiddenSysctls]# cat ./*
---
# Rejects any pod that sets net.ipv4.ip_forward in its sysctls. Entries may
# also be prefixes ending in "*" to forbid a whole sysctl family.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: forbiddensysctls
spec:
  volumes:
    - '*'
  runAsUser:
    rule: RunAsAny
  runAsGroup:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  forbiddenSysctls:
    - net.ipv4.ip_forward
---
# Same pod as in the allowedUnsafeSysctls example; here it is the rejection
# case because the policy forbids net.ipv4.ip_forward.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-10
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ip_forward
        value: "1"
  containers:
    - name: sec-ctx-4
      image: busybox
      args:
        - "sh"
        - "-c"
        - "sleep 36000"