为什么即使我没有访问权限,我的 PodSecurityPolicy 也会应用?
Why is my PodSecurityPolicy applied even if I don't have access?
我有两个 PodSecurityPolicy:
- 000 权限(仅限 kube 系统服务帐户和管理员用户)
- 100 限制(其他所有)
我对他们分配给 pods 有疑问。
第一个策略绑定:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:privileged
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- 000-privileged
verbs:
- use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:privileged-kube-system
namespace: kube-system
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: psp:privileged
apiGroup: rbac.authorization.k8s.io
第二个策略绑定:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:restricted
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- 100-restricted
verbs:
- use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:restricted
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: psp:restricted
apiGroup: rbac.authorization.k8s.io
kube-system 一切正常。
但是,在其他命名空间中,它没有按预期工作:
如果我创建一个 Deployment (kubectl apply -f deployment.yml),它的 pod 会被标记为 psp 100-restricted。
如果我创建一个 Pod (kubectl apply -f pod.yml),它会被标记为 psp 000-privileged。 我真的不明白为什么它不是 100 限制的。
我的 kubectl 配置了来自 OpenID Connect (OIDC) 的外部身份验证令牌。
我验证了访问权限,一切正常:
kubectl auth can-i use psp/100-restricted
yes
kubectl auth can-i use psp/000-privileged
no
有线索吗?
问题是我的用户在其 角色 中可以访问 'extensions' apiGroup 的所有资源 (*) 的所有动词 (*)。
文档有点不清楚(https://github.com/kubernetes/examples/tree/master/staging/podsecuritypolicy/rbac):
The use verb is a special verb that grants access to use a policy while not permitting any other access. Note that a user with superuser permissions within a namespace (access to * verbs on * resources) would be allowed to use any PodSecurityPolicy within that namespace.
我对“在该命名空间”的提及感到困惑。由于 PodSecurityGroup 不是 "namespaced",我假设如果命名空间中没有 ClusterRole/RoleBinding 就无法使用它们以提供显式访问权限。看来我错了...
我修改了我的角色以指定以下内容:
rules:
- apiGroups: ["", "apps", "autoscaling", "batch"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["*"]
# Avoid using * here to prevent use of 'use' verb for podsecuritypolicies resource
verbs: ["create", "get", "watch", "list", "patch", "delete", "deletecollection", "update"]
现在它选择了正确的 PSP。一件有趣的事情是,它还可以防止用户修改 (create/delete/update/etc) podsecuritypolicies。
看来'use'动词毕竟还是挺特别的.....
我有两个 PodSecurityPolicy:
- 000 权限(仅限 kube 系统服务帐户和管理员用户)
- 100 限制(其他所有)
我对他们分配给 pods 有疑问。
第一个策略绑定:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:privileged
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- 000-privileged
verbs:
- use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:privileged-kube-system
namespace: kube-system
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: psp:privileged
apiGroup: rbac.authorization.k8s.io
第二个策略绑定:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:restricted
rules:
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- 100-restricted
verbs:
- use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:restricted
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: psp:restricted
apiGroup: rbac.authorization.k8s.io
kube-system 一切正常。
但是,在其他命名空间中,它没有按预期工作:
如果我创建一个 Deployment (kubectl apply -f deployment.yml),它的 pod 会被标记为 psp 100-restricted。
如果我创建一个 Pod (kubectl apply -f pod.yml),它会被标记为 psp 000-privileged。 我真的不明白为什么它不是 100 限制的。
我的 kubectl 配置了来自 OpenID Connect (OIDC) 的外部身份验证令牌。
我验证了访问权限,一切正常:
kubectl auth can-i use psp/100-restricted
yes
kubectl auth can-i use psp/000-privileged
no
有线索吗?
问题是我的用户在其 角色 中可以访问 'extensions' apiGroup 的所有资源 (*) 的所有动词 (*)。
文档有点不清楚(https://github.com/kubernetes/examples/tree/master/staging/podsecuritypolicy/rbac):
The use verb is a special verb that grants access to use a policy while not permitting any other access. Note that a user with superuser permissions within a namespace (access to * verbs on * resources) would be allowed to use any PodSecurityPolicy within that namespace.
我对“在该命名空间”的提及感到困惑。由于 PodSecurityGroup 不是 "namespaced",我假设如果命名空间中没有 ClusterRole/RoleBinding 就无法使用它们以提供显式访问权限。看来我错了...
我修改了我的角色以指定以下内容:
rules:
- apiGroups: ["", "apps", "autoscaling", "batch"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["*"]
# Avoid using * here to prevent use of 'use' verb for podsecuritypolicies resource
verbs: ["create", "get", "watch", "list", "patch", "delete", "deletecollection", "update"]
现在它选择了正确的 PSP。一件有趣的事情是,它还可以防止用户修改 (create/delete/update/etc) podsecuritypolicies。
看来'use'动词毕竟还是挺特别的.....