How to enforce MustRunAsNonRoot policy in K8S cluster in AKS

I have a K8S cluster running in the Azure AKS service.

I want to enforce the MustRunAsNonRoot policy. How do I do that?

I created the following policy:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrict-root
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

Deployed it in the cluster:

$ kubectl get psp
NAME                            PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
restrict-root                   false          RunAsAny   MustRunAsNonRoot   RunAsAny    RunAsAny    false            *

The admission controller is running in the cluster:

$ kubectl get pods -n gatekeeper-system
NAME                                     READY   STATUS    RESTARTS   AGE
gatekeeper-audit-7b4bc6f977-lvvfl        1/1     Running   0          32d
gatekeeper-controller-5948ddcd54-5mgsm   1/1     Running   0          32d
gatekeeper-controller-5948ddcd54-b59wg   1/1     Running   0          32d

Nevertheless, I can run a simple pod that runs as root:

apiVersion: v1
kind: Pod
metadata:
  name:      mypod
spec:
  containers:
    - name:  mypod
      image: busybox
      args: ["sleep", "10000"]
      securityContext:
        runAsUser: 0

The pod is running:

$ kubectl describe po mypod
Name:         mypod
Namespace:    default
Priority:     0
Node:         aks-default-31327534-vmss000001/10.240.0.5
Start Time:   Mon, 08 Feb 2021 23:10:46 +0100
Labels:       <none>
Annotations:  <none>
Status:       Running

Why is MustRunAsNonRoot not applied? How can I enforce it?

EDIT: It seems the AKS engine does not support PodSecurityPolicy (list of supported policies). So the question remains the same: how to enforce the MustRunAsNonRoot rule on workloads?

You should not use PodSecurityPolicy on an Azure AKS cluster, as it is set for deprecation as of May 31st, 2021 in favor of Azure Policy for AKS. Check the official docs for more details:

Warning

The feature described in this document, pod security policy (preview), is set for deprecation and will no longer be available after May 31st, 2021 in favor of Azure Policy for AKS. The deprecation date has been extended from the previous date of October 15th, 2020.

So currently you should use Azure Policy for AKS on your AKS cluster, where among other built-in policies grouped into initiatives (an initiative in Azure Policy is a collection of policy definitions that are tailored towards achieving a singular overarching goal), you can find a policy whose goal is to disallow running of privileged containers.

As for PodSecurityPolicy, it should still work for the time being. Check here if you didn't forget about anything, e.g. make sure you set up the corresponding ClusterRole and ClusterRoleBinding to allow the policy to be used.
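Added example (not part of the question or the answer above): an offline Python check that applies the MustRunAsNonRoot semantics of the PodSecurityPolicy `runAsUser` rule to Pod manifests, so you can see which manifests an enforcing admission controller would reject before the cluster-side policy is in place. The manifests are constructed inline as Python dicts: the root pod from the question, a hardened variant that sets `runAsNonRoot: true` with a non-zero `runAsUser`, and one that sets nothing. Container-level `securityContext` fields override pod-level ones, matching Kubernetes precedence.

```python
"""Offline MustRunAsNonRoot check for Pod manifests (added example, not cluster code)."""
from typing import Any, Dict, List, Tuple


def _effective(container: Dict[str, Any], pod_spec: Dict[str, Any], key: str) -> Any:
    """Return the effective securityContext value: container-level wins over pod-level."""
    container_ctx = container.get("securityContext") or {}
    pod_ctx = pod_spec.get("securityContext") or {}
    return container_ctx.get(key, pod_ctx.get(key))


def check_pod(pod: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Apply the MustRunAsNonRoot rule to every container (including initContainers).

    Returns (allowed, messages). A pod is rejected when any container would run
    with UID 0 or explicitly sets runAsNonRoot: false. When neither field is set
    the pod is allowed (the PSP admission plugin would mutate runAsNonRoot: true
    and the kubelet then refuses images whose user resolves to root), but an
    advisory message is returned so the manifest can be made explicit.
    """
    spec = pod.get("spec", {})
    rejections: List[str] = []
    advisories: List[str] = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        name = container.get("name", "<unnamed>")
        uid = _effective(container, spec, "runAsUser")
        non_root = _effective(container, spec, "runAsNonRoot")
        if uid == 0:
            rejections.append(f"container {name!r}: runAsUser is 0")
        elif non_root is False:
            rejections.append(f"container {name!r}: runAsNonRoot is explicitly false")
        elif uid is None and non_root is None:
            advisories.append(
                f"container {name!r}: neither runAsUser nor runAsNonRoot set; "
                "set runAsNonRoot: true so the requirement is explicit"
            )
    if rejections:
        return False, rejections
    return True, advisories


# Constructed manifests: the root pod from the question and two variants.
ROOT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {
        "containers": [
            {
                "name": "mypod",
                "image": "busybox",
                "args": ["sleep", "10000"],
                "securityContext": {"runAsUser": 0},
            }
        ]
    },
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod-nonroot"},
    "spec": {
        # Pod-level context applies to all containers that do not override it.
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{"name": "mypod", "image": "busybox", "args": ["sleep", "10000"]}],
    },
}

UNSET_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "mypod-unset"},
    "spec": {"containers": [{"name": "mypod", "image": "busybox"}]},
}


if __name__ == "__main__":
    for label, manifest in (("root", ROOT_POD), ("hardened", HARDENED_POD), ("unset", UNSET_POD)):
        allowed, messages = check_pod(manifest)
        print(f"{label}: {'ALLOW' if allowed else 'REJECT'} {messages}")
```

The same decision is what Gatekeeper (which Azure Policy for AKS installs in the `gatekeeper-system` namespace shown in the question) or a working PodSecurityPolicy would make at admission time; running the check against manifests in CI catches the `runAsUser: 0` case before a deployment is attempted.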