How to check PSP(pod security policy) spec in Kubernetes

Some of the PSP (Pod Security Policy) spec fields are not visible (for example hostIPC: false, privileged: false ... etc.)

Can you tell me why I can't check them?

[psp.yaml]

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: default
spec:
  allowPrivilegeEscalation: false
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'
  requiredDropCapabilities:
  - NET_RAW

[psp creation]

[root@master01 ~]# kubectl create -f default-psp.yaml
podsecuritypolicy.policy/default created
[root@master01 ~]# kubectl get psp
NAME      PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP    SUPGROUP   READONLYROOTFS   VOLUMES
default   false          RunAsAny   MustRunAsNonRoot   RunAsAny   RunAsAny   false
[root@master01 ~]#

[psp check]

[root@master01 ~]# kubectl get psp default -o json
{
    "apiVersion":"v1",
    "items":[
        {
            "apiVersion":"policy/v1beta1",
            "kind":"PodSecurityPolicy",
            "metadata":{
                "creationTimestamp":"2021-05-04T04:12:52Z",
                "managedFields":[
                    {
                        "apiVersion":"policy/v1beta1",
                        "fieldsType":"FieldsV1",
                        "fieldsV1":{
                            "f:spec":{
                                "f:allowPrivilegeEscalation":{
                                    
                                },
                                "f:fsGroup":{
                                    "f:rule":{
                                        
                                    }
                                },
                                "f:requiredDropCapabilities":{
                                    
                                },
                                "f:runAsUser":{
                                    "f:rule":{
                                        
                                    }
                                },
                                "f:seLinux":{
                                    "f:rule":{
                                        
                                    }
                                },
                                "f:supplementalGroups":{
                                    "f:rule":{
                                        
                                    }
                                }
                            }
                        },
                        "manager":"kubectl",
                        "operation":"Update",
                        "time":"2021-05-04T04:12:52Z"
                    }
                ],
                "name":"default",
                "resourceVersion":"163847",
                "selfLink":"/apis/policy/v1beta1/podsecuritypolicies/default",
                "uid":"b8ed1cf3-7cb8-4f03-a5d4-d1f6d8fb51a0"
            },
            "spec":{
                "allowPrivilegeEscalation":false,
                "fsGroup":{
                    "rule":"RunAsAny"
                },
                "requiredDropCapabilities":[
                    "NET_RAW"
                ],
                "runAsUser":{
                    "rule":"MustRunAsNonRoot"
                },
                "seLinux":{
                    "rule":"RunAsAny"
                },
                "supplementalGroups":{
                    "rule":"RunAsAny"
                }
            }
        }
    ],
    "kind":"List",
    "metadata":{
        "resourceVersion":"",
        "selfLink":""
    }
}

kube version: 1.18.6

This has to do with Go's underlying data representation and JSON encoding.

All fields of the bool data type work the same way when encoded to JSON:

  • if false: the field does not appear in the resulting JSON
  • if true: the field appears in the resulting JSON

Someone has already raised this as an issue: go/issues/13284. I will only quote the explanation; read the whole issue for details and context:

This is working as intended. false is the zero value of booleans, and your json struct tag has omitempty. As you can see from t2, if you don't use omitempty, the value isn't omitted.

You can see that if you set these fields to true, they do show up.

There is nothing you can do about it. Just remember that if a field is not shown, its value is false.

If you really think this is a problem and it should not work this way, open an issue on the k8s GitHub repo and ask the developers about it directly.
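The omitempty behaviour the answer describes, as an added example that is not part of the original thread: a Go struct assumed to carry the same JSON tags as the Kubernetes PodSecurityPolicySpec (plain bool for privileged and hostIPC, *bool for allowPrivilegeEscalation, which is why that false value survived in the output above), plus a helper that reads an omitted key as false.

```go
package main

import "encoding/json"
import "sort"

// PSPSpec mirrors a subset of the PodSecurityPolicy spec with the JSON tags the
// Kubernetes API types are assumed to use (constructed here, not the k8s.io/api
// type). Plain bools with omitempty vanish when false; a non-nil *bool survives.
type PSPSpec struct {
	Privileged               bool     `json:"privileged,omitempty"`
	HostIPC                  bool     `json:"hostIPC,omitempty"`
	AllowPrivilegeEscalation *bool    `json:"allowPrivilegeEscalation,omitempty"`
	RequiredDropCapabilities []string `json:"requiredDropCapabilities,omitempty"`
}

// PresentKeys encodes spec and returns, sorted, the keys that survived: what
// kubectl -o json would show for it.
func PresentKeys(spec PSPSpec) ([]string, error) {
	raw, err := json.Marshal(spec)
	if err != nil {
		return nil, err
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

// EffectiveBool reads a bool field from raw spec JSON, treating an absent key as
// false (the zero value omitempty dropped). Audit checks should use this rather
// than testing whether the key is present.
func EffectiveBool(raw []byte, key string) (bool, error) {
	var m map[string]json.RawMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return false, err
	}
	var b bool // stays false when the key was omitted
	if v, ok := m[key]; ok {
		if err := json.Unmarshal(v, &b); err != nil {
			return false, err
		}
	}
	return b, nil
}
```

Setting HostIPC to true makes the key reappear in PresentKeys, while a policy with every plain bool left false encodes to the same JSON as one where they were never set.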