PSP 是否仅适用于通过 deplyment/replica 集创建的 pods?
Is PSP only for pods created through deplyment/replica set?
我正在尝试在集群中设置安全策略。我启用了 pod 安全并创建了一个受限的 psp
1.Step 1 - 创建了 PSP
2.Step 2 - 创建集群角色
3.Step 3 - 创建 ClusterRoleBinding
PSP
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
serviceaccount.cluster.cattle.io/pod-security: restricted
serviceaccount.cluster.cattle.io/pod-security-version: "2315292"
creationTimestamp: "2022-02-28T20:48:12Z"
labels:
cattle.io/creator: norman
name: restricted-psp
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
集群角色 -
apiVersion: rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
serviceaccount.cluster.cattle.io/pod-security: restricted
labels:
cattle.io/creator: norman
name: restricted-clusterrole
rules:
- apiGroups:
- extensions
resourceNames:
- restricted-psp
resources:
- podsecuritypolicies
verbs:
- use
ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restricted-crb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: restricted-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:security
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
创建两个 yams,一个用于部署,另一个用于 pod
kubectl create ns security
$ cat previleged-pod.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
app: privileged-deploy
name: privileged-pod
spec:
containers:
- image: alpine
name: alpine
stdin: true
tty: true
securityContext:
privileged: true
hostPID: true
hostNetwork: true
$ cat previleged-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: privileged-deploy
name: privileged-deploy
spec:
replicas: 1
selector:
matchLabels:
app: privileged-deploy
template:
metadata:
labels:
app: privileged-deploy
spec:
containers:
- image: alpine
name: alpine
stdin: true
tty: true
securityContext:
privileged: true
hostPID: true
hostNetwork: true
期望 pod 和 deployment 都被阻止。但 pod 已创建且部署失败
$ kg all -n security
NAME READY STATUS RESTARTS AGE
**pod/privileged-pod 1/1 Running 0 13m**
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/privileged-deploy 0/1 0 0 13m
NAME DESIRED CURRENT READY AGE
replicaset.apps/privileged-deploy-77d7c75dd8 1 0 0 13m
部署的预期错误如下
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 3m10s (x18 over 14m) replicaset-controller Error creating: pods "privileged-deploy-77d7c75dd8-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
但是通过 yaml 直接创建的 pod 有效。 PSP 仅适用于通过 deplyment/rs 创建的 pods 吗?请帮忙,我们怎样才能防止用户创建 pods 特权和危险
- But the pod created directly though yaml worked . Is PSP only for pods getting created through deplyment/rs ?
=> 那是因为,当您创建裸 pod(直接创建 pod)时,它将由名为“kubernetes-admin”的用户(在默认情况下)创建,该用户是组 "system:masters" 映射到名为“cluster-admin”的 cluster-role,它可以访问在 cluster.so 裸 pods 创建时创建的所有 PSP 将成功.
=> 当 pods 由部署创建时,rs、sts、ds(所有托管 pods)将使用其定义中提到的服务帐户创建。只有当这些服务帐户可以通过集群角色或角色访问 PSP 时,这些 pods 创建才会成功。
- how can we prevent users from creating pods which are previleged and dangerous
=> 我们需要确定将创建这些 pods 的用户和组是什么(通过检查 ~/kube/config 或其证书),然后确保它无权访问通过任何集群角色或角色的 PSP。
我正在尝试在集群中设置安全策略。我启用了 pod 安全并创建了一个受限的 psp
1.Step 1 - 创建了 PSP 2.Step 2 - 创建集群角色 3.Step 3 - 创建 ClusterRoleBinding
PSP
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
serviceaccount.cluster.cattle.io/pod-security: restricted
serviceaccount.cluster.cattle.io/pod-security-version: "2315292"
creationTimestamp: "2022-02-28T20:48:12Z"
labels:
cattle.io/creator: norman
name: restricted-psp
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
集群角色 -
apiVersion: rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
serviceaccount.cluster.cattle.io/pod-security: restricted
labels:
cattle.io/creator: norman
name: restricted-clusterrole
rules:
- apiGroups:
- extensions
resourceNames:
- restricted-psp
resources:
- podsecuritypolicies
verbs:
- use
ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: restricted-crb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: restricted-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:security
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
创建两个 yams,一个用于部署,另一个用于 pod
kubectl create ns security
$ cat previleged-pod.yaml
apiVersion: v1
kind: Pod
metadata:
labels:
app: privileged-deploy
name: privileged-pod
spec:
containers:
- image: alpine
name: alpine
stdin: true
tty: true
securityContext:
privileged: true
hostPID: true
hostNetwork: true
$ cat previleged-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: privileged-deploy
name: privileged-deploy
spec:
replicas: 1
selector:
matchLabels:
app: privileged-deploy
template:
metadata:
labels:
app: privileged-deploy
spec:
containers:
- image: alpine
name: alpine
stdin: true
tty: true
securityContext:
privileged: true
hostPID: true
hostNetwork: true
期望 pod 和 deployment 都被阻止。但 pod 已创建且部署失败
$ kg all -n security
NAME READY STATUS RESTARTS AGE
**pod/privileged-pod 1/1 Running 0 13m**
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/privileged-deploy 0/1 0 0 13m
NAME DESIRED CURRENT READY AGE
replicaset.apps/privileged-deploy-77d7c75dd8 1 0 0 13m
部署的预期错误如下
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 3m10s (x18 over 14m) replicaset-controller Error creating: pods "privileged-deploy-77d7c75dd8-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.securityContext.hostNetwork: Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
但是通过 yaml 直接创建的 pod 有效。 PSP 仅适用于通过 deplyment/rs 创建的 pods 吗?请帮忙,我们怎样才能防止用户创建 pods 特权和危险
- But the pod created directly though yaml worked . Is PSP only for pods getting created through deplyment/rs ?
=> 那是因为,当您创建裸 pod(直接创建 pod)时,它将由名为“kubernetes-admin”的用户(在默认情况下)创建,该用户是组 "system:masters" 映射到名为“cluster-admin”的 cluster-role,它可以访问在 cluster.so 裸 pods 创建时创建的所有 PSP 将成功.
=> 当 pods 由部署创建时,rs、sts、ds(所有托管 pods)将使用其定义中提到的服务帐户创建。只有当这些服务帐户可以通过集群角色或角色访问 PSP 时,这些 pods 创建才会成功。
- how can we prevent users from creating pods which are previleged and dangerous
=> 我们需要确定将创建这些 pods 的用户和组是什么(通过检查 ~/kube/config 或其证书),然后确保它无权访问通过任何集群角色或角色的 PSP。